Chroma Cloud Security

Chroma Cloud is built with security at its core. We use layered controls across people, process, and technology to protect your data and ensure the reliability of our services. Our security program has been independently assessed through a SOC 2 Type II examination, validating the design of our security controls.

Governance and People

We maintain a comprehensive security program overseen by our Information Security Officer, who reports directly to executive leadership. Our approach includes:

  • Annual review of our Information Security Policy and related policies including Risk Management, Data Classification, Encryption Management, Change Management, Incident Response, Vendor Risk Management, and Business Continuity
  • Background checks for all employees where permitted by law
  • Annual security awareness training for all team members
  • Regular performance reviews and policy acknowledgments
  • Board of Directors oversight with documented charter
  • Enterprise risk assessments conducted annually with semi-annual review meetings

Platform Architecture and Hosting

Chroma Cloud is designed for security and reliability:

  • Hosted on Amazon Web Services (AWS) across multiple Availability Zones for redundancy
  • Production, staging, and development environments are fully isolated in separate AWS accounts and networks
  • Infrastructure managed as code with peer review and approval requirements
  • Containerized architecture orchestrated with Amazon EKS
  • Network access restricted through code-defined security groups
  • Physical security provided by AWS under a shared responsibility model

Data Protection

Your data security is our priority:

  • All customer data encrypted in transit and at rest using industry-standard cryptography (TLS/SSL, PKI, AES)
  • Key management delegated to AWS services where possible
  • Customer data classified and treated as confidential
  • Documented retention and disposal policies with secure wiping of electronic media
  • Company laptops protected with full-disk encryption
  • Clean-desk standard and password manager requirements

Access Controls

We enforce strict access controls to protect your data:

  • Single sign-on (SSO) with role-based access control enforcing least privilege
  • Multi-factor authentication (MFA) required for all employee production and AWS access
  • Unique user IDs required for all accounts
  • Monthly access reviews with immediate revocation upon termination
  • Remote production access requires VPN and encrypted protocols
  • Sessions auto-disconnect after inactivity
  • Cloud resources configured to deny public access by default

Secure Software Development

Security is built into our development process:

  • Documented Software Development Lifecycle (SDLC) with secure coding practices
  • Segregated development, staging, and production environments
  • All changes require peer review and approval before deployment
  • Infrastructure and configuration managed as code through CI/CD pipelines
  • Build artifacts and container images scanned for vulnerabilities
  • Emergency changes follow defined procedures with post-incident review
  • Temporary production access follows a documented “break-glass” process

Monitoring and Threat Detection

We continuously monitor for security threats:

  • Comprehensive logging across infrastructure, applications, and databases
  • Real-time security monitoring with alerts to on-call engineers
  • Intrusion detection and data exfiltration monitoring
  • AWS GuardDuty and AWS Inspector for continuous threat detection
  • Third-party observability tools for performance and security monitoring
  • Log retention according to documented policies

Vulnerability Management

We proactively identify and remediate security vulnerabilities:

  • Continuous internal and external vulnerability scanning in production
  • Annual third-party penetration testing
  • Remediation tracked by severity with defined timelines
  • Critical patches targeted within one month of release
  • Company devices run antimalware with automatic security updates

Incident Response

We're prepared to respond quickly to security incidents:

  • Documented incident response plan covering all phases from detection to recovery
  • Incidents tracked and escalated through PagerDuty
  • Annual testing of incident response procedures
  • Customer notification for incidents affecting customer data
  • Post-incident reviews to improve our response

Business Continuity and Disaster Recovery

We maintain robust recovery capabilities:

  • S3 object storage with versioning, deletion protection, and cross-region replication
  • Streaming cross-region database replication with daily snapshots
  • Infrastructure-as-code enables rapid environment redeployment
  • Annual testing of disaster recovery procedures

Third-Party Security

We carefully manage our third-party relationships:

  • Vendor due diligence performed before engagement
  • Annual review of SOC 2 and ISO 27001 reports from critical providers
  • Security questionnaires for providers without formal certifications

Key service providers include:

  • AWS (infrastructure hosting)
  • Vercel (frontend hosting)
  • Honeycomb (observability)
  • PostHog (product analytics)

Your Security Responsibilities

Security is a shared responsibility. As a Chroma Cloud customer, you should:

  • Store Chroma Cloud API keys securely and encrypted
  • Use strong passwords that meet our application requirements
  • Enable multi-factor authentication where available
  • Manage team member accounts, permissions, and terminations appropriately
  • Maintain backups of your critical data
  • Implement appropriate security measures for your own infrastructure

Reporting Security Concerns

We take security seriously and welcome your feedback. You can report security incidents, vulnerabilities, or concerns to support@trychroma.com.

We'll communicate any system changes that affect our security commitments to ensure you stay informed.

Compliance

Chroma Cloud has successfully completed a SOC 2 Type II examination. This independent assessment validated the suitability of the design of our security controls. The examination covers our security program and evaluates our controls against the Trust Services Criteria.