Open Console
Open Console

Security & Data Protection

Effective Date: 26/03/2026

Chronosense is designed to provide structured compliance monitoring while maintaining appropriate safeguards for organizational data.

This page outlines the security and data protection measures applied within the platform.

1. Access Controls

Access to the Chronosense platform is protected through multiple layers of authentication and security controls:

  • Secure account login with token-based session management (JWT)

  • Mandatory email verification on account creation — accounts cannot be activated until the registered email address is confirmed

  • Strong password policy — passwords must be a minimum of 12 characters and meet complexity requirements; password age is tracked and expiration is enforced

  • Optional two-factor authentication (2FA) — users may enable SMS-based one-time codes for an additional layer of account security

  • Bot protection on the registration flow, implemented via Cloudflare Turnstile

  • Rate limiting applied to authentication endpoints to mitigate brute-force attempts

2. Organizational Data Segregation

Chronosense enforces organization-level data separation. Each subscription operates as an isolated organization. Users may only access data associated with their own organization. Cross-organization data access is not permitted at any level of the platform.

3. Team Access & Onboarding

Organizations can invite team members via a secure invitation code system. Invitation codes carry an expiry period and are invalidated after use, preventing reuse or unauthorized access via stale links.

Once onboarded, team members are assigned one of the following roles:

  • Owner — full administrative access, including the ability to manage members and organization settings

  • Member — access to compliance tools and data within the organization, without administrative permissions

Owners are responsible for managing internal access and ensuring that roles reflect current personnel.

4. Document Storage

Compliance documents and submission packets generated within the platform are stored in encrypted cloud storage provided by Amazon Web Services (S3). Documents are retained with version history — prior submissions are never overwritten, ensuring a complete and unalterable record is maintained.

5. Audit & Activity Logging

All significant compliance actions within the platform are recorded with a timestamp and the identity of the acting user. This provides a full auditable trail that can be referenced in the event of regulatory scrutiny or internal review.

Alert records are append-only. Escalation events create new records rather than modifying existing entries, preserving the integrity of the compliance history. Alerts remain open until explicitly acknowledged by an authorized user.

6. Infrastructure & Service Providers

Chronosense utilizes the following third-party providers to support secure service delivery:

  • Hetzner — platform hosting and infrastructure

  • Amazon Web Services (S3) — encrypted document and compliance packet storage

  • SendGrid — transactional email delivery

  • Twilio — SMS delivery and two-factor authentication

  • Stripe — subscription billing and payment processing

  • Cloudflare — bot protection and traffic management

Each provider operates under its own security and compliance frameworks. Links to their respective security documentation are available on their websites.

7. Data Protection Principles

Chronosense operates in accordance with the following data protection principles:

  • Data minimization — only data necessary for operating the platform is collected and retained

  • Organizational access control — data is strictly scoped to the organization it belongs to

  • Controlled notification delivery — alerts and notifications are delivered only to verified contacts within an organization

  • Protection against unauthorized access — enforced through authentication controls, session management, and role-based permissions

Personal data is processed only for the purposes of operating and improving the platform.

8. Account & Data Deletion

Users may request deletion of their account at any time. Upon deletion, associated personal data is removed in accordance with the platform's data retention practices. Organizations wishing to request removal of their organizational data should contact support directly.

9. Incident Response

Chronosense maintains internal procedures for identifying and responding to suspected security incidents. Where required by applicable law, affected users will be notified of material security incidents in a timely manner.

10. User Responsibilities

Users are responsible for:

  • Maintaining the confidentiality of their login credentials and any active session

  • Enabling two-factor authentication where appropriate for their security requirements

  • Managing internal access within their organization, including promptly revoking access for departing team members

  • Ensuring that authorized personnel are assigned appropriate roles

11. Limitations

While Chronosense implements the safeguards described on this page, no system can guarantee absolute security. Users acknowledge that use of online services carries inherent risk.

12. Contact

If you have security-related questions or concerns, please contact:

Email: support@chronosenseapp.com

Chronosense Limited

Company No: 17019194

72 Alexandra Road

Sheffield

S26 4TB

UK

Email: hello@chronosenseapp.com

Privacy Policy

Terms of Service