Security
Last updated: June 14, 2026
Chiron Pay handles some of the most sensitive information a business owns: who owes it money, how much, and the bank-grade payment flows used to collect it. Protecting that data is not a feature; it is a precondition for everything we do. This page describes the technical and organizational measures we use to keep your receivables data, your team, and your Debtors safe.
Security and privacy work together. This overview complements our Privacy Policy, which explains what data we process and why, and our Terms of Service.
1. Our Approach
We design Chiron Pay around defense in depth and least privilege: data is protected at multiple layers, and every person and system is granted only the access required to do its job. Security is built into how we write code, run our infrastructure, and operate our AI agents, not bolted on afterwards.
- Encrypt data in transit and at rest by default.
- Isolate every workspace's data from every other workspace.
- Keep payment card data off our systems entirely.
- Log automated agent actions so collection activity stays auditable.
- Limit and monitor access to production systems.
2. Encryption
All traffic between you, your Debtors, and Chiron Pay is encrypted in transit using TLS. Data at rest, including your invoices, Debtor records, and communication history, is encrypted using AES-256, the same 256-bit encryption standard relied on by banks. Sensitive secrets such as third-party integration credentials are encrypted with additional application-level protection on top of storage encryption.
3. Payment Security
We never see or store full payment card numbers. All card data is handled directly by Stripe, a PCI DSS Level 1 certified payment provider, the highest level of payment-industry certification. Chiron Pay stores only payment references and statuses needed to reconcile invoices.
We also keep our hands off the money itself. Chiron Pay charges zero commission on the amounts your Debtors pay you. Whether funds settle to your own connected Stripe account or are collected on our platform account and passed through to you, we never deduct a share of what you recover. Security and trust are the product; a cut of your cash flow is not.
4. Tenant Isolation and Access Controls
Chiron Pay is multi-tenant. Every query and background job is scoped to a single workspace, so one Customer can never read or act on another Customer's data. Within your workspace:
- Authentication is managed by Clerk, including secure password handling, social sign-in, and support for two-factor authentication.
- Role-based access control lets you decide which team members can view, send, or configure collection activity.
- Single sign-on (SSO) and advanced audit controls are available on our Enterprise plan for teams with stricter access requirements.
5. Infrastructure Security
Chiron Pay runs on hardened, industry-leading cloud infrastructure providers, including Vercel for our web application, Render for our API and background workers, and managed, access-controlled database hosting for your data. These providers maintain their own rigorous physical and network security programs. Production access is restricted, authenticated, and granted on a need-to-know basis, and customer data is regularly backed up to support recovery.
6. Application Security
Security is part of our development lifecycle. Changes are reviewed before they reach production, dependencies are monitored for known vulnerabilities, and secrets are managed outside of our source code. We follow secure-by-default engineering practices to protect against common web application risks.
7. Monitoring and Audit Logging
Because Chiron Pay can act on your behalf, accountability matters. We log the actions our AI agents take (the messages they draft and send, and the decisions they make) so that your collection activity is auditable and reviewable. We monitor our systems for anomalies and operational issues, and investigate and respond to security events.
8. AI Safety and Controls
AI is core to how Chiron Pay recovers cash, so we hold it to clear guardrails. We do not permit our AI providers to use your data to train their models. You stay in control of agent behavior through configurable tone settings, channel restrictions, discount and follow-up limits, and quiet hours, with review surfaces so a human can oversee what the agent does. These controls protect both your reputation and your Debtors.
9. Compliance
Our security program is built to meet recognized industry standards, including SOC 2 Type II for the security, availability, and confidentiality of customer data. We handle personal data in line with the GDPR and with the data-protection laws that apply to our markets, including the Malaysian Personal Data Protection Act 2010 and the Singapore Personal Data Protection Act 2012. See our Privacy Policy for how we process and protect personal data.
10. Availability and Reliability
A collections platform only helps you get paid when it is online. We design for high availability with redundant, managed infrastructure and regular backups, and we offer a 99.9% uptime SLA to Enterprise customers. We maintain backup and recovery practices so that your data can be restored in the event of an incident.
11. Reporting a Vulnerability
We welcome reports from security researchers and customers. If you believe you have found a vulnerability, please email us at support@chironpay.com with "Security" in the subject line and enough detail for us to reproduce the issue. We will acknowledge your report, investigate promptly, and keep you updated. We ask that you give us a reasonable opportunity to fix the issue before disclosing it publicly, and that you avoid accessing or modifying other users' data. We will not pursue legal action against researchers who report issues in good faith and follow this guidance.
12. Your Role in Security
Security is a shared responsibility. You help keep your workspace safe by using strong, unique credentials, enabling two-factor authentication, granting team members only the access they need, removing access promptly when people leave, and configuring your AI agent's guardrails appropriately for your market.
13. Contact
For security questions or reports, contact us at support@chironpay.com.