Security at Chasqui
Your data is encrypted before it ever reaches our database. Here's exactly how.
1. Field-Level Encryption
Chasqui encrypts sensitive fields using AES-256-GCM at the application layer — independently of, and in addition to, disk-level encryption. This means your personal content is encrypted before it is written to the database and decrypted only when returned to your session. Even with direct database access, this data appears as ciphertext.
The following categories of data are encrypted at the field level:
- Contact notes, phone numbers, and secondary email addresses
- Meeting titles, descriptions, locations, transcripts, and AI-generated summaries
- Meeting preparation content and desired outcomes
- AI chat messages and full conversation history
- Action item titles, descriptions, and status history
- Goals, milestones, and associated AI reasoning
- AI-generated profile insights and suggestions
- OAuth tokens — Google, Microsoft, HubSpot, and Slack connection credentials
- Profile bios, ideal customer profiles, and value propositions
- Uploaded document and resume file names
- Onboarding responses and AI insights
Encryption keys are stored as Railway environment secrets — separate from the database, never in source code or logs.
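An added example of application-layer field encryption as this section describes it (not Chasqui's code): AES-256-GCM with a fresh nonce per write and the key read from an environment secret. The variable name FIELD_KEY_B64, the `v1:iv:tag:ciphertext` envelope, and the binding of each value to its table, column and row through AAD are assumptions made for the example.

```javascript
// Added example, not Chasqui's implementation. All names here are hypothetical.
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

const VERSION = 'v1'; // assumed envelope version tag, leaves room for key rotation

// Read a 32-byte key from a base64 environment secret (FIELD_KEY_B64 is an assumed name).
function loadKey(env = process.env) {
  const key = Buffer.from(env.FIELD_KEY_B64 || '', 'base64');
  if (key.length !== 32) throw new Error('FIELD_KEY_B64 must decode to 32 bytes');
  return key;
}

// AAD ties a ciphertext to its row and column, so a value copied into another
// record or another field fails authentication when it is read back.
function aad(table, column, rowId) {
  return Buffer.from(JSON.stringify([VERSION, table, column, String(rowId)]));
}

function encryptField(key, plaintext, table, column, rowId) {
  const iv = randomBytes(12); // fresh 96-bit nonce per write; never reused under one key
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(aad(table, column, rowId));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag(); // 16-byte authentication tag
  return [VERSION, iv, tag, ct]
    .map((p) => (Buffer.isBuffer(p) ? p.toString('base64') : p))
    .join(':');
}

function decryptField(key, stored, table, column, rowId) {
  const parts = stored.split(':');
  if (parts.length !== 4 || parts[0] !== VERSION) throw new Error('unrecognised envelope');
  const [iv, tag, ct] = parts.slice(1).map((p) => Buffer.from(p, 'base64'));
  if (iv.length !== 12 || tag.length !== 16) throw new Error('malformed envelope');
  const decipher = createDecipheriv('aes-256-gcm', key, iv, { authTagLength: 16 });
  decipher.setAAD(aad(table, column, rowId));
  decipher.setAuthTag(tag);
  // final() throws if the key, AAD, tag or ciphertext has been altered
  return Buffer.concat([decipher.update(ct), decipher.final()]).toString('utf8');
}
```

The stored string is what a database reader would see; without the key from the environment it cannot be decrypted, and any edit to it is rejected at read time.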
2. Encryption in Transit
All connections between your browser and Chasqui are encrypted via HTTPS/TLS. OAuth tokens (your Google, Microsoft, and Slack credentials) receive double protection: TLS during transmission and AES-256-GCM when stored.
3. Infrastructure
- Hosting: Railway, backed by Google Cloud Platform (GCP), which provides platform-level disk encryption at rest on all volumes.
- Graph database: Neo4j runs on Railway's internal private network and is not publicly reachable — only Chasqui's own services can connect to it.
- Database: PostgreSQL with connection pooling and TLS. The database does not accept connections from outside Railway's private network.
4. Authentication Security
- Passwords: Hashed with bcrypt before storage. Plaintext passwords are never stored or logged — not even transiently.
- Single sign-on: Google, Microsoft, and GitHub OAuth are available so you don't need a password at all.
- Password reset tokens: Generated with a cryptographically secure random number generator (48-bit entropy), not predictable Math.random() values.
- Rate limiting: All authentication endpoints (sign-in, register, password reset) are rate-limited to prevent brute-force attacks.
5. Data Access Controls
- All data is strictly scoped to your user account at the query level — no cross-user data access is possible.
- Because field-level encryption keys are deployment-level environment secrets, Chasqui employees do not have routine access to the contents of your notes, messages, transcripts, or AI insights. This is a deliberate design choice.
6. Questions or Concerns
If you have a security question or want to report a vulnerability, email us at security@chasqui.ai. You can also review our Privacy Policy for full details on how we handle your data.