Chroniq
TRANSPARENCY REPORT

Open by design.
Verifiable by default.

A record of how Chroniq is built, secured, and operated. Updated as our practices evolve.

TLS 1.2+AES-256 at restHttpOnly JWT cookiesHMAC-SHA256 signingAppend-only audit log
OUR PRACTICES

Security

Encryption

  • Data in transit is protected with TLS 1.2+ (HSTS on production hosts).
  • Data at rest is encrypted with AES-256 in object storage and managed database.
  • Certificate signing uses HMAC-SHA256 with a server-only key rotated periodically.
  • Session tokens are HttpOnly, Secure, and SameSite-scoped cookies.

Authentication & authorization

  • Passwords are hashed with bcrypt using a per-user salt.
  • API keys are scoped, revocable, and displayed only once at creation.
  • OAuth 2.0 authorization codes are single-use with a 60-second TTL.
  • Access to your files is restricted to your own account by default.

Isolation & separation of concerns

  • File bytes are stored in object storage; metadata lives in a separate managed database.
  • Hashing and timestamping happen server-side before any downstream processing.
  • AI processing runs in a separate execution path and cannot mutate evidence records.

Auditability

  • Every mutation is logged with actor, timestamp, and action.
  • Audit logs are append-only and cannot be edited via the application.
  • Full audit history is included in every Evidence Package export.
DATA LIFECYCLE

Retention policies

Evidence records

Cryptographic evidence — hashes, timestamps, certificates, and audit logs — is retained for the lifetime of your account. If you delete your account, private evidence is removed but certificates you have previously published remain publicly verifiable so third parties who received them can still validate their integrity.

Identity verification documents

Government IDs and selfies submitted for identity verification are stored in restricted-access storage and purged automatically after admin review completes (typically within 24 hours). Only the verification decision, the reviewer, and the timestamp are retained.

Backups & snapshots

Rolling database snapshots are retained on a short window (7–30 days) for disaster recovery. Backups are encrypted and inaccessible from the application layer.

Deleted files

Files deleted from your vault are soft-deleted immediately (hidden from all views), then hard-deleted from object storage on the next retention sweep. Deleted files cannot be restored via self-service — contact support within 7 days if you deleted something by mistake.

RESPONSIBLE AI

How we use AI

Chroniq integrates Anthropic's Claude Sonnet 4.5 to generate optional file summaries and power the Research Assistant. AI is used as an interpretation layer on top of your own files — never as part of the evidence-generation path.

  • AI outputs are stamped as AI-generated and stored alongside — never inside — your evidence record.
  • Hash and timestamp are computed server-side before any AI call runs.
  • Your file contents are sent to the AI provider per-request as context only.
  • Your content is not used to train third-party foundation models per our provider agreement.
  • You can opt out of AI features from Settings; your provenance record is unaffected.
WHEN THINGS GO WRONG

Incident response

Reporting

Report vulnerabilities to security@chroniq.io. We acknowledge within 2 business days and coordinate disclosure with the reporter.

Triage

Reported issues are triaged by severity (P0–P3). P0 incidents involving user data go through our incident-response runbook with a designated incident commander.

Notification

Users materially impacted by a confirmed security incident are notified without undue delay via email at the address on file, alongside a public post-mortem where appropriate.

WHAT'S NEXT

Compliance roadmap

Chroniq is a young platform. We are transparent about the certifications we do and do not currently hold. Our public roadmap:

  • In progressInternal SOC 2 Type I readiness assessment — target audit 2026 H2.
  • PlannedISO 27001 gap analysis — target certification 2027.
  • PlannedGDPR & CCPA data-subject-request self-service portal.
  • PlannedIndependent third-party penetration testing (annual).
  • LiveLeast-privilege internal access with quarterly reviews.
  • LiveAutomated dependency vulnerability scanning on every build.

We update this list as milestones move. Have a compliance question we haven't answered? Email trust@chroniq.io.

Curious how the mechanics work?

The Trust Center walks through every technical step of building a provenance record — in plain language.