Security

How CHeKT secures the platform.

The controls, certifications, and operational practices behind every CHeKT API call, webhook, and device connection.

Data in transit

Every connection to api.chekt.com and dealer.chekt.com is terminated with TLS 1.2 or higher; older protocol versions and weak cipher suites are disabled. HTTP requests are redirected to HTTPS with HSTS preload.

Webhook deliveries to your endpoint require HTTPS — we refuse to register http:// URLs even in sandbox apps. Self-signed certificates are rejected by default; contact security@chekt.com if you have a legitimate internal-CA case.

Data at rest

All data — including device telemetry, alarms, snapshots, and audit logs — is encrypted at rest. We use AES-256 for object storage and database-native encryption for relational data. Encryption keys are managed via AWS KMS with per-tenant key isolation for enterprise plans.

Authentication & authorization

Three primary auth modes, in order of trust:

API Key
Per-app, dealer-scoped, rotatable. Default for CHeKT Apps. Always paired with permission scopes.
OAuth 2.0
For end-user-facing apps that need user-mediated grants. Tokens rotate every 24 hours.
Assertion Token
Service-to-service signed JWTs with rotating keys. Used by high-trust service-to-service partners.

All three honour the same permission system. Scopes are enforced at the API edge before requests reach the data tier.

Audit logging

Every API call, webhook delivery, and operator action is logged with timestamp, actor identifier, scope used, request ID, source IP, and result. Logs are immutable — once written, they can be read but not edited.

Retention is 365 days for standard plans and up to 7 years for enterprise plans requiring extended compliance windows.

Certifications & compliance

SOC 2 Type II

Annual third-party audit covering security, availability, and confidentiality. Report available under NDA.

UL 827

Central station certification — our monitoring infrastructure is UL-listed.

GDPR

Data Processing Agreement available for customers operating in the EU/UK. DPA covers all data shared with CHeKT.

CCPA

Honours California Consumer Privacy Act rights for end users of our platform.

For SOC 2 reports, DPAs, security questionnaires, or vendor reviews, email security@chekt.com.

Reporting vulnerabilities

We run a coordinated disclosure programme. If you find a vulnerability in any CHeKT property — the API, the dealer portal, the CLI, the MCP server, or any of our published SDKs — please email security@chekt.com.

Response SLA
We acknowledge within 24 hours and provide a triage status within 72 hours.
Scope
Production CHeKT services. Sandbox / staging environments are out of scope.
Bug bounty
No public programme yet. Critical findings on production may receive a discretionary bounty — contact us.
Safe harbour
Good-faith research that follows this policy is exempt from legal action under our terms.