Security at Chiefly

An operator you can trust with the books.

Chiefly connects to the systems that run your business — QuickBooks, Xero, Stripe, HubSpot, payroll. We’ve built security in at every layer so you can act on the data without worrying who else can see it.

Defence in depth

Four layers. Every request passes all four.

Authenticated at the edge, authorised at the API, filtered at the database. A misbehaving query can’t return another tenant’s data — the database refuses to serve it.

  • Infrastructure

    • UK-resident, on a dedicated private network
    • AI traffic stays on a private backbone
    • Hardened, least-privilege runtime
    • Centralised secret management with recovery
  • Data

    • AES-256 encryption at rest
    • Database-enforced tenant isolation
    • Per-integration application-layer encryption
    • Point-in-time backup recovery
  • Identity

    • TOTP multi-factor authentication
    • Required for password & email changes
    • Role-based access within each tenant
    • Federated sign-in via OAuth
  • Application

    • Hardened security headers on every response
    • Tiered rate limiting per route class
    • Schema validation on every request
    • Parameterised queries throughout
How it protects you

Three things most AI tools don’t do. We do all three.

  • Your accounting credentials are encrypted twice.

    Once at the database layer. Again at the application layer with a key dedicated to that integration. A stolen database dump doesn't unlock your books.

    Per-integration application-layer encryption
  • Your data never leaves the UK — or our network.

    Every model call, every document scan, every query. Routed over a private backbone, end to end. The public internet isn't in the path.

    UK-resident · private network end-to-end
  • The database refuses cross-tenant queries.

    Tenant isolation is enforced inside the database itself, not just in the application. If a query misbehaves, the database still won't return rows belonging to another organisation.

    Database-enforced tenant isolation
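The page states the property (the database itself refuses rows belonging to another organisation) but not how it is implemented. The following is an added example, not Chiefly's schema or code, showing one standard way to get that property in PostgreSQL (the engine Supabase manages): row-level security with a per-transaction tenant setting. The table name, column names, role name and the `app.tenant_id` setting are assumptions; the tenant ids and amounts are constructed sample data.

```sql
-- Added example (not Chiefly's own schema or code): making PostgreSQL itself
-- refuse cross-tenant rows with row-level security (RLS).
-- Assumed names: table "invoices", role "app_user", setting "app.tenant_id".

CREATE TABLE invoices (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    total      numeric(12,2) NOT NULL
);

-- Constructed sample data for two organisations, loaded by the table owner
-- BEFORE RLS is forced (with FORCE on, the owner is subject to policies too).
INSERT INTO invoices (tenant_id, total) VALUES
    ('11111111-1111-1111-1111-111111111111', 120.00),
    ('22222222-2222-2222-2222-222222222222', 980.50);

-- The application connects as a dedicated, non-owner, non-superuser role.
-- Superusers and roles with BYPASSRLS are never filtered, so the app must
-- not use one.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_user;
GRANT USAGE, SELECT ON SEQUENCE invoices_id_seq TO app_user;

-- ENABLE applies policies to app_user; FORCE also applies them to the owner.
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;

-- Every row read (USING) or written (WITH CHECK) must carry the tenant pinned
-- on the session. current_setting(..., true) returns NULL when the setting was
-- never set, and '' once a SET LOCAL has expired; nullif() maps '' to NULL so
-- the cast never errors. NULL = anything is never true, so a session with no
-- tenant sees nothing and can insert nothing (fail closed).
CREATE POLICY tenant_isolation ON invoices
    FOR ALL TO app_user
    USING      (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = nullif(current_setting('app.tenant_id', true), '')::uuid);

-- What the application does on each request: switch to the restricted role
-- and pin the authenticated tenant for this transaction only (SET LOCAL
-- resets at COMMIT/ROLLBACK, so a pooled connection cannot leak the value).
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';

-- A "misbehaving" query that forgets the WHERE tenant_id clause still returns
-- only tenant 1's single row: the planner adds the policy predicate itself.
SELECT id, tenant_id, total FROM invoices;

-- Explicitly asking for the other tenant yields zero rows, not an error.
SELECT count(*) AS other_tenant_rows FROM invoices
 WHERE tenant_id = '22222222-2222-2222-2222-222222222222';
COMMIT;

-- Writes are filtered the same way: tagging a row with another tenant fails
-- the WITH CHECK clause with "new row violates row-level security policy",
-- which aborts the transaction.
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO invoices (tenant_id, total)
VALUES ('22222222-2222-2222-2222-222222222222', 1.00);
ROLLBACK;
```

Two checks worth running against any deployment of this pattern: confirm with `SELECT relrowsecurity, relforcerowsecurity FROM pg_class WHERE relname = 'invoices'` that both flags are true, and confirm that the role the application actually connects as has neither `rolsuper` nor `rolbypassrls` set in `pg_roles`. Either gap silently turns the policy off.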
Verified, not just claimed

We show our work.

For the technically curious — here’s what your browser sees when it talks to us. Run the command yourself; the output should match. Everyone else is welcome to skip ahead.

Security headers — www.chieflyai.com (verified 2026-04-27)
$ curl -sI https://www.chieflyai.com

strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: DENY
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
x-dns-prefetch-control: off
Compliance

Independent assessment, by design.

We’ve chosen certifications that are externally audited and recognised by UK procurement teams — not self-assessments.

  • Certified May 2026

    Cyber Essentials Plus

    UK government-backed certification with independent technical verification by an IASME-accredited assessor. Renewed annually.

    Verify on the registry
  • On the roadmap

    ISO 27001

    The internationally recognised standard for information security management. Planned following successful Cyber Essentials Plus certification.

  • Live today

    UK GDPR / EU GDPR

    We process personal data in line with GDPR. A Data Processing Agreement is available on request from privacy@chieflyai.com.


What we don’t have yet

Chiefly does not currently hold SOC 2 or ISO 27001. We’re a UK-first company building for UK operators, so Cyber Essentials Plus came first — it’s the certification our customers’ procurement teams ask for. ISO 27001 is the next step.

If your procurement process requires a SOC 2 report or a specific framework we haven’t listed, please contact security@chieflyai.com before signing. We’d rather have the conversation upfront than waste anyone’s time.

Transparency

Sub-processors.

The companies that help us deliver the service. Each one is assessed for security posture and contractually bound to appropriate data protection terms.

  • Microsoft Azure
    Purpose — Compute, AI, storage, networking, secrets
    Data — All processed data
  • Supabase
    Purpose — Managed Postgres & authentication
    Data — All processed data
  • Vercel
    Purpose — Web hosting & CDN
    Data — Request metadata — no persistent customer data
  • OpenAI (via Azure)
    Purpose — LLM inference within our Azure tenancy
    Data — Prompts & completions
  • Sentry
    Purpose — Error tracking
    Data — Stack traces, PII-scrubbed
  • Betterstack (Logtail)
    Purpose — Log ingestion
    Data — Application logs
  • Langfuse
    Purpose — LLM observability
    Data — Prompts & completions
  • Resend
    Purpose — Transactional email
    Data — Recipient email & message body
For procurement & vendor review

Running a vendor review?

Cyber Essentials Plus certified — May 2026 (verify on the Blockmark registry)

We’ll make your job easy.

DPA, sub-processor list, and a summary security overview available on request. Detailed architecture documentation is available to qualified buyers under NDA. We acknowledge every security email within one business day.

Contact security@chieflyai.com