Bank-level security.
Independently verified.
ChargePilot is CASA Tier 2 verified — the same standard required for apps handling high-sensitivity data in the Google Workspace Marketplace. Your merchant data and customer evidence are protected by encryption and authentication standards built for financial institutions.
- CASA Tier 2 Verified: Independent DAST scan by TAC Security. Zero critical findings.
- AES-256-GCM Encryption: All integration tokens encrypted at rest.
- Stripe App Marketplace: Verified native Stripe app.
- Google Cloud Infrastructure: Enterprise-grade hosting on Firebase Hosting + Firestore.
ENCRYPTION EVERYWHERE.
Tokens, secrets, and merchant data protected at rest and in transit.
At rest
- All OAuth access and refresh tokens encrypted with AES-256-GCM
- Encryption key managed by Google Cloud Secret Manager
- Merchant API keys (BYOK integrations) encrypted with the same standard
- Firestore rules enforce server-only writes on sensitive integration documents
In transit
- TLS 1.2+ across all API endpoints
- HTTPS-only redirect for all public-facing URLs
- Strict Content Security Policy (CASA CSP requirement)
- Firebase Hosting with HTTPS enforcement
What does CASA Tier 2 actually mean?
CASA (Cloud Application Security Assessment) is Google's security framework for third-party apps in its ecosystem. Tier 2 is the higher of the two commonly applied tiers, required for apps handling sensitive user data.
ChargePilot completed a DAST (Dynamic Application Security Testing) scan by TAC Security, an independent auditor, and passed with zero critical findings.
The same standard applies to apps processing Gmail messages, Google Drive files, and Google Workspace administrative data — the bar for high-sensitivity data.
ChargePilot maintains CASA compliance continuously. This is not a one-time checkbox.
INTEGRATION SECURITY
Zero-trust authorization. Minimum scope. Read-only by default.
OAuth 2.0 for user-authorized integrations
Stripe, Shopify, Gmail, Recharge, Gorgias, and Help Scout all connect via industry-standard OAuth flows. No API keys shared. Merchants can revoke tokens anytime from the source platform.
BYOK for developer-first integrations
For Skio, merchants generate their own API key and paste it into ChargePilot. Keys are encrypted before storage. Merchants can rotate keys anytime in their Skio dashboard.
Read-only by default
Every ChargePilot integration requests the minimum scope needed for evidence enrichment. No writes to merchant data. No admin access. No destructive capability.
Automated token refresh
Expired tokens are refreshed server-side without user intervention. Revoked tokens flip the integration to an error state so merchants can reconnect cleanly.
Google API Services User Data Policy
ChargePilot's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. We only request the minimum Gmail scopes necessary to surface customer email communications as chargeback evidence, and we never sell, transfer, or use this data for advertising purposes.
Scopes requested: read-only access to Gmail message metadata and message bodies for emails exchanged between the merchant and a specific customer involved in a chargeback dispute. ChargePilot does not modify, delete, or send messages on the merchant's behalf.
Data handling: Email content retrieved via the Gmail API is processed transiently during evidence package generation and is not persisted in long-term storage. Any referenced email metadata stored alongside a dispute record is purged when the associated dispute is deleted or the merchant disconnects the Gmail integration.
User control: Merchants can revoke ChargePilot's Gmail access at any time from their Google Account's Security settings at myaccount.google.com/permissions, or from within ChargePilot's Settings → Integrations. Revocation is instant and disables all further Gmail data access.
For full details, review Google's API Services User Data Policy or see our full Privacy Policy.
Account security
- Firebase Auth for merchant sign-in
- Stripe OAuth for platform connection — ChargePilot never sees merchant Stripe secret keys
- HTTP-only admin cookies where applicable
- Session tokens tied to Firebase Auth refresh lifecycle
- Account deletion wipes all associated data: integration tokens, dispute evidence, stored artifacts
Data handling
- Merchant data stays in US-region data centers (Firebase project configured for US)
- ChargePilot never sees cardholder data — all PCI-scope data stays inside Stripe
- Chargeback evidence is generated from metadata only; customer PII is minimized to what card networks require
- GDPR-ready: account deletion purges all merchant data
COMPLIANCE & CERTIFICATIONS
| Standard | Status |
|---|---|
| CASA Tier 2 (Google) | Verified — TAC Security DAST scan passed |
| Stripe App Marketplace | Verified — app.chargepilot.ai live |
| Firebase Security Rules | Enforced server-side |
| AES-256-GCM at rest | All sensitive fields |
| TLS 1.2+ in transit | All endpoints |
| GDPR | Account deletion supported |
Security FAQ.
What is CASA Tier 2?
CASA (Cloud Application Security Assessment) is Google's security framework for third-party apps in its ecosystem. Tier 2 is the higher of the two commonly applied tiers and is required for apps handling sensitive user data — the same standard applied to apps that process Gmail messages, Google Drive files, or Google Workspace administrative data. ChargePilot completed a DAST scan by TAC Security, an independent auditor, and passed with zero critical findings.
How are my API keys protected?
For OAuth integrations (Stripe, Shopify, Gmail, Recharge, Gorgias, Help Scout), ChargePilot stores only scoped OAuth tokens — never API keys or passwords. For BYOK integrations (Skio), the API key you paste in is encrypted with AES-256-GCM before being written to storage. The encryption key is managed by Google Cloud Secret Manager and is never exposed to application code.
Can ChargePilot access my Stripe account if my ChargePilot account is compromised?
No. ChargePilot never holds your Stripe secret key. We authorize against Stripe via OAuth, which means Stripe issues us a scoped access token. If you suspect compromise, you can revoke that token instantly from your Stripe dashboard and ChargePilot loses access immediately — with no path back in until you re-authorize.
What happens to my data when I disconnect an integration?
Disconnecting an integration revokes the OAuth token (or invalidates the stored API key) and stops future enrichment. Existing evidence that's already been submitted stays on record because card networks require it, but no new data is fetched. Full account deletion wipes all stored tokens and merchant data.
Where is my data stored?
ChargePilot is hosted on Google Cloud. The Firebase project is configured for US data centers. Sensitive tokens are stored encrypted in Firestore with keys managed by Google Cloud Secret Manager.
Can I request a copy of my data?
Yes. Email security@chargepilot.ai with your merchant account details and we'll produce an export of your stored data. We honor GDPR data access and deletion requests regardless of where you're based.
Who do I contact for security concerns?
Email security@chargepilot.ai for vulnerability reports, security questions, or data requests. For urgent issues involving suspected account compromise, include "URGENT" in the subject.
Security concerns or vulnerability reports? security@chargepilot.ai
Built on the same infrastructure that runs Google and Stripe.
ChargePilot combines independently verified security, bank-level encryption, and zero-trust integration authorization — so you can recover chargebacks without worrying about your stack.