Security at Chalked.
We’re building a product that handles audio recordings, transcripts, and personal communication patterns. People trust us with that. This page explains what we do today to protect that trust, what we’re working on, and how to reach us if you find a problem.
How we handle your data
Today, the chalkedai.com marketing site collects email addresses, form submissions, and basic technical information (IP address, user agent) for security and operational purposes. All web traffic is served over HTTPS. Form data is stored in a managed Postgres database. Transactional emails are sent through Resend. The full data lifecycle is described in our Privacy Policy.
The JAWN application at jawn.chalkedai.com additionally processes audio and video recordings produced by users. These recordings, their transcripts, and the resulting analyses are stored to deliver the service.
Infrastructure
The marketing website is hosted on Vercel. The database is hosted on Neon. Email delivery is through Resend. All three providers are SOC 2 Type II certified and operate enterprise-grade security programs. We treat them as subprocessors and disclose them in our Privacy Policy.
The JAWN application is in production. Its web application is hosted on Vercel with its database on Neon, and analysis processing runs on a separate backend server. Application traffic is served over HTTPS.
Authentication and access
Staff access to our marketing site's admin dashboard is password-protected and gated by signed session cookies (HttpOnly, Secure, SameSite=Lax, HMAC-SHA256 signature, 24-hour TTL). Public visitors never receive this cookie.
User authentication for the JAWN application uses credential sign-in. Passwords are stored as bcrypt hashes, sessions are signed tokens in HttpOnly cookies, authorization is enforced on the server, and database access uses parameterized queries.
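As an added illustration, not Chalked's own code, this is one way to issue and verify a session cookie with the properties listed for the staff dashboard (HMAC-SHA256 signature, 24-hour TTL, HttpOnly, Secure, SameSite=Lax). The `payload.signature` token layout, the cookie name `admin_session` and the key are assumptions made for the example.

```python
import base64, hashlib, hmac, json

TTL_SECONDS = 24 * 60 * 60  # 24-hour TTL, as stated on the page

def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def issue_cookie(key: bytes, subject: str, now: int) -> str:
    """Return 'payload.signature'; the signed payload carries its own expiry."""
    payload = b64e(json.dumps({"sub": subject, "exp": now + TTL_SECONDS}).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{b64e(sig)}"

def verify_cookie(key: bytes, cookie: str, now: int):
    """Return the subject if the cookie is authentic and unexpired, else None."""
    try:
        payload, sig = cookie.split(".")
        expected = hmac.new(key, payload.encode(), hashlib.sha256).digest()
        # Constant-time comparison, done before the payload is parsed at all.
        if not hmac.compare_digest(b64d(sig), expected):
            return None
        claims = json.loads(b64d(payload))
        # Enforce expiry server-side; the browser's Max-Age is only advisory.
        if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
            return None
        return claims.get("sub")
    except (ValueError, AttributeError):
        return None  # malformed token, bad base64, bad JSON, non-object payload

def set_cookie_header(name: str, value: str) -> str:
    """Build a Set-Cookie value with the attributes listed on the page."""
    return f"{name}={value}; Max-Age={TTL_SECONDS}; Path=/; HttpOnly; Secure; SameSite=Lax"

if __name__ == "__main__":
    key = b"constructed-demo-key-not-a-real-secret"  # constructed sample key
    t0 = 1_700_000_000                               # constructed timestamp
    cookie = issue_cookie(key, "staff", t0)
    print(set_cookie_header("admin_session", cookie))  # hypothetical cookie name
    print(verify_cookie(key, cookie, t0 + 60))
    print(verify_cookie(key, cookie, t0 + TTL_SECONDS))
```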
Encryption
Data in transit is encrypted using TLS 1.2 or higher across all chalkedai.com traffic and traffic between our marketing site and its subprocessors. Encryption at rest is provided by our database and hosting providers (Vercel, Neon) as part of their standard service. JAWN application traffic is likewise encrypted in transit.
Compliance
Chalked is a pre-launch company. We have not yet completed third-party security certifications. We recognize that institutional customers (schools, athletic programs, and similar organizations evaluating our JAWNED offering) require evidence of formal compliance programs. We plan to pursue:
- SOC 2 Type II audit on a timeline aligned with first institutional contracts
- FERPA-compliant data handling practices for educational institution customers
- BIPA-compliant practices for the audio and video recordings the product collects
- GDPR compliance for European users
- Documented security policies and incident response procedures
If you represent an institution evaluating Chalked and have specific compliance requirements, contact us directly at info@chalkedai.com. We'd rather have a real conversation about where we are than send you a checklist response.
Reporting a security issue
If you discover a vulnerability or security concern with chalkedai.com or the JAWN application, please contact us at security@chalkedai.com. Include enough information to reproduce the issue. We respond to security reports within two business days and will keep you updated on remediation progress. We don't currently run a bug bounty program but appreciate responsible disclosure.
Please don't publicly disclose vulnerabilities before we've had a chance to address them. We don't take legal action against researchers acting in good faith.
Contact
For general questions about our security practices that aren’t vulnerability reports, email info@chalkedai.com. For privacy-specific questions, see our Privacy Policy.