Security Overview

Security

Chief is designed for enterprise environments. Here’s how we protect your data.

What Chief Stores

  • Your Slack messages in conversation threads with Chief, kept for context across replies
  • Task results and generated files (PDFs, sheets, scripts Chief produced)
  • Integration credentials, always encrypted (AES-256-GCM)
  • Usage records — token counts, timestamps, tool call traces (no parameter values logged)
  • Memories Chief has learned about your team

What Chief Does NOT Store

  • Your LLM API keys in plaintext (encrypted ciphertext only)
  • Your provider billing or usage data — that lives with your LLM provider
  • Messages from channels Chief isn’t invited to
  • Personal data beyond what your team shares in conversation
  • Tool call parameter bodies (e.g., the SQL query content) by default; Enterprise can opt into audit-grade logging

Encryption

All sensitive credentials are encrypted with AES-256-GCM before storage. The encryption key lives on the agent host, separate from the Convex database. A database leak alone cannot decrypt your credentials. See Encryption.

Data Isolation

Every tenant’s data is fully isolated. Tenant A cannot access Tenant B’s threads, credentials, settings, files, or memories. Isolation is enforced at the query level: every Convex query carries a tenantId filter. There is no admin override that lets one tenant see another’s data.

Data Rights

  • Export — Request a full JSON export of all your data from Settings, any time, no questions asked.
  • Deletion — Request account deletion with a 30-day grace period; data is permanently destroyed after.
  • Retention — Thread history: 90 days by default (configurable). Usage records: 1 year. Audit logs: forever on Enterprise, 90 days on Pro.

See Data Rights for the full mechanics.

Compliance Posture

Chief is not yet SOC 2 audited (audit in progress as of 2026). We follow SOC 2 Common Criteria controls and can share our internal security policy document under NDA. See Compliance.

Incident Response

If we detect a security incident affecting your tenant, we notify by email within 24 hours with what was affected and what we’re doing about it. For incidents not affecting your tenant, we publish a postmortem at hirechief.ai/security/incidents within 7 days.

Reporting Issues

Found a vulnerability? Email security@hirechief.ai. We respond within 1 business day. Responsible disclosures are credited (or kept private at your preference) and eligible for a bounty depending on severity.

More Detail