Security at Chalked.
We’re building a product that handles audio recordings, transcripts, and personal communication patterns. People trust us with that. This page explains what we do today to protect that trust, what we’re working on, and how to reach us if you find a problem.
How we handle your data
Today, the chalkedai.com marketing site collects email addresses, form submissions, and basic technical information (IP address, user agent) for security and operational purposes. All web traffic is served over HTTPS. Form data is stored in a managed Postgres database. Transactional emails are sent through Resend. The full data lifecycle is described in our Privacy Policy.
When JAWN beta opens June 5, 2026, the application will additionally process audio and video recordings produced by users. These recordings, their transcripts, and the resulting analyses are stored to deliver the service. We will publish a comprehensive description of product data handling before beta launch.
Infrastructure
The marketing website is hosted on Vercel. The database is hosted on Neon. Email delivery is through Resend. All three providers are SOC 2 Type II certified and operate enterprise-grade security programs. We treat them as subprocessors and disclose them in our Privacy Policy.
The JAWN application is currently in development and not deployed to production. Production hosting will be selected before beta launch with security posture, data residency, and uptime as primary criteria.
Authentication and access
Staff access to our marketing site's admin dashboard is password-protected and gated by signed session cookies (HttpOnly, Secure, SameSite=Lax, HMAC-SHA256 signature, 24-hour TTL). Public visitors never receive this cookie.
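An added illustration of how a signed session cookie with the properties listed above can be issued and checked. This is not Chalked's code; the cookie name, the `user|expiry` payload layout, and the function names are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import time

TTL_SECONDS = 24 * 60 * 60      # 24-hour TTL, as stated above
COOKIE_NAME = "admin_session"   # hypothetical cookie name


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _mac(key: bytes, payload: bytes) -> bytes:
    return _b64(hmac.new(key, payload, hashlib.sha256).digest()).encode()


def issue_cookie(key: bytes, user: str, now=None) -> str:
    """Return '<payload>.<signature>'; the payload carries its own expiry."""
    now = int(time.time()) if now is None else int(now)
    payload = f"{user}|{now + TTL_SECONDS}".encode()
    return f"{_b64(payload)}.{_mac(key, payload).decode()}"


def set_cookie_header(value: str) -> str:
    """Set-Cookie value carrying the attributes listed above."""
    return (f"{COOKIE_NAME}={value}; Max-Age={TTL_SECONDS}; Path=/; "
            "HttpOnly; Secure; SameSite=Lax")


def verify_cookie(key: bytes, value: str, now=None):
    """Return the user name, or None if malformed, forged, or expired."""
    now = int(time.time()) if now is None else int(now)
    try:
        body, sig = value.split(".")
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
    except ValueError:  # wrong part count or bad base64
        return None
    # Check the signature (constant-time) before trusting any payload field.
    if not hmac.compare_digest(sig.encode(), _mac(key, payload)):
        return None
    try:
        user, expires = payload.decode().rsplit("|", 1)
        if now >= int(expires):
            return None  # server-side expiry; do not rely on Max-Age alone
    except ValueError:
        return None
    return user
```

The expiry is inside the signed payload because `Max-Age` is only a hint to the browser; a copied cookie stays valid until the server itself rejects it.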
User authentication for the JAWN application is not yet implemented. The authentication mechanism will be selected before beta launch.
Encryption
Data in transit is encrypted using TLS 1.2 or higher across all chalkedai.com traffic and traffic between our marketing site and its subprocessors. Encryption at rest is provided by our database and hosting providers (Vercel, Neon) as part of their standard service. We will publish more detailed encryption practices for the JAWN application before beta launch.
Compliance
Chalked is a pre-launch company. We have not yet completed third-party security certifications. We recognize that institutional customers (schools, athletic programs, and similar organizations evaluating our JAWNED offering) require evidence of formal compliance programs. We plan to pursue:
- SOC 2 Type II audit on a timeline aligned with first institutional contracts
- FERPA-compliant data handling practices for educational institution customers
- BIPA-compliant practices for the audio and video recordings the product collects
- GDPR compliance for European users
- Documented security policies and incident response procedures
If you represent an institution evaluating Chalked and have specific compliance requirements, contact us directly at info@chalkedai.com. We'd rather have a real conversation about where we are than send you a checklist response.
Reporting a security issue
If you discover a vulnerability or security concern with chalkedai.com or the JAWN application, please contact us at security@chalkedai.com. Include enough information to reproduce the issue. We respond to security reports within two business days and will keep you updated on remediation progress. We don't currently run a bug bounty program but appreciate responsible disclosure.
Please don't publicly disclose vulnerabilities before we've had a chance to address them. We don't take legal action against researchers acting in good faith.
Contact
For general questions about our security practices that aren’t vulnerability reports, email info@chalkedai.com. For privacy-specific questions, see our Privacy Policy.