Trust center

Security isn't a tier.
It's the foundation.

Autonomy is only valuable if it's trustworthy. Chimes is built so that isolation, encryption, and AI safety are properties of the architecture — not features you bolt on later.

SOC 2 Type I: Month 6
SOC 2 Type II: Month 12
HIPAA: Roadmap
PCI DSS: Roadmap
ISO 27001: Roadmap
GDPR-ready: Today

Defense in depth

Six layers, working together.

From the database row to the last token of an AI response, every layer assumes the others might fail — and protects you anyway.

Tenant isolation

Row-level security on every tenant-scoped table. One tenant can never see another's data — enforced at the database, not the application.

PII protection

AES-256-GCM envelope encryption at rest via the KMS adapter, plus a typed redactor that scrubs PII before anything reaches a log.

API security

Argon2id-hashed keys with rotation and revocation, and GCRA rate limiting on every endpoint to stop abuse cold.

Hardened transport

TLS 1.3 with rustls — no OpenSSL — plus HSTS, a strict CSP, COOP/CORP, and a locked-down Permissions-Policy.

AI safety

Confidence thresholds, grounding checks, hostile-sentiment escalation, and per-session budgets keep autonomy inside the lines.

Immutable audit

Every action — human or agent — is hash-chained and attributable. You can reconstruct exactly what happened, and why.

Your keys, your control

Bring your own everything.

Identity, secrets, and storage are adapters. Run Chimes against your OpenBao, your KMS, your Postgres — the platform never assumes it owns your sensitive infrastructure.

security.toml
[adapters.kms]
provider = "openbao"        # your vault

[adapters.iam]
provider = "keystone"
mode     = "postgres"       # your database

[security]
pii_redaction = "strict"
tls           = "1.3"       # rustls, no openssl
audit         = "hash-chained"

The most autonomous system we evaluated was also the most auditable. That's not a coincidence — it's the design.
Security review · Regulated industry buyer

Questions

The short answers.

Row-level security is applied to all tenant-scoped tables in PostgreSQL. Isolation is enforced by the database itself on every query, so a bug in application code can't leak one tenant's data to another.
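
The sketch below shows what database-enforced tenant isolation looks like in PostgreSQL, with two catalog queries a reviewer can run to confirm it covers every tenant-scoped table. It is an added example, not Chimes's schema or code; the `tickets` table, the `tenant_id` column, the `app.tenant_id` setting and the sample UUID are assumptions made for illustration.

```sql
-- Hypothetical tenant-scoped table (illustrative names, not Chimes's schema).
CREATE TABLE tickets (
    id        bigint GENERATED ALWAYS AS IDENTITY PRIMARY KEY,
    tenant_id uuid   NOT NULL,
    body      text   NOT NULL
);

-- ENABLE turns policies on; FORCE applies them to the table owner as well,
-- which otherwise bypasses row-level security.
ALTER TABLE tickets ENABLE ROW LEVEL SECURITY;
ALTER TABLE tickets FORCE ROW LEVEL SECURITY;

-- USING filters rows on read, update and delete; WITH CHECK rejects writes
-- that would place a row in another tenant. An unset or empty app.tenant_id
-- becomes NULL, so the predicate matches no rows (fails closed).
CREATE POLICY tenant_isolation ON tickets
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request: bind the tenant for this transaction only
-- (third argument true = transaction-local). Constructed sample UUID.
BEGIN;
SELECT set_config('app.tenant_id', '00000000-0000-0000-0000-000000000001', true);
SELECT id, body FROM tickets;   -- returns only that tenant's rows
COMMIT;

-- Audit 1: tables carrying tenant_id where RLS is not both enabled and forced.
-- An empty result is the expected state.
SELECT c.oid::regclass AS table_name, c.relrowsecurity, c.relforcerowsecurity
FROM pg_class c
JOIN pg_attribute a ON a.attrelid = c.oid
WHERE c.relkind IN ('r', 'p')
  AND a.attname = 'tenant_id'
  AND NOT a.attisdropped
  AND NOT (c.relrowsecurity AND c.relforcerowsecurity);

-- Audit 2: roles that skip RLS entirely. The application's login role
-- should not appear here.
SELECT rolname FROM pg_roles WHERE rolsuper OR rolbypassrls;
```

Superusers and roles with `BYPASSRLS` are never subject to policies, so the guarantee holds only when the application connects as an ordinary role.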

Trust center

Autonomy you can actually trust.

No credit card to start · Open-source core · Deploy in hours, not quarters