
Security at Channl

Carousel Labs, Inc. d/b/a Channl

Last Updated: May 19, 2026
Classification: Public
Published at https://channl.ai/security


Security is foundational to the Channl platform. As a B2B commercial-intelligence platform that uses AI to surface signals and map relationships across the systems revenue teams already run, Channl handles sensitive business data on behalf of its customers. This page summarizes the technical and organizational measures we use to protect that data.

A more detailed description of our security program, including our named sub-processor list, Data Processing Addendum, security questionnaire responses, and SOC 2 status letter, is available to customers and prospective customers at https://channl.ai/dpa, subject to a non-disclosure agreement.


Compliance

Channl maintains a documented information security program supported by a continuous compliance-monitoring platform. An independent SOC 2 audit is currently in progress; reports will be made available to customers and prospective customers under non-disclosure agreement when issued.

We support customers subject to GDPR, UK GDPR, the Swiss FADP, and the California Consumer Privacy Act (CCPA / CPRA). Standard Contractual Clauses, a UK International Data Transfer Addendum, and a Data Processing Addendum are available on request. See our Privacy Policy at https://channl.ai/privacy for the underlying commitments.

We do not knowingly process protected health information governed by HIPAA, cardholder data subject to PCI-DSS (beyond limited tokens managed by our payment processor), or other regulated data outside the scope of our Terms of Service.


Infrastructure

The Channl platform runs entirely on managed, SOC 2-attested cloud infrastructure. Channl operates no on-premise servers and maintains no physical data centers. Production systems are deployed in vendor-managed environments with no direct shell or console access from Channl personnel.

| Layer | Posture |
|---|---|
| Application hosting and edge | Managed serverless platform with global edge network, automatic HTTPS, isolated execution per request, and built-in DDoS protection. |
| Managed databases | SOC 2-attested managed database environment (relational, document, vector, graph) with tenant isolation enforced at the database layer. |
| Caching, rate limiting, and queues | TLS-encrypted managed key-value, rate-limit, and queue services. |
| Error and performance monitoring | Continuous error tracking and performance monitoring with alerting on anomalous patterns. |

Production data is processed and stored in the United States.

The categories of infrastructure and AI sub-processors we use, including purpose and data processed, are published at https://channl.ai/security/subprocessors. The current named list of specific vendors within each category is made available to customers and prospective customers under non-disclosure agreement.


Encryption

All data is encrypted in transit and at rest.

| Protection | Standard |
|---|---|
| Encryption in transit | TLS 1.2 or higher on all external connections. HTTP Strict Transport Security (HSTS) is enabled with preload and includeSubDomains. |
| Encryption at rest | AES-256 (or equivalent industry-standard cipher) across all managed datastores, including primary databases, backups, file storage, and caches. Encryption keys are managed by the underlying cloud providers with automatic rotation. |
| Secrets management | Application and integration secrets are stored in encrypted environment configuration with access scoped to production systems only. |

Authentication

Channl does not collect or store user passwords for the Service.

  • Federated single sign-on and email magic-link: Sign-in is performed through federated single sign-on or short-lived, single-use email links. Channl never receives or stores user passwords.
  • Session integrity: Sessions are managed through secure, HttpOnly, SameSite cookies with server-side validation on every authenticated request.
  • Customer-authorized integrations: When you connect a third-party service, OAuth refresh tokens are stored encrypted at rest and scoped to the minimum permissions the integration requires.
  • Administrator and personnel access: Channl personnel access to production tooling requires multi-factor authentication and is reviewed on every personnel change.

Access Controls

Channl enforces least-privilege access across all systems.

  • Role-based access control: Roles grant only the minimum permissions necessary for each function. Customer roles are configured within each customer's organization; Channl personnel roles follow a documented matrix.
  • Tenant isolation: Every database query is scoped to the requesting organization at the database layer through row-level security policies.
  • Quarterly access reviews: Production access is reviewed and validated at least quarterly; unused accounts and excessive permissions are revoked.
  • Audit logging: Authentication events, schema changes, administrative actions, and sensitive state-changing API calls are written to immutable audit logs with actor attribution and timestamps.
  • Production access boundary: No direct database, server, or console access from personnel laptops to production. Operational changes are made through reviewed, version-controlled code paths.

Application Security

  • Secure SDLC: All production code goes through peer code review, automated test suites, and dependency-vulnerability scanning in continuous integration.
  • Security headers: All HTTP responses set Strict-Transport-Security, Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, and a restrictive Permissions-Policy.
  • Rate limiting: Authenticated and unauthenticated endpoints are rate-limited.
  • Attack-surface review: Authenticated routes are reviewed regularly for appropriate authentication and authorization controls.
  • Dependency hygiene: Continuous vulnerability scanning of open-source dependencies; critical advisories trigger remediation workflows.

Data Handling

  • Customer Data ownership: Customers retain all rights to their data. Channl uses Customer Data only to operate, secure, and support the Service.
  • Tenant isolation: Multi-tenant isolation is enforced at the database layer; there is no cross-tenant data access.
  • No data selling: Channl does not sell or rent customer data and does not engage in cross-context behavioral advertising.
  • Data minimization for AI: Only the data necessary for a given AI-assisted feature is transmitted to AI sub-processors.
  • No model training on Customer Data: Channl does not train, fine-tune, or improve any AI model on Customer Data, in any tier, ever. AI sub-processors are contractually bound not to use Customer Data submitted through the Service to train their general-purpose models.
  • Customer rights and deletion: Data-subject and customer-controlled deletion requests are processed within the statutory windows described in our Privacy Policy.
  • Data residency: Production data is processed and stored in the United States.

AI Data Handling

Channl uses third-party large-language-model and embedding providers under contractual data-processing agreements to deliver AI-assisted features such as research, drafting, scoring, summarization, and search. The specific providers and model configurations may change over time; Channl reserves the right to substitute providers without notice provided the substitution does not materially diminish the privacy or security commitments described here. The current named list of AI sub-processors is available to customers under NDA on request.

For every AI sub-processor we require:

  • a written commitment that Channl inputs and outputs will not be used to train the vendor's general-purpose models;
  • zero-retention or short-retention processing where the vendor offers it;
  • SOC 2 attestation, ISO 27001, or an equivalent third-party security certification;
  • a Data Processing Addendum (or equivalent) with Standard Contractual Clauses where personal data may transfer outside the EEA, UK, or Switzerland.

AI-assisted outputs may be inaccurate or incomplete. Customers are responsible for reviewing AI outputs before relying on them.


Monitoring and Detection

  • Centralized error and exception monitoring with alerting on anomalous error rates, latency, and failure patterns.
  • Authentication anomaly detection: Failed logins, unusual access patterns, and credential-reuse signals are monitored.
  • Health checks and synthetic probes: Background jobs monitor pipeline freshness, audit-log writeability, dead-letter queues, and cost anomalies, with alerts on staleness.
  • Audit-log integrity: Marketplace, administrative, and security-sensitive actions are written to append-only audit logs.
  • Continuous compliance monitoring: Configuration, access, and control evidence is monitored continuously through an automated compliance platform.

Incident Response

Channl maintains a documented incident-response plan, reviewed and exercised at least annually.

| Severity | Initial response | Customer notification |
|---|---|---|
| P1. Critical (confirmed data breach, sustained service compromise) | 4-hour initial response during business hours; ASAP outside business hours via the on-call channel | Affected customers notified within 72 hours per applicable law, with regulatory notification handled under GDPR Art. 33 or equivalent. |
| P2. High (service degradation, attempted breach, sensitive misconfiguration) | 1-business-day initial response | Status page updated; affected customers notified if impact is confirmed. |
| P3 / P4. Medium / Low | Next business day | Tracked internally; included in periodic security reviews. |

Every incident is followed by a documented root-cause analysis, remediation plan, and post-incident review.

Customers may report suspected security issues to security@channl.ai.


Responsible Disclosure

We welcome responsible security research.

  • Reporting: email security@channl.ai with a clear description and reproduction steps.
  • Acknowledgment: we aim to acknowledge receipt within three business days.
  • Safe harbor: we will not pursue legal action against persons who in good faith comply with this policy and do not (a) access, modify, or exfiltrate data belonging to anyone other than themselves, (b) disrupt the Service, or (c) publicly disclose the issue before we have had a reasonable opportunity to remediate.
  • Scope: the Channl application, APIs, and authentication flows operated by Carousel Labs, Inc. Third-party services we depend on are out of scope; please report issues to those vendors directly.
  • Out of scope: denial-of-service, social-engineering against Channl personnel, physical attacks, and findings against staging or sandbox environments.

Vendor and Sub-Processor Management

Vendors that process customer personal data are assessed before onboarding and at least annually thereafter. Requirements include:

  • SOC 2 Type 2 attestation, ISO 27001, or equivalent security-program documentation appropriate to the data they process;
  • a written Data Processing Addendum (or equivalent) with appropriate confidentiality, security, and data-subject-rights provisions;
  • Standard Contractual Clauses (or other appropriate transfer mechanism) where personal data may move outside the EEA, UK, or Switzerland;
  • a documented incident-notification commitment to Channl.

The current categories of sub-processors we use are published at https://channl.ai/security/subprocessors. The named list of specific vendors within each category is made available to customers and prospective customers under non-disclosure agreement. Material changes are also notified through the channel set out in our DPA.


Personnel Security

  • Background checks for personnel with production access, subject to applicable law.
  • Confidentiality and acceptable-use obligations in every employment and contractor agreement.
  • Security and privacy training: Personnel with system access complete security and privacy training before production access and annually thereafter.
  • Multi-factor authentication required for production and administrative tooling.
  • Off-boarding workflow: Off-boarding revokes access on termination; access lists are audited at least quarterly.

Business Continuity and Backups

  • Managed datastores are backed up by our infrastructure providers on rotating schedules with point-in-time recovery available within the standard windows offered by each provider.
  • Recovery procedures are documented and exercised periodically.
  • Application infrastructure is multi-region at the edge and automatically fails over within the hosting provider's global network.

Contact

  • Security incidents and vulnerability reports: security@channl.ai
  • Privacy inquiries: legal@channl.ai
  • General questions: hello@channl.ai

Carousel Labs, Inc. 251 Little Falls Drive Wilmington, New Castle County, DE 19808 United States


© 2026 Carousel Labs, Inc. All rights reserved.
