// Trust & Security Report

    Chargebee Inc. logo

    Chargebee Inc.

    Billing and Monetization Platform (subscription billing, revenue recognition, churn management, CPQ)

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    PCI DSS Level 1 (v4.0.1)
    HELD

    Chargebee is PCI DSS Level 1 certified – the highest standard of PCI compliance, and is listed on the VISA Global Registry of Service Providers. We are subject to an annual external audit by a Qualified Security Assessor (QSA) to achieve this certification.

    Verify on chargebee.com
    ISO 27001:2022
    HELD

    Chargebee is certified under ISO 27001:2022, an internationally recognized standard that sets requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).

    Verify on chargebee.com
    SOC 1 Type II
    HELD

    Chargebee's SOC 1 Type II report provides independent assurance of our financial controls and systems. Annual audits by external auditors reinforce transparency with our customers. [In scope: Chargebee Billing and RevRec]

    Verify on chargebee.com
    SOC 2 Type II
    HELD

    Chargebee's SOC 2 Type II compliance confirms our robust data security, availability, and confidentiality practices. Annual assessments by third party auditors validate our operational controls.

    Verify on chargebee.com
    EU-U.S. Data Privacy Framework (and UK + Swiss extensions)
    HELD

    Chargebee is certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework relating to the transfer of personal data from the EU, UK, and Switzerland to the USA.

    Verify on chargebee.com
    GDPR (EU and UK)
    HELD

    Chargebee operates in compliance with the EU and UK GDPR, offering data processing agreements, standard contractual clauses, and assistance for customer obligations such as exercise of data subject rights, conducting data protection impact assessments, etc.

    Verify on chargebee.com
    CCPA
    HELD

    Chargebee complies with CCPA, ensuring that the privacy rights and protections of California residents are maintained.

    Verify on chargebee.com
    > Show 1 unconfirmed / not-held certifications
    HIPAA BAA
    NOT CONFIRMED

    While customers are generally prohibited from sharing PHI to Chargebee products, Chargebee supports HIPAA compliance for Chargebee Billing product upon specific request from customer in this regard and upon entering into appropriate Business Associate Agreements (BAA).

    source: chargebee.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Customer selects region at account creation: US (AWS US East, N. Virginia), EU (AWS Frankfurt), AU (AWS Sydney). Region cannot be changed post-signup without contacting support.

    Chargebee's privacy policy (effective Feb 15, 2026) states: 'We may use artificial intelligence and machine learning capabilities offered by third parties as well as those built by Us in order to process Your personal information for the purposes set out above. In certain cases, Your information may also be used to help improve the accuracy, efficiency, and overall performance of such capabilities.' This is ambiguous: it does not explicitly state that Chargebee trains general AI/LLM models on business customer billing data, but the clause leaves the door open for using data to improve internal ML models (such as their Smart Routing churn-prediction feature). Enterprises handling sensitive billing data should request clarification and review the DPA, which may impose stricter limits on data processor use.

    // Security controls

    Penetration Testing

    Annual third-party penetration tests by certified external experts. Summary/attestation available on request (full report not shared externally). Contact: security@chargebee.com

    chargebee.com

    Bug Bounty / Responsible Disclosure

    Chargebee runs a responsible disclosure program hosted on BugBase (bugbase.ai/programs/chargebee). Scope includes app.chargebee.com, chargebeeportal.com, and related subdomains. CVSS v3 scoring used. Not on HackerOne or Bugcrowd.

    bugbase.ai

    Authentication

    Two-Factor Authentication (2FA), Role-Based Access Control (RBAC), SSO/SAML integration with leading identity providers.

    chargebee.com

    SOC Team

    24x7 Security Operations Center (SOC) team monitoring infrastructure and application activities.

    chargebee.com

    Network Security

    Advanced firewall protection, DDoS mitigation, MITM prevention, regular VAPT scans.

    chargebee.com

    Secure Coding

    OWASP Top 10 addressed in SDLC, regular secure coding training, automated vulnerability scanning.

    chargebee.com

    Encryption

    Card data encrypted and sent directly to PCI-compliant environment. TLS/HTTPS enforced.

    chargebee.com

    Compliance Contact

    compliance@chargebee.com for compliance reports/certifications; security@chargebee.com for security inquiries.

    chargebee.com

    // Products & data scope

    Chargebee BillingSubscription Billing and Payment Processing

    data: Cardholder data, subscription records, customer PII (name, email, billing address, payment info). PCI DSS Level 1 and SOC 1 Type II in scope. HIPAA BAA available on request.

    Core product. Highest compliance coverage. PCI DSS v4.0.1 scope. Supports 30+ payment gateways.

    Chargebee RevRecRevenue Recognition (GAAP)

    data: Financial transaction data, subscription revenue schedules. SOC 1 Type II in scope (alongside Billing).

    For GAAP-compliant revenue recognition and audit readiness.

    Chargebee Receivables (formerly Brightback)Churn Prevention and Retention

    data: Customer cancel-intent data, behavioral analytics, CRM/billing integration data. Uses ML (Smart Routing) for personalized retention offers.

    Smart Routing uses ML trained on cancel traffic. Privacy policy at brightback.com and chargebee.com both apply. Distinct ML data usage scope from Billing.

    Chargebee GrowthPricing Experimentation

    data: Billing and usage data for pricing experiments.

    Analytics and experimentation layer on top of Billing data.

    Chargebee CPQConfigure Price Quote

    data: Deal and quote data, customer contact information.

    Sales-led GTM use case.

    Chargebee MCPAI Agent Integration (Model Context Protocol)

    data: Exposes Chargebee billing data to AI agents/LLMs via MCP protocol. Data scope depends on integration.

    Newer product for AI-era billing automation. Compliance posture for MCP connections not separately documented on security page.

    // What to watch

    • AI training clause in privacy policy (effective Feb 15, 2026) states customer data MAY be used to improve AI/ML capabilities. Enterprises should review DPA for processor-level restrictions and request written clarification.
    • HIPAA BAA is available only on specific request for Chargebee Billing; not automatic. PHI must not be sent to Chargebee by default.
    • Bug bounty is hosted on BugBase (not HackerOne or Bugcrowd). Program is active but on a smaller platform.
    • Chargebee Receivables/Smart Routing explicitly trains ML models on customer cancel-traffic data. Distinct data use from core billing.

    // At a glance

    Pricing model

    SaaS subscription, tiered by revenue volume (Starter, Performance, Enterprise). Free trial available.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Chargebee Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    chargebee.com

    > Browse all vendor trust reports