// Trust & Security Report
Chargebee Inc.
Billing and Monetization Platform (subscription billing, revenue recognition, churn management, CPQ)
Certifications held
7
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on chargebee.com“Chargebee is PCI DSS Level 1 certified – the highest standard of PCI compliance, and is listed on the VISA Global Registry of Service Providers. We are subject to an annual external audit by a Qualified Security Assessor (QSA) to achieve this certification.”
Verify on chargebee.com“Chargebee is certified under ISO 27001:2022, an internationally recognized standard that sets requirements for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).”
Verify on chargebee.com“Chargebee's SOC 1 Type II report provides independent assurance of our financial controls and systems. Annual audits by external auditors reinforce transparency with our customers. [In scope: Chargebee Billing and RevRec]”
Verify on chargebee.com“Chargebee's SOC 2 Type II compliance confirms our robust data security, availability, and confidentiality practices. Annual assessments by third party auditors validate our operational controls.”
Verify on chargebee.com“Chargebee is certified under the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework relating to the transfer of personal data from the EU, UK, and Switzerland to the USA.”
Verify on chargebee.com“Chargebee operates in compliance with the EU and UK GDPR, offering data processing agreements, standard contractual clauses, and assistance for customer obligations such as exercise of data subject rights, conducting data protection impact assessments, etc.”
Verify on chargebee.com“Chargebee complies with CCPA, ensuring that the privacy rights and protections of California residents are maintained.”
> Show 1 unconfirmed / not-held certifications
source: chargebee.comWhile customers are generally prohibited from sharing PHI to Chargebee products, Chargebee supports HIPAA compliance for Chargebee Billing product upon specific request from customer in this regard and upon entering into appropriate Business Associate Agreements (BAA).
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Customer selects region at account creation: US (AWS US East, N. Virginia), EU (AWS Frankfurt), AU (AWS Sydney). Region cannot be changed post-signup without contacting support.
Chargebee's privacy policy (effective Feb 15, 2026) states: 'We may use artificial intelligence and machine learning capabilities offered by third parties as well as those built by Us in order to process Your personal information for the purposes set out above. In certain cases, Your information may also be used to help improve the accuracy, efficiency, and overall performance of such capabilities.' This is ambiguous: it does not explicitly state that Chargebee trains general AI/LLM models on business customer billing data, but the clause leaves the door open for using data to improve internal ML models (such as their Smart Routing churn-prediction feature). Enterprises handling sensitive billing data should request clarification and review the DPA, which may impose stricter limits on data processor use.
// Security controls
Penetration Testing
Annual third-party penetration tests by certified external experts. Summary/attestation available on request (full report not shared externally). Contact: security@chargebee.com
chargebee.comBug Bounty / Responsible Disclosure
Chargebee runs a responsible disclosure program hosted on BugBase (bugbase.ai/programs/chargebee). Scope includes app.chargebee.com, chargebeeportal.com, and related subdomains. CVSS v3 scoring used. Not on HackerOne or Bugcrowd.
bugbase.aiAuthentication
Two-Factor Authentication (2FA), Role-Based Access Control (RBAC), SSO/SAML integration with leading identity providers.
chargebee.comSOC Team
24x7 Security Operations Center (SOC) team monitoring infrastructure and application activities.
chargebee.comNetwork Security
Advanced firewall protection, DDoS mitigation, MITM prevention, regular VAPT scans.
chargebee.comSecure Coding
OWASP Top 10 addressed in SDLC, regular secure coding training, automated vulnerability scanning.
chargebee.comEncryption
Card data encrypted and sent directly to PCI-compliant environment. TLS/HTTPS enforced.
chargebee.comCompliance Contact
compliance@chargebee.com for compliance reports/certifications; security@chargebee.com for security inquiries.
chargebee.com// Products & data scope
data: Cardholder data, subscription records, customer PII (name, email, billing address, payment info). PCI DSS Level 1 and SOC 1 Type II in scope. HIPAA BAA available on request.
Core product. Highest compliance coverage. PCI DSS v4.0.1 scope. Supports 30+ payment gateways.
data: Financial transaction data, subscription revenue schedules. SOC 1 Type II in scope (alongside Billing).
For GAAP-compliant revenue recognition and audit readiness.
data: Customer cancel-intent data, behavioral analytics, CRM/billing integration data. Uses ML (Smart Routing) for personalized retention offers.
Smart Routing uses ML trained on cancel traffic. Privacy policy at brightback.com and chargebee.com both apply. Distinct ML data usage scope from Billing.
data: Billing and usage data for pricing experiments.
Analytics and experimentation layer on top of Billing data.
data: Deal and quote data, customer contact information.
Sales-led GTM use case.
data: Exposes Chargebee billing data to AI agents/LLMs via MCP protocol. Data scope depends on integration.
Newer product for AI-era billing automation. Compliance posture for MCP connections not separately documented on security page.
// What to watch
- AI training clause in privacy policy (effective Feb 15, 2026) states customer data MAY be used to improve AI/ML capabilities. Enterprises should review DPA for processor-level restrictions and request written clarification.
- HIPAA BAA is available only on specific request for Chargebee Billing; not automatic. PHI must not be sent to Chargebee by default.
- Bug bounty is hosted on BugBase (not HackerOne or Bugcrowd). Program is active but on a smaller platform.
- Chargebee Receivables/Smart Routing explicitly trains ML models on customer cancel-traffic data. Distinct data use from core billing.
// At a glance
Pricing model
SaaS subscription, tiered by revenue volume (Starter, Performance, Enterprise). Free trial available.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Chargebee Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
chargebee.com