Enterprise-grade security & trust
CookieChimp is built so privacy, security and procurement teams can quickly understand our controls: encryption, hosting transparency, independent penetration testing, data minimisation, SSO, password-login 2FA and a signed DPA.
- Penetration tested: CREST-accredited
- GDPR & ePrivacy: compliant
- EU–US Data Privacy Framework
- ISO 27001: certification in progress
- Hosting transparency: published register
- Visitor privacy: masked IPs only
Only consent proof is saved
CookieChimp uses the request IP to show the right consent banner. Before the consent record is saved, the IP is shortened and masked. Each record also gets a random consent ID for audit lookup.
Saved with each consent record
The saved record contains enough detail to prove consent and route future banner logic. Consent proof is looked up by consent ID or customer reference, not by full IP address.
Consent lookup reference
Each record has a randomly generated consent ID for customer-side lookup. Customers can also pass a non-identifying user ID to connect consent records to their own system without sending personal details to CookieChimp.
Security built into every layer
From the edge to the database, CookieChimp applies defence-in-depth so your compliance tooling never becomes your risk.
Encryption everywhere
All traffic is protected with TLS 1.3 and HSTS-enforced HTTPS. Data at rest — including PostgreSQL and Redis — is encrypted, and application secrets are stored using Rails encrypted credentials.
Independent penetration testing
Our application is tested by CREST-accredited testers. The most recent authenticated, grey-box test (October 2025) returned no critical or high-risk findings.
Account access protections
Team access controls, optional two-factor authentication for password-based logins, failed-login lockout and breached-password detection protect account access.
Privacy by design
CookieChimp processes a visitor's IP address to infer the right location and banner, then stores only a masked IP value alongside the consent record.
Resilient infrastructure
Built on Heroku and Cloudflare’s global network of 310+ data centres, with hosting locations documented in our public sub-processor register.
Continuous monitoring
Error and performance monitoring, audit-ready consent records, and an in-progress ISO/IEC 27001 programme keep our controls verifiable and maintained — not stale.
You stay the controller. We keep the processor role narrow.
CookieChimp gives your team the hosting, retention, transfer and vendor details needed for procurement review without turning consent management into a broad data store.
- Hosting transparency: application, analytics, support and edge-delivery processors are listed with their data categories and locations.
- Retention controls: choose standard consent-record retention, with extended periods available for compliance needs.
- Processor paperwork: a standard DPA with EU SCCs is available for customer review and signature.
- Sub-processor register: published vendors make hosting, support and transfer dependencies clear.
Everything procurement and security teams ask for
Single sign-on (SSO)
Sign in with Google and partner SSO over OpenID Connect, alongside native authentication.
Team management
Invite teammates and manage account membership from one workspace.
Two-factor authentication
Optional 2FA and account lockout protect password-based logins.
Sub-processor transparency
Our full sub-processor register is published and kept up to date.
Audit-ready consent records
Consent logs with configurable retention support your own audits and compliance reviews.
Independent penetration testing
CookieChimp engages CREST-accredited testers for independent, authenticated penetration tests of the application and API. A redacted summary and letter of completion are available to enterprise customers under NDA.
Security & compliance questions
Where is my data hosted?
CookieChimp publishes its sub-processors, purposes, data categories and locations in our sub-processor register. Application hosting, database hosting, analytics, support and edge delivery may use different hosting regions depending on the service.
How is data encrypted?
All data in transit uses TLS 1.3 with HSTS enforced. Data at rest in PostgreSQL and Redis is encrypted, and application secrets use Rails encrypted credentials.
Do you carry out penetration testing?
Yes. We engage CREST-accredited testers for independent assessments. Our most recent authenticated, grey-box web application test (October 2025) found no critical or high-risk issues. A summary is available to enterprise customers under NDA.
Are you GDPR compliant, and will you sign a DPA?
Yes. CookieChimp is built for GDPR and ePrivacy compliance, and we offer a standard Data Processing Agreement incorporating EU Standard Contractual Clauses for international transfers.
What personal data do you store about website visitors?
CookieChimp stores consent metadata for auditability. We process the visitor's IP address to infer location and select the right banner, then store only a masked IP value with a randomly generated consent ID for customer audit lookup. Customers may optionally pass a non-identifying user reference for their own lookup needs, but CookieChimp does not use full IP addresses to map consent records to people.
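The flow described in this answer and in the "Only consent proof is saved" section above (full IP used once for banner selection, then truncated and masked before the record is written, with a random consent ID and an optional customer reference for lookup) is shown below as an added example in Ruby, chosen because the page mentions a Rails stack. This is illustrative code, not CookieChimp's own implementation. The prefix widths kept after masking (/24 for IPv4, /48 for IPv6), the in-memory `ConsentStore`, the toy `GEO_TABLE` and the `mask_ip`/`region_for` helpers are all assumptions of this example; the page does not state how far the IP is shortened or how the region lookup is done.

```ruby
require "ipaddr"
require "securerandom"
require "time"

# Prefix lengths kept after masking. The page only says the IP is "shortened and
# masked"; /24 and /48 are this example's assumption, not CookieChimp's setting.
IPV4_KEEP_BITS = 24
IPV6_KEEP_BITS = 48

# Zero the host bits of an address before it is persisted. IPv4-mapped IPv6
# (::ffff:a.b.c.d) is unwrapped first so it gets IPv4 treatment. Returns nil for
# input that does not parse, so a malformed header never reaches the record.
def mask_ip(raw)
  addr = IPAddr.new(raw.to_s.strip)
  addr = addr.native if addr.ipv4_mapped?
  bits = addr.ipv4? ? IPV4_KEEP_BITS : IPV6_KEEP_BITS
  addr.mask(bits).to_s
rescue IPAddr::InvalidAddressError, IPAddr::AddressFamilyError
  nil
end

# Constructed toy geo table for the demo (documentation prefixes only); a real
# deployment would query a geo database. Lookup runs on the FULL address, before
# masking, because banner selection needs the precise location.
GEO_TABLE = {
  "203.0.113.0/24"  => "EU",
  "198.51.100.0/24" => "US",
  "2001:db8::/32"   => "EU",
}.transform_keys { |cidr| IPAddr.new(cidr) }

def region_for(raw)
  addr = IPAddr.new(raw.to_s.strip)
  addr = addr.native if addr.ipv4_mapped?
  match = GEO_TABLE.find { |net, _| net.include?(addr) }
  match ? match.last : "ROW"
rescue IPAddr::InvalidAddressError, IPAddr::AddressFamilyError
  "ROW"
end

# In-memory stand-in for the consent table. Records are indexed by a random
# consent ID and, optionally, by the customer's own non-identifying reference;
# there is deliberately no index on IP address.
class ConsentStore
  def initialize
    @by_id  = {}
    @by_ref = Hash.new { |h, k| h[k] = [] }
  end

  # Build and persist the proof-of-consent record. The raw IP is consumed by
  # region_for and mask_ip and is never stored. The user_ref guard is this
  # example's choice: an opaque token is expected, not an e-mail or name.
  def record(raw_ip:, choices:, user_ref: nil)
    if user_ref && user_ref.match?(/@|\s/)
      raise ArgumentError, "user_ref must be an opaque, non-identifying token"
    end
    rec = {
      consent_id:  SecureRandom.uuid,
      masked_ip:   mask_ip(raw_ip),
      region:      region_for(raw_ip),
      choices:     choices.dup.freeze,
      user_ref:    user_ref,
      recorded_at: Time.now.utc.iso8601,
    }.freeze
    @by_id[rec[:consent_id]] = rec
    @by_ref[user_ref] << rec if user_ref
    rec
  end

  def find(consent_id)
    @by_id[consent_id]
  end

  def find_by_ref(user_ref)
    @by_ref.fetch(user_ref, [])
  end
end

if __FILE__ == $PROGRAM_NAME
  store = ConsentStore.new
  rec = store.record(raw_ip: "203.0.113.42",
                     choices: { analytics: true, ads: false },
                     user_ref: "cust-7f3a")
  puts rec.inspect
  puts "lookup by id ok: #{store.find(rec[:consent_id]).equal?(rec)}"
  puts "lookup by ref ok: #{store.find_by_ref('cust-7f3a') == [rec]}"
end
```

The check a reviewer would add to a real implementation is the one the test below makes: that no field of the persisted record contains the full address, and that lookups only resolve through the consent ID or the customer reference.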
Do you support SSO and two-factor authentication?
Yes. We support SSO via Google and OpenID Connect partner identity providers, plus optional two-factor authentication for password-based logins and account lockout.
How do you vet your sub-processors?
We maintain a published sub-processor register. Transfers to US-based processors rely on the EU–US Data Privacy Framework or Standard Contractual Clauses, and EU-hosted processors require no cross-border transfer.
Are you ISO 27001 and Cyber Essentials certified?
We are Cyber Essentials certified and are actively working towards ISO/IEC 27001:2022 certification, with our controls and evidence programme already in place. We do not currently hold a SOC 2 report.
Ready to put it in front of your security team?
We’ll walk through our controls, share our penetration-test summary and DPA, and answer your security questionnaire.