Security Overview
Last updated: 10/06/2026
Security and privacy-by-design are core to how Chamelix, operated by ArizenLab S.r.l.s., is built. This page gives a high-level overview of the controls we use to protect customer data. It is intentionally general and does not disclose implementation details.
Encryption in transit
Traffic to the Platform is served over HTTPS, with HTTP Strict Transport Security enabled. Connections to our database and storage providers use encrypted transport.
Access control and authentication
Access to the Platform requires authentication. Access to data is governed by role-based permissions, so that each user sees only what their role allows. Administrative access is limited to a small, known set of accounts.
Tenant isolation
Chamelix is multi-tenant: each organization's data (its customers, bookings, documents, certificates, logs, and settings) is logically separated, and access is scoped to the organization the user belongs to. Requests are authorized on the server; restricted data is not merely hidden in the interface.
Document and certificate protection
Medical and fitness certificates are treated as sensitive data. They are kept in private storage, are never exposed through public links, and are served only through short-lived access that expires. Access to certificates is restricted to the certificate's owner and the authorized staff of the relevant organization.
Audit logging
Sensitive operations — including legal-document acceptance, privacy acknowledgements, and certificate operations — are recorded in tamper-resistant, organization-scoped audit logs.
Backup and recovery
Data is backed up by our infrastructure providers. Note that deleted files may remain recoverable from storage backups or from soft-delete for a limited period; see the Privacy Policy for details on retention and on recovery of deleted data.
Vendor and subprocessor review
We use a limited set of vetted subprocessors and review their data-protection posture. The current list is published on our Subprocessors page.
Reporting a security issue
If you believe you have found a security vulnerability, please contact us at app@chamelix.it. We ask that you give us a reasonable opportunity to investigate and remediate before any public disclosure.