Security
Your trust. Our responsibility.

The security of your systems and your users' data is Chariow's top priority. We build our services with security measures in place and work with those who act in good faith to identify and report potential vulnerabilities.

Last updated: March 15, 2026

Our commitments
Protection. Transparency. Vigilance.

Encryption

TLS 1.3 in transit, AES-256 at rest. Your files are never accessible in plain text on our servers.

Infrastructure

Secure servers with automatic backups, geographic redundancy and continuous monitoring.

24/7 Monitoring

Every suspicious activity triggers an alert and an immediate investigation by our team.

Chariow is committed to protecting its users' data through rigorous technical and organizational measures. All communications between your browser and our servers are encrypted. Digital files hosted on our platform are stored encrypted at rest on a secure cloud infrastructure with strict access controls.

In the event of a security incident, we immediately activate our response protocol: threat isolation, in-depth investigation, notification of affected users as quickly as possible and deployment of corrective measures. Transparency guides each of our actions.

Responsible policy
Collaborating for a safer platform

Purpose

At Chariow, our mission is to enable content creators to easily sell their digital products. The trust of our users is at the heart of this mission. We have put in place a responsible disclosure program to collaborate with security researchers and help us identify potential vulnerabilities in our services.

If you discover a vulnerability affecting multiple services, we encourage you to report it separately to each program concerned. This allows each service to handle the issue independently.

Systems scope

This policy covers information domains, applications and websites accessible via the Internet intended, operated or controlled by Chariow, including all associated subdomains. When a third-party Bug Bounty program applies, third-party systems are outside the scope of responsible delegation.

Bug Bounty rules, at Chariow's discretion:
  • General security best practices on SSL/TLS configurations are generally out of scope
  • Expected behaviors in terms of password complexity
  • Rate limiting issues unrelated to unprotected access points
  • Social injection, cookieless phishing resources
  • Account takeovers, including brute force attacks on low-risk resources
  • Clickjacking on non-login form pages
  • Hijacking of potentially available or expired domains
  • Open source intelligence (OSINT) data
  • Any vulnerability whose evidence requires a conciliatory agreement within a 30-day window

You are not required to be able to exploit bugs you discover outside the scope of this policy, but we encourage providing proof of concept.

Vulnerability scope

This policy covers technical vulnerabilities targeting our Systems including (but not limited to): SQL injections, XSS (Cross-Site Scripting), privilege escalation, CSRF (Cross-Site Request Forgery), IDOR (Insecure Direct Object Reference), insecure deserialization.

Excluded from this policy, at Chariow's discretion:
  • General security best practices on SSL/TLS configurations are generally out of scope
  • Expected behaviors in terms of password complexity
  • Rate limiting issues on unprotected access points
  • Social injection, cookieless phishing resources
  • Account takeovers, including brute force attacks on low-risk resources
  • Clickjacking on non-login form pages
  • Hijacking of potentially available or expired domains
  • Open source intelligence (OSINT) data
  • Any vulnerability whose evidence requires a conciliatory agreement within 30 days

How to submit a report

If you discover a security vulnerability in a Chariow system, report it promptly to [email protected]. Include a detailed summary and any supporting evidence (logs, code, proof of concept) to help us understand, validate, reproduce and respond quickly.

At minimum, your report should contain the following information:

  • The type and severity of the vulnerability.
  • Technical details associated with the vulnerability.
  • A summary of the vulnerability.
  • Steps to reproduce the vulnerability.
  • The URL or location of the vulnerability.
  • Proof of concept scripts, screenshots or recordings.
  • If applicable, potential impacts on the Information System.
  • Any recommended corrective action.

We ask that each report be written clearly, contain only one vulnerability per submission and mention any intention of public disclosure. The more detailed and clear your report, the better we will be able to investigate and respond effectively.

Research guidelines

While we reserve the right to determine whether you are acting in good faith in accordance with this policy, we will generally presume your good faith if you follow these rules:

  • You test Information Systems solely for the purpose of identifying a potential vulnerability and reporting it.
  • You avoid causing any damage to Information Systems, including any destruction, use or acquisition of data, any disruption to systems or user experience, and any violation of the privacy of our clients or employees.
  • You do not exploit a vulnerability beyond the minimum necessary to reasonably demonstrate its existence.
  • You do not access, acquire or use the content of communications, data or information transmitted or stored on Information Systems, except inadvertently.
  • You do not retain any collected data. In the event of inadvertent access to data, you report it in your submission.
  • You do not disclose the existence or details of a vulnerability to a third party or the public before receiving our prior written consent.
  • You do not compromise any account that does not belong to you.
  • You do not conduct any social engineering attacks (phishing, vishing, etc.) against Chariow employees, contractors or representatives.
  • You do not demand payment or compensation as a condition of disclosure, and you do not threaten to disclose the vulnerability irresponsibly.
  • You comply at all times with all applicable laws and regulations in the context of your research activities.

If you have questions about this policy or whether your research complies with these guidelines, contact [email protected] before proceeding.

What you can expect from us

All reports submitted in good faith will be considered. When you responsibly report a vulnerability, we commit to:

  • Acknowledging receipt of your report within a reasonable time and regularly communicating progress during investigation and resolution
  • Taking your report in good faith by developing mutual trust, while staying within best practices and legal framework
  • After your report, establishing your name and contribution in a public acknowledgment based on your disclosure preferences
  • With your agreement, attributing your name and contribution in our public communications
  • With your agreement, mentioning your name and contribution in our researcher list or Hall of Fame
  • Being transparent about resolution timelines and informing you once the vulnerability is fixed

Legal protection (Safe Harbor)

If, in our judgment, you make a good faith effort to research and disclose security findings in accordance with our research and disclosure guidelines, we commit to:

  • Not initiating civil proceedings or legal action against you regarding your responsible disclosure
  • Extending the same protection against intentional measures under privacy and personal data laws
  • Informing authorities that your report is part of a good faith initiative to help us identify and fix security issues

You will benefit from this legal protection as long as your disclosure is intentional and in good faith, and you follow our research guidelines.

Modifications to this policy

We reserve the right to modify this policy at any time and publish it on this site. Developers will be kept up to date to maintain the policy as of the effective date of updates.

Thank you to those who strengthen our security

We would like to thank the following security researchers for their responsible contribution to strengthening Chariow's security.

If you would like to be listed here, please contact us after submitting a valid report at [email protected]. This will allow our team to add you to this list after your vulnerability has been resolved.

A question about security?
Our security team is available to help you. Vulnerabilities can be reported confidentially.
Chariow is a service of Axa Zara LLC, an American company registered in the State of Delaware. Axa Zara LLC is a technology company acting as a software service provider, but not as a payment service provider or merchant of record. Payment and billing services are provided by approved service providers in partnership with MiMo Global Inc and its affiliates. Contact us at [email protected] if you have any questions.
Copyright © 2026 Chariow - Axa Zara LLC. All rights reserved