Security Center

Enterprise-Grade Security
Built into Every Scan.

CloudFinOps operates on a Zero-Trust, Read-Only architecture. We provide deep financial visibility without ever compromising your infrastructure's integrity.

Version 5.1 (Enterprise) · ISO 27001 Aligned · SOC 2 Type II Controls

1. Architecture Overview

Our platform is engineered to be strictly non-intrusive. We use a unidirectional, read-only data flow ensuring client infrastructure remains isolated, immutable, and secure. Data flows from Client Cloud (AWS/Azure/GCP) to our Encrypted Storage via TLS 1.3 using a Secure Connector with Read-Only Roles.

Zero-Trust Principles

Assume Breach: We verify every request as if it originates from an open network.
Least Privilege Access: Services operate with the minimum permissions necessary.

2. Shared Responsibility Model

CloudFinOps Responsibilities

  • Security of SaaS application & code
  • Encryption of data (At-rest & Transit)
  • Patch management of infrastructure
  • Supply chain security of dependencies

Customer Responsibilities

  • Management of IAM Roles (Granting/Revoking)
  • Reviewing cost recommendations
  • Managing internal user access to dashboard

3. Identity & Access Management (IAM)

3.1 Zero-Trust Integration

We strictly use temporary credentials and role assumption. We never store long-term keys. For AWS, we utilize the External ID condition key to prevent the "Confused Deputy" problem.

AWS

Cross-account role assumption via STS. Requires only a role with the AWS-managed SecurityAudit policy attached.
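As an added illustration (not CloudFinOps' own code or trust policy), here is a weak AWS role trust policy beside one that adds the sts:ExternalId condition described above, plus a small check a customer can run over the trust policies of roles they grant to a vendor; the vendor account ID and External ID are constructed placeholders.

```python
# Constructed placeholders: not CloudFinOps' real account ID or any customer's External ID.
VENDOR_ACCOUNT_ID = "111122223333"
EXTERNAL_ID = "cfo-example-external-id"
# Weak trust policy: any principal in the vendor account may assume the role and
# nothing ties the request to this customer (confused-deputy exposure).
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
    }],
}

# Hardened trust policy: same principal, but AssumeRole succeeds only when the
# caller also presents the External ID agreed with this customer.
HARDENED_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

def _as_list(value):
    # IAM accepts a scalar or a list in most fields; normalise to a list.
    return [] if value is None else value if isinstance(value, list) else [value]

def trust_policy_findings(policy: dict, vendor_account_id: str) -> list:
    """Problems in a cross-account trust policy: wildcard or foreign principals, missing ExternalId."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        for p in aws:
            if p == "*":
                findings.append("wildcard principal allows any AWS account")
            elif vendor_account_id not in p:
                findings.append(f"unexpected principal: {p}")
        if not stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId"):
            findings.append("missing sts:ExternalId condition (confused-deputy risk)")
    return findings
```

The check covers the trust policy only; the permissions policy attached to the role should still be reviewed separately to confirm it is limited to SecurityAudit.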

Azure

Service Principal with built-in Reader role. No write access.

GCP

Service Account with Viewer role. Non-interactive access.

Technical Guarantee

The system is technically incapable of provisioning, modifying, or deleting resources. Any write attempt is rejected by the cloud provider APIs.

4. Data Protection & Governance

Encryption Standards

  • Data At Rest: AES-256-GCM encryption. Keys managed via AWS KMS with annual rotation.
  • Data In Transit: Strictly enforced TLS 1.3 (HSTS enabled). No plaintext connections allowed.

Data Retention & Deletion

Upon account termination, data deletion follows strict NIST SP 800-88 guidelines:

0-30 Days: Soft Delete (Recovery Window)
30+ Days: Permanent Cryptographic Erasure
Backups: Purged after 90 days

5. Application Security

SDLC Security

Code goes through SAST/DAST scanning before every deployment.

Vulnerability Management

Automated dependency scanning (SCA) for all libraries.

Penetration Testing

Annual third-party black-box penetration tests.

DDoS Protection

Enterprise-grade protection via AWS Shield & Cloudflare.

WAF Rules

Managed rulesets for SQLi, XSS, and common exploits.

Audit Logging

Immutable logs for all system access and actions.

6. Compliance & Certifications

SOC 2 Type II

Our infrastructure providers (AWS, Vercel, Supabase) are SOC 2 Type II certified. We inherit critical physical and network security controls.

ISO 27001

Security management aligned with ISO/IEC 27001:2022 standards. Regular internal audits ensure continuous compliance.

GDPR Ready · CCPA Compliant · DPDP Act 2023 · PCI-DSS Level 1 (Payment) · HIPAA Eligible

Contact Security Team

For security inquiries, audit reports, or responsible disclosure.

sambhav@cloudfinops.solutions

© 2026 CloudFinOps Inc. All rights reserved.