Security & Compliance

Enterprise-Grade
Trust & Security

FinOps Co-Pilot is built with security at every layer — from credential encryption to immutable audit trails and SOC 2 readiness.

Start Free TrialSee Features →
🔑Credential Handling
Mixed Trust
[system] Initiating AssumeRole...
[aws-sts] Validating trust policy
AWS token issued / Azure-GCP secrets remain encrypted
Cross-Account AuthNo plaintext exposure
🔒Data Security
TLS 1.3
AES-256
All database volumes, snapshots, and backups are encrypted at rest using KMS.
At RestIn Transit
📋Compliance Status
Mapped
SOC 2 Ready
Controls aligned to CC1–CC9, certification in progress
SecurityAvailabilityConfidentiality
SOC 2Readiness
99.9%Uptime SLA
AES-256Encryption at Rest
TLS 1.3Data in Transit
0Plaintext Secrets
Core Principles

Security by Design, Not Afterthought

Four foundational principles guide every architectural and product decision.

🔐

Zero Trust by Default

No implicit access. Every API call is authenticated, authorized, and rate-limited.

🗝️

No Plaintext Secrets

AWS uses AssumeRole, while Azure and GCP credentials are encrypted at rest and never exposed in logs, API responses, or the UI.

📝

Immutable Audit Trail

Every action, decision, and data access is logged with actor, timestamp, payload, and outcome. Logs cannot be modified or deleted.

🛡️

Defense in Depth

Multiple independent security layers — authentication, authorization, execution safety, rate limiting, and protected resources.

Data Flow

How Your Data Moves Through the Platform

From connection to action — every step is encrypted, audited, and gated.

1

Connect

Provider-native trust models with no plaintext credential exposure

AWS: AssumeRole with ExternalID. Azure: encrypted Service Principal. GCP: encrypted Service Account JWT.

2

Ingest

Cost data pulled via official cloud APIs

AWS Cost Explorer, Azure Cost Management API, GCP BigQuery billing export — always read-only.

3

Process

Data normalized, analyzed, and stored encrypted

Cost metadata is encrypted at rest, encrypted in transit, and processed inside isolated application environments.

4

Act

Remediation requires human approval

Write operations gated by approval workflow. Protected tags exclude critical resources. Rate limited to 10 actions/min.

Controls

9 Security Control Layers

Every layer of the platform is designed with defense-in-depth principles.

🔑Access
Authentication
JWT sessions, OAuth (Google, GitHub, Azure AD), SSO/SCIM (Enterprise)
🎫Access
Authorization
Dual-layer RBAC: page permissions (navigation) + action permissions (operations)
🔒Data
Credential Storage
Fernet symmetric encryption (AES-128-CBC + HMAC-SHA256) — zero plaintext persistence
🎟️Access
API Tokens
SHA-256 hashed, show-once creation, configurable expiry, instant revocation
Runtime
Execution Safety
Single-use JTI tokens, replay prevention, approval gates for all write operations
✍️Integration
Webhook Signing
HMAC-SHA256 per-subscription signing secrets
⏱️Runtime
Rate Limiting
Per-IP and per-route limits with elevated thresholds for compute-heavy endpoints
📋Compliance
Audit Trail
Immutable action and decision logging with actor, timestamp, and payload details
Compliance
Compliance
SOC 2 readiness framework (CC1–CC9), 99.9% uptime SLA with service credits
Encryption

Encryption at Every Layer

LayerMethodScope
Data at RestAES-256 encryptionAll database fields and stored files
Data in TransitTLS 1.3All API calls, webhooks, and integrations
CredentialsFernet (AES-128-CBC + HMAC-SHA256)Cloud connection credentials
API TokensSHA-256 hashUser and service API tokens
Webhook SignaturesHMAC-SHA256Per-subscription signing secrets
Credential Handling

Provider-Specific Trust Models

AWS, Azure, and GCP are handled differently, but every path avoids plaintext exposure and keeps execution behind approval gates.

ProviderMethodHandling
AWSIAM AssumeRoleNo static access keys required or stored
AzureEncrypted Service PrincipalStored encrypted, never exposed in logs or UI responses
GCPEncrypted Service Account JWTStored encrypted, never exposed in logs or API payloads
ExecutionApproval-gated write pathAll remediations and purchases require explicit approval before live execution
Access Control

Dual-Layer RBAC

Page-level visibility and action-level permissions — independently configurable per role.

RolePagesActionsDescription
ViewerDashboard, FindingsView-onlyRead-only access to cost data and findings
AnalystAll except AdminScan, Query, ForecastRun analyses but cannot execute changes
OperatorAll except AdminScan, Query, Approve, RemediateFull operational capabilities within team scope
AdminAll pagesAll actions + SettingsWorkspace management, API keys, integrations
Compliance

SOC 2 Readiness Framework

Coverage across all 9 Common Criteria (CC1–CC9) with built-in compliance controls.

CC1
Ready

Control Environment

RBAC, role definitions, organizational policies

CC2
Ready

Communication & Information

Audit trails, user notifications, system alerts

CC3
Ready

Risk Assessment

Risk scoring, anomaly detection, policy evaluation

CC4
Ready

Monitoring Activities

Real-time monitoring, health checks, uptime tracking

CC5
Ready

Control Activities

Approval gates, execution safety, rate limiting

CC6
Ready

Logical Access

JWT auth, OAuth, API token hashing, credential encryption

CC7
Ready

System Operations

Event bus, webhook delivery, outbox pattern

CC8
Ready

Change Management

PR analysis, policy enforcement, configuration auditing

CC9
Ready

Risk Mitigation

Protected tags, dry-run mode, dead-letter queues

Vs. Alternatives

How We Compare

The only option in this comparison that combines AI operations, commitment purchasing, policy enforcement, and governed remediation in one product.

CapabilityCloudHealthInfracostKubecostFinOps Co-Pilot
Multi-Cloud Spend
Pre-Merge PR Analysis
K8s Cost Attribution
AI Conversational Interface
Automated Remediationlimited
Commitment Purchasing
Predictive Forecastingbasicbasic
ChatOps Approvals
Event Bus / Webhookslimited
Policy Enginebasicbasic
Starting Price$$$$Free (limited)Free (limited)$49/mo

Security FAQs

Does FinOps Co-Pilot store our cloud credentials?

AWS uses IAM AssumeRole, so no static access keys are stored. Azure and GCP credentials are stored encrypted at rest using Fernet and are never exposed in logs, API responses, or the UI.

What data do you access?

Only cost and usage metadata. We read from Cost Explorer, Cost Management API, and BigQuery billing exports. We never access your application data, logs, or secrets.

Can auto-remediation break production?

We have multiple safety layers: protected-tag exclusion, human approval gates, rate limiting (10 actions/min), and dry-run mode. Critical resources tagged as protected are never touched.

Are you SOC 2 certified?

We built the platform for SOC 2 readiness from day one, with controls mapped to all 9 Common Criteria (CC1–CC9). Formal certification is in progress.

How do you handle data residency?

Cost data is processed and stored in the region you choose during onboarding. Enterprise plans support custom data residency requirements.

What happens if you have a breach?

Because AWS uses AssumeRole and Azure/GCP credentials are encrypted with strict exposure controls, the blast radius is limited to cost metadata and approved execution paths. Incident response, notification, and immutable audit trails support forensic review.

Secure. Compliant. Ready.

Start your free trial with enterprise-grade security from day one.

Start Free TrialView Pricing →