Security

CloudCostIQ analyzes your cloud bill. The data is sensitive — it reveals what you run and where. Here's how we handle it.

Encryption

Every byte is encrypted in transit (HTTPS everywhere — your browser to us, your browser to object storage, our servers to every third-party API).

Every byte is encrypted at rest. Your uploaded CSVs and rendered PDFs sit on Cloudflare R2, which encrypts every object with AES-256 automatically. Your organization, membership, and analysis records live in Supabase Postgres, which encrypts the underlying disk and every backup.

Access control

Sign-in supports email one-time codes, password accounts, and configured OAuth providers. Once signed in, every database read goes through Postgres row-level security, which enforces that you can only see your own organization's data. Cross-tenant reads return zero rows, full stop. Cross-tenant writes are rejected by the database itself, not by our application code.

Owner-only screens (audit log, billing, organization settings) are gated server-side; non-owners can't reach them even by guessing URLs.
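To make the two guarantees above concrete (cross-tenant reads return zero rows; cross-tenant writes are rejected by the database, and owner-only actions can be gated by role), here is an added illustration of membership-scoped row-level security in the style Supabase Postgres supports. It is not CloudCostIQ's own schema: the table and column names (memberships, reports, org_id, user_id, role) are assumptions, and auth.uid() is Supabase's helper that returns the signed-in user's id from the request JWT.

```sql
-- Added example, not CloudCostIQ's schema. Table/column names are assumed.
create table memberships (
  org_id  uuid not null,
  user_id uuid not null,
  role    text not null check (role in ('owner', 'member')),
  primary key (org_id, user_id)
);

create table reports (
  id      uuid primary key default gen_random_uuid(),
  org_id  uuid not null,
  title   text not null
);

-- Turn RLS on and FORCE it so even the table-owning role cannot bypass it.
alter table memberships enable row level security;
alter table memberships force row level security;
alter table reports     enable row level security;
alter table reports     force row level security;

-- A user may see only their own membership rows (the policies below read this table).
create policy memberships_self on memberships
  for select using (user_id = auth.uid());

-- Reads: a SELECT against another tenant's reports is not an error; it returns zero rows.
create policy reports_read on reports
  for select using (
    exists (select 1 from memberships m
            where m.org_id = reports.org_id and m.user_id = auth.uid())
  );

-- Writes: WITH CHECK makes Postgres itself reject a row whose org_id the caller
-- does not belong to, independent of any application-side check.
create policy reports_insert on reports
  for insert with check (
    exists (select 1 from memberships m
            where m.org_id = reports.org_id and m.user_id = auth.uid())
  );

-- Owner-only operations are gated the same way, by membership role.
create policy reports_delete on reports
  for delete using (
    exists (select 1 from memberships m
            where m.org_id = reports.org_id
              and m.user_id = auth.uid()
              and m.role = 'owner')
  );
```

One caveat worth remembering: Supabase's service_role key bypasses RLS entirely, so any server-side code that uses it must enforce the same tenancy checks itself rather than relying on these policies.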

What touches your data

  • Cloudflare R2 — stores your uploaded CSVs and the PDFs we generate.
  • Supabase — stores your account, organization, and the structured metadata we derive from each report.
  • Anthropic — receives the aggregated, anonymized payload that drives the narrative on each report. Never raw line items, never resource IDs that identify your environment.
  • Stripe — handles billing. We never see your card details; they go directly to Stripe.
  • Resend — sends the report-ready email. Subject and link only — the report itself is fetched from our authenticated dashboard.

Cloud access boundary

CloudCostIQ reads billing data from a connected cloud account where that is configured, and falls back to file upload when cloud access is not yet in place. The product is designed to read cost and billing metadata, not to operate your infrastructure.

  • AWS: read-only Cost Explorer and billing metadata through an IAM role with external ID. No EC2, RDS, S3, IAM, or deployment write permissions are required.
  • Azure: recurring Cost Management ingestion uses a dedicated service principal with Cost Management Reader at subscription scope. The built-in Reader role is granted only where resource metadata is needed for owner and service context. Uploaded Cost Management exports remain supported when tenant approval is not ready.
  • Google Cloud: uploaded billing export CSVs are the recommended path today. Controlled live access should use Billing Account Viewer and BigQuery dataset read access only.

We do not resize, delete, start, stop, deploy, or purchase cloud resources. Savings Actions, remediation plans, and Executive Briefs are human-reviewed workflows. Verification comes before automation.

Public read-only setup examples are available at /cloud-permissions for AWS, Azure, and Google Cloud.

Audit trail

Every meaningful action — uploads, analyses, owner changes, recommendation decisions, reminders, downloads, billing events, and sign-ins — is recorded in an audit log scoped to your organization. Owners can review the full history at any time at /dashboard/audit. Audit data is retained indefinitely for forensic purposes.

Defense in depth

We ship a strict Content Security Policy that blocks unauthorized third-party scripts, an explicit origin check on the upload endpoint on top of cookie auth, signed download URLs that expire after fifteen minutes, and magic-byte verification on every uploaded file (so renaming a binary to .csv doesn't fool the parser). Stripe webhooks are signature-verified; Inngest workers use signed envelopes; secrets are rotated on a documented cadence.

Customer rights

Every report PDF is downloadable from the dashboard at any time. To delete your data, the org owner can delete the organization from Settings — this purges R2 objects under the organization prefix and cascades to every related database row.

What we do not yet have

We don't have a SOC 2 report or ISO 27001 certification. We don't support customer-managed encryption keys. We don't have a dedicated security team. These are real limits — they'll change as the company grows. For most teams the current posture is more than enough; if your procurement requires more, get in touch and we can talk about timeline.

Reporting an issue

If you find a security issue, please email [email protected]. We aim to acknowledge within one business day. Please don't publicly disclose until we've had a chance to patch.