SECURE BY DESIGN

Read-only by construction.

Costframe cannot modify your cloud resources, delete infrastructure, or read application data. The Azure, AWS, and GCP clients are built read-only, so the boundary is structural, not a policy promise.

01 · SECURE IDENTITY & ROLE PERMISSIONS

Clear, bounded permissions.

Least-privilege read-only permissions: Azure Service Principals (Reader + Cost Management Reader), AWS IAM Roles (read-only audit scopes), and GCP Workload Identity Federation. All roles are configured on your side, so scopes are enforced directly by your cloud providers, not by our promises.

Requested & Allowed Scopes

Azure Service Principal Roles · Scope: Reader + Cost Management Reader

Used to safely inspect resource inventory, SKU types, utilization metrics, and cost management records across connected Azure subscriptions.

AWS IAM Audit Role · Scope: Auditable Read-Only Permissions

Used to analyze resource parameters and gather cost datasets under a secure, customer-controlled External ID policy.

GCP Workload Identity / Service Account · Scope: OIDC / BigQuery Billing Read Scope

Used to securely connect Google Cloud billing exports and query resource configurations without long-lived credentials.

Refused & Blocked Scopes

Contributor / Owner / Write Roles

Write or update permissions are strictly refused. Ingestion clients across Azure, AWS, and GCP are structurally read-only, preventing any resource modification or deployment.

Storage / Database Payload Access

We never request write or deletion access on storage blocks, databases, or keys. We ingest cost metadata only, never raw application or customer database payloads.
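Because the AWS role is created on the customer side, its two policy documents can be checked before the role is handed over. The following is an added example, not Costframe's code or its published policy: the function names, the read-only verb allowlist and the list of data-plane reads are assumptions, and the sample documents are constructed.

```javascript
// Assumed allowlist of read-only verbs and sample denylist of data-plane reads; tune both.
const READ_VERBS = /^(Get|List|Describe|BatchGet)/i;
const PAYLOAD_READS = ['s3:GetObject', 'dynamodb:GetItem', 'dynamodb:Query', 'dynamodb:Scan',
  'secretsmanager:GetSecretValue', 'ssm:GetParameter', 'kms:Decrypt'];

const asArray = (v) => (v === undefined ? [] : Array.isArray(v) ? v : [v]);
// IAM action patterns: "*" matches any run of characters, "?" exactly one; matching ignores case.
const globToRegex = (g) => new RegExp('^' + g.replace(/[.+^${}()|[\]\\]/g, '\\$&')
  .replace(/\*/g, '.*').replace(/\?/g, '.') + '$', 'i');

// Flags Allow statements that grant non-read verbs or whose patterns cover payload reads.
function auditPermissionPolicy(policy) {
  const findings = [];
  for (const st of asArray(policy.Statement)) {
    if (st.Effect !== 'Allow') continue;
    if (st.NotAction) findings.push('NotAction in an Allow statement');
    for (const action of asArray(st.Action)) {
      const verb = action.slice(action.indexOf(':') + 1);
      if (!READ_VERBS.test(verb)) findings.push(`not read-only: ${action}`);
      const hit = PAYLOAD_READS.find((p) => globToRegex(action).test(p));
      if (hit) findings.push(`payload read: ${action} matches ${hit}`);
    }
  }
  return findings;
}

// Flags trust statements that let the role be assumed without an External ID condition.
function auditTrustPolicy(policy) {
  const findings = [];
  for (const st of asArray(policy.Statement)) {
    if (st.Effect !== 'Allow' || !asArray(st.Action).includes('sts:AssumeRole')) continue;
    if (!st.Condition?.StringEquals?.['sts:ExternalId']) {
      findings.push('sts:AssumeRole allowed without an sts:ExternalId condition');
    }
  }
  return findings;
}

// Constructed sample documents, not taken from any real account or from Costframe.
const samplePermissions = { Version: '2012-10-17', Statement: [{ Effect: 'Allow', Resource: '*',
  Action: ['ce:GetCostAndUsage', 'ec2:Describe*', 's3:Get*', 'ec2:StopInstances'] }] };
const sampleTrust = { Version: '2012-10-17', Statement: [{ Effect: 'Allow', Action: 'sts:AssumeRole',
  Principal: { AWS: 'arn:aws:iam::111122223333:root' } }] };
```

On the sample input, `s3:Get*` passes the verb check but is still reported because it covers `s3:GetObject`: a read-only role is not automatically a metadata-only role.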

02 · DATA-FLOW PIPELINE

Where credentials touch.

Service Principal keys are decrypted in one place: inside worker processes. The public-facing API never holds decrypted credentials in memory.

Vault security structure · decrypted inside workers
Step 01: Client Browser (Clerk JWT · Org Scoped)

Every request carries a Clerk JWT. The organization ID is read from the verified token, never from the request body, so one tenant cannot address another's data.

Step 02: NestJS API Gateway (SSL/TLS · Envelope Encryption)

Submitted Service Principal, IAM role configurations, and access keys are encrypted with AES-256-GCM before they are stored. The API does not decrypt them.

Step 03: BullMQ / Redis (Task Queue · Reference Only)

Audit jobs are dispatched to workers by reference ID. Credentials, decrypted payloads, and billing records never enter the queue.

Step 04: Isolated Workers (AES-256-GCM In-Memory Decryption)

Workers are the only processes that decrypt credentials, in memory and only while a job runs. They are separate from the public-facing web servers.

Step 05: Cloud Provider REST APIs (HTTPS REST APIs · Read-Only Scopes)

Workers query cloud endpoints over TLS using only read-only roles and APIs. Resulting metadata is stored in Postgres with deny-by-default row-level security.
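One way to obtain the properties described in steps 02 to 04 (the API encrypts but cannot decrypt, the queue carries a reference only, the worker decrypts in memory), shown as an added example that is not Costframe's code. It assumes envelope encryption with an RSA-OAEP key pair whose private half exists only in the worker; `apiStoreCredential`, `workerRunJob`, `store` and `queue` are hypothetical names, and in-memory structures stand in for Postgres and BullMQ.

```javascript
const nodeCrypto = require('node:crypto');

// Assumption: the worker tier owns this RSA key pair; the API tier is given only publicKey.
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const OAEP = { padding: nodeCrypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

const store = new Map(); // stands in for the credentials table in Postgres
const queue = [];        // stands in for the BullMQ/Redis queue

// API tier: encrypts under a fresh data key, wraps that key with the public key, stores, enqueues.
// orgId is assumed to come from the verified token, never from the request body.
function apiStoreCredential(orgId, connectionId, secret) {
  const dek = nodeCrypto.randomBytes(32); // per-record AES-256 data key
  const iv = nodeCrypto.randomBytes(12);  // 96-bit GCM nonce, fresh per encryption
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', dek, iv);
  cipher.setAAD(Buffer.from(`${orgId}:${connectionId}`)); // bind ciphertext to tenant and row
  const ct = Buffer.concat([cipher.update(secret, 'utf8'), cipher.final()]);
  const wrappedDek = nodeCrypto.publicEncrypt({ key: publicKey, ...OAEP }, dek);
  dek.fill(0); // best-effort wipe of the data key buffer; only the wrapped copy is stored
  store.set(connectionId, { iv, ct, tag: cipher.getAuthTag(), wrappedDek });
  const job = { orgId, connectionId }; // reference only: no secret, no key
  queue.push(job);
  return job;
}

// Worker tier: unwraps the data key and decrypts in memory for the duration of one job.
function workerRunJob(job) {
  const rec = store.get(job.connectionId);
  if (!rec) throw new Error('unknown connection');
  const dek = nodeCrypto.privateDecrypt({ key: privateKey, ...OAEP }, rec.wrappedDek);
  try {
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', dek, rec.iv);
    decipher.setAAD(Buffer.from(`${job.orgId}:${job.connectionId}`));
    decipher.setAuthTag(rec.tag);
    // final() throws if the tag, ciphertext or AAD (tenant binding) does not match
    return Buffer.concat([decipher.update(rec.ct), decipher.final()]).toString('utf8');
  } finally {
    dek.fill(0);
  }
}
```

Binding the organization and connection IDs as GCM associated data means a job that names another tenant's connection fails authentication instead of returning plaintext.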

03 · CRYPTOGRAPHY & ISOLATION

Security specifications

How credential storage, tenant isolation, billing, and operator access work in production. Each claim maps to a specific mechanism.

Credential Isolation

Credentials are encrypted with AES-256-GCM at rest. Decryption happens only inside worker processes, never in the web or API tier.

Multi-Tenancy

The organization comes from the verified Clerk JWT on every call. Every database query filters by organizationId, reinforced by row-level security policies.

No-Write Code Paths

The Azure, AWS, and GCP packages construct read-only clients exclusively. No write client is imported anywhere, so an accidental write is not a bug we could ship.

Billing Integrity

Payments run through Stripe. Costframe never handles or stores card details or bank credentials.

Data Deletion & Revocation

Deleting a connection purges its credentials from our storage. Revoking the Service Principal, IAM role, or OIDC federation on your side cuts access completely.

Operator Access

Platform administrators have cross-tenant read-only access, limited to an explicit PLATFORM_ADMIN_USER_IDS allowlist read by the API.

04 · TRANSPARENT LIMITATIONS

What Costframe cannot do.

Costframe analyzes cost and utilization data. It does not touch infrastructure, and the limits below are structural, not configuration.

Here is what is mechanically impossible for Costframe to do in your Azure, AWS, and GCP subscriptions:

No Resource State Changes

We cannot shut down virtual machines, pause Kubernetes clusters, delete snapshots, or alter scale sets.

No Network & Security Access

We cannot adjust Network Security Group (NSG) rules, modify firewall scopes, or change routing configurations.

No Active Node Deployment

We cannot deploy new nodes, allocate databases, provision subscription limits, or scale pricing tiers.

05 · TRUST FAQ

Frequently asked security questions

Is Costframe SOC-2 Certified?

Aligned. Costframe is built from day one in strict alignment with SOC-2 Type II trust principles, including robust environment separation, encryption at rest, and least-privilege access, in preparation for formal third-party audits.

How is my data deleted?

Deleting a connection in your settings purges its credentials from our database. To sever access on your cloud provider side as well, revoke the Azure Service Principal, AWS IAM role, or GCP Workload Identity Federation OIDC connection.

Does Costframe collect or read database payloads?

No. Costframe queries read-only cloud APIs for resource metadata (ARM, AWS Config, GCP Cloud APIs), utilization metrics, and billing exports. There is no mechanism to query your application databases, file shares, or user data.

Who should I contact for a formal security review?

Use the contact page to scope a review. We complete security worksheets and provide architecture detail for enterprise evaluations.
