SECURE BY DESIGN
Read-only by construction.
Costframe cannot modify your cloud resources, delete infrastructure, or read application data. The Azure, AWS, and GCP clients are built read-only, so the boundary is structural, not a policy promise.
Clear, bounded permissions.
Least-privilege read-only permissions: Azure Service Principals (Reader + Cost Management Reader), AWS IAM Roles (read-only audit scopes), and GCP Workload Identity Federation. All roles are configured on your side, so scopes are enforced directly by your cloud providers, not by our promises.
Requested & Allowed Scopes

Used to safely inspect resource inventory, SKU types, utilization metrics, and cost management records across connected Azure subscriptions.
Used to analyze resource parameters and gather cost datasets under a secure, customer-controlled External ID policy.
Used to securely connect Google Cloud billing exports and query resource configurations without long-lived credentials.
Refused & Blocked Scopes
Write or update permissions are strictly refused. Ingestion clients across Azure, AWS, and GCP are structurally read-only, preventing any resource modification or deployment.
We never request write or deletion access on storage blocks, databases, or keys. We ingest cost metadata only, never raw application or customer database payloads.
Where credentials touch.
Service Principal keys are decrypted in one place: inside worker processes. The public-facing API never holds decrypted credentials in memory.

Client Browser
Every request carries a Clerk JWT. The organization ID is read from the verified token, never from the request body, so one tenant cannot address another's data.
NestJS API Gateway
Submitted Service Principal, IAM role configurations, and access keys are encrypted with AES-256-GCM before they are stored. The API does not decrypt them.
BullMQ / Redis
Audit jobs are dispatched to workers by reference ID. Credentials, decrypted payloads, and billing records never enter the queue.
Isolated Workers
Workers are the only processes that decrypt credentials, in memory and only while a job runs. They are separate from the public-facing web servers.
Cloud Provider REST APIs
Workers query cloud endpoints over TLS using only read-only roles and APIs. Resulting metadata is stored in Postgres with deny-by-default row-level security.
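The credential path described above, modelled in TypeScript with node:crypto as an added example (not Costframe's code): the API tier encrypts with AES-256-GCM and stores ciphertext only, the queue message carries a reference ID, and only the worker holds the key that decrypts. Binding the organizationId as GCM additional authenticated data is an addition of mine, not something the page states: a stored row re-filed under another tenant then fails the tag check instead of decrypting. The key, store and queue are constructed stand-ins.

```typescript
// Added example (not Costframe's code): API encrypts, queue carries a reference,
// worker decrypts. organizationId as AAD is my addition, see lead-in.
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

interface StoredCredential { organizationId: string; iv: string; tag: string; ciphertext: string }
interface AuditJob { connectionId: string }

// Constructed 32-byte key; in production it would be present only in the worker environment.
export const WORKER_KEY = Buffer.alloc(32, 7);
const store = new Map<string, StoredCredential>();   // stands in for the Postgres table

export function encryptForStorage(organizationId: string, secret: string, key: Buffer): StoredCredential {
  const iv = randomBytes(12);                       // fresh 96-bit nonce per encryption
  const cipher = createCipheriv("aes-256-gcm", key, iv);
  cipher.setAAD(Buffer.from(organizationId));      // tenant id is authenticated, not encrypted
  const ct = Buffer.concat([cipher.update(secret, "utf8"), cipher.final()]);
  return { organizationId, iv: iv.toString("base64"), tag: cipher.getAuthTag().toString("base64"),
           ciphertext: ct.toString("base64") };
}

export function decryptInWorker(row: StoredCredential, key: Buffer): string {
  const decipher = createDecipheriv("aes-256-gcm", key, Buffer.from(row.iv, "base64"));
  decipher.setAAD(Buffer.from(row.organizationId));
  decipher.setAuthTag(Buffer.from(row.tag, "base64"));
  // final() throws on a bad tag: wrong key, altered ciphertext, or a swapped tenant id
  return Buffer.concat([decipher.update(Buffer.from(row.ciphertext, "base64")), decipher.final()]).toString("utf8");
}

// API tier: encrypt, store, and enqueue a reference. The job never contains the secret.
export function apiSubmitConnection(organizationId: string, connectionId: string, secret: string): AuditJob {
  store.set(connectionId, encryptForStorage(organizationId, secret, WORKER_KEY));
  return { connectionId };
}

// Worker: resolve the reference, check it belongs to the job's tenant, decrypt in memory,
// hand the plaintext to a read-only cloud client, and let it go out of scope afterwards.
export function workerDecryptForJob(job: AuditJob, organizationId: string): string {
  const row = store.get(job.connectionId);
  if (!row || row.organizationId !== organizationId) throw new Error("unknown connection for tenant");
  return decryptInWorker(row, WORKER_KEY);
}
```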
Security specifications
How credential storage, tenant isolation, billing, and operator access work in production. Each claim maps to a specific mechanism.
Credentials are encrypted with AES-256-GCM at rest. Decryption happens only inside worker processes, never in the web or API tier.
The organization comes from the verified Clerk JWT on every call. Every database query filters by organizationId, reinforced by row-level security policies.
The Azure, AWS, and GCP packages construct read-only clients exclusively. No write client is imported anywhere, so an accidental write is not a bug we could ship.
Payments run through Stripe. Costframe never handles or stores card details or bank credentials.
Deleting a connection purges its credentials from our storage. Revoking the Service Principal, IAM role, or OIDC federation on your side cuts access completely.
Platform administrators have cross-tenant read-only access, limited to an explicit PLATFORM_ADMIN_USER_IDS allowlist read by the API.
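The tenant-scoping rule above (organization from the verified token, never from the request body, every query filtered by organizationId) as an added TypeScript example that is not Costframe's code. Clerk issues and verifies the real JWT; a minimal HS256 verifier stands in for it so the block runs offline, and the `org_id` claim name, signing key, and rows are constructed assumptions. The repository's refusal of an unfiltered query stands in for the deny-by-default row-level security policy.

```typescript
// Added example (not Costframe's code): tenant comes from verified claims, not the body.
import { createHmac, timingSafeEqual } from "node:crypto";

const b64url = (b: Buffer): string => b.toString("base64url");
export const SIGNING_KEY = "constructed-test-key";   // stand-in; Clerk uses asymmetric keys

export function signToken(claims: Record<string, unknown>, key: string): string {
  const head = b64url(Buffer.from(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = b64url(Buffer.from(JSON.stringify(claims)));
  const sig = b64url(createHmac("sha256", key).update(`${head}.${body}`).digest());
  return `${head}.${body}.${sig}`;
}

// Minimal verifier standing in for Clerk: signature, expiry, and presence of a tenant claim.
export function verifyToken(token: string, key: string): { sub: string; org_id: string } {
  const [head, body, sig] = token.split(".");
  if (!head || !body || !sig) throw new Error("malformed token");
  const expected = createHmac("sha256", key).update(`${head}.${body}`).digest();
  const got = Buffer.from(sig, "base64url");
  if (got.length !== expected.length || !timingSafeEqual(got, expected)) throw new Error("bad signature");
  const claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  if (typeof claims.exp !== "number" || claims.exp * 1000 < Date.now()) throw new Error("expired");
  if (typeof claims.org_id !== "string") throw new Error("token has no organization");
  return { sub: String(claims.sub), org_id: claims.org_id };
}

// Constructed rows standing in for the connections table.
interface Connection { id: string; organizationId: string; provider: string }
const ROWS: Connection[] = [
  { id: "conn_1", organizationId: "org_A", provider: "azure" },
  { id: "conn_2", organizationId: "org_B", provider: "aws" },
];

// Every read passes through here and must carry the tenant from the auth context.
function findConnections(organizationId: string): Connection[] {
  if (!organizationId) throw new Error("refusing query without tenant filter");   // deny by default
  return ROWS.filter((r) => r.organizationId === organizationId);
}

// The body may claim any organizationId; the handler never reads it.
export function listConnections(authHeader: string, _body: { organizationId?: string }): string[] {
  const token = authHeader.replace(/^Bearer\s+/i, "");
  const { org_id } = verifyToken(token, SIGNING_KEY);
  return findConnections(org_id).map((c) => c.id);
}
```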
What Costframe cannot do.
Costframe analyzes cost and utilization data. It does not touch infrastructure, and the limits below are structural, not configuration.
Here is what is mechanically impossible for Costframe to do in your Azure, AWS, and GCP subscriptions:
No Resource State Changes
We cannot shut down virtual machines, pause Kubernetes clusters, delete snapshots, or alter scale sets.
No Network & Security Access
We cannot adjust Network Security Group (NSG) rules, modify firewall scopes, or change routing configurations.
No Active Node Deployment
We cannot deploy new nodes, allocate databases, provision subscription limits, or scale pricing tiers.
Frequently asked security questions
Is Costframe SOC-2 Certified?
Aligned. Costframe is built from day one in strict alignment with SOC-2 Type II trust principles, including environment separation, encryption at rest, and least-privilege access, in preparation for formal third-party audits.
How is my data deleted?
Deleting a connection in your settings purges its credentials from our database. To sever access on your cloud provider side as well, revoke the Azure Service Principal, AWS IAM role, or GCP Workload Identity Federation OIDC connection.
Does Costframe collect or read database payloads?
No. Costframe queries read-only cloud APIs for resource metadata (ARM, AWS Config, GCP Cloud APIs), utilization metrics, and billing exports. There is no mechanism to query your application databases, file shares, or user data.
Who should I contact for a formal security review?
Use the contact page to scope a review. We complete security worksheets and provide architecture detail for enterprise evaluations.
Turn cloud waste into a verified action list.
Configure read-only access, run the first audit, and review the findings with engineering and finance at the same table.
