How We Protect Your Data
With the recommended IAM-role connection, CloudArq never holds long-lived credentials — scans use ExternalId-scoped STS AssumeRole. Access-key connections are supported as a fallback; keys are stored AES-256-GCM-encrypted. CloudArq never reads the data inside your resources. The full role policy is published below.
How We Access Your AWS Account
The recommended connection uses an AWS IAM Role with STS AssumeRole — the same mechanism AWS recommends for cross-account access — so CloudArq never holds long-lived credentials. Access-key connections are a supported fallback; keys are stored AES-256-GCM-encrypted, never in plaintext.
You create a read-only IAM Role
In your AWS account, you create a role with only the permissions CloudArq needs. We provide the CloudFormation template.
STS AssumeRole with External ID
CloudArq assumes the role using AWS STS with your unique External ID — preventing confused deputy attacks. Credentials are temporary and expire in 1 hour.
Read-only scan, nothing stored
We scan your infrastructure using read-only API calls. No modifications are ever made. Temporary credentials are discarded after the scan completes.
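As an added illustration of the External ID check described above (this is not CloudArq's published role policy or code; the account ID, role ARN and External ID are constructed placeholders), the Python snippet below models how a role trust policy's sts:ExternalId condition rejects an AssumeRole request that lacks the correct External ID, even when the caller is the trusted scanner account:

```python
import json
from typing import Optional

# Constructed trust policy for the customer-side read-only role. The trusted
# account and the per-organisation External ID are placeholders, not real values.
TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "org-7f3a-placeholder"}},
    }],
})


def account_of(arn: str) -> str:
    """Return the 12-digit account ID field of an IAM/STS ARN."""
    return arn.split(":")[4]


def trust_policy_allows(policy_json: str, caller_arn: str,
                        external_id: Optional[str]) -> bool:
    """Simplified model of IAM trust-policy evaluation for sts:AssumeRole.

    A statement only matches when the caller's account is a trusted principal
    AND every StringEquals condition is satisfied. Omitting ExternalId leaves
    the sts:ExternalId key absent from the request context, so the condition
    fails: a third party that can drive the scanner but does not know this
    organisation's External ID cannot make it assume this role (the confused
    deputy case). Only account-root principals are modelled here.
    """
    policy = json.loads(policy_json)
    request_ctx = {} if external_id is None else {"sts:ExternalId": external_id}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if "sts:AssumeRole" not in actions:
            continue
        principals = stmt.get("Principal", {}).get("AWS", [])
        principals = [principals] if isinstance(principals, str) else principals
        if account_of(caller_arn) not in {account_of(p) for p in principals}:
            continue
        conditions = stmt.get("Condition", {}).get("StringEquals", {})
        if all(request_ctx.get(key) == value for key, value in conditions.items()):
            return True
    return False
```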
What we store, what we don't, where
We follow the principle of least privilege — collecting only what's needed and encrypting everything.
What We Store
Audit results, finding metadata, and compliance scores. We store the minimum data needed to show you results and track trends over time.
What We Never Store
Raw AWS credentials in plaintext, customer application data, database contents, S3 object data, or any secrets from your infrastructure.
Data Retention
Audit data is retained as long as your account is active. When you delete a connection or your account, all associated data is permanently removed within 30 days.
Security in Every Layer
Encryption at Rest
- AWS credentials, TOTP secrets, and per-org ExternalIds encrypted at rest with AES-256-GCM (random IV per operation)
- Encryption keys managed with strict access controls and rotation
- Automated daily database backups with retention policy
Encryption in Transit
- TLS 1.2 or higher enforced on all connections
- SSL termination via Cloudflare Full (Strict) mode
- HSTS enabled with preload for all domains
- Internal services communicate over an isolated Docker network
Credential Handling
- IAM Role-based access is the recommended method
- Access keys encrypted with AES before storage — never stored in plaintext
- External IDs prevent confused deputy attacks
- Temporary STS credentials expire after 1 hour
Infrastructure
- Hosted on a Hetzner dedicated server in Helsinki, Finland (EU)
- All services run in isolated Docker containers
- Network access restricted with strict firewall rules
- Content Security Policy headers enforced on all responses
Access Control
- Role-based access control (RBAC) with admin and client roles
- Two-factor authentication (TOTP) with backup codes
- JWT session management with short-lived access tokens
- Audit logging for all administrative actions
Application Security
- Rate limiting on all sensitive endpoints
- SQL injection prevention via parameterized queries (SQLAlchemy ORM)
- XSS prevention via strict CSP headers
- CORS restricted to authorized origins only
Security Contact
If you discover a security vulnerability or have concerns about our security practices, please contact us directly. We take every report seriously and respond per our coordinated disclosure policy.
[email protected]