How We Protect Your Data
Security isn't a feature — it's the foundation of everything we build. CloudArq is designed from the ground up to protect your AWS credentials and audit data with industry-standard encryption and strict access controls.
How We Access Your AWS Account
CloudArq uses AWS IAM Roles with STS AssumeRole — the same mechanism AWS recommends for cross-account access. We never ask for or store long-lived credentials.
You create a read-only IAM Role
In your AWS account, you create a role with only the permissions CloudArq needs. We provide the CloudFormation template.
STS AssumeRole with External ID
CloudArq assumes the role using AWS STS with your unique External ID — preventing confused deputy attacks. Credentials are temporary and expire in 1 hour.
Read-only scan, nothing stored
We scan your infrastructure using read-only API calls. No modifications are ever made. Temporary credentials are discarded after the scan completes.
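As an added example (not CloudArq's own CloudFormation template), the trust policy that steps 1 and 2 rely on, expressed in Python, together with a check you can run over any cross-account trust policy before deploying it to confirm it pins both the trusted account and the External ID; the account ID and External ID below are constructed placeholders.

```python
# Constructed placeholders: the real CloudArq account ID and your unique
# External ID come from the CloudFormation template, not from this example.
TRUSTED_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id-0123456789"


def build_trust_policy(trusted_account_id: str, external_id: str) -> dict:
    """Trust policy for the cross-account role: only the named account may
    assume it, and only when it presents the matching sts:ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
            "Action": "sts:AssumeRole",
            # The External ID condition is the confused-deputy defence: a third
            # party cannot make the trusted service assume your role for them
            # without the value you agreed with that service.
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def check_trust_policy(policy: dict) -> list:
    """Return the weaknesses found in a trust policy (empty list = passes)."""
    issues = []
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or not any(
            a in ("sts:AssumeRole", "sts:*", "*") for a in actions
        ):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            issues.append("AssumeRole allowed from any AWS principal")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            issues.append("AssumeRole statement lacks an sts:ExternalId condition")
    return issues


# Constructed weak policy: same trusted account, but no External ID condition.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Principal": {"AWS": f"arn:aws:iam::{TRUSTED_ACCOUNT_ID}:root"}}],
}
```

Running `check_trust_policy` over the generated policy returns an empty list, while the weak variant is flagged for the missing External ID condition.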
Your Data, Our Responsibility
We follow the principle of least privilege — collecting only what's needed and encrypting everything.
What We Store
Audit results, finding metadata, and compliance scores. We store the minimum data needed to show you results and track trends over time.
What We Never Store
Raw AWS credentials in plaintext, customer application data, database contents, S3 object data, or any secrets from your infrastructure.
Data Retention
Audit data is retained as long as your account is active. When you delete a connection or your account, all associated data is permanently removed within 30 days.
Security in Every Layer
From the network edge to the database — every layer is hardened.
Encryption at Rest
- All data encrypted with AES-256-GCM at rest
- Database encryption using PostgreSQL native encryption
- Encryption keys managed with strict access controls and rotation
- Automated daily database backups with retention policy
Encryption in Transit
- TLS 1.2 or higher enforced on all connections
- SSL termination via Cloudflare Full (Strict) mode
- HSTS enabled with preload for all domains
- Internal services communicate over an isolated Docker network
Credential Handling
- IAM Role-based access is the recommended method
- Access keys encrypted with AES before storage — never stored in plaintext
- External IDs prevent confused deputy attacks
- Temporary STS credentials expire after 1 hour
Infrastructure
- Hosted on Hetzner dedicated servers in EU data centers
- All services run in isolated Docker containers
- Network access restricted with strict firewall rules
- Content Security Policy headers enforced on all responses
Access Control
- Role-based access control (RBAC) with admin and client roles
- Two-factor authentication (TOTP) with backup codes
- JWT session management with short-lived access tokens
- Audit logging for all administrative actions
Application Security
- Rate limiting on all sensitive endpoints
- SQL injection prevention via parameterized queries (SQLAlchemy ORM)
- XSS prevention via strict CSP headers
- CORS restricted to authorized origins only
Security Contact
If you discover a security vulnerability or have concerns about our security practices, please contact us directly. We take every report seriously and respond within 24 hours.