Security
IAM Role Architecture
Cloudtrim connects to your AWS accounts using read-only IAM cross-account roles. These roles follow the principle of least privilege, granting access only to cost, metric, and resource metadata required for analysis. Cloudtrim never requests or uses write permissions on your infrastructure.
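As an added example that is not Cloudtrim's own code or its actual role definition, the check below shows how an account owner can audit such a cross-account role before granting it: the trust policy must name one expected principal and require an sts:ExternalId (the standard confused-deputy mitigation), and every allowed action must be read-only. The vendor account ID, ExternalId and action list are constructed placeholders.

```python
import json

# Constructed sample documents with placeholder values (not Cloudtrim's real account or policies).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111122223333:root"},  # placeholder vendor account
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
}
PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["ce:GetCostAndUsage", "cloudwatch:GetMetricData", "ec2:Describe*"],
        "Resource": "*",
    }],
}
# Heuristic: IAM actions with these verb prefixes are control-plane reads. Data-plane reads
# (e.g. s3:GetObject) also match, so review matched actions against the data they expose.
READ_ONLY_PREFIXES = ("Get", "List", "Describe")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_trust_policy(doc, expected_principal):
    """Return findings for AssumeRole statements that are broader than one principal + ExternalId."""
    findings = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if "*" in principals:
            findings.append("trust policy allows any AWS principal")
        elif any(p != expected_principal for p in principals):
            findings.append("trust policy allows an unexpected principal")
        if "sts:ExternalId" not in st.get("Condition", {}).get("StringEquals", {}):
            findings.append("AssumeRole statement has no sts:ExternalId condition")
    return findings

def audit_permission_policy(doc):
    """Return every allowed action that is not an unambiguous read (wildcards count as writes)."""
    findings = []
    for st in _as_list(doc.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        for action in _as_list(st.get("Action", [])):
            _service, _, name = action.partition(":")
            if not name or name == "*" or not name.startswith(READ_ONLY_PREFIXES):
                findings.append(f"non-read-only action: {action}")
    return findings

if __name__ == "__main__":
    print(json.dumps({"trust": audit_trust_policy(TRUST_POLICY, "arn:aws:iam::111122223333:root"),
                      "permissions": audit_permission_policy(PERMISSION_POLICY)}, indent=2))
```

To run this against a live role, fetch the documents with the AWS CLI (`aws iam get-role` and `aws iam get-role-policy`) and pass the parsed JSON to the two functions.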
Data Encryption
All data is encrypted in transit using TLS and at rest using AES-256 encryption. API communications between Cloudtrim and AWS are secured via HTTPS with STS temporary credentials.
IaC Generation Process
Cloudtrim analyses your resource data to produce CloudFormation and Terraform code. The generation process is purely analytical — Cloudtrim does not make changes to your AWS accounts. You review and apply all generated IaC yourself.
Data Retention
Cost and resource metadata is retained for the duration of your subscription to provide historical analysis and trend reporting. Upon account deletion, all associated data is permanently removed within 30 days.
Infrastructure
Cloudtrim is hosted on Vercel with automatic TLS and edge caching. Our database runs on Supabase (PostgreSQL) with row-level security enabled, ensuring tenant isolation at the database layer.
Incident Response
If you discover a security vulnerability or have concerns about the security of your data, contact us at security@cloudtrim.io. We take all reports seriously and will respond within 48 hours.