Private beta — owner-approved access

Security posture

No badge wall — we name the actual controls, and where a certification is roadmap, this page says roadmap. SOC 2 is on the roadmap, not claimed.

The role we ask for

The first scan uses a read-only IAM role. We publish the exact policy before you connect, you can delete the role any time, and no agents run on your workloads. On our estate, first findings landed in sixteen seconds.

Execution is capable and ships off. Arming it takes a written mandate with caps and a named approver on every run — and live purchases are hard-blocked today.

Your data leaves in open formats — CSV, JSON, and FOCUS — and deletion is a button, not a support ticket. Every deletion is audited.

Read-only cloud cost scan · IAM policy excerpt
{
  "Effect": "Allow",
  "Action": [
    "ce:Get*", "cur:Describe*",
    "ec2:Describe*", "organizations:List*"
  ]
}  // full policy published before you connect
read-only0:16 first findings — on our estatedelete the role any time
AWS
Azure
Google Cloud

AWS proven on our own money · Azure/GCP connected on real credentials, zero-spend estates

The control matrix

Ten controls, stated as facts. Each status is the strongest form we are allowed to claim — nothing here names a certification we do not hold, a customer we do not have, or an armed execution path.

ControlWhat it meansStatus
Public homepageAnyone can read this page; the product itself is gated.Open
Platform accessEvery account is manually reviewed and approved by the owner.Owner-approved
Public signupEvery workspace was let in on purpose — no self-serve account creation.None during beta
Provider permissionsFirst scan uses a read-only IAM role — we publish the exact policy; delete it any time.Read-only
ExecutionShips off. Arming needs a written mandate with caps; live purchases are hard-blocked.Off by default
BillingNo card on file and no live charges during the private beta.No live billing
Savings verificationProjected until your bill moves — graded against the real bill after you act.Bill-graded
Audit trailAppend-only activity log, hash-chained and verifiable.Hash-chained
Data exportTake your data out any time — including the FinOps Foundation's open FOCUS format.CSV · JSON · FOCUS
ComplianceSOC 2 is on the roadmap; today's posture is documented openly instead.Roadmap — not claimed

Execution rail anatomy

Execution is capable and ships off. A live run would require all of: an active written mandate, its caps passing, and a named approver on that run — and even then live purchases are hard-blocked today. Until you arm it, findings leave as Jira tickets, not as changes, and every step writes a hash-chained audit row.

Commitment mandatethe arming contract
Max monthly commit$2,000
Term1yr, no upfront
Approvernamed, per run
live run → BLOCKED — live purchases not implemented
dry run → dry_run_ok · $0 moved
Until you arm it — findings leave as tickets
#1Rightsize 12 over-provisioned instances
advisory — nothing executes
outbound · live-proven (sandbox)
Jira · sandbox
CJ-3In Progress
inbound · fail-closed · 401 without your secret
Status · back on the recIn Progress — synced back
advisorydry-runmandate-gatedhash-chained audit row on every step

Illustrative product view — not customer data.

The audit chain

Every action writes an append-only activity row, and each row stores sha256(prevHash + row) — so edits, deletes, and reorders are catchable, not deniable. Verification is exposed in the product; the mechanism is documented publicly.

Hash-chained audit logevery action logged
#41role.connected#42rec.accepted#43execution.dry_runprevHash 9f2c…hash ← sha256(prevHash + row)#44report.sent
verify it yourself on /trustappend-only

Illustrative product view — not customer data.

Data lifecycle

Leaving is a button, not a negotiation — which makes staying a choice.

Export

Your data leaves in open formats — CSV, JSON, and FOCUS, the FinOps Foundation's open format — with coverage and validation shown on export.

Delete

Deletion is a button, not a support ticket — organization deletion is owner-gated, account deletion is server-confirmed, and every deletion is audited.

Secrets

Secret columns are excluded from every export by an allowlist — with a canary test pinning that they stay excluded.

What we do not claim

The absence list matters as much as the matrix — three things this page deliberately does not say:

  • SOC 2 / ISO / HIPAA

    On the roadmap, not claimed. Today's posture is documented openly on this page and on /trust instead of behind a badge wall.

  • SLA

    No SLA during the beta — stated, not hidden. The pricing matrix says “none (beta)” in every column; an SLA arrives when we can stand behind one.

  • Customer counts

    None published — no logos, no references, no “trusted by”. You would be the design partner: first, with the attention that implies.

Posture documents

The due-diligence reading list — public before the first call:

Security questions answered in writing.

A founder reads every request — start with a read-only pilot and keep the findings report either way.