Security posture
No badge wall — we name the actual controls, and where a certification is roadmap, this page says roadmap. SOC 2 is on the roadmap, not claimed.
The role we ask for
The first scan uses a read-only IAM role. We publish the exact policy before you connect, you can delete the role any time, and no agents run on your workloads. On our estate, first findings landed in sixteen seconds.
Execution is capable and ships off. Arming it takes a written mandate with caps and a named approver on every run — and live purchases are hard-blocked today.
Your data leaves in open formats — CSV, JSON, and FOCUS — and deletion is a button, not a support ticket. Every deletion is audited.
{
"Effect": "Allow",
"Action": [
"ce:Get*", "cur:Describe*",
"ec2:Describe*", "organizations:List*"
]
} // full policy published before you connectAWS proven on our own money · Azure/GCP connected on real credentials, zero-spend estates
The control matrix
Ten controls, stated as facts. Each status is the strongest form we are allowed to claim — nothing here names a certification we do not hold, a customer we do not have, or an armed execution path.
| Control | What it means | Status |
|---|---|---|
| Public homepage | Anyone can read this page; the product itself is gated. | Open |
| Platform access | Every account is manually reviewed and approved by the owner. | Owner-approved |
| Public signup | Every workspace was let in on purpose — no self-serve account creation. | None during beta |
| Provider permissions | First scan uses a read-only IAM role — we publish the exact policy; delete it any time. | Read-only |
| Execution | Ships off. Arming needs a written mandate with caps; live purchases are hard-blocked. | Off by default |
| Billing | No card on file and no live charges during the private beta. | No live billing |
| Savings verification | Projected until your bill moves — graded against the real bill after you act. | Bill-graded |
| Audit trail | Append-only activity log, hash-chained and verifiable. | Hash-chained |
| Data export | Take your data out any time — including the FinOps Foundation's open FOCUS format. | CSV · JSON · FOCUS |
| Compliance | SOC 2 is on the roadmap; today's posture is documented openly instead. | Roadmap — not claimed |
Execution rail anatomy
Execution is capable and ships off. A live run would require all of: an active written mandate, its caps passing, and a named approver on that run — and even then live purchases are hard-blocked today. Until you arm it, findings leave as Jira tickets, not as changes, and every step writes a hash-chained audit row.
Illustrative product view — not customer data.
The audit chain
Every action writes an append-only activity row, and each row stores sha256(prevHash + row) — so edits, deletes, and reorders are catchable, not deniable. Verification is exposed in the product; the mechanism is documented publicly.
Illustrative product view — not customer data.
Data lifecycle
Leaving is a button, not a negotiation — which makes staying a choice.
Export
Your data leaves in open formats — CSV, JSON, and FOCUS, the FinOps Foundation's open format — with coverage and validation shown on export.
Delete
Deletion is a button, not a support ticket — organization deletion is owner-gated, account deletion is server-confirmed, and every deletion is audited.
Secrets
Secret columns are excluded from every export by an allowlist — with a canary test pinning that they stay excluded.
What we do not claim
The absence list matters as much as the matrix — three things this page deliberately does not say:
- SOC 2 / ISO / HIPAA
On the roadmap, not claimed. Today's posture is documented openly on this page and on /trust instead of behind a badge wall.
- SLA
No SLA during the beta — stated, not hidden. The pricing matrix says “none (beta)” in every column; an SLA arrives when we can stand behind one.
- Customer counts
None published — no logos, no references, no “trusted by”. You would be the design partner: first, with the attention that implies.
Posture documents
The due-diligence reading list — public before the first call:
Security questions answered in writing.
A founder reads every request — start with a read-only pilot and keep the findings report either way.
