Trust & Security
How CloudJaeger protects your data and your cloud. Built for the security and procurement teams who review us before we ever touch an account — read-only by design, EU-hosted, encrypted end to end.
- At rest: AES-256 via AWS KMS-managed keys on every database, object store, and backup.
- In transit: TLS 1.3 for all client and service-to-service traffic; HTTP is redirected to HTTPS.
- Stored cloud credentials are additionally encrypted at the application layer before they ever touch the database.
- Primary hosting region: AWS Europe (Frankfurt) — eu-central-1.
- Database, object storage, and backups for the CloudJaeger application stay in-region.
- The only data that leaves the region is the narrow, validated LLM context described below (US-based model providers).
- AWS is connected via a customer-owned IAM role you create from our CloudFormation / Terraform template — read-only, scoped to cost & inventory APIs.
- We assume that role with short-lived STS credentials; there are no long-lived access keys to leak.
- Azure and GCP use equivalently scoped, read-only service principals / service accounts.
- You can revoke our access at any time by deleting the role — independent of CloudJaeger.
- Database URLs, API tokens, and signing keys live in AWS Secrets Manager and are injected at runtime.
- Application logs are scrubbed of credentials; error traces sent to monitoring are stripped of secrets.
- No customer cloud credentials are written to logs, ever.
Every recommendation is presented with the math behind it. Nothing is applied to your cloud without an explicit, human approval — there is no silent autopilot.
- Optional autonomous execution is opt-in, gated behind a safety case (owner, ticket/PR, blast-radius proof, canary metric, rollback plan), and proceeds one reversible step at a time through the Safe-Autonomy Conveyor.
- Every consequential action is written to a tamper-evident, SHA-256 hash-chained activity log (who did what, when) — each entry commits to the previous one, so any edit or deletion is detectable on demand.
- Access to your account is read-only unless you explicitly enable a scoped, reversible action.
- Observe
- Read-only visibility.
- Advise
- Ranked recommendations with evidence.
- Dry-run
- Rehearses the exact action against your caps — nothing changes.
- Approve-to-apply
- A named human approves; you make the change; CloudJaeger tracks and measures it.
- Armed (with approval)
- One approved action at a time, inside an owner-signed mandate.
- Autonomous (within mandate)
- No per-action approval — only inside a narrow, expiring, capped mandate; reversible actions only.
Live purchasing is un-armed by choice — hardcoded off in this build. It arms behind a mandate you write, not a toggle we flip.
- Owner / admin / member / viewer roles scope what each teammate can see and do.
- Every workspace is tenant-isolated; queries are scoped by organization so one customer can never read another's data.
- Enterprise SSO (SAML / OIDC) and automated provisioning (SCIM 2.0) are available.
- The audit log is restricted to owners and admins.
- We read cost & usage data and resource inventory metadata — not the contents of your workloads.
- Our LLM providers receive only validated recommendation summaries and aggregated cost figures — never credentials or raw line items.
- LLM providers operate under API terms that do not permit training on data we submit.
- See the full subprocessor list for every third party and exactly what each one processes.
We are preparing our control set for a future SOC 2 Type II audit. No auditor is engaged yet and the observation window has not started — we do not claim SOC 2 compliance. We'll publish the report if and when an audit completes.
On our roadmap to follow SOC 2. No certification is claimed today.
EU-hosted with a Data Processing Agreement available. See the DPA.
Email security@cloudjaeger.com to report a security issue or request our latest documentation.
For product questions, account issues, or beta feedback, email support@cloudjaeger.com. Vulnerability reports belong to security@ above.
Our legal documents are available for your team to review before you connect an account.
