Security | 8 min read | Apr 2, 2026

Security Overview

CloudSaver is committed to maintaining the highest standards of security for our platform and the data our customers entrust to us. This overview describes the security practices, certifications, and controls in place across our organization.

SOC 2 Type II Certification

CloudSaver has an AICPA SOC 2 Type II examination performed on an annual basis based on the trust services criteria relevant to security. The SOC 2 Type II report validates the design and operational effectiveness of CloudSaver's security processes supporting our SaaS solutions.

Product Security

CloudSaver prioritizes product security through an Agile software development lifecycle. We integrate security throughout the release cycle to rapidly identify and address defects. Software patches are released as part of our continuous integration process.

Our continuous integration practices enable quick responses to both functional and security issues. Well-defined change management policies govern when and how modifications occur. This DevOps-centered philosophy allows CloudSaver to achieve extremely short mean time to resolution for security vulnerabilities.

Data Protection

CloudSaver implements multiple encryption strategies and access controls to safeguard customer information:

Encryption

  • Encryption at rest utilizing AES-256 standards
  • KMS-based protections for sensitive elements including passwords, access tokens, and API keys

Access Controls

  • Data access restricted to personnel with documented business justification
  • Multiple administrative access layers implemented
  • Multi-Factor Authentication (MFA) required for environments containing customer data
  • Least privilege and need-to-know principles enforced
  • Continuous monitoring and logging of access to customer data environments
  • Administrative credential integrity controls established
  • Full-disk encryption mandated for workstations
  • Unique credentials required per workstation

Authentication

CloudSaver enables user login through platform-established credentials or Sign-in with Google via OpenID Connect. The company authenticates internal users through a central identity provider and leverages two-factor authentication wherever possible.

Data Collection

CloudSaver collects only the data necessary to deliver our services:

Billing Data

CloudSaver retrieves billing information through AWS Cost and Usage Reports (CUR) stored in an organization's management account. The platform creates a dedicated S3 bucket to hold this data with a 90-day lifecycle policy that automatically manages bucket size and costs. The system configures CUR to deliver reports twice daily to this bucket.

Tag Data

The application accesses environmental and operational information via AWS standard APIs. CloudSaver's permissions enable reading tags on resources and performing list, create and delete tag actions. Additional capabilities include read, list, and describe functions for specific resources like EC2 instances and RDS databases.

Resource and Log Data

The system uses Amazon EventBridge to capture real-time resource changes. EventBridge notifies the CloudSaver application via API whenever relevant resource data changes in the client's environment. A daily intake of resource data serves as a baseline, and EventBridge events are compared against it to detect changes as they happen.

Physical Security

CloudSaver infrastructure operates within Cloud Service Provider (CSP) environments. Physical and environmental security-related controls for CloudSaver production servers, which include buildings and locks or keys used on doors, are managed by these CSPs.

Corporate Security

All CloudSaver personnel undergo regular security and privacy awareness training that weaves security into technical and non-technical roles. All employees participate in securing our customer data and company assets.

Disaster Recovery

CloudSaver ensures minimal service interruption during disasters through platform design focused on high availability and dependable, secure backup systems.

Backup Strategy

  • Daily backups: Full backups are taken daily to capture the entire dataset
  • Retention: Backups are retained for a minimum of 90 days, allowing for point-in-time recovery
  • Security: All backup data undergoes encryption and secure storage to maintain integrity and prevent unauthorized access

Solution Mobility

The platform operates independently of specific cloud providers or geographic regions, enabling rapid deployment across different providers and regions to protect service availability during disasters. Customers may choose to self-host CloudSaver or deploy it to specific regions independently, allowing organizations to meet data residency requirements by keeping information within designated geographic areas.


For security inquiries or to request a copy of our SOC 2 Type II report, contact us at security@cloudsaver.com.
