Security

Read-only access.
Full transparency.

We understand you're granting access to your AWS environment. We take that responsibility seriously, with minimal permissions and complete visibility into everything we do.

01

Read-only access

We can see your resources and costs but cannot make any changes directly. All implementations require your explicit approval.

02

Your data, your control

Your data stays in your AWS account. We access it for analysis but never store sensitive information like access keys or secrets.

03

Full audit trail

Every recommendation, approval, and implementation is logged. Complete transparency into who did what, when.

AWS access

Cross-account IAM role.
The AWS-recommended way.

You create a read-only IAM role in your account. SmartSpend assumes this role to access your data. No long-lived credentials are stored.

What we can access

EC2 instance metadata
RDS instance details
S3 bucket metadata
CloudWatch metrics
Cost Explorer data
CloudTrail events

What we cannot access

S3 bucket contents
Secrets Manager secrets
Parameter Store values
Database contents
Application data
IAM credentials
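
One way to check, before you create the role, that the policy you attach stays within the two lists above. This is an added example, not SmartSpend's code or policy: the sample policy is constructed, and the mapping from each "cannot access" category to AWS actions and the read-verb prefixes are assumptions chosen for illustration.

```python
import fnmatch
import json

# Assumption: actions that would expose each "cannot access" category above.
# Illustrative mapping, not SmartSpend's own; extend it for the services you run.
FORBIDDEN = {
    "S3 bucket contents": ["s3:GetObject", "s3:GetObjectVersion"],
    "Secrets Manager secrets": ["secretsmanager:GetSecretValue"],
    "Parameter Store values": ["ssm:GetParameter", "ssm:GetParameters",
                               "ssm:GetParametersByPath"],
    "Database contents": ["dynamodb:GetItem", "dynamodb:Query",
                          "dynamodb:Scan", "rds-data:ExecuteStatement"],
    "IAM credentials": ["iam:CreateAccessKey", "iam:CreateLoginProfile"],
}
# Assumption: verb prefixes treated as read-only; any other verb is flagged.
READ_PREFIXES = ("get", "list", "describe", "lookup", "batchget")

SAMPLE_POLICY = json.dumps({  # constructed sample, not a real vendor policy
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "rds:Describe*", "cloudwatch:GetMetricData",
                    "ce:GetCostAndUsage", "cloudtrail:LookupEvents",
                    "s3:GetBucketLocation", "s3:ListAllMyBuckets"]},
        # Looks read-only, but the wildcard also covers s3:GetObject.
        {"Effect": "Allow", "Resource": "*", "Action": "s3:Get*"},
    ],
})

def as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return sorted findings for Allow statements (Deny is ignored, so results are conservative)."""
    findings = set()
    for stmt in as_list(json.loads(policy_json)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.add("NotAction in Allow statement grants everything not listed")
            continue
        for pattern in as_list(stmt.get("Action", [])):
            verb = pattern.partition(":")[2].lower()
            for category, actions in FORBIDDEN.items():
                # IAM action matching is case-insensitive and supports * and ?
                if any(fnmatch.fnmatchcase(a.lower(), pattern.lower()) for a in actions):
                    findings.add(f"{pattern} exposes {category}")
            if not verb.startswith(READ_PREFIXES):
                findings.add(f"{pattern} is not limited to read verbs")
    return sorted(findings)
```

Running `audit_policy(SAMPLE_POLICY)` reports only the `s3:Get*` statement, since that wildcard reaches object contents even though every verb it covers is a read.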

Implementation

Nothing happens without your approval.

1

We identify

AI and experts find optimization opportunities with evidence and impact analysis.

2

You review

Every recommendation requires explicit approval. You see exactly what changes.

3

We implement

Changes made in code (Terraform, CloudFormation). Versioned and reversible.

4

We document

Full audit trail. Who approved what, when it was done, what the impact was.

Data handling

Enterprise-grade data protection.

All data encrypted in transit and at rest. Strict isolation between customers. We never sell, share, or monetize your data.

Encryption

TLS 1.2+ in transit, AES-256 at rest.

Isolation

Customer data strictly separated. No cross-access.

No selling

Your data is used solely to serve you.

Retention

We delete all data upon request if you cancel.

Our team

We're a partner, not a watchdog.

Our Solution Engineers work directly with your data to provide optimization recommendations. Here's how we manage that access.

Limited access

Engineers only see data you've granted access to through the IAM role.

Named engineers

Dedicated engineer assigned to your account. You know who's working with your data.

Here to help

We're here to help you save money, not to judge or report on your team.

Questions about security?

We're happy to discuss our practices in detail or set up a call with our engineering team.