Security
Enterprise-Grade Security. Zero Production Access.
We only need billing data to find waste. Here's exactly how we protect it.
Access Model
Read-Only IAM
We request Billing + Cost Explorer read-only roles. No access to EC2, S3, RDS, or production workloads. You can revoke anytime.
Data Deletion SLA
All billing exports and analysis artifacts are permanently deleted within 7 days of report delivery. Signed DPA available.
Encryption
AES-256 at rest, TLS 1.3 in transit. Analysis runs in an isolated VPC. No third-party data sharing.
Compliance & Certifications
SOC 2 Type II
In Progress · Q4 2026 Target
FinOps Certified Practitioner
The Linux Foundation
Microsoft AI Cloud Partner
Security-reviewed co-sell partner
Sample IAM Policy
For AWS, we only need this. Copy/paste into IAM:
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ce:Get*",
      "ce:Describe*",
      "ce:List*",
      "aws-portal:ViewBilling",
      "aws-portal:ViewUsage"
    ],
    "Resource": "*"
  }]
}
For Azure: Cost Management Reader role only. For GCP: billing.viewer.
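Before attaching a vendor-supplied policy, you can check that every allowed action stays inside billing read-only scope. The script below is an added example, not our own tooling: `audit_policy`, the prefix allowlist, and the widened counter-example policy are assumptions constructed for illustration, and the verb-prefix check is a naming heuristic.

```python
import json
import re

# Assumption: reviewer's allowlist of read-only verb prefixes per service,
# derived from the sample policy on this page.
READ_ONLY_PREFIXES = {"ce": ("get", "describe", "list"), "aws-portal": ("view",)}

def as_list(value):
    """IAM accepts a single string/object or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def audit_policy(policy_json):
    """Return findings; an empty list means only billing read-only actions are allowed."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json).get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            findings.append(f"Statement {i}: NotAction allows everything not listed")
        for action in as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive, so compare in lower case.
            service, _, name = action.lower().partition(":")
            # Only the literal text before the first wildcard is guaranteed to match.
            literal = re.split(r"[*?]", name, maxsplit=1)[0]
            prefixes = READ_ONLY_PREFIXES.get(service)
            if prefixes is None:
                findings.append(f"Statement {i}: {action} is outside billing services")
            elif not literal.startswith(prefixes):
                findings.append(f"Statement {i}: {action} is not limited to read-only verbs")
    return findings

# The policy from this page.
PAGE_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ce:Get*", "ce:Describe*", "ce:List*",
             "aws-portal:ViewBilling", "aws-portal:ViewUsage"],
  "Resource": "*"}]}"""

# Constructed counter-example: the same policy widened with three extra actions.
WIDENED_POLICY = """{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Action": ["ce:Get*", "ce:*", "s3:GetObject", "aws-portal:ModifyBilling"],
  "Resource": "*"}]}"""

if __name__ == "__main__":
    for label, policy in (("page policy", PAGE_POLICY), ("widened policy", WIDENED_POLICY)):
        print(label, "->", audit_policy(policy) or "read-only billing scope only")
```

An empty result means the document grants nothing beyond the listed billing read actions; any finding names the statement index and the action that widened it.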
Questions?
Email security@nimbusoptimized.com for our DPA or to schedule a security review.