How we handle your data

We know you're trusting us with access to your infrastructure. Here's exactly what we do — and don't do — with your credentials and data.

• ✓Credentials are used in-memory only during the diagnostic
• ✓We never write credentials to disk, database, or logs
• ✓We never transmit credentials to third parties
• ✓Credentials are discarded immediately after the diagnostic completes
• ✓We recommend using temporary credentials (STS tokens) with the minimum required permissions

• ✓Secrets, access keys, and obvious credential patterns are redacted before any AI call
• ✓Cloud resource identifiers (for example bucket names, security group IDs, volume and DB IDs, ARNs) are replaced with opaque tokens only for the model — never sent as plain text to the AI
• ✓IAM usernames and emails are masked in report sections where listed
• ✓IP addresses are masked in the payload sent for analysis
• ✓Suggested remediation CLI commands are resolved on your server with real resource names so you can copy/paste accurate commands; the model does not receive those resolved strings unless they appear in your normal report body

• ✓Your account email and authentication info (for login)
• ✓Diagnostic results (the report content) — so you can view history
• ✓Usage counts (for rate limiting on free tier)
• ✓We do NOT store: credentials, raw cloud data, or personal data beyond what's listed above

• ✓AWS: ReadOnlyAccess policy (or equivalent) — no write permissions
• ✓GCP: roles/viewer — no write permissions
• ✓Azure: Reader role — no write permissions
• ✓We never request permissions to create, modify, or delete resources

• ✓OpenAI / Claude API: receives anonymized/masked diagnostic data for AI analysis
• ✓Stripe: handles payment processing — we never see your full card number
• ✓Vercel: hosts our frontend
• ✓We do not sell or share your data with advertisers or data brokers