Security
Is FinOps software secure? Here is our posture
Costanalyst is built to be the lowest-risk tool a finance team can plug in. We connect with least-privilege, read-only access, we encrypt your data in transit and at rest, and we never move money or change anything in your environment.
In short
Yes. Costanalyst requests the minimum read-only scopes needed to see your billing and usage data, such as an AWS Cost and Usage Report or Cost Explorer read role, and read-only SaaS admin or API access. It cannot change anything in your cloud account, cannot move money, and cannot touch your cards. Data is encrypted in transit and at rest, credentials are least-privilege and scoped, and you can revoke access at any time.
Security posture
Read-only by design, money-neutral on purpose
Every choice below is made so finance can connect Costanalyst without expanding their attack surface or handing anyone the ability to spend.
Read-only access
We request the minimum read scopes only: an AWS Cost and Usage Report or Cost Explorer read role, equivalent GCP and Azure billing read roles, and read-only SaaS admin or API access. Costanalyst cannot resize an instance, delete a resource, or cancel a subscription. It reads, it recommends, your team acts.
We never move money
Costanalyst holds no funds, processes no payments, and stores no card numbers. There is no accounts-payable rail and no checkout. It is an analyst, not an actor, so even a worst-case compromise cannot spend a dollar of yours.
Encryption in transit and at rest
All data is encrypted in transit with TLS and encrypted at rest. Credentials and tokens are stored encrypted and are never exposed in logs or to other tenants.
Least-privilege, scoped credentials
Connections use scoped, least-privilege credentials with the narrowest permissions that still let us read your billing and usage. We do not ask for write or admin scopes we do not need.
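A practical way to verify the "read-only, least-privilege, revocable" claims made above before granting a vendor a cross-account role is to check the role definition mechanically. The script below is an added example, not Costanalyst's own code or tooling: it embeds a constructed trust policy and permissions policy of the kind a billing integration would ask for (the vendor account id, external id and CUR bucket name are placeholders) and flags any Allow action that is not a Get/List/Describe call, plus any AssumeRole grant that is not pinned to an sts:ExternalId.

```python
"""Check a cross-account IAM role definition against a read-only, scoped baseline."""

# Constructed example policies (placeholder account id, external id and bucket).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},  # vendor account (placeholder)
        "Action": "sts:AssumeRole",
        # ExternalId guards against the confused-deputy problem; delete the
        # role (or the trust statement) in your own console to revoke access.
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
    }],
}

PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ce:GetCostAndUsage", "ce:GetDimensionValues", "ce:GetTags",
                    "cur:DescribeReportDefinitions"],
         "Resource": "*"},
        # Object reads are scoped to the CUR bucket only, not every bucket.
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-cur-bucket",
                      "arn:aws:s3:::example-cur-bucket/*"]},
    ],
}

READ_PREFIXES = ("Get", "List", "Describe")


def _actions(stmt):
    """Normalise the Action field, which IAM allows as a string or a list."""
    action = stmt.get("Action", [])
    return [action] if isinstance(action, str) else list(action)


def non_read_actions(policy):
    """Return every allowed action that is a wildcard or not a Get/List/Describe call."""
    bad = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _actions(stmt):
            verb = action.split(":", 1)[1] if ":" in action else action
            if "*" in action or not verb.startswith(READ_PREFIXES):
                bad.append(action)
    return bad


def trust_requires_external_id(trust):
    """True only if every AssumeRole grant is conditioned on sts:ExternalId."""
    for stmt in trust["Statement"]:
        if "sts:AssumeRole" not in _actions(stmt):
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "sts:ExternalId" not in cond:
            return False
    return True


if __name__ == "__main__":
    print("non-read actions:", non_read_actions(PERMISSIONS_POLICY))
    print("external id required:", trust_requires_external_id(TRUST_POLICY))
```

The verb-prefix check is a heuristic: a Get action on an unscoped Resource can still read sensitive data, so review the Resource field of each statement as well.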
Revoke access anytime
You can disconnect any source and revoke our access at any moment from your own cloud or SaaS console. Access is yours to grant and yours to remove.
Regional data handling
We are deliberate about where billing and usage data is processed and stored. Enterprise customers can scope data residency and request a security review and custom terms.
Scope
What we read, and what we never do
What we read
- Cloud billing and usage (AWS, GCP, Azure cost and usage data)
- SaaS subscriptions through read-only admin or API access
- Resource and seat utilization, so we can find idle spend and unused seats
- Tags and metadata, to attribute every dollar to a team or project
What we never do
- Move money, pay invoices, or hold funds
- Touch, store, or charge your cards
- Change anything in your cloud account or cancel a subscription
- Request write or admin scopes we do not need
Costanalyst is read-only decision support, not financial advice. Every recommendation is for a human on your team to review and act on in your own accounts.
Security questions
The questions finance asks first
Yes. Costanalyst connects with least-privilege, read-only credentials and encrypts your data in transit and at rest. We request the minimum read scopes, like an AWS Cost Explorer and Cost and Usage Report read role, and you can revoke access at any time. See our security page for the full posture.
No. Costanalyst is read-only. It requests the minimum read scopes to see your billing and usage, and read-only admin or API access to your SaaS tools. It cannot change anything in your environment, resize an instance, or cancel a subscription. It shows you the recommendation, and your team acts.
Never. We do not process payments, hold funds, pay invoices, or touch your cards. Costanalyst is an analyst: it reads your spend, finds the savings, and shows you the recommendation. Every action happens in your own accounts, by your own team.
No. Costanalyst is decision-support tooling. Its recommendations are computed from your real usage and billing data, and they are for a human on your team to review and decide. It is not financial, tax, or accounting advice.
More on accuracy, money, and what we connect on the full FAQ.
The lowest-risk tool to plug in
Connect your cloud and SaaS spend read-only and see your savings in dollars. We never move money, and you can revoke access anytime.