Is FinOps software secure? Here is our posture

Costanalyst is built to be the lowest-risk tool a finance team can plug in. We connect with least-privilege, read-only access, we encrypt your data in transit and at rest, and we never move money or change anything in your environment.

In short

Yes. Costanalyst requests the minimum read-only scopes to see your billing and usage data, such as an AWS Cost and Usage Report or Cost Explorer read role and read-only SaaS admin or API access. It cannot change anything in your cloud account, cannot move money, and cannot touch your cards. Data is encrypted in transit and at rest, credentials are least-privilege and scoped, and you can revoke access at any time.

// HOW WE PROTECT DATA

Security posture

Read-only by design, money-neutral on purpose

Every choice below is made so finance can connect Costanalyst without expanding their attack surface or handing anyone the ability to spend.

Read-only access

We request the minimum read scopes only: an AWS Cost and Usage Report or Cost Explorer read role, equivalent GCP and Azure billing read roles, and read-only SaaS admin or API access. Costanalyst cannot resize an instance, delete a resource, or cancel a subscription. It reads, it recommends, your team acts.

We never move money

Costanalyst holds no funds, processes no payments, and stores no card numbers. There is no accounts-payable rail and no checkout. It is an analyst, not an actor, so even a worst-case compromise cannot spend a dollar of yours.

Encryption in transit and at rest

All data is encrypted in transit with TLS and encrypted at rest. Credentials and tokens are stored encrypted and are never exposed in logs or to other tenants.

Least-privilege, scoped credentials

Connections use scoped, least-privilege credentials with the narrowest permissions that still let us read your billing and usage. We do not ask for write or admin scopes we do not need.
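As an added illustration (not Costanalyst's own code or policy), this is what a read-only Cost Explorer / Cost and Usage Report cross-account role of the kind described under "Read-only access" and "Least-privilege, scoped credentials" looks like, together with a check that the permission policy grants no write or admin actions and that the trust policy pins an external ID. The account ID, bucket name and external ID are placeholders, and the Get/List/Describe verb test is a heuristic, not the IAM action catalogue.

```python
import re

# Constructed example of a read-only Cost Explorer / CUR role (placeholder
# bucket, account id and external id), not Costanalyst's actual policy.
COST_READ_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ce:GetCostAndUsage", "ce:GetCostForecast",
                    "ce:GetDimensionValues", "ce:GetTags",
                    "cur:DescribeReportDefinitions"]},
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::EXAMPLE-cur-bucket",
                      "arn:aws:s3:::EXAMPLE-cur-bucket/*"]},
    ],
}

# Trust policy: only the vendor account may assume the role, and only when it
# presents the agreed external ID (the standard confused-deputy guard).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-external-id"}},
    }],
}

# Heuristic: treat only Get*/List*/Describe* actions as read-style; anything
# else (Put*, Delete*, Modify*, Create*, service or global wildcards) is flagged.
READ_ACTION = re.compile(r"^[a-z0-9-]+:(Get|List|Describe)[A-Za-z]*$")

def non_read_actions(policy):
    """Return every Allow action that is not a narrowly read-style action."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        flagged += [a for a in actions if not READ_ACTION.match(a)]
    return flagged

def trust_requires_external_id(trust):
    """True if every AssumeRole grant is conditioned on sts:ExternalId."""
    return all("sts:ExternalId" in s.get("Condition", {}).get("StringEquals", {})
               for s in trust["Statement"])
```

Revoking access is then a matter of deleting the role or its trust statement in your own account; the verb heuristic is a first screen, not a substitute for IAM Access Analyzer policy validation.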

Revoke access anytime

You can disconnect any source and revoke our access at any moment from your own cloud or SaaS console. Access is yours to grant and yours to remove.

Regional data handling

We are deliberate about where billing and usage data is processed and stored. Enterprise customers can scope data residency and request a security review and custom terms.

// READ vs NEVER

Scope

What we read, and what we never do

What we read

  • Cloud billing and usage (AWS, GCP, Azure cost and usage data)
  • SaaS subscriptions through read-only admin or API access
  • Resource and seat utilization, so we can find idle spend and unused seats
  • Tags and metadata, to attribute every dollar to a team or project

What we never do

  • Move money, pay invoices, or hold funds
  • Touch, store, or charge your cards
  • Change anything in your cloud account or cancel a subscription
  • Request write or admin scopes we do not need

Costanalyst is read-only decision support, not financial advice. Every recommendation is for a human on your team to review and act on in your own accounts.

// FAQ

Security questions

The questions finance asks first

Yes. Costanalyst connects with least-privilege, read-only credentials and encrypts your data in transit and at rest. We request the minimum read scopes, like an AWS Cost Explorer and Cost and Usage Report read role, and you can revoke access at any time. See our security page for the full posture.

No. Costanalyst is read-only. It requests the minimum read scopes to see your billing and usage, and read-only admin or API access to your SaaS tools. It cannot change anything in your environment, resize an instance, or cancel a subscription. It shows you the recommendation, and your team acts.

Never. We do not process payments, hold funds, pay invoices, or touch your cards. Costanalyst is an analyst: it reads your spend, finds the savings, and shows you the recommendation. Every action happens in your own accounts, by your own team.

No. Costanalyst is decision-support tooling. Its recommendations are computed from your real usage and billing data, and they are for a human on your team to review and decide. It is not financial, tax, or accounting advice.

More on accuracy, money, and what we connect is on the full FAQ.
