We know how critical your data is to you, so security is at the forefront of everything we do.
- No Cloudcraft staff will access your data unless required for support reasons. When working a support issue, we do our best to respect your privacy as much as possible and access only the minimum data needed to resolve your issue.
- All the data, such as any diagrams, that you create is by default private and only accessible by you. If you explicitly share something with someone else, you can always revoke the access.
- All communication with Cloudcraft is always over TLS/SSL (HTTPS). This includes the public web site, web application and all APIs.
- We actively monitor our TLS/SSL security and always aim for an 'A' score on the Qualys SSL Labs Report.
- All user passwords are salted and strongly hashed with scrypt before they are stored, and cannot be recovered by Cloudcraft staff.
- When using a Google account to access Cloudcraft, no credentials are stored on the Cloudcraft servers.
- Two-Factor Authentication (2FA) is available for users of Cloudcraft via the Google or Google Apps for Work account login options.
- Customer data is backed up hourly and stored encrypted. We also test our data recovery procedures regularly.
- All Cloudcraft servers are continuously kept up to date with the latest security errata.
Cloudcraft Live allows you to optionally sync your AWS environments with your diagrams. Live was designed from the start to take maximum advantage of the latest AWS security best practices. Specifically, Cloudcraft makes use of cross-account roles, the secure way to access your AWS environment:
- No IAM users need to be created or access keys exchanged. Exchanging access keys is an outdated practice with security risks.
- Instead, you create a read-only role in your AWS account that is specific to Cloudcraft and can easily be revoked by you at any time.
- As an alternative to the basic read-only role, you can also use an even stricter minimal access policy to further restrict the amount of data Cloudcraft could theoretically access.
- Cloudcraft always uses an external ID when assuming the cross-account role, to protect against the so-called "confused deputy" problem.
- Cloudcraft does not persist any of the live data from your AWS environment. Cloudcraft simply stores ARNs, the unique identifiers for resources in AWS, together with your diagram, and then streams data from your AWS environment to your browser via Cloudcraft's own AWS environment using the role-based access.
All combined, Cloudcraft Live is a safe and secure way for you to explore your AWS environment through our diagrams and visualizations.
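As an added illustration (not Cloudcraft's own code), the following check audits the trust policy of a cross-account role like the one described above, confirming that only the vendor account can assume it and that an external ID is required. The account ID and external ID are constructed placeholders, and the function name is hypothetical.

```python
# Constructed placeholders: not Cloudcraft's real account ID or external ID.
VENDOR_ACCOUNT = "111111111111"
EXTERNAL_ID = "example-external-id"

def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def audit_trust_policy(policy, vendor_account, external_id):
    """Return findings for a role trust policy meant for one third-party account."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        actions = _as_list(stmt.get("Action"))
        if stmt.get("Effect") != "Allow" or not any(
                a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal")
        arns = _as_list(principal.get("AWS")) if isinstance(principal, dict) else [principal]
        for arn in arns:
            if arn != vendor_account and not str(arn).startswith(
                    f"arn:aws:iam::{vendor_account}:"):
                findings.append(f"principal {arn!r} is outside the vendor account")
        # Without this condition, another customer of the vendor could supply
        # this role's ARN and have the vendor assume it (confused deputy).
        # Condition key names are case-insensitive, so compare in lower case.
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        ext = {k.lower(): v for k, v in cond.items()}.get("sts:externalid")
        if ext is None:
            findings.append("no StringEquals sts:ExternalId condition")
        elif _as_list(ext) != [external_id]:
            findings.append("sts:ExternalId does not match the agreed value")
    return findings

def _policy(principal, condition=None):
    """Build a constructed single-statement trust policy for the samples below."""
    stmt = {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}
    if condition:
        stmt["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [stmt]}

GOOD = _policy({"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"},
               {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}})
NO_EXTERNAL_ID = _policy({"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT}:root"})
ANY_ACCOUNT = _policy({"AWS": "*"}, {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}})

if __name__ == "__main__":
    for name, pol in [("good", GOOD), ("no external id", NO_EXTERNAL_ID),
                      ("any account", ANY_ACCOUNT)]:
        print(name, "->", audit_trust_policy(pol, VENDOR_ACCOUNT, EXTERNAL_ID) or "ok")
```

To audit a real role, pass the trust policy document returned by your AWS tooling together with the account ID and external ID shown in the vendor's setup instructions.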
If you subscribe to Cloudcraft, your credit card data is neither transmitted through nor stored on our systems. Instead, we use a payment processor called Stripe, a company entirely dedicated to this task. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available. Read more about Stripe's security information online.
Please email us directly at firstname.lastname@example.org
We strive to keep Cloudcraft safe and secure for everyone. If you have discovered a security vulnerability, we would greatly appreciate your help in disclosing it to us in a responsible manner. We will work with you to assess and understand the scope of the issue and fully address any concerns. Emails are sent directly to our engineering staff to ensure that issues are addressed rapidly. Any security emails are treated with the highest priority, as the safety and security of our service is our primary concern.
If you have any questions regarding a specific policy that could be made clearer or any general inquiries regarding security, please contact Cloudcraft support.