CloudRift

Security & Trust Center

How CloudRift protects your data and cloud credentials

AES-256
Credentials Encrypted
Full
Audit Logging
5 Roles
RBAC
TOTP
MFA Support
1.2+
TLS in Transit
In Progress
SOC 2

Credential Security

All Azure and AWS service principal credentials stored in CloudRift are encrypted at rest using AES-256 Fernet symmetric encryption before being written to the database. Encryption keys are managed at the application layer and rotated periodically.

Credentials are decrypted only at the moment they are needed for an API call and are never logged, transmitted to third parties, or stored in plaintext.

Encryption algorithmAES-256 (Fernet)
Credentials visible to CloudRift employeesNo — encrypted at rest
Credentials transmitted to third partiesNever
Credential storageMongoDB Atlas, encrypted

Access Control

CloudRift implements Role-Based Access Control (RBAC) with five defined roles: Owner, Admin, Developer, Analyst, and Viewer. Each role has precisely scoped permissions — viewers cannot delete resources, analysts cannot modify configurations.

Multi-Factor Authentication (TOTP) is available for all accounts and can be enforced organization-wide by administrators.

RBAC roles5 tiers (Owner → Viewer)
MFA supportTOTP (Google/Microsoft Authenticator)
Organization-wide MFA enforcementSupported
Session timeout30 minutes inactivity
Backup codes10 codes generated on MFA setup

Audit Logging

Every significant action in CloudRift is recorded in an immutable audit log — including logins, scans, resource deletions, plan changes, and governance assessments. Audit logs are accessible to owners and admins within the platform.

Actions loggedLogin, scan, delete, resize, settings changes
Log retention90 days minimum
Tamper protectionAppend-only, no user deletion
Admin visibilityOwner/Admin roles only

Infrastructure & Network

CloudRift runs on a managed Kubernetes infrastructure with TLS 1.2+ enforced on all endpoints. The platform uses HTTPS exclusively — no unencrypted HTTP connections are accepted.

Transport encryptionTLS 1.2+
HTTP allowedNo — redirected to HTTPS
DatabaseMongoDB with encryption at rest
InfrastructureManaged Kubernetes (hardened)
DDoS protectionLayer 3/4 via platform

What CloudRift Reads vs. What It Writes

CloudRift operates with a minimal permission model. The Permission Setup Wizard lets administrators choose exactly which level of access to grant:

FeatureRead-Only TierStandard TierFull Access Tier
Resource scanning
Cost analysis
Identity/MFA audit
Governance assessments
VM resize / deletion
Monitoring setup
Policy deployment
Governance auto-fix

Data Handling

CloudRift processes Azure/AWS metadata (resource names, types, costs, configurations) to provide optimization recommendations. We do not access, read, or store the contents of your workloads — databases, file storage, application code, or user data within your cloud resources.

Workload data accessNever — metadata only
Data sold to third partiesNever
Scan data retention90 days rolling
Data deletion on requestSupported — contact legal@cloudrift.tech

Compliance Roadmap

SOC 2 Type IIn progress (Q3 2026 target)
SOC 2 Type IIPlanned Q4 2026
GDPRControls in place, DPA available on request
HIPAABAA available for enterprise customers
Penetration testingAnnual third-party, on roadmap

Vulnerability Disclosure

If you discover a security vulnerability in CloudRift, please report it responsibly to security@cloudrift.tech. We commit to acknowledging reports within 48 hours and resolving critical issues within 14 days.

Do not publicly disclose vulnerabilities without giving us reasonable time to respond.

Questions about security? Contact our security team.

security@cloudrift.tech

Terms of Service · Privacy Policy · cloudrift.tech