Read-only. Encrypted. Isolated.
StackSpend reads cost data. It does not modify your infrastructure, enforce policies, or make changes on your behalf.
Read-only access
No write permissions to your cloud or API accounts. StackSpend only reads cost data.
AES-256-GCM encryption
Credentials encrypted at rest with separated key management.
Tenant isolation
Row-level security at the database layer. Your data is never accessible to other organizations.
No enforcement
Observe and report only. No automated infrastructure changes, kill switches, or policy enforcement.
GDPR compliant
Full data export and account deletion on request. All sensitive operations logged.
Audit logging
Every sensitive action — auth, provider changes, team modifications — recorded in an immutable log.
Access
All provider connections use read-only credentials. For AWS, this means a cost-explorer-only IAM role. For GCP, a BigQuery reader. For API providers like OpenAI, a usage-scoped key. Credentials follow the principle of least privilege — each integration requests only the permissions required to fetch billing data.
Data
Provider credentials are encrypted at rest using AES-256-GCM. Encryption keys are managed separately from application data. All data is isolated per organisation with row-level security policies ensuring one tenant's data is never accessible to another at the database level. Cost data is retained for the duration of your subscription and permanently removed within 30 days of account deletion.
Actions
StackSpend does not take automated actions on your infrastructure. There are no kill switches, auto-scaling overrides, or policy enforcement mechanisms. The system observes and reports. Decisions remain with your team.