Security

Security and data handling

FinOpsVyn is a read-only analytics layer on top of your billing exports. It does not execute code in your environment, does not modify cloud resources, and does not auto-scale or terminate instances on your behalf. Here is exactly what we access and how we protect it.

Read-only IAM scope

FinOpsVyn connects to your AWS account using an IAM role scoped to billing read: CUR bucket read on S3 and Cost Explorer read-only API access. The exact IAM policy is documented in our onboarding guide. We do not request write permissions of any kind. We do not deploy agents, Lambda functions, or EC2 instances into your account. FinOpsVyn does not auto-scale, terminate, or modify any cloud resource.

Encryption in transit and at rest

All data transmitted between your billing exports and our ingestion pipeline uses TLS 1.3. Billing data stored in our database is encrypted with AES-256. Credentials are stored in encrypted secret storage, never in plaintext.

Least-privilege access

Internal access to customer billing data requires MFA and is logged. Our engineering team operates on a need-to-know basis. Customer billing data is isolated per tenant with no cross-account data access possible.

Audit logging

All data ingestion events, query operations, and admin actions are logged with timestamps and user context. Logs are immutable and retained for 90 days. Access to logs is restricted to security-cleared team members.

Infrastructure

FinOpsVyn runs on AWS in a dedicated VPC with no public-facing compute nodes. Ingestion pipelines run in isolated containers. Our infrastructure is defined in Terraform and reviewed through pull request before deployment.

Responsible disclosure

If you discover a security vulnerability, contact us at [email protected] with the subject "Security disclosure." We commit to acknowledging within 48 hours and responding within 5 business days.

What we read

FinOpsVyn ingests billing export data only — AWS Cost and Usage Reports (CUR) from S3, and GCP Billing Export from BigQuery. We read resource tag data associated with billing line items. For Kubernetes attribution, we read cluster metrics via the Kubernetes API (read-only kubeconfig scope).

We do not read application code, source control, or runtime logs. The only operational data we access beyond billing are resource ownership signals: Terraform state (read-only), GitHub CODEOWNERS files (read-only repo access), and PagerDuty service ownership (read-only API token).

Data retention

Billing data is retained for the lookback period of your plan (7 / 30 / 90 days for Starter / Growth / Scale) plus an additional 30 days for anomaly baseline computation. After termination of your account, all customer billing data is deleted within 30 days.

Boundary: what FinOpsVyn does not do

FinOpsVyn does not modify your infrastructure — no resource termination, no instance scaling, no volume deletion, no tag updates.
FinOpsVyn is not a replacement for your cloud provider's billing console. It adds a team-attribution layer that the console cannot provide; it does not replace AWS Cost Explorer or the GCP Billing reports for account-level analysis.
FinOpsVyn does not enforce tagging policies or block resource creation. Tag gap discovery is surfaced as a report; remediation is your team's decision.
FinOpsVyn does not train or fine-tune machine learning models on your billing data.
We do not share your billing data with other customers or with third parties, except sub-processors under contract (cloud hosting, application monitoring) listed in our Privacy Policy.
We do not sell your data in any form.
We do not access your cloud infrastructure beyond billing read APIs, read-only Terraform state, read-only GitHub (CODEOWNERS files), read-only PagerDuty API, and read-only Kubernetes API (pods, nodes, namespaces, resource quota).

Questions

For security and data handling questions, contact [email protected].