What We Collect
- Account information: email address and hashed password (managed by AWS Cognito).
- AWS configuration metadata: IAM policies, S3 bucket settings, VPC rules, encryption status, and similar resource configuration data collected via a read-only IAM role you deploy.
- Scan results: compliance scores, control-level pass/fail assessments, and evidence packages generated from your metadata.
What We Do Not Collect
- S3 object contents, database records, or application data.
- CloudWatch logs, Lambda function code, or secret values.
- Any customer data stored within your AWS resources.
Our scanner operates on configuration metadata only. We read resource settings — we never read your data.
How We Use Your Data
- To generate compliance evidence mapped to SOC 2, NIST 800-53, HIPAA, PCI-DSS, GLBA, ISO 27001, CIS Benchmark, and AI/Agentic Risk frameworks.
- To produce SHA-256 integrity-verified evidence packages for your auditor.
- To display compliance posture in your dashboard.
We do not sell, rent, or share your data with third parties for marketing purposes.
Data Retention
- Evidence & scan results: retained for 400 days to support audit lookback requirements.
- Account data: retained until you delete your account.
Infrastructure & Third Parties
Cloud Evidence runs entirely on AWS infrastructure (us-east-1). We do not use third-party analytics SDKs, tracking pixels, or advertising networks. Authentication is handled by AWS Cognito. Data is encrypted at rest using AES-256 via AWS KMS.
Data Deletion
You may request deletion of your account and all associated data at any time by contacting us. Upon deletion, all scan results, evidence packages, and account metadata are permanently removed from our systems within 30 days.