Trust & Security

How Cloud Evidence protects your data and maintains the security posture your team expects from a compliance vendor.

1. Architecture

  • All data is stored in our AWS account in us-east-1.
  • Encrypted at rest using AES-256 via AWS KMS.
  • Tenant isolation enforced via DynamoDB partition key — no shared tables, no cross-tenant access paths.
  • All infrastructure defined in AWS CDK and deployed via CloudFormation.

2. Access Model

  • Our scanner uses a read-only IAM role deployed in your account via CloudFormation.
  • We collect configuration metadata only — we never read S3 object contents, database records, or application data.
  • Each tenant receives a unique, cryptographically random External ID that must be presented on every cross-account role assumption.
  • You can revoke access instantly by deleting the CloudFormation stack.
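As an added illustration (example code, not Cloud Evidence's own CloudFormation template or scanner code), the Go program below builds the kind of trust policy described above and runs two checks a customer could apply before deploying the stack: that role assumption is conditioned on sts:ExternalId, and that the permissions policy grants only metadata reads. The vendor account ID, the External ID, the read-only verb prefixes and the data-plane action list are assumptions for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Statement is the subset of an IAM policy statement inspected here.
type Statement struct {
	Effect    string                       `json:"Effect"`
	Principal map[string]string            `json:"Principal,omitempty"`
	Action    []string                     `json:"Action"`
	Resource  string                       `json:"Resource,omitempty"`
	Condition map[string]map[string]string `json:"Condition,omitempty"`
}

// Policy is an IAM policy document, used for both the role's trust policy
// and its permissions policy.
type Policy struct {
	Version   string      `json:"Version"`
	Statement []Statement `json:"Statement"`
}

// TrustPolicy builds the trust policy a customer's stack would attach to the
// scanner role: only the vendor account may assume it, and only when it
// presents this tenant's External ID (the confused-deputy guard).
func TrustPolicy(vendorAccountID, externalID string) Policy {
	return Policy{
		Version: "2012-10-17",
		Statement: []Statement{{
			Effect:    "Allow",
			Principal: map[string]string{"AWS": "arn:aws:iam::" + vendorAccountID + ":root"},
			Action:    []string{"sts:AssumeRole"},
			Condition: map[string]map[string]string{
				"StringEquals": {"sts:ExternalId": externalID},
			},
		}},
	}
}

// RequiresExternalID reports whether every AssumeRole grant in a trust
// policy is conditioned on sts:ExternalId.
func RequiresExternalID(p Policy) bool {
	for _, s := range p.Statement {
		if s.Effect != "Allow" {
			continue
		}
		for _, a := range s.Action {
			if a == "sts:AssumeRole" && s.Condition["StringEquals"]["sts:ExternalId"] == "" {
				return false
			}
		}
	}
	return true
}

// readOnlyPrefixes are the action verbs treated as non-mutating (assumed list).
var readOnlyPrefixes = []string{"Get", "List", "Describe"}

// dataPlaneActions are reads that return customer data rather than
// configuration metadata (illustrative, not exhaustive).
var dataPlaneActions = map[string]bool{
	"s3:GetObject":                  true,
	"dynamodb:GetItem":              true,
	"dynamodb:Scan":                 true,
	"dynamodb:Query":                true,
	"secretsmanager:GetSecretValue": true,
	"ssm:GetParameter":              true,
}

// DisallowedActions returns the actions in a permissions policy that are not
// metadata-only reads: write verbs, wildcards, and data-plane reads.
func DisallowedActions(p Policy) []string {
	var bad []string
	for _, s := range p.Statement {
		if s.Effect != "Allow" {
			continue
		}
		for _, a := range s.Action {
			_, verb, ok := strings.Cut(a, ":")
			if !ok || !isReadOnly(verb) || dataPlaneActions[a] {
				bad = append(bad, a)
			}
		}
	}
	return bad
}

func isReadOnly(verb string) bool {
	for _, prefix := range readOnlyPrefixes {
		if strings.HasPrefix(verb, prefix) {
			return true
		}
	}
	return false
}

func main() {
	doc, _ := json.MarshalIndent(TrustPolicy("111111111111", "example-external-id"), "", "  ")
	fmt.Println(string(doc))
	// Constructed permissions policy: two metadata reads, one data-plane read, one wildcard.
	perms := Policy{Version: "2012-10-17", Statement: []Statement{{
		Effect:   "Allow",
		Action:   []string{"ec2:DescribeInstances", "s3:GetBucketPolicy", "s3:GetObject", "iam:*"},
		Resource: "*",
	}}}
	fmt.Println("actions exceeding metadata-only read access:", DisallowedActions(perms))
}
```

The prefix check is deliberately conservative: any wildcard verb or unknown verb is reported, so a reviewer sees every action that needs a justification rather than only known writes.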

3. Authentication

  • User authentication managed by AWS Cognito with JWT tokens.
  • Passwords require minimum 14 characters with symbol complexity.
  • Per-tenant scoping enforced at the API layer — tokens carry tenant context.
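The tenant-scoping check described above, as an added example that is not Cloud Evidence's API code: the token is verified, the tenant claim is extracted, and the request is refused unless the tenant named in the path matches the tenant bound into the token. HS256 with a shared secret stands in for the signature check (Cognito issues RS256-signed tokens that are verified against its JWKS endpoint); the claim name custom:tenant_id and the path shape /tenants/{tenantID}/... are assumptions for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims is the subset of the access token this API layer relies on.
// The tenant claim name is an assumption for this example.
type Claims struct {
	Sub      string `json:"sub"`
	TenantID string `json:"custom:tenant_id"`
	Exp      int64  `json:"exp"`
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// SignHS256 mints a token the way a stand-in identity provider would; it exists
// only to construct sample input for the checks below.
func SignHS256(c Claims, secret []byte) (string, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(payload)
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(signingInput))
	return signingInput + "." + b64(mac.Sum(nil)), nil
}

// VerifyHS256 checks the header algorithm, the signature and the expiry, then
// returns the claims. Tokens without tenant context are refused.
func VerifyHS256(token string, secret []byte, now time.Time) (Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return Claims{}, errors.New("malformed token")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	hb, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil || json.Unmarshal(hb, &hdr) != nil || hdr.Alg != "HS256" {
		return Claims{}, errors.New("unsupported or malformed header") // pins the algorithm
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(parts[0] + "." + parts[1]))
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return Claims{}, errors.New("signature verification failed")
	}
	pb, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return Claims{}, err
	}
	var c Claims
	if err := json.Unmarshal(pb, &c); err != nil {
		return Claims{}, err
	}
	if !now.Before(time.Unix(c.Exp, 0)) {
		return Claims{}, errors.New("token expired")
	}
	if c.TenantID == "" {
		return Claims{}, errors.New("token carries no tenant context")
	}
	return c, nil
}

// Authorize is the per-tenant scoping check: the tenant in the request path
// must equal the tenant bound into the token, so a valid token for one tenant
// cannot read another tenant's resources.
func Authorize(token string, secret []byte, path string, now time.Time) (Claims, error) {
	c, err := VerifyHS256(token, secret, now)
	if err != nil {
		return Claims{}, err
	}
	segs := strings.Split(strings.TrimPrefix(path, "/"), "/")
	if len(segs) < 2 || segs[0] != "tenants" {
		return Claims{}, errors.New("request path carries no tenant")
	}
	if segs[1] != c.TenantID {
		return Claims{}, errors.New("cross-tenant access denied")
	}
	return c, nil
}

func main() {
	secret := []byte("constructed-demo-secret") // stand-in for the IdP signing key
	now := time.Now()
	tok, _ := SignHS256(Claims{Sub: "user-1", TenantID: "t-acme", Exp: now.Add(time.Hour).Unix()}, secret)
	for _, path := range []string{"/tenants/t-acme/scans", "/tenants/t-globex/scans"} {
		_, err := Authorize(tok, secret, path, now)
		fmt.Printf("%s -> %v\n", path, err)
	}
}
```

The tenant comparison uses the claim the identity provider signed, never a tenant identifier supplied by the client in a header or body, which is what makes the scoping enforceable at the API layer.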

4. Evidence Integrity

  • Every scan result is SHA-256 hashed at collection time.
  • Evidence packages include verifiable integrity hashes — your auditor can independently confirm no tampering occurred.
  • 400-day retention supports audit lookback requirements across all major frameworks.

5. Encryption

  • Data at rest: AES-256 via AWS KMS with envelope encryption for stored credentials.
  • Data in transit: TLS 1.2+ enforced on all API endpoints.
  • KMS keys are rotated automatically. Stored credentials use envelope encryption with per-tenant data keys.
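Envelope encryption with per-tenant data keys, as an added example in Go that is not Cloud Evidence's own code: each stored credential is encrypted under a fresh 256-bit data key, and that data key is in turn wrapped under a master key, so the master key never touches bulk data and unwrapping can be scoped per tenant. The master key here is a local byte array standing in for the KMS key (with KMS, the wrap and unwrap would be GenerateDataKey and Decrypt calls and the key material would stay inside KMS); the tenant identifiers and credential value are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EnvelopeRecord is what gets persisted: the per-tenant data key wrapped under
// the master key, and the credential encrypted under that data key.
type EnvelopeRecord struct {
	TenantID   string
	WrappedDEK []byte // nonce || AES-256-GCM(masterKey, dek, aad=tenantID)
	Ciphertext []byte // nonce || AES-256-GCM(dek, credential, aad=tenantID)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealGCM encrypts plaintext under key with a fresh random nonce and returns
// nonce||ciphertext; aad is authenticated but not encrypted.
func sealGCM(key, plaintext, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}

// openGCM reverses sealGCM; tampering, a wrong key or a wrong aad all surface
// as an authentication error rather than as garbage plaintext.
func openGCM(key, data, aad []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, data[:g.NonceSize()], data[g.NonceSize():], aad)
}

// Encrypt performs envelope encryption for one credential: generate a data
// key, seal the credential under it, then wrap the data key under the master
// key. masterKey is a local stand-in for the KMS key.
func Encrypt(masterKey []byte, tenantID string, credential []byte) (EnvelopeRecord, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return EnvelopeRecord{}, err
	}
	aad := []byte(tenantID) // binds both layers to the tenant
	ct, err := sealGCM(dek, credential, aad)
	if err != nil {
		return EnvelopeRecord{}, err
	}
	wrapped, err := sealGCM(masterKey, dek, aad)
	if err != nil {
		return EnvelopeRecord{}, err
	}
	return EnvelopeRecord{TenantID: tenantID, WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the data key for the requesting tenant and opens the
// credential; a record belonging to another tenant fails at the unwrap step.
func Decrypt(masterKey []byte, rec EnvelopeRecord, tenantID string) ([]byte, error) {
	aad := []byte(tenantID)
	dek, err := openGCM(masterKey, rec.WrappedDEK, aad)
	if err != nil {
		return nil, errors.New("data key unwrap failed: wrong master key or tenant")
	}
	return openGCM(dek, rec.Ciphertext, aad)
}

func main() {
	master := make([]byte, 32) // constructed stand-in for the KMS key
	io.ReadFull(rand.Reader, master)
	rec, err := Encrypt(master, "t-acme", []byte("constructed-sample-credential"))
	if err != nil {
		panic(err)
	}
	pt, err := Decrypt(master, rec, "t-acme")
	fmt.Printf("same tenant: %q, err=%v\n", pt, err)
	_, err = Decrypt(master, rec, "t-globex")
	fmt.Println("other tenant:", err)
}
```

Binding the tenant ID as associated data means a record cannot be re-attributed to another tenant by editing a database row: the wrapped key only unwraps for the tenant it was issued to.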

6. Network & API Security

  • API rate limiting enforced per tenant to prevent abuse.
  • CORS lockdown — API only accepts requests from authorized origins.
  • Credential rotation supported and enforced for scanner role assumptions.

7. Auditor Compatibility

Evidence packages are generated as structured JSON with SHA-256 integrity verification. The format is compatible with evidence requirements from major audit firms. Each scan includes:

  • Timestamped configuration state at collection time
  • Control-level pass/fail assessments per framework
  • Verifiable SHA-256 integrity hashes
  • 400+ days of historical evidence for lookback
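The integrity mechanism described in sections 4 and 7, as an added Go example that is not Cloud Evidence's evidence format or code: a structured JSON package is serialized canonically (sorted keys, fixed field order), hashed with SHA-256 at collection time, and an auditor recomputes the hash independently to confirm nothing changed. The package fields, control IDs and configuration values are constructed for the example.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Control is one control-level assessment in a scan.
type Control struct {
	ID        string `json:"id"`
	Framework string `json:"framework"`
	Status    string `json:"status"` // "pass" or "fail"
}

// EvidencePackage is the structured JSON an auditor receives. The field set is
// an assumption for this example.
type EvidencePackage struct {
	TenantID    string            `json:"tenant_id"`
	CollectedAt string            `json:"collected_at"` // RFC 3339 timestamp of collection
	ConfigState map[string]string `json:"config_state"` // resource -> observed setting
	Controls    []Control         `json:"controls"`
	Integrity   string            `json:"integrity_sha256,omitempty"`
}

// canonical returns a deterministic encoding of everything except the hash
// field: re-encoding through a generic map sorts keys at every level.
func canonical(p EvidencePackage) ([]byte, error) {
	p.Integrity = ""
	raw, err := json.Marshal(p)
	if err != nil {
		return nil, err
	}
	var generic map[string]any
	if err := json.Unmarshal(raw, &generic); err != nil {
		return nil, err
	}
	delete(generic, "integrity_sha256")
	return json.Marshal(generic)
}

// Seal computes the SHA-256 of the canonical form at collection time and
// embeds it in the package.
func Seal(p EvidencePackage) (EvidencePackage, error) {
	c, err := canonical(p)
	if err != nil {
		return p, err
	}
	sum := sha256.Sum256(c)
	p.Integrity = hex.EncodeToString(sum[:])
	return p, nil
}

// Verify is the auditor-side check: recompute the hash from the package
// contents and compare it with the embedded value.
func Verify(p EvidencePackage) error {
	if p.Integrity == "" {
		return errors.New("package carries no integrity hash")
	}
	c, err := canonical(p)
	if err != nil {
		return err
	}
	sum := sha256.Sum256(c)
	if subtle.ConstantTimeCompare([]byte(hex.EncodeToString(sum[:])), []byte(p.Integrity)) != 1 {
		return errors.New("integrity hash mismatch: evidence was modified after collection")
	}
	return nil
}

// Export and Import are the JSON round trip between vendor and auditor.
func Export(p EvidencePackage) ([]byte, error) { return json.MarshalIndent(p, "", "  ") }

func Import(raw []byte) (EvidencePackage, error) {
	var p EvidencePackage
	err := json.Unmarshal(raw, &p)
	return p, err
}

func main() {
	pkg := EvidencePackage{ // constructed sample scan
		TenantID:    "t-acme",
		CollectedAt: "2024-01-15T10:00:00Z",
		ConfigState: map[string]string{"s3:bucket/logs:versioning": "Enabled"},
		Controls:    []Control{{ID: "CC6.1", Framework: "SOC2", Status: "fail"}},
	}
	sealed, _ := Seal(pkg)
	raw, _ := Export(sealed)
	fmt.Println(string(raw))
	received, _ := Import(raw)
	fmt.Println("verify as received:", Verify(received))
	received.Controls[0].Status = "pass" // post-collection edit
	fmt.Println("verify after edit:", Verify(received))
}
```

One caveat for auditors: a hash embedded in the package proves the contents match the hash, not who produced it. To rule out a package that was edited and re-hashed, the hash should be obtained through a second channel (the vendor's API, a signed manifest, or an auditor portal) and compared against the recomputed value.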

Have security questions? We're happy to walk through our architecture with your team.