When initiating a free scan, you can either use an AWS access key and secret or a key, secret, and session token. While we would prefer you to use session tokens with a short expiration, we understand that generating these is more time-consuming and requires use of the AWS API. Regardless of which method you choose, CloudSploit does not store your secret or session token on its servers, in storage, in logs, or anywhere else besides the in-memory process required to execute the AWS API calls. The same is true for all scan results; they are processed in-memory and sent back as part of the web request. The results are not stored persistently by CloudSploit in any manner and cannot be retrieved after they are returned to the browser.
CloudSploit has disabled the storage and use of access keys and secrets within its accounts. Instead, all AWS accounts can now be connected via third-party cross-account IAM roles, as recommended by AWS. This feature is a security enhancement that allows users to share limited access to their AWS accounts (access enforced with IAM policies) with the CloudSploit AWS account. CloudSploit can then make API calls within the user's account by generating temporary session credentials using an external ID. This method of access is much more secure than key-based access because it only allows API calls originating from CloudSploit. If an attacker were to steal the external ID or the IAM role ARN, they still could not make calls to the user's account because AWS would not validate those calls.
To facilitate the detection of abuse, we log: timestamps, IP addresses, user agents, keys, and URL paths. This information is encrypted at rest and deleted after 30 days. For free scans, this is also used to limit the number of concurrent scans run by any single user in order to ensure a reliable service for everyone. We also use Google Analytics to determine usage patterns and improve site performance, but you may easily opt out of this by installing Ghostery, Disconnect, or other tracking-blocking ad-ons. We do not and will not, under any circumstance, sell or release this information unless required by court order.
When signing up for an account, you agree to give CloudSploit some information and the right to store that information in exchange for the convenience of a service-based product. The only information required to create an account is an email address and password. We validate the email address to ensure that sensitive scan results are being sent to the correct account.
Payments and Billing
CloudSploit offers several paid services, which require us to collect payment information. To do this, we utilize Stripe, a PCI-compliant, security-focused payments company. When you enter your payment information on CloudSploit, it is submitted directly to Stripe which then returns a temporary token. Our servers use this token to subscribe your account to a particular plan. Our servers never see your payment information.
Tracking and Cookies
If you would like more information about how CloudSploit manages your data, please contact us at firstname.lastname@example.org.