Security & trust

Security you can verify

A security tool has to earn the trust it asks for. CSPM.io connects to your cloud with read-only, least-privilege access, installs nothing, and is built so you can confirm exactly what it can and cannot do — by design, not by promise.

  • Read-only by default
  • No agents installed
  • No inbound access
  • Unique external ID per account

Access model

Least-privilege by design

CSPM.io is granted only what it needs to read your configuration — and nothing that could change it.

Read-only cross-account role

You connect CSPM.io with a cross-account IAM role scoped to security audit and read-only permissions. We assume that role to inspect your configuration — we never get write access by default.

  • Read-only permissions — built on AWS SecurityAudit; no mutating actions.
  • No write access by default — remediation code is generated for you to review and apply yourself.
  • You own the role — revoke access instantly by deleting it in your own account.

A unique external ID per account

Every connected account is assigned its own cryptographically generated external ID. The trust policy on your role requires that exact value, so the role can only be assumed for the account it belongs to.

  • Prevents the confused-deputy attack — the external ID must match exactly, so a role can't be tricked into being assumed on another tenant's behalf.
  • Unguessable and unique — generated with secure randomness and bound to your tenant and account.
  • Self-documenting — every assume-role event is attributable to a specific tenant and account.
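One way to confirm the external-ID requirement on a role yourself is to audit its trust policy document. The following is an added example, not CSPM.io's own code; the account ID, the external ID value and the function names are placeholders chosen for illustration.

```python
import json

# Constructed sample trust policies; account ID and external ID are placeholders.
SCOPED = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow", "Action": "sts:AssumeRole",
  "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
  "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}""")
OPEN = json.loads("""{"Version": "2012-10-17", "Statement": {
  "Effect": "Allow", "Action": ["sts:AssumeRole"], "Principal": {"AWS": "*"}}}""")


def _as_list(value):
    # IAM allows a single value or a list in most policy fields.
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy, expected_external_id):
    """List the ways a role trust policy fails to require the exact external ID."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & {"sts:assumerole", "sts:*", "*"}:
            continue  # not a statement that grants role assumption
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in _as_list(aws):
            findings.append(f"statement {i}: any AWS principal may assume the role")
        # Only an exact-match operator counts; StringLike would permit wildcards.
        exact = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for k, vals in exact.items() if k.lower() == "sts:externalid"
               for v in _as_list(vals)]
        if not ids:
            findings.append(f"statement {i}: no StringEquals condition on sts:ExternalId")
        elif ids != [expected_external_id]:
            findings.append(f"statement {i}: external ID differs from the expected value")
    return findings


if __name__ == "__main__":
    for name, doc in (("scoped", SCOPED), ("open", OPEN)):
        print(name, audit_trust_policy(doc, "EXAMPLE-EXTERNAL-ID") or "ok")
```

The input is the role's `AssumeRolePolicyDocument`, as returned by `aws iam get-role`.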

No agents to install

CSPM.io scans your cloud through native provider APIs. There is no software to deploy into your workloads, no sidecars, and no kernel modules — nothing new to patch or maintain on your side.

  • Agentless — no binaries running inside your accounts.
  • Nothing to maintain — no agent fleet to upgrade or secure.
  • API-native collection — uses the cloud's own audit interfaces.

No inbound network access

CSPM.io never needs a path into your network. It connects outbound to provider APIs using the role you grant — there are no firewall holes, VPN tunnels or open ports required.

  • No open ports — nothing listening on your side.
  • No VPN or peering — no network bridge into your environment.
  • Outbound only — access flows from us to the cloud control plane, never the reverse.

Data handling

Your data, protected

We collect configuration metadata to assess posture — and protect it at every step.

Encrypted in transit and at rest

All communication with provider APIs and between platform services is protected with TLS. Stored data is encrypted at rest so configuration and findings stay protected throughout their lifecycle.

  • TLS in transit — encrypted connections end to end.
  • Encryption at rest — stored findings and metadata are encrypted.

Strict tenant isolation

CSPM.io is multi-tenant with PostgreSQL row-level security enforcing tenant boundaries at the database layer. Queries are scoped to your tenant, so one customer can never read another's data.

  • Row-level security — isolation enforced in the database, not just the app.
  • Tenant-scoped queries — every read and write is bound to your tenant.

Data minimization

We gather the configuration and security metadata needed to evaluate posture — not your application data. Sensitive identifiers are kept out of stored properties wherever they aren't required for analysis.

  • Metadata, not payloads — focused on configuration and posture.
  • Collect only what's needed — scope limited to what drives findings.

Configurable retention

You control how long historical findings and scan data are kept. Retention windows are configurable so you can align with your own data-governance and compliance requirements.

  • You set the window — tune retention to your policy.
  • Lifecycle managed — older data ages out on your schedule.

Architecture

Architecture & access controls

Authentication, key management and auditing built into the platform's foundations.

RSA / JWT authentication

Service-to-service authentication uses RSA-signed JWTs (RS256). Tokens are signed with a private key and verified against the public key, so trust is cryptographic and centrally controlled.

  • Asymmetric signing — RS256 with separate signing and verifying keys.
  • Scoped issuance — tokens carry a defined issuer and audience.

Scoped API keys

Programmatic access uses API keys with granular permissions and per-key rate limits. Keys are stored hashed — never in plaintext — and can be rotated or revoked instantly without redeploying anything.

  • Rotation & revocation — retire a key the moment it's no longer trusted.
  • Hashed at rest — keys are never stored in the clear.
  • Granular scope — each key grants only the permissions it needs.
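A sketch of how hashed-at-rest, scoped and revocable API keys can fit together, as an added example that is not CSPM.io's implementation. The `ApiKeyStore` class, the `key_id.secret` format, the scope names and the choice of SHA-256 are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets


class ApiKeyStore:
    """Hypothetical in-memory store that keeps only a digest of each key."""

    def __init__(self):
        self._records = {}  # key_id -> {"digest", "scopes", "revoked"}

    def issue(self, scopes):
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)  # 256 random bits, so a fast hash suffices
        self._records[key_id] = {
            "digest": hashlib.sha256(secret.encode()).digest(),
            "scopes": frozenset(scopes),
            "revoked": False,
        }
        return f"{key_id}.{secret}"  # returned once to the caller, never stored

    def revoke(self, key_id):
        self._records[key_id]["revoked"] = True  # takes effect on the next check

    def rotate(self, key_id):
        # Rotation issues a replacement with the same scopes and retires the old key.
        replacement = self.issue(self._records[key_id]["scopes"])
        self.revoke(key_id)
        return replacement

    def authorize(self, presented, scope):
        key_id, _, secret = presented.partition(".")
        record = self._records.get(key_id)
        if record is None or record["revoked"]:
            return False
        candidate = hashlib.sha256(secret.encode()).digest()
        # Constant-time comparison avoids leaking digest prefixes through timing.
        if not hmac.compare_digest(candidate, record["digest"]):
            return False
        return scope in record["scopes"]


if __name__ == "__main__":
    store = ApiKeyStore()
    key = store.issue({"findings:read"})
    print(store.authorize(key, "findings:read"), store.authorize(key, "scans:write"))
```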

Audit logging

Authentication attempts and key usage are tracked for traceability. Because every external ID is bound to a tenant and account, audit records are self-documenting and easy to attribute.

  • Tracked authentication — visibility into who accessed what.
  • Attributable events — actions trace back to tenant and account.

Role-based access

Within your organization, access is governed by roles so people see and do only what their role allows. Combined with tenant isolation, that keeps the right data in front of the right people.

  • Role-scoped permissions — least privilege for your team, too.
  • Approval-gated actions — sensitive workflows require sign-off.

Deployment

Run it where it belongs

Choose the deployment model that fits your data-residency and governance needs.

Fastest start

SaaS

Our fully managed cloud. Connect a read-only role and get your first prioritized findings in minutes — we handle the upgrades, scaling and operational security.

Customer-managed

Self-hosted

Run CSPM.io inside your own environment for full control over where data lives. Ideal for data-residency-sensitive organizations that need findings to stay within their boundary.

Compliance

Compliance & frameworks

Built to align with the standards your auditors care about.

CIS Benchmarks
PCI DSS
AWS Well-Architected

CSPM.io maps its checks to recognized frameworks including CIS Benchmarks, PCI DSS and the AWS Well-Architected Framework, with continuous monitoring and audit-ready reporting. The platform is designed to support your own compliance programs — helping you gather evidence and demonstrate control for obligations such as SOC 2, HIPAA and PCI DSS. CSPM.io is a tool that helps you meet your obligations; using it does not, in itself, confer any certification. We're happy to discuss our security practices in detail during evaluation.

Responsible disclosure

Found something? Tell us.

We welcome reports from security researchers and customers. If you believe you've discovered a vulnerability in CSPM.io, please reach out so we can investigate and fix it quickly. We'll work with you in good faith and keep you updated on remediation.

Trust, but verify

Connect a read-only role and see exactly what CSPM.io can — and can't — do in your cloud.