Security & Data Protection

How we protect your data and ensure your AWS infrastructure stays secure

How We Access Your AWS Account

IAM Role Assumption (Most Secure Method)

AuditBeam uses cross-account IAM role assumption (AWS STS AssumeRole), the method AWS recommends for giving a third party access to your account. We never ask for your AWS access keys or passwords.

What This Means:

  • You stay in control: You create an IAM role in your own AWS account and attach only the permissions it needs
  • Read-only access: The role's permissions allow only read, list and describe calls, so we can view your configuration but never change it
  • No stored credentials: We never hold your AWS access keys; each scan assumes the role through AWS STS and receives short-lived temporary credentials
  • Revoke anytime: Delete the IAM role in your AWS console and we lose access immediately

What We Access:

✅ What We CAN See:

  • IAM users, roles, and policies
  • S3 bucket configurations (not contents)
  • EC2 instances and security groups
  • CloudTrail and CloudWatch settings
  • VPC and network configurations
  • Encryption settings (KMS key configuration)
  • Resource metadata and tags

❌ What We CANNOT See:

  • Your application data
  • S3 bucket contents (files)
  • Database contents
  • EC2 file systems
  • Secrets or passwords
  • Customer PII
  • Anything not related to infrastructure configuration
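
The role setup described above, as an added example (this is not AuditBeam's own code, and the page does not publish AuditBeam's actual policy): a trust policy that lets only one vendor account assume the role and only when it presents an ExternalId (the AWS-recommended guard against the confused-deputy problem for third-party access), a permission policy limited to configuration reads, and a small checker you can run over the JSON of any role you create to confirm it grants neither write actions nor data-reading actions such as s3:GetObject. The account ID, external ID and the action lists are placeholders and assumptions.

```python
"""Check that a cross-account role created for a read-only scanner really is
limited to configuration reads. Added example, not AuditBeam's own code."""
import fnmatch

# Placeholders (assumptions, not values from AuditBeam): use the account ID and
# external ID the vendor gives you during onboarding.
VENDOR_ACCOUNT_ID = "111111111111"
EXTERNAL_ID = "example-external-id"

# Trust policy: only the vendor's account may call sts:AssumeRole on this role,
# and only when it presents the agreed ExternalId (confused-deputy protection).
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{VENDOR_ACCOUNT_ID}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Permission policy: an illustrative subset of configuration reads for the
# services listed above. It deliberately omits s3:GetObject and all writes.
PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:Get*", "iam:List*",
            "s3:GetBucket*", "s3:GetEncryptionConfiguration", "s3:ListAllMyBuckets",
            "ec2:Describe*", "cloudtrail:DescribeTrails", "cloudtrail:GetTrailStatus",
            "cloudwatch:DescribeAlarms", "kms:ListKeys", "kms:DescribeKey",
            "kms:GetKeyRotationStatus", "tag:GetResources",
        ],
        "Resource": "*",
    }],
}

READ_ONLY_VERBS = ("Describe", "List", "Get")

# Read-verb actions that return data rather than configuration. A metadata-only
# scanner must not be granted these. Illustrative, not exhaustive.
DATA_ACCESS_ACTIONS = (
    "s3:GetObject", "s3:GetObjectVersion", "secretsmanager:GetSecretValue",
    "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath",
    "dynamodb:GetItem", "dynamodb:Scan", "dynamodb:Query", "kms:Decrypt",
    "lambda:GetFunction",  # returns a download URL for the deployment package
)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, vendor_account_id, external_id):
    """Return findings; empty means only the vendor account, with the agreed
    ExternalId, can assume the role."""
    findings = []
    expected = f"arn:aws:iam::{vendor_account_id}:root"
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = ([p for v in principal.values() for p in _as_list(v)]
                      if isinstance(principal, dict) else [principal])
        for p in principals:
            if p != expected:
                findings.append(f"principal {p!r} is not {expected!r}")
        for action in _as_list(stmt.get("Action", [])):
            if action != "sts:AssumeRole":
                findings.append(f"trust policy allows {action}, expected only sts:AssumeRole")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if condition.get("sts:ExternalId") != external_id:
            findings.append("sts:ExternalId condition missing or wrong (confused-deputy risk)")
    return findings


def check_permission_policy(policy):
    """Return findings for any Allow that could modify resources or read data."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction allows everything not listed; use an explicit Action list")
        for action in _as_list(stmt.get("Action", [])):
            service, _, verb = action.partition(":")
            if action == "*" or verb in ("", "*"):
                target = "all services" if action == "*" else service
                findings.append(f"{action} grants every action on {target}")
            elif not verb.startswith(READ_ONLY_VERBS):
                findings.append(f"{action} is not a Describe/List/Get action")
            else:
                for hit in DATA_ACCESS_ACTIONS:
                    if fnmatch.fnmatchcase(hit, action):  # wildcard such as s3:Get* covers s3:GetObject
                        findings.append(f"{action} matches {hit}, which reads data, not configuration")
    return findings


if __name__ == "__main__":
    print("trust:", check_trust_policy(TRUST_POLICY, VENDOR_ACCOUNT_ID, EXTERNAL_ID) or "OK")
    print("permissions:", check_permission_policy(PERMISSION_POLICY) or "OK")
```

To check a role you have already created, fetch its documents with `aws iam get-role` and `aws iam get-role-policy` (or `get-policy-version` for managed policies) and pass the parsed JSON to the two functions. The wildcard check matters: a tempting shortcut like `s3:Get*` quietly includes `s3:GetObject`, which is exactly the bucket-contents access the list above says a scanner should not have.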

What We Store

Data We Collect:

  • Account Information: Your email, name and password (stored only as a bcrypt hash, never in plaintext)
  • AWS Metadata: Account IDs, region names, resource ARNs, IAM role ARNs
  • Scan Results: Compliance check results, timestamps, pass/fail status
  • Infrastructure Details: Resource configurations (e.g., "S3 bucket has encryption enabled")

We Do NOT Store:

  • AWS access keys or secret keys
  • Your application data or customer data
  • File contents from S3 or EC2
  • Database records or backups
  • Any PII from your customers

EU Data Residency

Your data never leaves the European Union.

  • Application hosted in: European Union (Germany)
  • Database hosted in: European Union (same server)
  • Backups stored in: European Union (encrypted)
  • GDPR compliant: Built to meet EU privacy standards

Our Security Practices

Encryption in Transit

All data is encrypted using TLS 1.2+ when transmitted between your browser and our servers.

Encryption at Rest

Database is encrypted at rest. All backups are encrypted before storage.

Password Security

Passwords are hashed using bcrypt with strong work factors. We never store plaintext passwords.

Session Management

Secure, HttpOnly cookies with 12-hour timeout. Sessions invalidated on logout.

Infrastructure Security

Firewall configured with strict rules. Security updates are applied regularly.

Access Control

Internal access is kept to the minimum needed. All access is validated, monitored and logged.

Your Rights & Controls

Revoke Access Anytime

Delete the IAM role from your AWS console and we immediately lose access, or remove your AWS account from the AuditBeam dashboard.

Delete Your Data (GDPR Right to Erasure)

Request account deletion via support@auditbeam.eu. We'll delete all your data within 30 days.

Export Your Data (GDPR Right to Portability)

Request a copy of your data in JSON format. We'll provide it within 30 days.

Data Retention

  • Free tier: Scan results retained for 30 days
  • Paid tiers: Scan results retained for 365 days
  • Account data: Retained until you request deletion

Compliance & Standards

GDPR Compliant

We follow EU General Data Protection Regulation requirements including data minimization, purpose limitation, and your rights to access and deletion.

AWS Security Best Practices

Our AWS access pattern follows the security pillar of the AWS Well-Architected Framework: cross-account IAM roles with least-privilege permissions.

Security Incident Response

If you discover a security vulnerability or have security concerns:

  • Email: support@auditbeam.eu with subject "SECURITY"
  • Response time: We'll respond within 24 hours
  • Disclosure: We'll work with you on responsible disclosure

Questions?

If you have questions about our security practices, contact us at support@auditbeam.eu