Security & Trust
We are a security company. How we handle your infrastructure access is something we take extremely seriously.
Credential security
- ✓ Cloud credentials encrypted at rest with AES-256
- ✓ Credentials never logged or exposed in error messages
- ✓ Credentials deleted immediately when a connection is removed
- ✓ IAM roles preferred over long-lived access keys
Least privilege access
- ✓ Read-only permissions during all scans
- ✓ Remediation requires explicit per-finding approval
- ✓ No write access ever requested during scanning
- ✓ Minimum IAM permission set documented for each provider
Infrastructure security
- ✓ All data encrypted in transit with TLS 1.2+
- ✓ Database encrypted at rest
- ✓ Workers run in isolated containers
- ✓ Production access requires MFA
Auditability
- ✓ Full audit log of all admin and super admin actions
- ✓ Scan history retained for 12 months
- ✓ AI-suggested rule changes require human approval
- ✓ All remediation actions logged with user and timestamp
Responsible disclosure
If you discover a vulnerability in FixMyCloud, please report it to security@fixmycloud.ai. We acknowledge reports within 48 hours and aim to resolve confirmed vulnerabilities within 30 days. We do not pursue legal action against researchers who follow responsible disclosure principles.