Security & Trust
Last Updated: June 2026
MLCostIntel analyzes your AWS cost data to surface AI/ML spend insights. We are built on AWS and designed so that we only ever read the minimum data needed, over least-privilege access, with no ability to change your environment.
1. How we access your AWS account
- Read-only, scoped role. You grant access via a CloudFormation template that creates an IAM role limited to billing and cost-related read actions. We cannot create, modify, or delete any of your resources.
- Cross-account role with ExternalId. The role trusts only our platform account and requires a unique ExternalId (a confused-deputy guard).
- Short-lived sessions. Access uses temporary AWS STS sessions (max 1 hour). We never store your AWS access keys.
- Billing data only. We read your Cost and Usage Report and cost metadata — not application data, source code, databases, or logs.
- Revocable anytime. Delete the IAM role to immediately cut off access.
2. Encryption
- In transit: TLS 1.2+ everywhere; TLS 1.3 at the load balancer and CDN.
- At rest: AES-256. The primary database is encrypted with a customer-managed AWS KMS key (CMK) with automatic key rotation; object storage uses server-side encryption.
3. Tenant isolation
Every customer's data is logically isolated and scoped by tenant on every request. Customers cannot access one another's data; Marketplace and direct customers are not commingled.
4. Network & infrastructure
- Runs on AWS in the United States.
- Databases and application containers run in private subnets and are not publicly reachable; access is constrained by security groups.
- Secrets are stored in AWS Secrets Manager and injected at runtime — never hard-coded.
5. Logging & monitoring
- Account-wide API activity is recorded in AWS CloudTrail with log-file validation.
- Application and audit logs are retained for at least 90 days.
- Operational alarms cover service health, database, and event-processing failures.
6. Application security
- Authentication is fail-closed; sessions expire after one hour.
- Inbound webhooks (billing, identity, Marketplace) are cryptographically verified.
- Dependencies are continuously scanned for known vulnerabilities, with automated update PRs.
7. Subprocessors
We use a small number of vetted providers to operate the service:
| Provider | Purpose | Data |
|---|---|---|
| Amazon Web Services | Hosting, compute, storage, email (SES) | All service data (US region) |
| Clerk | Authentication / identity | Name, email, auth identifiers |
| Stripe | Payment processing (direct plans) | Billing contact & subscription data |
| Svix | Webhook delivery / verification | Webhook event payloads |
We do not sell your data or use it for advertising. See the Privacy Policy for details.
8. Compliance & data processing
- SOC 2 Type II is in progress.
- A Data Processing Addendum (DPA) and security questionnaires (e.g. CAIQ, SIG) are available on request for Enterprise customers.
- Data residency is the United States; data is deleted within 30 days of account closure.
9. Reporting a vulnerability
If you believe you have found a security issue, please email security@mlcostintel.com. We investigate all reports and ask that you give us a reasonable opportunity to remediate before public disclosure.
10. Contact
Security: security@mlcostintel.com · General: contact@mlcostintel.com
MLCostIntel LLC