Compliance
SOC 2 Type II
Please email hello@infracost.io to request our audit report or to submit a security questionnaire.
Security process
Infrastructure
Infracost uses Amazon Web Services to host our applications. We utilize AWS services for Intrusion Detection and Audit Logging and utilize VPCs and Security Groups to isolate our infrastructure.
Production environments are separated from development environments.
Application
Infracost uses code analysis and vulnerability scanning tools, including GitHub CodeQL, Dependabot and Snyk.
We implement best practices for our Software Development Lifecycle including continuous integration and deployment, review requests and code branch protection.
Data
All customer data stored by Infracost is encrypted at rest and during transit. All Infracost’s databases have regular backups enabled and periodically tested.
See our FAQ for more information about how Infracost handles user data to ensure security and privacy.
Responsible disclosure
If you believe you have found a security vulnerability within Infracost, please let us know right away. We’ll try and fix the problem as soon as possible.
Do not report vulnerabilities using public GitHub issues. Instead, email security@infracost.io with a detailed account of the issue. Please submit one issue per email, this helps us triage vulnerabilities.
Once we’ve received your email we’ll keep you updated as we fix the vulnerability.