SOC 2 Type II

Please email to request our audit report or to submit a security questionnaire.

Security process


Infracost uses Amazon Web Services to host our applications. We utilize AWS services for Intrusion Detection and Audit Logging and utilize VPCs and Security Groups to isolate our infrastructure.

Production environments are separated from development environments.


Infracost uses code analysis and vulnerability scanning tools, including GitHub CodeQL, Dependabot and Snyk.

We implement best practices for our Software Development Lifecycle including continuous integration and deployment, review requests and code branch protection.


All customer data stored by Infracost is encrypted at rest and during transit. All Infracost’s databases have regular backups enabled and periodically tested.

See our FAQ for more information about how Infracost handles user data to ensure security and privacy.

Responsible disclosure

If you believe you have found a security vulnerability within Infracost, please let us know right away. We’ll try and fix the problem as soon as possible.

Do not report vulnerabilities using public GitHub issues. Instead, email with a detailed account of the issue. Please submit one issue per email, this helps us triage vulnerabilities.

Once we’ve received your email we’ll keep you updated as we fix the vulnerability.