Security at Infracost

Infracost’s software is trusted by thousands of companies around the world, including many of the Fortune 500.

Responsible disclosure

If you believe you have found a security vulnerability within Infracost, please let us know right away. We'll try and fix the problem as soon as possible.

Do not report vulnerabilities using public GitHub issues. Instead, email with a detailed account of the issue. Please submit one issue per email, this helps us triage vulnerabilities.

Once we've received your email we'll keep you updated as we fix the vulnerability.


SOC 2 Type II
SOC 2 Type II

Please email to request our audit report or to submit a security questionnaire.

Security process


Infracost uses Amazon Web Services to host our applications. We utilize AWS services for Intrusion Detection and Audit Logging and utilize VPCs and Security Groups to isolate our infrastructure. Production environments are separated from development environments.

We use Vanta to continually monitor our AWS configurations are meeting our high security standards.


Infracost uses code analysis and vulnerability scanning tools, including GitHub CodeQL, Dependabot and Snyk.

We implement best practices for our Software Development Lifecycle including continuous integration and deployment, review requests and code branch protection.


All customer data stored by Infracost is encrypted at rest and during transit. All Infracost's databases have regular backups enabled and periodically tested.

See our FAQ for more information about how Infracost handles user data to ensure security and privacy.

Used by teams at

  • GitLab logo
  • HPE logo
  • Mango logo
  • BMW logo
  • HelloFresh logo
  • Clariant logo
  • Accenture logo
  • DAZN logo
  • Daimler logo
  • PicPay logo
  • J.P. Morgan logo
  • NBC Sports Group logo