Security at Infracost

If you believe you have found a security vulnerability within Infracost, please let us know right away. We'll try and fix the problem as soon as possible.

Do not report vulnerabilities using public GitHub issues. Instead, email security@infracost.io with a detailed account of the issue. Please submit one issue per email, this helps us triage vulnerabilities.

Once we've received your email we'll keep you updated as we fix the vulnerability.

SOC 2 Type II

Please email hello@infracost.io to request our audit report or to submit a security questionnaire.

Infrastructure

Infracost uses Amazon Web Services to host our applications. We utilize AWS services for Intrusion Detection and Audit Logging and utilize VPCs and Security Groups to isolate our infrastructure. Production environments are separated from development environments.

We use Vanta to continually monitor our AWS configurations are meeting our high security standards.

Application

Infracost uses code analysis and vulnerability scanning tools, including GitHub CodeQL, Dependabot and Snyk.

We implement best practices for our Software Development Lifecycle including continuous integration and deployment, review requests and code branch protection.

Data

All customer data stored by Infracost is encrypted at rest and during transit. All Infracost's databases have regular backups enabled and periodically tested.

See our FAQ for more information about how Infracost handles user data to ensure security and privacy.