Self-Hosted
Runs in your Azure subscription. Your data never leaves your tenant.
Read-Only Discovery
Scanning reads metadata only: names, expiry dates, properties. Never secret values.
Not Another Vault
We enhance your Key Vaults. We don't replace them.
Key principle: CertifyClouds runs entirely in YOUR Azure environment. Your data never leaves your tenant. We only validate your license key - nothing else.
Deployment Architecture
CertifyClouds deploys as a Docker container in your Azure subscription, with all data stored in your own PostgreSQL database.
Data Handling
We See
- Your license key (for validation)
- Your license tier and features
- Version check requests
Never Leaves Your Tenant
- Your secret values*
- Your scan results
- Your Azure credentials
- Your database contents
- Your AWS/GCP credentials (Automation Sync)
*During rotation, new credentials are generated via Azure APIs and propagated to dependent resources, all within your environment over TLS using Managed Identity. Values are held in memory only and never persisted or transmitted externally.
Authentication
CertifyClouds uses Azure Managed Identity - no credentials are stored in the container or configuration files.
How It Works
- User-Assigned Managed Identity: Created during deployment, attached to your container
- Azure RBAC: Identity is granted specific roles on Key Vaults and subscriptions
- Token-based: Azure AD issues short-lived tokens automatically
- No secrets stored: No service principal passwords or certificates in config
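The access pattern described above, as an added example (not CertifyClouds code): a user-assigned managed identity obtains its token from the platform identity endpoint at call time, and discovery lists secret properties (name, enabled flag, expiry) without ever calling get_secret. SecretMeta, triage_expiry and discover are this example's own names; the vault URL and client id are placeholders you supply. The Azure SDK imports are deferred into discover() so the triage helper runs and can be tested without the SDK or network.

```python
"""Metadata-only Key Vault discovery under a user-assigned managed identity.

Illustration only, not CertifyClouds code. Lists secret *properties* and never
calls get_secret, so the read-only roles from the permission matrix suffice.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, List, Optional, Tuple


@dataclass
class SecretMeta:
    """Subset of azure.keyvault.secrets.SecretProperties this example uses (assumed mapping)."""
    name: str
    enabled: bool
    expires_on: Optional[datetime]


def _utc(dt: datetime) -> datetime:
    """Treat naive datetimes as UTC so comparisons never raise."""
    return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)


def triage_expiry(props: Iterable[SecretMeta], within_days: int,
                  now: datetime) -> Tuple[List[str], List[str], List[str]]:
    """Split enabled secrets into (expired, expiring_soon, no_expiry) name lists.

    Disabled secrets are skipped. Secrets without expires_on are reported on
    their own because "never expires" defeats any rotation policy.
    """
    now = _utc(now)
    horizon = now + timedelta(days=within_days)
    expired, soon, no_expiry = [], [], []
    for p in props:
        if not p.enabled:
            continue
        if p.expires_on is None:
            no_expiry.append(p.name)
        elif _utc(p.expires_on) <= now:
            expired.append(p.name)
        elif _utc(p.expires_on) <= horizon:
            soon.append(p.name)
    return sorted(expired), sorted(soon), sorted(no_expiry)


def discover(vault_url: str, uami_client_id: str) -> List[SecretMeta]:
    """Live call: list secret metadata from one vault with a managed identity."""
    # Deferred imports: azure-identity / azure-keyvault-secrets are only needed here.
    from azure.identity import ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient

    # The token is fetched from the identity endpoint when first needed; nothing is
    # read from config or environment. client_id selects the user-assigned identity.
    credential = ManagedIdentityCredential(client_id=uami_client_id)
    client = SecretClient(vault_url=vault_url, credential=credential)

    # list_properties_of_secrets needs only Microsoft.KeyVault/vaults/secrets/readMetadata/action
    # and returns SecretProperties objects that carry no secret value.
    return [SecretMeta(p.name, bool(p.enabled), p.expires_on)
            for p in client.list_properties_of_secrets()]


if __name__ == "__main__":
    import sys
    # usage: python discover.py https://<vault>.vault.azure.net <uami-client-id>
    vault, client_id = sys.argv[1], sys.argv[2]
    expired, soon, never = triage_expiry(discover(vault, client_id), 30, datetime.now(timezone.utc))
    print(f"expired={expired}\nexpiring_within_30d={soon}\nno_expiry={never}")
```

If your policy forbids even the possibility of value reads, check which data actions the assigned roles carry; the call above works with Key Vault Reader alone because that role includes the readMetadata data action.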
Permission Matrix
CertifyClouds requests only the minimum permissions needed for each feature.
| Permission | Scope | Purpose | Required For |
|---|---|---|---|
| Reader | Subscription | List Key Vaults and resources | All features |
| Key Vault Reader | Per Key Vault | Read vault metadata and properties | Assets Discovery |
| Key Vault Secrets User | Per Key Vault | List secrets and read their metadata (the built-in role also grants getSecret on values; Discovery never calls it) | Assets Discovery |
| Key Vault Secrets Officer | Per Key Vault | Create and update secrets | Automation Rotation (Pro) |
| Key Vault Certificates Officer | Per Key Vault | Create and update certificates | Automation Rotation (Pro) |
| Application.ReadWrite.All | Microsoft Graph (tenant-wide) | Rotate App Registration secrets | Automation Rotation (Pro) |
Important: Assets Discovery (Starter tier) uses read-only permissions - the application reads secret metadata (names, expiry dates) but never the actual secret values. Automation Rotation (Pro tier) generates new credentials via Azure APIs and propagates them to dependent resources. Secret values are handled in memory within your environment and never persisted or transmitted externally. Note for reviewers: Application.ReadWrite.All is a Microsoft Graph application permission, not an Azure RBAC role; it is tenant-wide and allows modifying any app registration, so grant it only when Automation Rotation is actually in use.
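A way to verify that a deployed identity holds nothing beyond the matrix, added here as an example (not CertifyClouds code): feed it the output of az role assignment list --assignee <principal-id> --all -o json and it flags roles the matrix never asks for, Pro-only roles on a Starter deployment, and per-vault roles granted at subscription or resource-group scope. audit_assignments, MATRIX and the "starter"/"pro" labels are this example's own; the sample assignments are constructed. Graph application permissions are not Azure RBAC and will not appear in this listing.

```python
"""Audit a managed identity's Azure RBAC assignments against the permission matrix.

Added example, not CertifyClouds code. Consumes roleDefinitionName and scope from
`az role assignment list --assignee <principalId> --all -o json`.
"""
import re
from typing import Dict, List

SUBSCRIPTION_SCOPE = re.compile(r"^/subscriptions/[^/]+$", re.I)
VAULT_SCOPE = re.compile(
    r"^/subscriptions/[^/]+/resourceGroups/[^/]+"
    r"/providers/Microsoft\.KeyVault/vaults/[^/]+$", re.I)

# role -> (scope the matrix expects, tiers that may hold the role)
# "starter"/"pro" are this example's labels for the Starter and Pro tiers.
MATRIX = {
    "Reader": (SUBSCRIPTION_SCOPE, {"starter", "pro"}),
    "Key Vault Reader": (VAULT_SCOPE, {"starter", "pro"}),
    "Key Vault Secrets User": (VAULT_SCOPE, {"starter", "pro"}),
    "Key Vault Secrets Officer": (VAULT_SCOPE, {"pro"}),
    "Key Vault Certificates Officer": (VAULT_SCOPE, {"pro"}),
}


def audit_assignments(assignments: List[Dict[str, str]], tier: str) -> List[str]:
    """Return excess-privilege findings; an empty list means the identity fits the matrix.

    Flags: a role the matrix never asks for (Owner, Contributor, Key Vault
    Administrator, ...), a Pro-only role on a Starter deployment, and a per-vault
    role granted at subscription or resource-group scope.
    """
    findings: List[str] = []
    for a in assignments:
        role, scope = a["roleDefinitionName"], a["scope"]
        if role not in MATRIX:
            findings.append(f"unexpected role '{role}' at {scope}")
            continue
        expected_scope, tiers = MATRIX[role]
        if tier not in tiers:
            findings.append(f"'{role}' is not needed on the {tier} tier ({scope})")
        if not expected_scope.match(scope):
            findings.append(f"'{role}' granted at over-broad scope {scope}")
    return findings


# Constructed sample in the shape of `az role assignment list` output (not real data).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-certifyclouds"
KV = RG + "/providers/Microsoft.KeyVault/vaults/kv-prod"
SAMPLE = [
    {"roleDefinitionName": "Reader", "scope": SUB},
    {"roleDefinitionName": "Key Vault Reader", "scope": KV},
    {"roleDefinitionName": "Key Vault Secrets User", "scope": KV},
    {"roleDefinitionName": "Key Vault Secrets Officer", "scope": SUB},  # per-vault role, too broad
    {"roleDefinitionName": "Key Vault Administrator", "scope": RG},    # never in the matrix
]

if __name__ == "__main__":
    import json
    import sys
    # usage: az role assignment list --assignee <principal-id> --all -o json | python audit.py pro
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    tier = sys.argv[1] if len(sys.argv) > 1 else "starter"
    for finding in audit_assignments(data, tier) or ["OK: assignments match the matrix"]:
        print(finding)
```

Run it once after deployment and again after any setup-script rerun; the Secrets Officer and Certificates Officer rows are where scope creep (a grant at resource-group level "for convenience") usually shows up.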
Encryption
Data at Rest
- Database: Azure PostgreSQL Flexible Server with encryption at rest (Azure-managed keys)
- AWS/GCP Credentials (Automation Sync): Encrypted at rest using your application secret before being stored
Data in Transit
- Azure APIs: TLS 1.2+ (enforced by Azure)
- Database: TLS connection (enforced by Azure PostgreSQL)
- License Server: HTTPS/TLS 1.3
Network Security
- No public IP: Container Apps/ACI deployed with internal-only ingress
- VNet integrated: Application runs in your VNet subnet
- Private endpoints: Supported for Key Vault and PostgreSQL
- Firewall compatible: Setup script adds subnet to Key Vault firewall rules
Outbound Connections
CertifyClouds makes these outbound calls:
| Destination | Purpose | Frequency |
|---|---|---|
| license.certifyclouds.com | License validation | On startup + daily |
| management.azure.com | Azure Resource Manager API | During scans/operations |
| *.vault.azure.net | Key Vault data plane | During scans/rotations |
| graph.microsoft.com | App Registration rotation | Automation Rotation only |
| secretsmanager.*.amazonaws.com | AWS Secrets Manager | Automation Sync only |
| secretmanager.googleapis.com | GCP Secret Manager | Automation Sync only |
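A check a platform team can run over its own egress logs to confirm the container talks only to the destinations in this table, added here as an example (not CertifyClouds code). The allowlist mirrors the table; a '*' matches exactly one DNS label, so '*.vault.azure.net' matches kv-prod.vault.azure.net but not a deeper name under it. Destinations tied to a feature are flagged when that feature is not enabled, and anything not on port 443 is flagged because every listed endpoint is TLS. check_egress, host_matches, the "rotation"/"sync" feature labels and the key=value log shape are this example's own; the log lines are constructed.

```python
"""Check observed outbound connections against the destination table.

Added example, not CertifyClouds code. Adapt parse_line() to your proxy or
NSG flow log format; the sample lines below are constructed.
"""
import re
from typing import List, Optional, Set, Tuple

# (hostname pattern, feature that justifies it); None = expected for every tier.
ALLOWLIST: List[Tuple[str, Optional[str]]] = [
    ("license.certifyclouds.com", None),
    ("management.azure.com", None),
    ("*.vault.azure.net", None),
    ("graph.microsoft.com", "rotation"),
    ("secretsmanager.*.amazonaws.com", "sync"),
    ("secretmanager.googleapis.com", "sync"),
]
LINE = re.compile(r"dst=(?P<host>[^:\s]+):(?P<port>\d+)")


def host_matches(pattern: str, host: str) -> bool:
    """Label-wise match where '*' stands for exactly one DNS label."""
    p = pattern.lower().split(".")
    h = host.lower().rstrip(".").split(".")
    return len(p) == len(h) and all(a == "*" or a == b for a, b in zip(p, h))


def parse_line(line: str) -> Optional[Tuple[str, int]]:
    """Extract (host, port) from a 'dst=host:port' field; None if absent."""
    m = LINE.search(line)
    return (m["host"], int(m["port"])) if m else None


def check_egress(lines: List[str], enabled_features: Set[str]) -> List[str]:
    """Return one finding per unexpected destination or port; empty = all egress explained."""
    findings: List[str] = []
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        host, port = parsed
        rule = next(((pat, feat) for pat, feat in ALLOWLIST if host_matches(pat, host)), None)
        if rule is None:
            findings.append(f"unlisted destination {host}:{port}")
        elif port != 443:
            findings.append(f"{host} contacted on port {port}, expected 443 (TLS)")
        elif rule[1] and rule[1] not in enabled_features:
            findings.append(f"{host} is only expected with '{rule[1]}' enabled")
    return findings


SAMPLE_LOG = [  # constructed lines, not real traffic
    "2025-01-01T00:00:01Z src=10.0.1.4 dst=license.certifyclouds.com:443 action=allow",
    "2025-01-01T00:00:02Z src=10.0.1.4 dst=kv-prod.vault.azure.net:443 action=allow",
    "2025-01-01T00:00:03Z src=10.0.1.4 dst=management.azure.com:80 action=allow",
    "2025-01-01T00:00:04Z src=10.0.1.4 dst=secretsmanager.eu-west-1.amazonaws.com:443 action=allow",
    "2025-01-01T00:00:05Z src=10.0.1.4 dst=kv-prod.evil.vault.azure.net:443 action=allow",
    "2025-01-01T00:00:06Z src=10.0.1.4 dst=pastebin.com:443 action=allow",
]

if __name__ == "__main__":
    # Starter-style deployment: rotation and sync not enabled.
    for finding in check_egress(SAMPLE_LOG, set()) or ["OK: all egress matches the table"]:
        print(finding)
```

The same allowlist is what you would encode as Azure Firewall application rules or an egress proxy policy for the subnet; running the check against real flow logs before tightening the policy shows whether the table is complete for your deployment.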
Compliance Support
CertifyClouds helps organizations meet compliance requirements:
- Audit logging: Every action is logged with timestamp, actor, and details
- Compliance scoring: Pre-built rules aligned with industry standards
- Exportable reports: Generate reports for SOC2 and ISO27001 audits
- Secret rotation: Automated rotation helps meet credential lifecycle requirements
Note: CertifyClouds is designed to support compliance requirements but is not itself SOC2 or ISO27001 certified. The application helps you demonstrate controls; your overall compliance depends on your implementation and processes.
License Server
The license server validates your license key and returns your entitlements.
What Happens
- Your container sends your license key (e.g., CC-XXXX-XXXX-XXXX)
- Server returns: tier, features, expiry date
- No other data is transmitted
Offline Operation
- License is cached locally after successful validation
- If the license server is temporarily unreachable, the cached license is used for a configurable grace period
- Application continues to function during network outages
Security Questions?
If you have security questions or need additional documentation for your security review, contact us at security@certifyclouds.com.