We Never See Your Secrets

CertifyClouds runs in YOUR environment. Your data never leaves your network.

Self-Hosted

Runs in your Azure subscription. Nothing leaves your tenant.

Read-Only Access

We read metadata only. Never secret values.

Not Another Vault

We enhance your Key Vaults. We don't replace them.

Key principle: CertifyClouds runs entirely in YOUR Azure environment. Your data never leaves your tenant. We only validate your license key - nothing else.

Deployment Architecture

CertifyClouds deploys as a Docker container in your Azure subscription, with all data stored in your own PostgreSQL database.

YOUR AZURE SUBSCRIPTION Container App / ACI CertifyClouds Application Managed Identity Azure PostgreSQL (Your Database) • Scan results • Rotation history • Alert rules • Audit logs Your Key Vaults Read metadata (Assets Discovery) Rotate secrets (Automation Rotation - Pro) AWS Secrets Manager (Automation Sync - Pro) Multi-cloud DR sync GCP Secret Manager (Automation Sync - Pro) Multi-cloud DR sync license.certifyclouds.com (Cloudflare) Sends: License key Returns: Tier info Returns: Latest version License validation + update checks

Data Handling

We See

  • Your license key (for validation)
  • Your license tier and features
  • Version check requests

We Never See

  • Your secret values
  • Your scan results
  • Your Azure credentials
  • Your database contents
  • Your AWS/GCP credentials (Automation Sync)

Authentication

CertifyClouds uses Azure Managed Identity - no credentials are stored in the container or configuration files.

How It Works

Permission Matrix

CertifyClouds requests only the minimum permissions needed for each feature.

Permission Scope Purpose Required For
Reader Subscription List Key Vaults and resources All features
Key Vault Reader Per Key Vault Read vault metadata and properties Assets Discovery
Key Vault Secrets User Per Key Vault Read secret metadata (NOT values) Assets Discovery
Key Vault Secrets Officer Per Key Vault Create and update secrets Automation Rotation (Pro)
Key Vault Certificates Officer Per Key Vault Create and update certificates Automation Rotation (Pro)
Application.ReadWrite.All Graph API (Tenant) Rotate App Registration secrets Automation Rotation (Pro)

Important: Assets Discovery (Starter tier) uses read-only permissions. The application reads secret metadata (names, expiry dates) but never the actual secret values. Automation Rotation (Pro tier) requires write permissions only to rotate credentials.

Encryption

Data at Rest

Data in Transit

Network Security

Outbound Connections

CertifyClouds makes these outbound calls:

Destination Purpose Frequency
license.certifyclouds.com License validation On startup + daily
updates.certifyclouds.com Version update checks (optional) On startup
management.azure.com Azure Resource Manager API During scans/operations
*.vault.azure.net Key Vault data plane During scans/rotations
graph.microsoft.com App Registration rotation Automation Rotation only
secretsmanager.*.amazonaws.com AWS Secrets Manager Automation Sync only
secretmanager.googleapis.com GCP Secret Manager Automation Sync only

Compliance Support

CertifyClouds helps organizations meet compliance requirements:

Note: CertifyClouds is designed to support compliance requirements but is not itself SOC2 or ISO27001 certified. The application helps you demonstrate controls; your overall compliance depends on your implementation and processes.

License Server

The license server is a Cloudflare Worker that validates your license key.

What Happens

Offline / Grace Period

Security Questions?

If you have security questions or need additional documentation for your security review, contact us at security@certifyclouds.com.