Self-Hosted
Runs in your Azure subscription. Scan results and secret values never leave your tenant.
Read-Only Discovery
Scanning reads metadata only: names, expiry dates, properties. Never secret values.
Not Another Vault
We enhance your Key Vaults. We don't replace them.
Key principle: CertifyClouds runs entirely in YOUR Azure environment. Your data never leaves your tenant. The only traffic to us is license validation (plus optional aggregate fleet counts that you can switch off) - nothing else.
Deployment Architecture
CertifyClouds deploys as a Docker container in your Azure subscription, with all data stored in your own PostgreSQL database.
Data Handling
We See
- Your license key (for validation)
- Your license tier and features
- Version check requests
- Aggregate operational counts (vault, secret, certificate and key totals, rotation success rate, feature adoption) in the hourly heartbeat, only while Fleet Visibility is left enabled
Never Leaves Your Tenant
- Your secret values*
- Your scan results
- Your Azure credentials
- Your database contents
- Your AWS/GCP credentials (Automation Sync)
*During rotation, new credentials are generated via Azure APIs and propagated to dependent resources, all within your environment over TLS using Managed Identity. Values are held in memory only and never persisted or transmitted externally.
Authentication
CertifyClouds uses Azure Managed Identity - no credentials are stored in the container or configuration files.
How It Works
- User-Assigned Managed Identity: Created during deployment, attached to your container
- Azure RBAC: Identity is granted specific roles on Key Vaults and subscriptions
- Token-based: Azure AD issues short-lived tokens automatically
- No secrets stored: No service principal passwords or certificates in config
Application Security
CertifyClouds includes built-in defences against brute-force and session hijacking attacks. All values are configurable via environment variables:
- Account lockout: Configurable threshold and duration after repeated failed logins
- Session management: Configurable maximum session duration and idle timeout
- Login rate limiting: Per-IP rate limit on login attempts
- HttpOnly cookies: the session token cannot be read by JavaScript, so an XSS flaw cannot exfiltrate it (script running on the page could still issue requests with the live session, which is what the idle timeout bounds)
- Secure cookies: HTTPS-only transmission
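The controls above, as an added example that is not CertifyClouds' own code: a login guard with per-IP rate limiting and per-account lockout, plus the two session timers and the cookie flags, all read from environment variables. The variable names, the default values, the cookie name and the injectable clock are assumptions made for this example; the page does not name the real settings.

```python
"""Added example, not CertifyClouds' code: the brute-force and session
controls the section lists, wired to environment variables. The variable
names, defaults and cookie name are assumptions for illustration."""
import os
import time
from collections import defaultdict, deque


def _env_int(name, default):
    return int(os.environ.get(name, default))


LOCKOUT_THRESHOLD = _env_int("LOGIN_LOCKOUT_THRESHOLD", 5)       # failures before lock
LOCKOUT_SECONDS = _env_int("LOGIN_LOCKOUT_SECONDS", 900)         # lock duration
RATE_LIMIT_PER_IP = _env_int("LOGIN_RATE_LIMIT_PER_IP", 10)      # attempts per window
RATE_WINDOW_SECONDS = _env_int("LOGIN_RATE_WINDOW_SECONDS", 60)
SESSION_MAX_SECONDS = _env_int("SESSION_MAX_SECONDS", 8 * 3600)  # absolute lifetime
SESSION_IDLE_SECONDS = _env_int("SESSION_IDLE_SECONDS", 30 * 60)  # idle timeout


class LoginGuard:
    """Per-IP rate limit plus per-account lockout. The caller verifies the
    password and passes the result; the guard decides whether it counts."""

    def __init__(self, now=time.time):
        self.now = now                         # injectable clock for testing
        self.failures = defaultdict(int)       # account -> consecutive failures
        self.locked_until = {}                 # account -> unix time lock ends
        self.ip_attempts = defaultdict(deque)  # ip -> attempt timestamps in window

    def _ip_allowed(self, ip):
        window = self.ip_attempts[ip]
        cutoff = self.now() - RATE_WINDOW_SECONDS
        while window and window[0] < cutoff:
            window.popleft()                   # drop attempts outside the window
        if len(window) >= RATE_LIMIT_PER_IP:
            return False
        window.append(self.now())
        return True

    def attempt(self, account, ip, password_ok):
        """Returns 'ok', 'rate_limited', 'locked' or 'denied'."""
        if not self._ip_allowed(ip):
            return "rate_limited"              # rejected before any credential check
        until = self.locked_until.get(account)
        if until is not None and self.now() < until:
            return "locked"                    # a correct password does not unlock early
        if password_ok:
            self.failures[account] = 0
            self.locked_until.pop(account, None)
            return "ok"
        self.failures[account] += 1
        if self.failures[account] >= LOCKOUT_THRESHOLD:
            self.locked_until[account] = self.now() + LOCKOUT_SECONDS
            self.failures[account] = 0         # counter restarts once the lock expires
            return "locked"
        return "denied"


def session_state(created_at, last_seen, now):
    """Absolute lifetime is checked first so a continuously busy session still expires."""
    if now - created_at > SESSION_MAX_SECONDS:
        return "expired_max_age"
    if now - last_seen > SESSION_IDLE_SECONDS:
        return "expired_idle"
    return "active"


def session_cookie(token):
    """HttpOnly keeps the token out of document.cookie (XSS cannot read it);
    Secure stops the browser from sending it over plain HTTP."""
    return f"cc_session={token}; Path=/; HttpOnly; Secure"
```

The lockout check runs before the password is evaluated, so a correct password submitted during the lock window is refused and does not shorten the lock; the rate limiter is applied even earlier, so a flood from one address is rejected without touching account state at all.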
Permission Matrix
CertifyClouds requests only the minimum permissions needed for each feature.
| Permission | Scope | Purpose | Required For |
|---|---|---|---|
| Reader | Subscription | List Key Vaults and resources | All features |
| Key Vault Reader | Per Key Vault | Read vault metadata and properties | Assets Discovery |
| Key Vault Secrets User | Per Key Vault | Read secret metadata (NOT values) | Assets Discovery |
| Key Vault Secrets Officer | Per Key Vault | Create and update secrets | Automation Rotation (Pro) |
| Key Vault Certificates Officer | Per Key Vault | Create and update certificates | Automation Rotation (Pro) |
| Application.ReadWrite.All | Graph API (Tenant) | Rotate App Registration secrets | Automation Rotation (Pro) |
Important: Assets Discovery uses read-only permissions: the application reads secret metadata (names, expiry dates) but never the actual secret values. Two points for your own review: the built-in Key Vault Secrets User role also carries the getSecret data action (the right to read values), which CertifyClouds does not exercise; Key Vault AuditEvent diagnostic logs record every data-plane call by operation name, so you can confirm that scans produce SecretList entries and no SecretGet. Application.ReadWrite.All is a tenant-wide Graph application permission that requires admin consent and allows credentials to be added to any app registration in the tenant, so grant it only if you use App Registration rotation. Automation Rotation in Pro and Enterprise generates new credentials via Azure APIs and propagates them to dependent resources. Secret values are handled in memory within your environment and never persisted or transmitted externally.
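To make the Authentication section and the read-only Discovery claim concrete, here is an added example (not CertifyClouds' code) of a scan that authenticates with a user-assigned managed identity and classifies secrets by expiry from metadata alone. The vault URL, the identity's client ID, the 30-day warning window and the sample secrets are assumptions for illustration. The live path uses the azure-identity and azure-keyvault-secrets packages; the classification itself runs offline on constructed data.

```python
"""Added example, not CertifyClouds' code: read-only discovery of Key Vault
secret metadata using a user-assigned managed identity. The vault URL,
client ID, warning window and sample secrets below are assumptions."""
from datetime import datetime, timedelta, timezone


def expiry_report(secret_properties, now=None, warn_days=30):
    """Bucket secrets using metadata only: name, enabled flag, expiry date.

    Accepts any iterable of objects shaped like azure-keyvault-secrets'
    SecretProperties (.name, .enabled, .expires_on). Those objects carry
    no value field, so nothing here can read or leak a secret value.
    """
    now = now or datetime.now(timezone.utc)
    horizon = now + timedelta(days=warn_days)
    report = {"expired": [], "expiring": [], "no_expiry": [], "disabled": [], "ok": []}
    for p in secret_properties:
        if p.enabled is False:
            report["disabled"].append(p.name)
        elif p.expires_on is None:
            report["no_expiry"].append(p.name)  # cannot be lifecycle-tracked: a finding
        elif p.expires_on <= now:
            report["expired"].append(p.name)
        elif p.expires_on <= horizon:
            report["expiring"].append(p.name)
        else:
            report["ok"].append(p.name)
    return report


def scan_vault(vault_url, managed_identity_client_id, warn_days=30):
    """Live scan with the container's user-assigned identity.

    list_properties_of_secrets() is the metadata call (it needs only the
    readMetadata data action, which Key Vault Reader grants); get_secret()
    is the call that returns values and is deliberately never made.
    Needs azure-identity and azure-keyvault-secrets; imported lazily so
    expiry_report() stays usable offline without them.
    """
    from azure.identity import ManagedIdentityCredential
    from azure.keyvault.secrets import SecretClient

    credential = ManagedIdentityCredential(client_id=managed_identity_client_id)
    client = SecretClient(vault_url=vault_url, credential=credential)
    return expiry_report(client.list_properties_of_secrets(), warn_days=warn_days)


class SampleProps:
    """Constructed stand-in for SecretProperties so the report runs offline."""

    def __init__(self, name, expires_on, enabled=True):
        self.name, self.expires_on, self.enabled = name, expires_on, enabled


SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
SAMPLE_SECRETS = [  # constructed sample data, not real vault contents
    SampleProps("db-password", SAMPLE_NOW + timedelta(days=10)),
    SampleProps("api-key-legacy", SAMPLE_NOW - timedelta(days=1)),
    SampleProps("sp-client-secret", None),
    SampleProps("storage-key", SAMPLE_NOW + timedelta(days=200)),
    SampleProps("old-token", SAMPLE_NOW + timedelta(days=5), enabled=False),
]

if __name__ == "__main__":
    # Offline run over the constructed sample; swap in scan_vault(...) for a real vault.
    for bucket, names in expiry_report(SAMPLE_SECRETS, now=SAMPLE_NOW).items():
        print(f"{bucket:10} {names}")
```

The point of splitting the code this way is that the only function holding a credential never touches a value-returning API, and the function that produces findings cannot, because the objects it receives have no value attribute. An identity with only Key Vault Reader on the vault will complete scan_vault() successfully; get_secret() would fail on that identity, which is a cheap way to prove the read-only claim for your own review.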
Encryption
Data at Rest
- Database: Azure PostgreSQL Flexible Server with encryption at rest (Azure-managed keys)
- AWS/GCP Credentials (Automation Sync): Encrypted at rest using your application secret before being stored
Data in Transit
- Azure APIs: TLS 1.2+ (enforced by Azure)
- Database: TLS connection (enforced by Azure PostgreSQL)
- License Server: HTTPS/TLS 1.3
Network Security
- No public IP: Container Apps/ACI deployed with internal-only ingress
- VNet integrated: Application runs in your VNet subnet
- Private endpoints: Supported for Key Vault and PostgreSQL
- Firewall compatible: Setup script adds subnet to Key Vault firewall rules
Outbound Connections
CertifyClouds makes these outbound calls:
| Destination | Purpose | Frequency |
|---|---|---|
| license.certifyclouds.com | License validation | On startup + hourly heartbeat |
| management.azure.com | Azure Resource Manager API | During scans/operations |
| *.vault.azure.net | Key Vault data plane | During scans/rotations |
| graph.microsoft.com | App Registration rotation | Automation Rotation only |
| secretsmanager.*.amazonaws.com | AWS Secrets Manager | Automation Sync only |
| secretmanager.googleapis.com | GCP Secret Manager | Automation Sync only |
Compliance Support
CertifyClouds helps organizations gather evidence for credential-lifecycle controls across multiple frameworks:
- Audit logging: Every action is logged with timestamp, actor, and details
- Compliance scoring: Pre-built rules aligned with industry standards
- Exportable evidence packages: Auditor-ready bundles (CSV data plus PDF wrapper with customer management assertion) for HIPAA, PCI-DSS, SOC 2, ISO 27001, NIST 800-53, and CIS Azure Foundations Benchmark
- Secret rotation: Automated rotation helps meet credential lifecycle requirements
Important: CertifyClouds is an evidence aggregator for Azure credential-lifecycle controls. We are not a certified compliance product. We do not hold SOC 2, ISO 27001, HIPAA, or PCI-DSS certification, and we are not a Business Associate under HIPAA (we do not require, accept, or process PHI). The framework mappings we provide identify what violates each control and recommend customer-side remediation. Your overall compliance depends on your Azure tenant configuration, your processes, and audits performed by your own auditors. See the full compliance disclaimer.
License Server
The license server validates your license key and returns your entitlements.
What Happens
- Your container sends your license key (e.g., CC-XXXX-XXXX-XXXX) and current version
- Server returns: tier, features, expiry date
- If Fleet Visibility is enabled (default on; opt-out in Advanced Settings → App Behaviour), the heartbeat also carries aggregate operational counts: total vault, secret, cert and key counts, rotation success-rate, and feature-adoption counts. No asset names, no PII, no compliance findings, no customer data. The payload is rejected if it exceeds 4 KB or isn't a plain object. See the Privacy Policy § Fleet Visibility for the complete list and the opt-out path.
Offline Operation
- License is cached locally after successful validation
- If the license server is temporarily unreachable, the cached license is used for a configurable grace period
- Application continues to function during network outages
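The license exchange and offline behaviour described in the two lists above, as an added example that is not the CertifyClouds license client or server: the client builds the heartbeat (allow-listing aggregate counts only when Fleet Visibility is on), the server applies the 4 KB and plain-object checks before looking up entitlements, and the client serves its cached answer only while the server is unreachable and the grace period has not run out. The JSON field names, the fleet count keys, the 72-hour grace value, the sample license and the entitlement table are all assumptions for this example.

```python
"""Added example, not the CertifyClouds license client or server: the
license exchange as the section describes it, with the 4 KB / plain-object
check and offline grace handling. JSON field names, the fleet count keys,
the grace period and the sample license are assumptions."""
import json
import time

MAX_PAYLOAD_BYTES = 4096          # the page's limit on the heartbeat payload
GRACE_SECONDS = 72 * 3600         # assumed value; the page says it is configurable

# Aggregate counters the heartbeat may carry when Fleet Visibility is on
# (assumed key names). Anything outside this set never leaves the tenant.
FLEET_KEYS = frozenset({"vault_count", "secret_count", "cert_count", "key_count",
                        "rotation_success_rate", "feature_adoption"})


def build_heartbeat(license_key, version, fleet_stats=None, fleet_visibility=True):
    """Client side: license key + version, plus allow-listed aggregates if opted in."""
    msg = {"license_key": license_key, "version": version}
    if fleet_visibility and fleet_stats:
        msg["fleet"] = {k: v for k, v in fleet_stats.items() if k in FLEET_KEYS}
    return msg


def validate_heartbeat(raw):
    """Server side: returns (message, None) on success or (None, reason)."""
    if len(raw.encode("utf-8")) > MAX_PAYLOAD_BYTES:
        return None, "payload too large"      # size is checked before parsing
    try:
        msg = json.loads(raw)
    except ValueError:
        return None, "not JSON"
    if not isinstance(msg, dict):
        return None, "not a plain object"
    key = msg.get("license_key")
    if not isinstance(key, str) or not key.startswith("CC-"):
        return None, "bad license key"
    fleet = msg.get("fleet", {})
    if not isinstance(fleet, dict) or set(fleet) - FLEET_KEYS:
        return None, "unexpected fleet fields"
    return msg, None


# Constructed entitlement table standing in for the license database.
LICENSES = {"CC-TEST-0001-DEMO": {"tier": "pro",
                                  "features": ["discovery", "rotation"],
                                  "expires": "2026-12-31"}}


def server_respond(raw):
    """Server side: validate, then return entitlements or an error object."""
    msg, err = validate_heartbeat(raw)
    if err:
        return {"error": err}
    return LICENSES.get(msg["license_key"], {"error": "unknown license"})


def unreachable_transport(raw):
    """Simulated network outage for demos: the license server cannot be reached."""
    raise OSError("license server unreachable")


class LicenseClient:
    """Caches the last good answer; serves it only while the server is unreachable."""

    def __init__(self, transport, now=time.time):
        self.transport = transport   # callable(raw_json) -> dict; raises OSError when down
        self.now = now               # injectable clock for testing
        self.cached = None           # (entitlements, validated_at)

    def entitlements(self, license_key, version, fleet_stats=None, fleet_visibility=True):
        raw = json.dumps(build_heartbeat(license_key, version, fleet_stats, fleet_visibility))
        try:
            resp = self.transport(raw)
        except OSError:
            # Unreachable: fall back to the cache inside the grace period only.
            if self.cached and self.now() - self.cached[1] <= GRACE_SECONDS:
                return self.cached[0]
            return None
        if "error" in resp:
            return None              # an explicit rejection is not a network outage
        self.cached = (resp, self.now())
        return resp
```

Two design choices worth noting: the allow-list on the client is what guarantees that asset names or findings cannot ride along in the heartbeat even if a caller passes them in, and the cache is consulted only on a transport failure, so a server that answers with a rejection (expired or unknown key) is not papered over by a stale cached tier.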
Security Questions?
If you have security questions or need additional documentation for your security review, contact us at security@certifyclouds.com.