Security - CertifyClouds

🔒

Self-Hosted

Runs in your Azure subscription. Nothing leaves your tenant.

👁️

Read-Only Access

We read metadata only. Never secret values.

🛡️

Not Another Vault

We enhance your Key Vaults. We don't replace them.

Key principle: CertifyClouds runs entirely in YOUR Azure environment. Your data never leaves your tenant. We only validate your license key - nothing else.

Deployment Architecture

CertifyClouds deploys as a Docker container in your Azure subscription, with all data stored in your own PostgreSQL database.

Data Handling

✓ We See

Your license key (for validation)
Your license tier and features
Version check requests

✗ We Never See

Your secret values
Your scan results
Your Azure credentials
Your database contents
Your AWS credentials (VaultShield)

Authentication

CertifyClouds uses Azure Managed Identity - no credentials are stored in the container or configuration files.

How It Works

User-Assigned Managed Identity: Created during deployment, attached to your container
Azure RBAC: Identity is granted specific roles on Key Vaults and subscriptions
Token-based: Azure AD issues short-lived tokens automatically
No secrets stored: No service principal passwords or certificates in config

Permission Matrix

CertifyClouds requests only the minimum permissions needed for each feature.

Permission	Scope	Purpose	Required For
`Reader`	Subscription	List Key Vaults and resources	All features
`Key Vault Reader`	Per Key Vault	Read vault metadata and properties	VaultVision
`Key Vault Secrets User`	Per Key Vault	Read secret metadata (NOT values)	VaultVision
`Key Vault Secrets Officer`	Per Key Vault	Create and update secrets	VaultShift (Silver)
`Key Vault Certificates Officer`	Per Key Vault	Create and update certificates	VaultShift (Silver)
`Application.ReadWrite.All`	Graph API (Tenant)	Rotate App Registration secrets	VaultShift (Silver)

Important: VaultVision (Bronze tier) uses read-only permissions. The application reads secret metadata (names, expiry dates) but never the actual secret values. VaultShift (Silver tier) requires write permissions only to rotate credentials.

Encryption

Data at Rest

Database: Azure PostgreSQL Flexible Server with encryption at rest (Azure-managed keys)
AWS Credentials (VaultShield): Encrypted with Fernet (AES-128-CBC + HMAC-SHA256) before storage
Encryption Key: Derived from your SECRET_KEY environment variable using PBKDF2 (100,000 iterations)

Data in Transit

Azure APIs: TLS 1.2+ (enforced by Azure)
Database: TLS connection (enforced by Azure PostgreSQL)
License Server: HTTPS/TLS 1.3 (Cloudflare)

Network Security

No public IP: Container Apps/ACI deployed with internal-only ingress
VNet integrated: Application runs in your VNet subnet
Private endpoints: Supported for Key Vault and PostgreSQL
Firewall compatible: Setup script adds subnet to Key Vault firewall rules

Outbound Connections

CertifyClouds makes these outbound calls:

Destination	Purpose	Frequency
`license.certifyclouds.com`	License validation	On startup + daily
`management.azure.com`	Azure Resource Manager API	During scans/operations
`*.vault.azure.net`	Key Vault data plane	During scans/rotations
`graph.microsoft.com`	App Registration rotation	VaultShift only
`secretsmanager.*.amazonaws.com`	AWS Secrets Manager	VaultShield only

Compliance Support

CertifyClouds helps organizations meet compliance requirements:

Audit logging: Every action is logged with timestamp, actor, and details
Compliance scoring: Pre-built rules aligned with industry standards
Exportable reports: Generate reports for SOC2 and ISO27001 audits
Secret rotation: Automated rotation helps meet credential lifecycle requirements

Note: CertifyClouds is designed to support compliance requirements but is not itself SOC2 or ISO27001 certified. The application helps you demonstrate controls; your overall compliance depends on your implementation and processes.

License Server

The license server is a Cloudflare Worker that validates your license key.

What Happens

Your container sends your license key (e.g., CC-XXXX-XXXX-XXXX)
Server returns: tier, features, expiry date
No other data is transmitted

Offline / Grace Period

License is cached locally after successful validation
If license server is unreachable, cached license is used for up to 7 days
Application continues to function during network outages

Security Questions?

If you have security questions or need additional documentation for your security review, contact us at security@certifyclouds.com.

We Never See Your Secrets