Security
A candid view of the protections in place today.
What is live today
These controls ship with the current release and are monitored by the core engineering team.
Authentication & session management
- SSO via Google, GitHub, Azure AD, plus passwordless email links
- Server-side session timeout: 30-minute idle timeout + 8-hour absolute timeout
- Session cookies scoped to cloudcostlite.com with secure and HTTP-only flags in production
- NextAuth with the Prisma adapter, storing only minimal identity data
Data retention & privacy
- Automatic data retention enforcement via daily scheduled job
- Retention periods tied to subscription plan (14-395 days for cost data)
- Audit logs retained for a minimum of 365 days regardless of plan
- PostgreSQL point-in-time recovery (7-day window) for disaster recovery
Infrastructure
- Next.js 15 hosted on Vercel with automatic TLS
- PostgreSQL (Prisma) as the system of record; cloud credentials encrypted at rest (AES-256-GCM)
- Sentry instrumented across server routes with trace IDs from the ApiEnvelope middleware
Monitoring, logging & audit
- Structured logging via Pino for ingest jobs and API handlers
- Full audit trail for security-relevant actions (login, permission changes, data access)
- Incident response playbooks for security events and data breaches
Need to report an issue?
Email info@cloudcostlite.com. We triage reports within one business day and keep reporters updated until closure.
Last updated: December 30, 2025