How we access your environment
ZapStack uses an AWS CloudFormation stack to create an IAM role in your AWS account. This IAM role:- Has tightly scoped, read-only permissions to billing data and resource utilization metadata
- Your AWS administrator can review and verify it before connecting to ZapStack
- Uses IAM role assumption mechanism for access
- Does not provide access to data stored in S3 buckets, databases, or volumes
- Can be removed from your AWS account by your AWS administrator at any time — this will immediately disable our access to your account
CloudFormation Templates
Review the exact permissions ZapStack requests and why each is needed
Data in transit
All data transferred between ZapStack and your AWS account, and between ZapStack and your browser, uses encrypted HTTPS (TLS 1.2 minimum).Data storage
- All data is stored and processed exclusively in EU datacenters
- No data is transferred outside the European Union
- All data is encrypted at rest
Data processing
ZapStack is the only processor of customer cloud data. There are no sub-processors. We do not use AI or machine learning to process your data. ZapStack:- Analyzes billing data and resource utilization metrics using deterministic algorithms
- Identifies optimization opportunities through rule-based analysis
- Generates specific recommendations to reduce costs and improve efficiency
Data retention
- Your AWS billing and resource metadata is retained for as long as your ZapStack account is active
- On request, we will purge your data from our systems within 24 hours
Data backups
- We back up our systems every 24 hours and retain a rolling set of backups for 7 days
- Backups are encrypted and stored in EU datacenters