Security & Compliance Pack

This page summarizes SpendLens controls for early enterprise reviews. It is designed to answer common vendor-security questions without overstating the current compliance posture.

Read-only analysis

SpendLens uses least-privilege, read-only cloud access for connected AWS accounts, with optional analysis of uploaded billing files as a fallback. We do not request write permissions and do not modify infrastructure.

Rule-based findings

Cost calculations and findings are deterministic. AI is limited to explanation and summarization, not calculation.

Data minimization

Customers should connect only authorized cloud accounts and should keep secrets, keys, passwords, and customer records out of cloud resource metadata, tags, and optional uploaded files.

Encryption

Traffic is protected by HTTPS/TLS. Stored data relies on provider-managed encryption at rest in Supabase and hosting infrastructure.

Access control

Administrative access is limited to operational need and follows least-privilege principles.

Retention and deletion

Paid report and opportunity history is retained according to plan retention settings, and authenticated cleanup removes expired analyses, findings, verification records, and private PDF exports. Users may delete their account data from Settings.

Incident response

Security issues are triaged, investigated, remediated, and communicated to affected customers when legally or contractually required.

Compliance roadmap

SOC 2 and deeper enterprise controls are roadmap items. We do not claim certifications that are not yet complete.

Data flow

  1. Customer connects an authorized AWS account through a least-privilege read-only role.
  2. The backend validates the role and imports supported cost, recommendation, and resource metadata.
  3. Deterministic rules identify potential savings opportunities, ownership gaps, and cost drivers.
  4. Optional AI wording explains findings without making the calculations.
  5. The customer assigns owners, tracks remediation, verifies savings, and exports reports.
  6. Report history is stored only according to plan capabilities and retention settings.
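The read-only role in step 1 (and the "no write permissions" statement under Read-only analysis) is something a customer's security team can verify rather than take on trust. The following is an added example, not SpendLens code and not its actual role definition: a reviewer-side check over the two documents a customer is asked to create for a cross-account role, the permission policy (which should contain only read-only actions and no service-wide wildcards) and the trust policy (which should be limited to the vendor's account and require an `sts:ExternalId` condition). The sample policy documents, the vendor account id `111111111111`, the ExternalId value and the read-only verb list are all constructed assumptions for the example; the verb list is a naming-convention heuristic, not an authoritative catalogue of AWS read-only actions.

```python
"""Reviewer-side checks for a vendor's "read-only" cross-account AWS role.

Added example. The policy documents below are constructed for illustration;
account id 111111111111 and the ExternalId value are placeholders.
"""
import json

# Verb prefixes AWS uses for read-only API actions. Heuristic (assumption):
# it covers the common naming convention, not every service's edge cases.
READ_ONLY_VERBS = ("Get", "List", "Describe", "BatchGet", "Lookup", "Search", "View")

# Constructed permission policy a vendor might ask a customer to attach.
# s3:PutObject and the cloudwatch:* wildcard are deliberate problems.
SAMPLE_PERMISSION_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ce:GetCostAndUsage", "ec2:DescribeInstances",
                    "tag:GetResources", "s3:GetObject", "s3:PutObject"],
         "Resource": "*"},
        {"Effect": "Allow", "Action": "cloudwatch:*", "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
})

# Constructed trust policy: limited to the vendor account and requires an
# ExternalId, which is what blocks the confused-deputy pattern.
SAMPLE_TRUST_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
})

# Same trust policy with the ExternalId condition left out.
SAMPLE_TRUST_POLICY_NO_EXTERNAL_ID = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
        "Action": "sts:AssumeRole",
    }],
})


def _as_list(value):
    """IAM allows a string or a list in most fields; normalise to a list."""
    return value if isinstance(value, list) else [value]


def non_read_only_actions(policy_doc: str) -> list:
    """Return the Allow-statement actions that are not clearly read-only."""
    findings = []
    for stmt in _as_list(json.loads(policy_doc)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        if "NotAction" in stmt:
            findings.append("NotAction grants everything except the listed actions")
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(action)  # global or service-wide wildcard
                continue
            verb = action.split(":", 1)[1]
            if not verb.startswith(READ_ONLY_VERBS):
                findings.append(action)
    return findings


def trust_policy_issues(trust_doc: str, vendor_account: str) -> list:
    """Return problems with who may assume the role and under what condition."""
    issues = []
    for stmt in _as_list(json.loads(trust_doc)["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if isinstance(principal, dict):
            principals = _as_list(principal.get("AWS", []))
        else:
            principals = _as_list(principal or [])  # "*" lands here
        if not principals or any(vendor_account not in p for p in principals):
            issues.append("principal is not limited to the vendor account")
        if any(a != "sts:AssumeRole" for a in _as_list(stmt.get("Action", []))):
            issues.append("trust policy allows more than sts:AssumeRole")
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            issues.append("no sts:ExternalId condition (confused-deputy risk)")
    return issues


if __name__ == "__main__":
    print("non-read-only:", non_read_only_actions(SAMPLE_PERMISSION_POLICY))
    print("trust (good):", trust_policy_issues(SAMPLE_TRUST_POLICY, "111111111111"))
    print("trust (bad):", trust_policy_issues(SAMPLE_TRUST_POLICY_NO_EXTERNAL_ID,
                                              "111111111111"))
```

Run against the vendor-supplied JSON before creating the role; an empty result from both checks is the expected outcome for a role that matches the "read-only, no write permissions" description above. Deny statements are skipped on purpose, since they can only narrow what the Allow statements grant.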
