Security

Built read-only by design

CloudSaver AI is engineered so a compromise of our service cannot harm your AWS account. We assume a role you control, with a policy you approve, and only read.

IAM role + External ID

We never store AWS access keys. Connections use STS AssumeRole with a unique external ID per account.

Read-only permissions

The IAM policy we ask for is scoped to billing, Cost Explorer, and Describe* APIs. We cannot modify your resources.

Encryption

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256) on Lovable Cloud / Supabase.

Row-level security

Every table enforces RLS so a user can only ever read their own AWS data — never another tenant's.

Report a vulnerability

Found a security issue? Email Report a security issue and we will respond within 1 business day.