Built for Azure cost data your security team can sign off on.
Cloud Halo connects to Azure with read-only access, isolates every workspace, and keeps a clear audit trail. This page summarises how we handle your data and how to reach us for a security review.
Compliance posture
UK GDPR aligned
We act as a processor of the Azure cost data you connect. A Data Processing Addendum with our sub-processor list is available to every customer.
SOC 2 — on our roadmap
We are not yet SOC 2 certified. We can share our current security posture and complete a security questionnaire on request — just contact us.
Data residency
Production data is held in a managed Postgres database in an EU/UK region. International sub-processor transfers rely on UK adequacy, the UK IDTA, or EU Standard Contractual Clauses.
Security controls
Tenant-isolated workspaces
Every workspace is isolated by membership and Supabase row-level security, enforced on customer-facing tables throughout the application.
Least-privilege Azure access
Cloud Halo requests only read-only Cost Management and Reader access. We never request permission to create, change, or delete resources in your tenant.
Encryption in transit and for stored secrets
All traffic is served over TLS. Azure client secrets for service-principal connections are stored encrypted at rest in Supabase Vault.
Managed backups
Production data runs on managed Supabase Postgres with provider-managed backups. Restore access is limited to the production owner group.
Operational alerting
Billing, sync, role, budget, and anomaly events are surfaced through email, in-app notifications, and Slack/Teams webhooks.
Audit trail
Billing events, onboarding state, recommendation actions, report runs, and account-deletion steps are captured for support and audit review.
What data we access
- Read-only Azure cost, usage, and resource metadata from the subscriptions you connect.
- Account data: names, work emails, workspace roles. Passwords are stored hashed by our auth provider.
- Billing metadata via Stripe — card details are held by Stripe, never by Cloud Halo.
Retention & deletion
You can delete your account at any time. Deletion removes workspace data and cancels active Stripe subscriptions. We retain only the billing, audit, and incident records required for security, legal, tax, or dispute-handling purposes, as described in our Privacy Policy.
Responsible disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability, email security@cloud-halo.io with steps to reproduce. Please give us a reasonable window to remediate before public disclosure, and avoid accessing or modifying other customers' data. We will acknowledge your report and keep you updated on our progress.