Cloudcraft security


We know how critical your data is to you, therefore security is at the forefront of everything we do.

We’re committed to keeping your data secure and your private information private. If you have any questions, please contact us.

Steps we take to ensure your security include

Compliance Program

SOC 2 Certified

Cloudcraft recently achieved its first SOC 2 Type I report, and is currently preparing for our Type II report. Our SOC 2 Security, Availability & Confidentiality Report is available to current and prospective customers by request, please contact us at

All of Cloudcraft's infrastructure is hosted on Amazon Web Services (AWS). Cloudcraft uses AWS data centers in the US East (N. Virginia) and GovCloud (US-West, for our government customers) regions that are SOC 1, SOC 2 and ISO/IEC 27001 certified.

Penetration Tests

Cloudcraft hires an external company annually for penetration and security testing. Our test reports are available on demand to current and prospective customers, please contact us at


All Cloudcraft data and communications are encrypted using industry best practices.

  • Encryption At-Rest. All databases and disk volumes are encrypted using AWS KMS (FIPS 140-2 validated) and the industry-standard AES-256 algorithm.
  • Encryption In-Transit. All communications with Cloudcraft services and APIs use Transport Layer Security (SSL/TLS 1.2+) for secure connections.
  • Encrypted Backups. All customer data is continuously backed up in an encrypted form, with point-in-time recovery capabilities. We also validate our data recovery procedures regularly as part of our business continuity and disaster recovery processes.

Privacy and Confidentiality

No Cloudcraft staff will access your data unless required for support reasons. When working a support issue we only access the minimum data needed to resolve your issue while respecting your privacy. Access to data is restricted by job function and monitored.

Access Controls

All the data, such as your diagrams, is by default private and only accessible by you. If you explicitly share something with someone, you can always revoke the access later. Cloudcraft Pro and Enterprise editions also include role-based access controls for teams.

Single Sign-On

Cloudcraft Enterprise integrates with your existing corporate directory and authentication methods through the use of SAML 2.0 for SSO. Just-in-Time user provisioning, IdP and SP-initiated logins, as well as strict SAML-only modes are also supported.

Secure Authentication

All user passwords are stored salted and hashed (using scrypt) and cannot be recovered by Cloudcraft staff.

When using Enterprise SSO/SAML 2.0 or a Google Account to access Cloudcraft, no user credentials are stored by Cloudcraft, and identity assertions are signed and verified.

Optional Two-Factor Authentication (2FA/MFA) support is available for an additional layer of protection of your account.

Secure Configuration and Change Management

Cloudcraft uses code reviews, vulnerability scans, automated testing and automated deployments, with servers continuously kept up to date with the latest security errata. Our configuration and change management processes are documented and audited as part of our SOC 2 certification.

Cloudcraft Live security

Cloudcraft Live allows you to auto-generate and sync your AWS environments with your diagrams. Live was designed from the start to take full advantage of the latest AWS security best practices. Specifically, Cloudcraft makes use of cross-account roles, the secure way to access your AWS environment:

  • No IAM users or access keys need to be created and shared. Exchanging access keys is an outdated practice with inherent security risks.
  • Instead, you create a secure read-only IAM role in your AWS account that is specific to Cloudcraft, and easily revoked at any time.
  • As an alternative to the basic read-only role, the you can also use a strict minimal access policy to further minimize the amount of data the Cloudcraft role could theoretically access.
  • Cloudcraft always uses an external ID when assuming the cross-account role, to protect against so called "confused deputy" attacks. Roles are not transferable across AWS accounts or between Cloudcraft users and therefore have no accidental disclosure risk, unlike secret access keys.
  • Cloudcraft does not store the live data from your AWS environment. Cloudcraft saves ARNs, unique identifiers for resources in AWS, within your diagram that allows us to link the live data to components at runtime. The data from your AWS environment is streamed in real-time to your browser via Cloudcraft's own AWS environment and the role based access, and is stored client-side while you're using the application. When you close the application, the live data is gone.

Cloudcraft Live provides a safe and secure way for you to visually explore your AWS environment.

Credit card security

If you subscribe to Cloudcraft's paid plans, your credit card data is not transmitted through nor stored on our systems. We use a payment processor called Stripe, a company entirely dedicated to this task. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available. Read more about Stripe’s security online.

Need to report a security vulnerability?

Please email us directly at

Responsible Disclosure

We strive to keep Cloudcraft safe and secure for everyone. If you have discovered a security vulnerability we would greatly appreciate your help in disclosing it to us in a responsible manner. We will work with you to assess and understand the scope of the issue and fully address any concerns. Emails are directly sent to our engineering staff to ensure that issues are addressed rapidly. Any security emails are treated with the highest priority as the safety and security of our service is our primary concern.


If you have questions regarding a specific policy or general inquiries regarding security, please contact Cloudcraft support.