Security

Safe to connect to your billing accounts

StackSpend requests only the permissions needed to read cost data. No write access, no infrastructure changes, and no risk to your provider accounts.

Read-only access · AES-256 encrypted · Tenant-isolated

Provider access

Least-privilege credentials, per provider

Each connection uses read-only credentials scoped to billing data. StackSpend follows least privilege — every integration requests the minimum permissions required and nothing more.

AWS

Cost Explorer–scoped IAM role. No EC2, S3, Lambda, or resource modification. Billing read only.

AWS setup guide

GCP

BigQuery billing export read access plus billing account viewer. No project or infrastructure changes.

GCP setup guide

AI & API providers

Usage-scoped keys where supported. No model training, deletion, or account administration.

All providers

Read-only means StackSpend cannot create, modify, or delete anything in your accounts.

Data security

Encrypted, isolated, and logged

Your billing data is protected in transit and at rest, isolated per organisation, and backed by audit trails for sensitive actions.

Credentials at rest

Provider credentials encrypted with AES-256-GCM. Keys are managed separately from application data.

Data in transit

TLS for all API and database connections between StackSpend and your data.

Tenant isolation

Row-level security at the database layer. Another organisation cannot access your cost data.

Audit logging

Sensitive actions — auth, provider changes, team updates — are recorded in an immutable log.

Operational model

What StackSpend does — and doesn't do

StackSpend is observe-and-report. It has no ability to act on your infrastructure or change provider accounts.

StackSpend can

  • Read billing history and daily cost data
  • Compute forecasts and baselines from your spend
  • Send Slack and email reports you configure
  • Detect spend anomalies and alert your team
  • Export cost data to CSV (plan permitting)

StackSpend cannot

  • Modify, create, or delete cloud resources
  • Change billing settings or payment methods
  • Access provider APIs beyond what billing and usage require
  • Enforce policies or apply automated spend limits in your accounts
  • Make automated decisions or changes on your behalf

Data handling & GDPR. We support data export and account deletion on request. Cost data is retained in line with your subscription and our retention policy; we do not sell your data to third parties. Privacy policy.

Common questions

Security FAQ

Can StackSpend modify my cloud resources or accounts?

No. StackSpend uses read-only credentials scoped to billing and usage data only. It cannot create, modify, or delete resources, change billing settings, or take actions in your provider accounts.

What AWS IAM permissions does StackSpend require?

A least-privilege IAM role limited to Cost Explorer and related read-only billing APIs. The exact policy is documented in our AWS setup guide.

How are provider credentials stored?

Credentials are encrypted at rest using AES-256-GCM. Encryption keys are managed separately from application data.

Can other organisations see my cost data?

No. Data is isolated per organisation with row-level security at the database layer. One tenant cannot access another tenant’s data.

What happens to my data when I cancel?

After cancellation, data is retained for a limited period consistent with our policy, then removed. You can request export or deletion under GDPR.

Is StackSpend GDPR compliant?

We support GDPR-aligned practices including data export, deletion on request, and audit logging of sensitive actions. Contact us for a DPA if your organisation requires one.

Connect safely. See clearly.

Read-only access, encrypted credentials, isolated data. Setup takes about five minutes and does not change your infrastructure.

14-day free trial. No credit card required.