Security

Cost visibility should not require write access.

Tovin.io is designed around read-only billing permissions, explicit tenant boundaries, and tenant-bound KMS envelope encryption. The posture is meant to be defensible at a security review — and short enough to read in one sitting.

What the posture is, in detail.

Each item below is implemented and tested in production today. The backend test suite covers KMS round-trip, cross-context rejection, magic-link single-use, rate limiting, provider error sanitization, and the aggregator's idempotency.

Read-only by default

Every supported integration uses read-only scopes: an AWS IAM role with an external ID, a GCP service account with billing/BigQuery read, and a DigitalOcean personal token with read-only permissions. Tovin.io can never mutate your cloud.

Tenant-bound KMS encryption

Credential blobs are encrypted with per-blob AES-256-GCM keys generated by KMS. The encryption context (org_id, kind) is bound to both the data-key generation and the AES-GCM AAD — a leaked envelope cannot decrypt into another organization.
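The double binding above, as an added Go sketch that is not Tovin.io's code: a per-blob AES-256 data key is wrapped and the credential is sealed with the same (org_id, kind) context as AAD in both layers, so an envelope opened under another organization's context fails at the unwrap step. It assumes a local master key standing in for KMS GenerateDataKey/Decrypt with EncryptionContext; the names SealCredential, OpenCredential and Envelope are hypothetical.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
)

// aadFor renders the (org_id, kind) context deterministically, so seal and open derive identical AAD bytes.
func aadFor(orgID, kind string) []byte { return []byte("org_id=" + orgID + "\x00kind=" + kind) }
// seal returns nonce||ciphertext under AES-256-GCM; open reverses it and rejects any key, ciphertext or AAD mismatch.
func seal(key, aad, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, _ := cipher.NewGCM(block) // cannot fail for a valid AES block
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil { return nil, err }
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}
func open(key, aad, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, _ := cipher.NewGCM(block)
	if len(sealed) < aead.NonceSize() { return nil, errors.New("ciphertext too short") }
	return aead.Open(nil, sealed[:aead.NonceSize()], sealed[aead.NonceSize():], aad)
}

// Envelope is what is stored at rest: the KMS-wrapped data key plus the credential blob.
type Envelope struct{ WrappedKey, Blob []byte }
// SealCredential wraps a fresh per-blob AES-256 data key under kmsMaster (a local stand-in for
// KMS GenerateDataKey with EncryptionContext) and seals cred under it; both layers use the same AAD.
func SealCredential(kmsMaster []byte, orgID, kind string, cred []byte) (Envelope, error) {
	dataKey := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil { return Envelope{}, err }
	aad := aadFor(orgID, kind)
	wrapped, err := seal(kmsMaster, aad, dataKey)
	if err != nil { return Envelope{}, err }
	blob, err := seal(dataKey, aad, cred)
	return Envelope{WrappedKey: wrapped, Blob: blob}, err
}
// OpenCredential fails at the unwrap step when the caller's context differs, and would
// fail again at the blob's own AAD check even if a data key were obtained some other way.
func OpenCredential(kmsMaster []byte, env Envelope, orgID, kind string) ([]byte, error) {
	aad := aadFor(orgID, kind)
	dataKey, err := open(kmsMaster, aad, env.WrappedKey)
	if err != nil { return nil, err }
	return open(dataKey, aad, env.Blob)
}
```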

Provider detail preserved

Normalized project totals keep enough source fields to trace back to provider billing data. Every dollar on the ledger has a verifiable provider row underneath.

Validation on connect

Each integration is verified with a no-op call (STS GetCallerIdentity, GCP billingAccounts.list, DO /v2/account) before any cost data is fetched. Provider errors are sanitized before reaching the UI.

Rate-limited magic links

Sign-in links carry 32-byte URL-safe random tokens that are stored only as HMAC-SHA256 digests at rest, expire after 15 minutes, are single-use, and are capped at 3 requests per email address per 15 minutes. Responses do not reveal which addresses exist.

Defense in depth at the edge

A 5 MiB request body limit, per-org cooldowns on rule changes and syncs, ReDoS-guarded user-supplied regexes (evaluated on a canary thread with a 100 ms budget), HttpOnly refresh cookies scoped to /auth, and HS256 JWTs with short-lived access tokens and long-lived refresh tokens.

Where data lives — and how it leaves.

All customer data at rest is stored in AWS US East (N. Virginia, us-east-1): DynamoDB for application data, KMS for credential keys. The API runs on DigitalOcean Kubernetes and holds nothing at rest. Subprocessors are listed in the Privacy Policy.

Disconnect a cloud

Deleting a connection permanently deletes its envelope-encrypted credential blob. There is no soft-delete copy to leak later.

Delete a project

Project deletion synchronously removes the project's cost aggregates, so deleted projects never leak spend onto dashboards or exports.

Delete the organization

Org deletion cascades: connections, credentials, rules, projects, cost rows, alerts, and memberships are removed. Email hello@tovin.io for written confirmation or a data export first.

Disclosure

Found something? We want to hear it before anyone else.

We do not run a paid bounty yet — but if you find a vulnerability, report it to security@tovin.io and we will reply quickly, fix promptly, and credit you publicly if you'd like. The tighter that loop is, the safer the product.

Bring your cloud bills to a posture you can defend.