Security controls should be visible before you connect an account.
Securitain connects to AWS read-only, isolates every tenant, and is deliberately honest about what we operate today and what we don't claim.
Read-only, with no shared keys
Securitain assumes a cross-account IAM role that you create in your own account. There are no long-lived AWS access keys to share or store, and because the role carries only read-only permissions, the connection cannot change your environment.
- Read-only cross-account IAM role — no long-lived AWS access keys
- Unique ExternalId on every connection to prevent confused-deputy abuse
- Account verification when a connection is established
- Disconnect and role removal at any time, fully in your control
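The trust relationship described above, as an added example (not Securitain's own onboarding code): a per-connection ExternalId, the trust policy that binds the role to a single vendor account plus that ExternalId, and a checker you can run over the policy before you create the role. The vendor account ID and role name are placeholders, and the read-only heuristic (allow only Get/List/Describe-style verbs) is this example's own rule, not a statement about which actions Securitain requests.

```python
import secrets

# Placeholder values for illustration only; not Securitain's real account or role.
VENDOR_ACCOUNT_ID = "111111111111"
ROLE_NAME = "SecuritainReadOnly"

# Verb prefixes this example treats as read-only (a heuristic, not an AWS-defined list).
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "Lookup", "View", "Check")


def new_external_id() -> str:
    """One unguessable ExternalId per connection (32 hex chars from a CSPRNG)."""
    return secrets.token_hex(16)


def trust_policy(vendor_account_id: str, external_id: str) -> dict:
    """Trust policy for the cross-account role: only the vendor account may call
    sts:AssumeRole, and only when it presents this connection's ExternalId."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{vendor_account_id}:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": external_id}},
        }],
    }


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def check_trust_policy(policy: dict, expected_account_id: str) -> list:
    """Return findings for every Allow statement granting sts:AssumeRole.
    An empty list means the trust policy is scoped the way the page describes."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        aws = _as_list(principal.get("AWS")) if isinstance(principal, dict) else _as_list(principal)
        if principal == "*" or "*" in aws:
            findings.append("wildcard principal: any AWS account could assume the role")
        for arn in aws:
            parts = arn.split(":")
            account = parts[4] if len(parts) >= 6 else arn
            if account != expected_account_id:
                findings.append(f"unexpected principal {arn}")
        ext = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if not ext:
            findings.append("no sts:ExternalId condition: open to confused-deputy abuse")
        elif len(str(ext)) < 16:
            findings.append("ExternalId is short enough to guess; use a random token")
    return findings


def non_read_actions(permissions_policy: dict) -> list:
    """Actions in the permissions policy that this example does not consider
    read-only; a non-empty result means the role could change your environment."""
    bad = []
    for stmt in permissions_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            verb = action.split(":", 1)[-1]
            if verb == "*" or action == "*" or not verb.startswith(READ_ONLY_PREFIXES):
                bad.append(action)
    return bad


if __name__ == "__main__":
    ext = new_external_id()
    print(check_trust_policy(trust_policy(VENDOR_ACCOUNT_ID, ext), VENDOR_ACCOUNT_ID))
```

Run `check_trust_policy` against the trust document AWS shows you in the IAM console (or the output of `aws iam get-role`) before you approve the connection; if the ExternalId condition or the account restriction is missing, any third party that knows the role ARN could ask the vendor to assume it on their behalf.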
Your data stays yours
Every layer — accounts, API authorization, and the database — enforces that one tenant's data is never reachable by another.
- Accounts are scoped to your organization
- API access is authorized per tenant on every request
- Data is filtered by tenant at the database layer
- Isolation is exercised as part of our testing
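The per-request, per-tenant pattern the list above describes, as an added example rather than Securitain's own application code. The tenant identity is taken from the authenticated session, never from the request, and every query carries the tenant filter; an unscoped lookup is shown beside it so the isolation test has something to fail against. The schema, table names and sample rows are constructed for this example.

```python
import sqlite3


class Forbidden(Exception):
    """Raised when a request has no authenticated tenant."""


# Constructed schema and sample data: two tenants with one scan each.
SCHEMA = """
CREATE TABLE tenants (id TEXT PRIMARY KEY);
CREATE TABLE scans (
    id        TEXT PRIMARY KEY,
    tenant_id TEXT NOT NULL REFERENCES tenants(id),
    summary   TEXT NOT NULL
);
"""
SAMPLE_SCANS = [
    ("scan-1", "t-acme", "3 findings"),
    ("scan-2", "t-globex", "0 findings"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    conn.executescript(SCHEMA)
    for scan_id, tenant_id, summary in SAMPLE_SCANS:
        conn.execute("INSERT OR IGNORE INTO tenants (id) VALUES (?)", (tenant_id,))
        conn.execute("INSERT INTO scans VALUES (?, ?, ?)", (scan_id, tenant_id, summary))
    return conn


def tenant_from_session(session: dict) -> str:
    """Per-request authorization: the tenant comes only from the authenticated
    session. Anything supplied in the URL or body is ignored on purpose."""
    tenant_id = session.get("tenant_id")
    if not session.get("user") or not tenant_id:
        raise Forbidden("request is not bound to an authenticated tenant")
    return tenant_id


def get_scan(conn, session: dict, scan_id: str):
    """Tenant-scoped read. Returns None both when the scan does not exist and when
    it belongs to another tenant, so the response cannot be used to enumerate IDs."""
    tenant_id = tenant_from_session(session)
    row = conn.execute(
        "SELECT id, tenant_id, summary FROM scans WHERE id = ? AND tenant_id = ?",
        (scan_id, tenant_id),
    ).fetchone()
    return dict(row) if row else None


def list_scans(conn, session: dict) -> list:
    tenant_id = tenant_from_session(session)
    rows = conn.execute(
        "SELECT id, tenant_id, summary FROM scans WHERE tenant_id = ? ORDER BY id",
        (tenant_id,),
    ).fetchall()
    return [dict(r) for r in rows]


def get_scan_unscoped(conn, scan_id: str):
    """The anti-pattern: a lookup keyed only on the object ID. Any caller who can
    guess or leak a scan ID reads another tenant's evidence."""
    row = conn.execute(
        "SELECT id, tenant_id, summary FROM scans WHERE id = ?", (scan_id,)
    ).fetchone()
    return dict(row) if row else None


def cross_tenant_leaks(conn) -> list:
    """Isolation check of the kind a test suite runs: for every tenant, try to read
    every other tenant's scan through the scoped API and report anything returned."""
    leaks = []
    tenants = [r["id"] for r in conn.execute("SELECT id FROM tenants")]
    scans = conn.execute("SELECT id, tenant_id FROM scans").fetchall()
    for tenant in tenants:
        session = {"user": "isolation-test", "tenant_id": tenant}
        for scan in scans:
            if scan["tenant_id"] != tenant and get_scan(conn, session, scan["id"]):
                leaks.append((tenant, scan["id"]))
    return leaks
```

`cross_tenant_leaks` is the shape of the isolation test the page mentions: it should stay empty as the data model grows, and it fails loudly the moment someone adds a query that forgets the tenant filter.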
Data protection
- Encryption in transit and at rest
- Per-scan evidence archive, encrypted
- Retention aligned to your plan
- Deletion on request and on account removal
Application security
- Authentication and protected APIs
- Session management
- Least-privilege service roles
- Application logging
- Dependency scanning
- Defined incident handling
We describe only the controls we actually operate. We do not claim 100% security, an unbreakable system, or a specific uptime figure.
Honest about where we are
We do not claim a SOC 2 Type II report or describe Securitain as a “HIPAA-compliant company.” Where a formal report does not yet exist, we say so plainly.
Report a security concern
If you believe you've found a vulnerability, we want to hear from you. Please contact our security team so we can investigate and respond.
security@securitain.com
Review the connection before you connect
See exactly how Securitain connects to AWS, what it can read, and what it can never do.