Vendor Security Assessment

Security Questionnaire Response

Pre-filled answers to the questions enterprise procurement and InfoSec teams ask most often about CloudVista. Last reviewed May 2026.

Vendor: Ossvisor Ltd
Product: CloudVista
Last Updated: May 2026
Deployment: SaaS + Self-Hosted
Each question shows a Yes / No / Partial status, followed by the full answer. For a custom-format version of this document, email [email protected].

1. Company & Service Overview

What is the legal name and registered address of the company? Answered
Ossvisor Ltd, registered in England & Wales. Registered address available on request. Company registration number available on request. Contact [email protected] for full legal entity details.
What does the service do and what data does it process? Answered
CloudVista is a multi-cloud resource inventory, compliance, and cost management platform. It connects to cloud providers (AWS, Azure, OCI, GCP, VMware vSphere) via read-only API credentials and collects resource metadata only — names, types, configurations, tags, and billing aggregates. It does not process personal data from customer workloads, and does not access the contents of customer storage buckets, databases, or application data.
Is the product available as SaaS and/or self-hosted? Yes — Both
CloudVista is available as: (1) SaaS — hosted by Ossvisor on OCI (Oracle Cloud Infrastructure) UK/EU regions; (2) Self-hosted — deployed by the customer on their own infrastructure using a Docker Compose package available on all plans. Self-hosting means no data ever leaves the customer's environment.

2. Data Security & Encryption

Is data encrypted at rest? Yes
Yes. All data stored in CloudVista databases is encrypted at rest using AES-256. Cloud provider credentials (API keys, service principal secrets, etc.) are additionally encrypted at the application layer before being written to the database, providing envelope encryption for the most sensitive data.
Is data encrypted in transit? Yes
Yes. All communication between end-users and CloudVista is encrypted using TLS 1.2 or higher. HTTP traffic is automatically redirected to HTTPS. Internal service-to-service communication within the CloudVista backend runs over private networks.
How are cloud provider credentials protected? Yes
Cloud provider credentials (AWS IAM access keys, Azure service principal client secrets, OCI API private keys, vCenter passwords, etc.) are: (1) encrypted with AES-256 at the application layer before being written to the database; (2) never returned via the CloudVista API — once saved, they are write-only from the user's perspective; (3) decrypted only in-memory, inside isolated backend processes, during scheduled sync operations; (4) scoped to read-only access by default in all CloudVista-provided IAM role templates.
Where is data stored? What data residency options are available? Yes
SaaS deployments are hosted on Oracle Cloud Infrastructure (OCI) in UK/EU regions by default. A US-region deployment option is available for North American customers on request. Enterprise and self-hosted customers run CloudVista on their own infrastructure — no data residency constraints apply.
Is multi-tenancy enforced? Can one customer access another's data? Yes — Isolated
Yes, strict multi-tenancy is enforced. Every database query in the CloudVista API is scoped to the authenticated tenant's ID. The data model makes cross-tenant access architecturally impossible — there is no shared data store or shared cache between tenants.
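The two controls described above, tenant-scoped queries and write-only credentials, can be shown concretely. The following is an added example written for this page, not CloudVista code: it uses an in-memory SQLite table, assumed names such as CredentialStore and Principal, a constructed credential value, and it leaves the AES-256 application-layer encryption of the secret column outside the snippet. The point it demonstrates is that the tenant ID always comes from the authenticated session, never from the request, and that the only read path for the secret is the sync worker's, which is itself tenant-scoped.

```python
"""Tenant-scoped credential store with write-only secrets (added illustration)."""
import sqlite3
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Principal:
    """Result of authentication. tenant_id is taken from the session, never from request input."""
    user_id: str
    tenant_id: str


class CredentialStore:
    def __init__(self) -> None:
        # In-memory database so the example runs offline; encryption at rest is out of scope here.
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE cloud_credentials ("
            " id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL,"
            " provider TEXT NOT NULL, label TEXT NOT NULL, secret TEXT NOT NULL)"
        )

    def create(self, who: Principal, provider: str, label: str, secret: str) -> int:
        # The tenant column is filled from the authenticated principal only.
        cur = self.db.execute(
            "INSERT INTO cloud_credentials (tenant_id, provider, label, secret)"
            " VALUES (?, ?, ?, ?)",
            (who.tenant_id, provider, label, secret),
        )
        return int(cur.lastrowid)

    def list_for_api(self, who: Principal) -> List[dict]:
        # Write-only: the secret column is never selected for API responses,
        # and the WHERE clause is always bound to the caller's tenant.
        rows = self.db.execute(
            "SELECT id, provider, label FROM cloud_credentials WHERE tenant_id = ?",
            (who.tenant_id,),
        ).fetchall()
        return [{"id": r[0], "provider": r[1], "label": r[2]} for r in rows]

    def secret_for_sync(self, who: Principal, cred_id: int) -> Optional[str]:
        # The single read path for the secret, used by the sync worker. It is still
        # tenant-scoped, so a guessed id belonging to another tenant yields nothing.
        row = self.db.execute(
            "SELECT secret FROM cloud_credentials WHERE id = ? AND tenant_id = ?",
            (cred_id, who.tenant_id),
        ).fetchone()
        return row[0] if row else None


def demo() -> dict:
    """Two tenants share one store; only tenant-a can list or use tenant-a's credential."""
    store = CredentialStore()
    alice = Principal("alice", "tenant-a")
    worker = Principal("sync-worker", "tenant-a")
    bob = Principal("bob", "tenant-b")
    cred_id = store.create(alice, "aws", "prod-readonly", "CONSTRUCTED-SECRET-VALUE")
    return {
        "alice_sees": store.list_for_api(alice),
        "bob_sees": store.list_for_api(bob),
        "bob_reads_secret": store.secret_for_sync(bob, cred_id),
        "worker_reads_secret": store.secret_for_sync(worker, cred_id),
    }


if __name__ == "__main__":
    print(demo())
```

The design choice worth copying is that no function accepts a tenant ID as a request parameter: the scope is part of the principal object that authentication produced, so there is no code path in which a caller can name a tenant other than their own.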
What is your data retention and deletion policy? Yes
Customer data is retained for the duration of the subscription. On contract termination or account deletion, customer data (resources, credentials, findings, audit logs) is deleted within 30 days. Customers may request immediate deletion at any time by contacting [email protected]. Anonymised aggregate statistics may be retained for product improvement.

3. Access Control & Authentication

Does the product support multi-factor authentication (MFA)? Yes
Yes. MFA (TOTP-based authenticator app) is available for all user accounts. Administrators can enforce MFA organisation-wide via the security settings panel.
Does the product support Single Sign-On (SSO)? Yes — Enterprise
Yes. SSO via SAML 2.0 and OAuth 2.0 / OIDC is available on the Enterprise plan. Supported identity providers include Microsoft Azure Active Directory, Okta, Google Workspace, and any SAML 2.0 / OIDC-compliant IdP.
Is Role-Based Access Control (RBAC) available? Yes
Yes. CloudVista includes fine-grained RBAC covering every page and action in the platform. Predefined roles include Admin, InventoryManager, SecurityAnalyst, CostManager, and Viewer. Custom roles with per-resource, per-action permissions are available on the Enterprise plan.
Are all user actions recorded in an audit log? Yes
Yes. An immutable audit log records all user actions, API calls, configuration changes, sync operations, and login events with timestamps, user IDs, and IP addresses. Audit logs are available for export (CSV/JSON) and are retained for the duration of the subscription. Enterprise plan customers get extended 12-month audit log retention.
Do Ossvisor staff have access to customer data? Limited
Access to customer data by Ossvisor staff is limited to: (1) support engineers who are explicitly granted access during a support engagement, with customer consent; (2) automated monitoring systems that alert on service health metrics only (no data content). Production database access is restricted to a small number of senior engineers and requires explicit authorisation. Self-hosted customers have zero data exposure to Ossvisor — our staff have no access whatsoever.

4. Infrastructure & Hosting

Where is the SaaS service hosted? Who is the cloud provider? Answered
The CloudVista SaaS platform is hosted on Oracle Cloud Infrastructure (OCI) in UK/EU regions. OCI holds ISO 27001, SOC 1, SOC 2, SOC 3, PCI DSS, and CSA STAR Level 2 certifications. OCI infrastructure details are available at oracle.com/cloud/compliance.
What is the architecture of the service? Answered
CloudVista is deployed as Docker containers managed by Docker Compose: (1) nginx — TLS termination, reverse proxy; (2) FastAPI backend — REST API, Python 3.11; (3) React frontend — served as static assets; (4) PostgreSQL 15 — primary data store; (5) Redis — task queue broker; (6) Celery workers — asynchronous sync and compliance tasks. All containers run on isolated virtual machines with no public database or cache ports exposed.
Are system and application patches applied promptly? Yes
Yes. OS-level security patches are applied within 30 days of release for standard patches, and within 72 hours for critical/zero-day patches. Container base images (python:3.11-slim, node:20) are rebuilt and redeployed on each release cycle. Dependencies are monitored for known CVEs.
Is network access to the production environment restricted? Yes
Yes. Production infrastructure is protected by OCI Security Lists (firewall rules) that allow only ports 443 (HTTPS) and 80 (HTTP redirect) inbound from the public internet. Database, Redis, and internal service ports are not publicly exposed. Administrative access to the host is via SSH key authentication only, restricted to authorised IP ranges.

5. Incident Response & Breach Notification

Do you have a documented incident response plan? Yes
Yes. Ossvisor maintains an internal Incident Response Plan covering: detection and classification (P1–P4 severity), escalation procedures, containment and recovery steps, post-incident review, and regulatory notification obligations. The plan is reviewed annually.
How quickly will you notify customers of a security breach? Yes
Ossvisor will notify affected customers of a confirmed personal data breach within 72 hours of becoming aware of it, in compliance with UK GDPR Article 33 requirements. Notification will be sent to the registered admin email address and will include: nature of the breach, categories of data affected, likely consequences, and measures taken or proposed.
Have you suffered any security breaches in the past 12 months? No — None
No. Ossvisor has not suffered any confirmed security breaches or notifiable data incidents in the past 12 months. This statement is accurate as of May 2026.

6. Business Continuity & Disaster Recovery

What are your RPO and RTO targets? Answered
RPO (Recovery Point Objective): 24 hours — daily automated database backups are retained for 30 days.
RTO (Recovery Time Objective): 4 hours for the SaaS platform following a major infrastructure failure.
Enterprise customers with self-hosted deployments define their own RPO/RTO targets based on their backup strategy.
Are database backups automated and tested? Yes
Yes. PostgreSQL database backups run automatically every 24 hours. Backups are encrypted and stored in a separate OCI region. Backup restoration is tested quarterly as part of our operational procedures.
Do you have a documented Business Continuity Plan (BCP)? In Progress
A working BCP covering the CloudVista SaaS service is in place, addressing key personnel dependencies, infrastructure failover procedures, and communication protocols. A formal, auditor-reviewed BCP document is being developed as part of our SOC 2 preparation, expected Q1 2027.

7. Third-Party Sub-processors

Sub-processors listed below apply to the SaaS deployment only. Self-hosted customers have no Ossvisor sub-processors — all data stays within your infrastructure.
Which third-party sub-processors do you use? Listed
Sub-processor | Purpose | Data Region | Certifications
Oracle Cloud Infrastructure (OCI) | SaaS hosting, compute, storage, networking | UK / EU | ISO 27001, SOC 2, PCI DSS, CSA STAR L2
Stripe | Payment processing (subscription billing) | EU | PCI DSS Level 1, ISO 27001, SOC 2
SendGrid / Twilio | Transactional email (alerts, password reset) | EU | ISO 27001, SOC 2

Ossvisor does not sell or share customer data with sub-processors beyond what is necessary to operate the service. All sub-processors are bound by Data Processing Agreements.

8. Vulnerability Management & Penetration Testing

Do you conduct penetration testing? Planned
Formal third-party penetration testing has not yet been conducted. An annual external penetration test by a CREST-accredited firm is planned for H2 2026, as part of our SOC 2 preparation programme. Results will be available under NDA on request once completed. Internal security reviews are conducted as part of every feature release.
How are software dependencies monitored for known vulnerabilities? Yes
Python backend dependencies are scanned using pip-audit and Dependabot alerts on the GitHub repository. Frontend JavaScript dependencies are scanned with npm audit on each build. Container base images are rebuilt from the latest upstream releases on each deployment cycle.
Is there a responsible disclosure / bug bounty programme? Partial
Ossvisor accepts responsible disclosure reports via [email protected]. We commit to acknowledging reports within 5 business days and providing a resolution timeline. A formal bug bounty programme is planned for H2 2026.

9. Development & Change Management

Do you have a secure development lifecycle (SDLC)? Yes
Yes. CloudVista development follows a secure SDLC: (1) code is stored in private GitHub repositories with branch protection; (2) all changes are made via pull requests with mandatory peer review; (3) automated linting (flake8, ESLint) and dependency scanning run on every PR; (4) production deployments are made from tagged releases only, via CI/CD pipelines.
Is production access separated from development access? Yes
Yes. Development, staging, and production environments are separated. Developers do not have direct access to the production database. Production deployments are performed via automated CI/CD pipelines with a defined approval process.
Is customer data ever used in development or testing environments? No
No. Development and testing environments use synthetic, auto-generated demo data only. Real customer data is never copied to non-production environments.

10. Compliance & Certifications

Is your organisation GDPR compliant? Is a DPA available? Yes
Yes. Ossvisor Ltd is subject to UK GDPR and the Data Protection Act 2018. We are registered with the ICO (Information Commissioner's Office). A Data Processing Agreement (DPA) is available on request — email [email protected] with the subject "GDPR DPA Request".
Do you have SOC 2 certification? Planned — Q1 2027
Not yet. SOC 2 Type II is on our certification roadmap, with an audit planned for Q4 2026 and report expected Q1 2027. We are building the required controls and evidence collection infrastructure now as part of our SOC 2 readiness programme. A SIG Lite questionnaire response is available in the meantime.
Do you have ISO 27001 certification? Planned — Q2 2027
Not yet. ISO 27001 certification is planned for Q2 2027. Our Information Security Management System (ISMS) is being developed as a precursor to both the SOC 2 and ISO 27001 audits.
Are you listed on the CSA STAR registry? In Progress — Q3 2026
CSA STAR Level 1 self-assessment (CAIQ) is currently in progress. We expect to be listed on the public CSA STAR Registry by Q3 2026. Once listed, the entry will be available at cloudsecurityalliance.org/star.
Do employees receive security awareness training? Yes
Yes. All Ossvisor employees receive security awareness training on joining and annually thereafter, covering: phishing awareness, secure coding practices, password management, data handling, and incident reporting procedures.

Need this in your own format?

We can complete your organisation's custom security questionnaire, provide a GDPR DPA, or arrange a technical security call with our team.

Contact [email protected]