Built for enterprise. Secured by design.

CloudVista is built on a foundation of encryption, tenant isolation, and auditability. Here's exactly how we protect your data — and where we're heading on certifications.

Four pillars of CloudVista security

Every layer of CloudVista is designed to protect your cloud credentials, inventory data, and user access — whether you're on our cloud or self-hosted.

Encryption at Rest & in Transit

All data is encrypted at rest using AES-256. Every API call and browser session is protected by TLS 1.2 or higher. Cloud credentials are encrypted before being written to the database and are never returned via the API.

Strict Tenant Isolation

CloudVista is a fully multi-tenant platform where each organisation's data is logically isolated. All database queries are scoped to the authenticated tenant — cross-tenant data access is architecturally impossible.

Fine-Grained Access Control

Role-Based Access Control (RBAC) covers every page and action in CloudVista. Enterprise plans add SSO (SAML 2.0 / OAuth 2.0) and custom roles with per-resource, per-action permissions. All access is recorded in an immutable audit log.

Immutable Audit Logging

Every user action, sync operation, and configuration change is recorded in an append-only audit log with timestamps, IP addresses, and user attribution. Audit logs can be exported for compliance evidence.

Frameworks CloudVista checks for you

The following are compliance frameworks built into CloudVista's scanning engine — helping your team assess and evidence compliance across your cloud estate.

These are frameworks CloudVista helps customers comply with — independent of Ossvisor's own organisational certifications (listed below).

  • CIS Benchmarks: AWS, Azure, OCI & VMware hardening checks
  • SOC 2: Trust Services Criteria evidence collection
  • PCI-DSS: Cardholder data environment checks
  • HIPAA: Healthcare data security controls
  • ISO 27001: Information security control mapping
  • GDPR: Data residency and access monitoring

Our certification roadmap

We believe in being transparent about where we are on our certification journey. Below is our current status and planned timeline.

Certification | Status | Expected | Notes
GDPR Data Processing Agreement | Available | Now | Available on request — email [email protected]
CSA STAR Level 1 | In Progress | Q3 2026 | CAIQ self-assessment underway; will be publicly listed on the CSA STAR Registry
Cyber Essentials (UK) | In Progress | Q3 2026 | UK government-backed security certification
SOC 2 Type II | Planned | Q1 2027 | Independent audit of security, availability, and confidentiality controls
ISO 27001 | Planned | Q2 2027 | International information security management standard

Questions about our compliance posture? Email [email protected] — we're happy to discuss in detail.

What we store and where

CloudVista connects to your cloud providers to read resource metadata. We store the minimum necessary to power the platform.

What is stored

  • Cloud resource metadata (names, types, tags, configurations)
  • Compliance check results and finding history
  • Cost and billing data aggregated by service
  • Audit logs of all user and system actions

What is never stored

  • Your actual workload data or application payloads
  • Cloud provider credentials in plaintext
  • Personal data from your cloud workloads
  • SSH keys, certificates, or secrets from your resources

Data residency

CloudVista SaaS runs on UK/EU infrastructure by default. A US-region deployment is available for North American customers on request. Enterprise customers can choose fully self-hosted deployment where no data ever leaves their environment.

Credential security

Cloud provider API credentials are AES-256 encrypted before storage and decrypted only in-memory during sync operations. Credentials are scoped to read-only access by default and are never returned via the CloudVista API.

Enterprise procurement ready

We know enterprise procurement teams need documentation. We're set up to help — with completed security questionnaires, DPAs, and custom responses.

  • SIG Lite questionnaire response
  • GDPR Data Processing Agreement
  • Security architecture overview
  • Custom questionnaire responses

View Pre-filled Questionnaire Response

Typically responded to within 3 business days · [email protected]

Security questions answered

Does CloudVista have SOC 2 certification?

CloudVista is not yet SOC 2 certified — we're being transparent about that. SOC 2 Type II is on our roadmap, planned for Q1 2027. In the meantime, we are pursuing CSA STAR Level 1 registration (Q3 2026) and can provide a completed security questionnaire and a GDPR Data Processing Agreement on request.

Where is CloudVista data stored?

By default, CloudVista stores data in UK/EU infrastructure. A US-region option is available for North American customers. Enterprise customers can opt for a fully self-hosted deployment where all data stays within their own environment — Ossvisor never has access to it.

Can we self-host CloudVista?

Yes. CloudVista is available as a self-hosted deployment on the Enterprise plan. You install it on your own infrastructure using our Docker-based deployment package. Your cloud credentials, inventory data, and audit logs never leave your environment.

How are cloud credentials protected?

Cloud provider credentials (AWS IAM keys, Azure service principals, OCI API keys, vCenter passwords, etc.) are encrypted at rest using AES-256 before being stored in the database. They are never exposed via the API and are only decrypted in-memory during scheduled sync operations running inside the CloudVista backend service.

Does CloudVista support Single Sign-On (SSO)?

Yes. SSO via SAML 2.0 and OAuth 2.0 is available on the Enterprise plan, allowing integration with Azure Active Directory, Okta, Google Workspace, and other SAML/OIDC-compatible identity providers. Contact us to set up an SSO integration.

How do I request a security questionnaire response?

Email [email protected] with the subject "Security Questionnaire" or use the button above. We provide completed SIG Lite and custom security questionnaire responses for enterprise procurement teams, typically within 3 business days. We can also provide a GDPR Data Processing Agreement (DPA) on the same request.