Infrawatcher AI stores AWS IAM keys, MongoDB Atlas credentials, and third-party API tokens on your behalf. Here is exactly how we protect them.
Every AWS IAM key, MongoDB Atlas API key, and third-party credential stored in Infrawatcher AI is encrypted using AES-256-GCM — the same standard used by AWS KMS and Google Cloud KMS. Each credential is encrypted with a unique 12-byte random IV so identical data produces different ciphertext on every write. The encryption key is stored separately from the credential data and is never logged or transmitted.
All communication between your browser, the Infrawatcher AI servers, and third-party APIs (AWS, MongoDB Atlas, GitHub, Notion) is encrypted with TLS 1.2 or higher. We enforce HSTS on all domains and do not support SSLv3, TLS 1.0, or TLS 1.1. Certificate validity is monitored continuously — we practice what we preach.
Infrawatcher AI uses read-only IAM permissions for all AWS health checks. We call DescribeEnvironments, DescribeDBInstances, and GetMetricStatistics — never CreateInstance, TerminateInstance, or any write operation. For MongoDB Atlas, we use the Atlas API with read-only project access. We never modify your infrastructure. The Detect & Propose feature generates advisory text only — no action is taken without your explicit approval.
Credentials are stored per-account and are never shared between tenants. Each account's credentials are encrypted with a key derived from the platform-level encryption secret combined with the account ID, ensuring that a credential belonging to one account cannot be decrypted in the context of another. Credentials are never included in logs, error reports, or analytics events.
Authentication sessions use JWT tokens signed with HS256, stored in HttpOnly, Secure, SameSite=None cookies. Sessions expire after 30 days of inactivity. OAuth flows with Google and GitHub use the standard authorization code flow — we never see or store your Google or GitHub password. All session cookies are cleared on logout.
Infrawatcher AI uses Sentry for server-side error monitoring. Before any error event is sent to Sentry, a scrubbing filter removes all fields that could contain credentials: encryptedData, secretAccessKey, privateKey, token, apiKey, and password. Stack traces and request metadata are retained for debugging, but credential data is never included in error reports.
When you connect AWS credentials to Infrawatcher AI, we recommend creating a dedicated read-only IAM user with only the permissions listed below. We never request or use write permissions.
If you discover a security vulnerability in Infrawatcher AI, please disclose it responsibly by emailing [email protected]. We aim to acknowledge all reports within 24 hours and resolve confirmed vulnerabilities within 7 days.