Why Trust Thalaxo
Read-only by default. Revocable in one click.
Zero long-term credential storage.
What Thalaxo can — and cannot — do
Every cloud connection starts with the lowest possible permission level. You decide if and when to grant more.
Read-only by default
New connections start at OBSERVER level: discovery, dashboards, FinOps insights — no mutations without your explicit upgrade.
Revocable in one click
Disconnect → secrets purged → step-by-step teardown instructions for AWS, Azure, and GCP. No ticket. No support call.
Zero credential storage
HashiCorp Vault HA + AWS KMS envelope encryption (AES-256-GCM). No plaintext secrets. Ever.
Full audit trail
Every action logged: who, when, from which IP, before/after state, job ID. Immutable history with rollback linkage.
Encryption everywhere
Standardized protection across every layer — in transit and at rest.
You can remove Thalaxo’s access in one click.
We purge your secrets immediately.
You get step-by-step teardown instructions.
No ticket. No migration project.
Revoke in Thalaxo console
Single button disconnect.
Secrets purged immediately
Vault wiped. KMS key context invalidated.
Provider teardown instructions
AWS CloudFormation / Azure role / GCP WIF — clean on your side too.
Certifications & compliance
SOC 2 Type II
AICPA SSAE 18 — Trust Services Categories: Security, Availability, Confidentiality, Processing Integrity. Kick-off: June 2026. Auditor identity shared under NDA.
ISO 27001
ISMS engagement initiated. Gap assessment and roadmap underway. Target: December 2026. Auditor identity shared under NDA.
GDPR & Data Residency
Production: AWS eu-west-3 (Paris, France) — deployment in progress. KMS, S3, backups: Paris. Your cloud workloads stay in your accounts.
Frequently asked questions
What CTOs and security teams ask before connecting their cloud.
Do you store my AWS access keys?
No, not on the recommended path. We use AssumeRole (AWS), delegated roles (Azure), or Workload Identity Federation (GCP); no long-lived access keys are stored on that primary path. Any credential in transit is envelope-encrypted with AWS KMS and purged on revocation.
Are you SOC 2 certified today?
We have been under SOC 2 Type II audit since June 2026. We do not claim a completed Type II report until the auditor issues it. The auditor’s identity is available on request under NDA. Controls are documented, evidenced, and under independent review — not self-attested.
Where is data hosted?
Production target: AWS eu-west-3 (Paris, France) — deployment in progress. KMS, S3, and backups are already in eu-west-3. Your cloud workloads stay in the regions you choose — Thalaxo never becomes data controller of your infrastructure payloads.
Can we stay read-only forever?
Yes. OBSERVER is the default capability level and is sufficient for all FinOps features: full inventory discovery, cost dashboards, rightsizing insights, and PDF audit reports. Write operations require an explicit upgrade you choose per credential.
What happens if we stop using Thalaxo?
Revoke credentials in the console → secrets purged immediately → you receive provider-specific teardown instructions (AWS CloudFormation stack delete, Azure role removal, GCP WIF unbind). Your cloud account has no remaining Thalaxo principal. No migration project required.
Need the detailed control matrix?
Request our SOC 2 security pack and control evidence under NDA.
Available for enterprise security reviews and procurement questionnaires.