Skip to main content

Security & Data Protection

Cloud cost data is sensitive: it maps your infrastructure, your vendors, and your priorities. KOSTRA protects it with strong controls whether you use the managed SaaS or run KOSTRA self-hosted — and for organizations that require data to remain in their own infrastructure, self-hosting makes that guarantee explicit.

Managed SaaS

On the managed service, KOSTRA operates the platform for you with security as a first-class concern: credentials and cost data are encrypted, access is governed by role-based permissions, and traffic is served over TLS. You get the platform’s full capability without operating any infrastructure yourself.

Self-hosted for data residency

When policy, regulation, or sovereignty requires that data never leave your environment, KOSTRA can be deployed self-hosted into a Kubernetes cluster you own — including in the same cloud region as the workloads it analyzes. In this model, billing records, resource inventory, recommendations, and every derived analytic are stored in databases running inside your infrastructure, and nothing is transmitted to a KOSTRA-operated service. You choose the model that fits your requirements; the software is identical.

How credentials are protected

Connecting a cloud account requires credentials scoped for reading billing and describing resources. KOSTRA stores these credentials encrypted at rest. Sensitive values submitted through the interface — such as API keys — are write-only from the user’s perspective: they can be set and rotated, but are not read back. Where KOSTRA integrates a language model for modernization narration, the provider key is likewise stored encrypted and used only to make the calls you have configured.

Encryption in transit

KOSTRA’s web and API traffic is served over HTTPS, with certificates provisioned and auto-renewed through cert-manager and a public certificate authority. Internal service-to-service communication runs within the platform’s network.

Access control

KOSTRA uses role-based access so that analysts, engineers, and managers see and do what their role permits. Organizations are subdivided into pools that mirror your team and budget structure, and permissions are checked on every privileged action. This lets you give finance broad visibility while restricting configuration changes to the people responsible for them.

Identity integration

KOSTRA issues and validates its own tokens for platform access and can be operated with your existing sign-in expectations in mind. For enterprise identity requirements — such as connecting to a corporate identity provider — engage the KOSTRA team to confirm the integration path that fits your environment.

AI insights and your data

AI-assisted narration of modernization findings is optional and disabled until you enable it. When enabled, KOSTRA calls the language-model provider you select using a key you supply; the model only explains numbers the engine has already computed and cannot alter your data. Because the feature is opt-in and provider-configurable, you decide whether any workload metadata is described to an external model at all. If your policy is that nothing leaves your environment, leave the AI disabled and rely on the evidence-based content — and if you self-host, the rest of the platform keeps your data in place regardless.

Compliance considerations

The self-hosted option gives you the control needed to align KOSTRA with a strict compliance regime: you own the data-residency decision, the retention policy, the network boundary, and the audit surface. On the managed SaaS, KOSTRA operates the equivalent controls on your behalf. KOSTRA provides the technical foundation — encryption, access control, and, when self-hosted, an in-your-network deployment — which your organization applies within its own governance framework.