Security and data access policy

This document outlines what customer data the DoiT Platform accesses, why, and what and how data are stored.

Google Cloud

Note

The permissions are to be granted at the Google Cloud Organization or Project level. While they allow us to get information about your resources, none of them give us access to your data.

Core functionality

Below is the minimum set of read-only permissions required by the DoiT platform.

Access level: Organization, Project

Permissions to get information about your Google Cloud resource hierarchy and correlate it with billing:

resourcemanager.projects.get
compute.addresses.list
compute.disks.get
compute.disks.list
compute.images.get
compute.images.list
compute.instances.get
compute.instances.list
compute.projects.get
compute.regions.get
compute.regions.list
compute.snapshots.get
compute.snapshots.list
compute.zones.get
compute.zones.list
compute.commitments.get
compute.commitments.list

Permissions to check the status (and enable if required) Google Cloud APIs (e.g., Recommender API):

serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use

Access level: Organization only

resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.list

Access level: Project only

resourcemanager.projects.getIamPolicy

Google Cloud Rightsizing

Access level: Organization only

Permissions required to provide Rightsizing Recommendations for Google Compute Engine instances across your organization:

recommender.computeInstanceMachineTypeRecommendations.list
compute.instances.list

Permissions required to implement Rightsizing recommendations:

compute.instances.setMachineType
compute.instances.stop
compute.instances.start

BigQuery Lens

Access level: Organization only

Why does BigQuery Lens need permissions at the organization level?

The BigQuery Lens creates an audit log sink at the organization level to monitor and analyze logs across projects. We do not support fetching logs from project-level sinks.

These permissions allow the BigQuery Lens to access the structure of your projects, datasets, and tables in order to show the costs and optimization recommendations on the dashboard with resources names. None of them give us access to your BigQuery data.

BigQuery Lens permissions are grouped into several categories.

BigQuery Lens

Permissions required to get cost optimization recommendations for BigQuery environment:

Permission	Description
bigquery.datasets.create	Create new empty datasets.
bigquery.datasets.get	Get metadata and permissions about a dataset.
bigquery.tables.get	Get table metadata.
bigquery.tables.list	List tables and metadata on tables.
bigquery.jobs.get	Get data and metadata on any job.
bigquery.jobs.list	List all jobs and retrieve metadata on any job submitted by any user. Details and metadata for jobs submitted by other users are redacted.
bigquery.jobs.listAll	List all jobs and retrieve metadata on any job submitted by any user.
bigquery.jobs.create	Run jobs (including queries) within the project.
bigquery.routines.list	List routines and metadata on routines.
bigquery.routines.get	Get routine definitions and metadata.
logging.sinks.create	Create new sinks in Cloud Logging.
logging.sinks.get	Get information about sinks in Cloud Logging.

BigQuery Lens Editions

Additional permissions required for BigQuery Lens to work with Google BigQuery editions.

Permission	Description
bigquery.capacityCommitments.list	Query the INFORMATION_SCHEMA.CAPACITY_COMMITMENTS view for all current capacity commitments in a project.
bigquery.capacityCommitments.get	Retrieve the capacity commitment in a project.
bigquery.reservations.list	Query the INFORMATION_SCHEMA.RESERVATIONS view for a list of all slot reservations in a project.
bigquery.reservations.get	Retrieve details about a slot reservation.
bigquery.reservationAssignments.list	Query the INFORMATION_SCHEMA.ASSIGNMENTS view for all reservation assignments in a project.
bigquery.reservationAssignments.search	Find a reservation assignment for a given project, folder, or organization.

BigQuery Lens Insights

Permissions required to get additional BigQuery Lens Insights.

Permission	Description
recommender.bigqueryCapacityCommitmentsInsights.get recommender.bigqueryCapacityCommitmentsInsights.list recommender.bigqueryCapacityCommitmentsRecommendations.get recommender.bigqueryCapacityCommitmentsRecommendations.list	Access cost-optimal commitment slots recommendations.
recommender.bigqueryMaterializedViewInsights.get recommender.bigqueryMaterializedViewInsights.list recommender.bigqueryMaterializedViewRecommendations.get recommender.bigqueryMaterializedViewRecommendations.list	Access materialized view recommendations.
recommender.bigqueryPartitionClusterRecommendations.get recommender.bigqueryPartitionClusterRecommendations.list recommender.bigqueryTableStatsInsights.get recommender.bigqueryTableStatsInsights.list	Access partition and cluster recommendations.

Kubernetes insights

DoiT Insights requires the following permissions to interact with Kubernetes clusters for actionable recommendations. See also Google Kubernetes Engine (GKE): API permissions.

Access level: Organization, Project

Permission	Description
container.clusters.get	Retrieve information about a specific GKE cluster.
container.clusters.list	List all GKE clusters in a specific project.
container.clusters.connect	Connect to a GKE cluster. This is necessary for connecting to the Kubernetes API server. See also Authenticate to the Kubernetes API server.

Insights from BigQuery export

Below are the permissions required to connect a dataset for insights from GCP Recommender BigQuery export.

Access level: Project

Permission	Description
bigquery.jobs.create	Run jobs (including queries) within the project.

Access level: Dataset

Permission	Description
bigquery.tables.get	Get table metadata.
bigquery.tables.list	List tables and metadata on tables.
bigquery.tables.getData	Get table data. This permission is required for querying table data.

Amazon Web Services

The sections below list the permissions we require to your AWS account.

Core functionality

Below is the minimum set of read-only permissions we need for features in DoiT Platform.

Permissions required to access the billing data and the security posture of your AWS account:

arn:aws:iam::aws:policy/SecurityAudit
arn:aws:iam::aws:policy/AWSSavingsPlansReadOnlyAccess
arn:aws:iam::aws:policy/job-function/Billing

AWS quota monitoring

Permissions required to proactively monitor your AWS Quotas:

support:DescribeTrustedAdvisorCheckSummaries
support:DescribeTrustedAdvisorCheckRefreshStatuses
support:DescribeTrustedAdvisorChecks
support:DescribeSeverityLevels
support:RefreshTrustedAdvisorCheck
support:DescribeSupportLevel
support:DescribeCommunications
support:DescribeServices
support:DescribeIssueTypes
support:DescribeTrustedAdvisorCheckResult
trustedadvisor:DescribeNotificationPreferences
trustedadvisor:DescribeCheckRefreshStatuses
trustedadvisor:DescribeCheckItems
trustedadvisor:DescribeAccount
trustedadvisor:DescribeAccountAccess
trustedadvisor:DescribeChecks
trustedadvisor:DescribeCheckSummaries

Cloud Diagrams

Cloud Diagrams generates diagrams of your AWS cloud infrastructure for your AWS accounts.

Permission	Description
apigateway:GET	Retrieves a specific gateway.
ec2:SearchTransitGatewayRoutes	Searches for routes in the specified transit gateway route table.
eks:ListTagsForResource	Lists the tag for an Amazon EKS resource.
eks:ListFargateProfiles	Lists the AWS Fargate profiles associated with the specified cluster in your AWS account in the specified region.
eks:DescribeFargateProfile	Deletes an AWS Fargate profile.
elasticfilesystem:DescribeTags	Returns the tags associated with a file system.
glacier:ListTagsForVault	Lists all the tags attached to a vault.
glacier:GetVaultNotifications	Retrieves the notification-configuration subresource set on the vault.
glue:GetConnections	Retrieves a list of connection definitions from the Data Catalog.
glue:GetCrawler	Retrieves metadata for a specified crawler.
glue:GetDatabase	Retrieves the definition of a specified database.
health:DescribeEventDetails	Returns detailed information about one or more specified events.
networkmanager:Get*	Gets network performance data.
networkmanager:List*	Lists network performance data.
ram:GetResourceSharest*	Retrieves details about the resource shares that you own or that are shared with you.
wafv2:GetLoggingConfiguration	Returns the LoggingConfiguration for the specified web ACL.
wafv2:GetRuleGroup	Retrieves the specified RuleGroup.
waf:GetLoggingConfiguration	Returns the LoggingConfiguration for the specified web ACL.
waf-regional:GetLoggingConfiguration	Returns the LoggingConfiguration for the specified web ACL.
eks:ListAccessPolicies	Lists the available access policies.
eks:ListAccessEntries	Lists the access entries for your cluster.
eks:DescribeCluster	Describes an Amazon EKS cluster.
eks:ListClusters	Lists the Amazon EKS clusters in your AWS account in the specified AWS Region.

Spot Scaling

Spot Scaling analyzes your Auto Scaling Groups based on cost and usage and get recommendations to replace On-Demand EC2 instances with Spot instances.

ec2:Describe*
ec2:CreateLaunchTemplate
ec2:CreateLaunchTemplateVersion
ec2:ModifyLaunchTemplate
ec2:RunInstances
ec2:TerminateInstances
ec2:CreateTags
ec2:DeleteTags
ec2:CreateLaunchTemplateVersion
ec2:CancelSpotInstanceRequests
autoscaling:CreateOrUpdateTags
autoscaling:UpdateAutoScalingGroup
autoscaling:Describe*
autoscaling:AttachInstances
autoscaling:BatchDeleteScheduledAction
autoscaling:BatchPutScheduledUpdateGroupAction
cloudformation:ListStacks
cloudformation:Describe*
iam:PassRole
events:PutRule
events:PutTargets
events:PutEvents

Real-time anomaly

DoiT real-time cost anomaly detection requires the following permissions to monitor cost spikes in near real time.

Permission	Description
ec2:DescribeImages	This permission is required to retrieve EC2 instance attributes information in private images owned by the AWS account.
kms:Decrypt	Decrypts ciphertext that was encrypted by a KMS key.
s3:GetBucketLocation	Required only if you Create an IAM role automatically. Returns the Region the bucket resides in.
s3:GetBucketNotification	Returns the notification configuration of a bucket.
s3:GetObject	Retrieves an object from Amazon S3.
s3:ListBucket	Allows the user to use the Amazon S3 ListObjectsV2 operation. see Policies and permissions in Amazon S3.
s3:PutBucketNotification	Required only if you Create an IAM role automatically. Enables notifications of specified events for a bucket.

Trusted Advisor insights

DoiT Insights requires the following permissions to interact with AWS Trusted Advisor API.

Permission	Description
trustedadvisor:GetRecommendation	Retrieves a specific global recommendation.
trustedadvisor:ListRecommendations	Lists a filterable set of global recommendations.

Cost Optimization Hub insights

DoiT Insights requires the following permissions to interact with AWS Cost Optimization Hub API.

Permission	Description
cost-optimization-hub:ListRecommendations	Returns a list of recommendations.

Microsoft Azure

Azure advisor insights

DoiT Insights requires the following permissions to interact with h Azure Advisor REST API.

Permission	Description
Management Group/Reader	Lists existing management group hierarchy settings.

Ava security compliance

Ava, our generative AI chatbot, is designed with top-tier security measures to ensure the confidentiality, integrity, and availability of customer data.

OpenAI organization subscription

Our organization holds an enterprise subscription with OpenAI, providing us with additional layers of security and control:

• Enhanced security measures: Extra layers of security protocols exclusive to enterprise subscribers.

• Dedicated data hub: All the data processed by Ava is stored in a private, secure data hub, ensuring that it cannot be accessed or leaked by unauthorized parties. Additionally, we never submit the data for training purposes by OpenAI.

Customer data handling

Billing Data

For the generation of Cloud Analytics reports:

• Authentication requirement: Billing data can only be accessed and generated by customers who are logged in through our secure authentication system.

• API security: We leverage existing Cloud Analytics APIs that ensure data is securely processed and cannot be breached or accessed by unauthorized users.

Customer context and asset management

For customer-specific context, assets, and general information:

• Vector database usage: We utilize a vector database to store and embed customer data securely, according to the customer's usage and relevance.

• Data segmentation: Each customer's data is isolated using robust filtering mechanisms, ensuring that customers cannot access or view each other's data.

By adhering to these security practices, Ava ensures that all customer data is handled with the highest level of security, preventing unauthorized access and maintaining data integrity across all operations.

Privacy and data protection

What we store

We only store data required for DoiT Platform functionality.

• Cloud Billing exports — required for core Billing functionality; stored in BigQuery

• User information — required for core DoiT Platform functionality; stored in Firestore

• Assets created via using DoiT console (Invoices, Billing Profiles, etc.) — required for core DoiT Platform functionality; stored in Firestore

• Contracts — required for core DoiT Platform functionality; stored in Google Cloud Storage

• Service Account Keys — required for BigQuery Lens; stored in Firestore and encrypted with KMS

How we handle and store your data

All data we handle are encrypted in transit using industry-standard protocols like HTTPS (TLS).

All data we store are encrypted at rest:

• Google BigQuery — using Google-managed encryption keys and Advanced Encryption Standard (AES)

• Google Firestore — using Google-managed encryption keys and AES

• Google Cloud Storage — using Google-managed encryption keys and AES

• Service Account Keys — encrypted using Google Cloud KMS and stored in Google Secret Manager

Who can access your data

DoiT employees in customer-facing roles, such as Account managers and Support engineers, can access your data in the DoiT Platform. A small team of core DoiT Platform developers is able to access your data directly in the underlying storage.

Service Account keys are used only by backend systems to retrieve relevant data from Google Cloud. Only a small team of core DoiT Platform developers has access to the KMS keys.

Third parties

With the exceptions listed below required for core DoiT Platform functionality, we do not provide your data to any third-party.

• DoiT Platform Support — We use Zendesk as a backend for our support request system. Ticket-related data are stored in Zendesk and retrieved using Zendesk APIs [1].

• Payments — We use Stripe for payments. All payment-related data (such as Credit card or bank account details) are stored in the Stripe platform and used via Stripe APIs [2].

Compliance

Our products regularly undergo independent verification of security, privacy, and compliance controls, achieving certifications against global standards. We're constantly working to expand our coverage.

• EU and GDPR Compliance — we have customers in the European Economic Area and we handle data in compliance with the General Data Protection Regulation (GDPR) [3].

• The SOC 2 and SOC 3 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) existing Trust Services Criteria (TSC). The report evaluates an organization's information systems relevant to security, availability, processing integrity, confidentiality, and privacy.

• ISO/IEC 27001 outlines and provides the requirements for an information security management system (ISMS), specifies a set of best practices, and details the security controls that can help manage information risks.

The DoiT Platform ISO/IEC 27001 and SOC 2/3 certificates may be requested via trust.doit.com.

External references

• [1]: Zendesk Privacy and Data Protection
• [2]: Stripe Global Privacy Policy
• [3]: EU Data Protection page