Security and data access policy

This document outlines what customer data the DoiT Platform accesses and why, and what data are stored and how.

Google Cloud

Note

The permissions are to be granted at the Google Cloud Organization or Project level. While they allow us to get information about your resources, none of them give us access to your data.

Core functionality

Below is the minimum set of read-only permissions required by the DoiT platform.

Access level: Organization, Project

Permissions to get information about your Google Cloud resource hierarchy and correlate it with billing:

resourcemanager.projects.get
compute.addresses.list
compute.disks.get
compute.disks.list
compute.images.get
compute.images.list
compute.instances.get
compute.instances.list
compute.projects.get
compute.regions.get
compute.regions.list
compute.snapshots.get
compute.snapshots.list
compute.zones.get
compute.zones.list
compute.commitments.get
compute.commitments.list

Permissions to check the status of (and enable, if required) Google Cloud APIs (e.g., the Recommender API):

serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use

Access level: Organization only

resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.list

Access level: Project only

resourcemanager.projects.getIamPolicy

Google Cloud Rightsizing

Access level: Organization only

Permissions required to provide Rightsizing Recommendations for Google Compute Engine instances across your organization:

recommender.computeInstanceMachineTypeRecommendations.list
compute.instances.list

Permissions required to implement Rightsizing recommendations:

compute.instances.setMachineType
compute.instances.stop
compute.instances.start
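To check that a custom role you grant to the platform matches the read-only minimum in the Core functionality section above, and that the three Rightsizing write permissions are granted only as a deliberate choice, here is an added example that is not DoiT's own code. It assumes the role is supplied as the JSON that `gcloud iam roles describe --format=json` prints (with its `includedPermissions` field); the sample role and its name are constructed.

```python
import json

# Permission sets transcribed from the sections above.
CORE = set("""
resourcemanager.projects.get compute.addresses.list compute.disks.get
compute.disks.list compute.images.get compute.images.list
compute.instances.get compute.instances.list compute.projects.get
compute.regions.get compute.regions.list compute.snapshots.get
compute.snapshots.list compute.zones.get compute.zones.list
compute.commitments.get compute.commitments.list
serviceusage.services.enable serviceusage.services.get
serviceusage.services.list serviceusage.services.use
""".split())
ORG_ONLY = {"resourcemanager.organizations.get",
            "resourcemanager.organizations.getIamPolicy",
            "resourcemanager.folders.get", "resourcemanager.folders.list",
            "resourcemanager.projects.list"}
PROJECT_ONLY = {"resourcemanager.projects.getIamPolicy"}
RIGHTSIZING_READ = {"recommender.computeInstanceMachineTypeRecommendations.list",
                    "compute.instances.list"}
# Verbs that only read state. Anything else (setMachineType, stop, start, ...)
# changes resources and should only be granted as a deliberate decision.
READ_VERBS = {"get", "list", "getIamPolicy", "use", "search"}

def is_mutating(permission: str) -> bool:
    return permission.rsplit(".", 1)[-1] not in READ_VERBS

def audit_role(role: dict, level: str, rightsizing: bool = False) -> dict:
    """role: dict shaped like `gcloud iam roles describe --format=json` output;
    level: "organization" or "project", which selects the level-specific set."""
    expected = CORE | (ORG_ONLY if level == "organization" else PROJECT_ONLY)
    if rightsizing:
        expected |= RIGHTSIZING_READ
    granted = set(role.get("includedPermissions", []))
    extra = granted - expected
    return {"missing": sorted(expected - granted),
            "extra": sorted(extra),
            "mutating_extra": sorted(p for p in extra if is_mutating(p))}

# Constructed sample (placeholder name): a project-level role missing one
# documented permission and carrying the three Rightsizing write permissions.
SAMPLE_ROLE = {
    "name": "projects/example-project/roles/doitPlatform",
    "includedPermissions": sorted((CORE | PROJECT_ONLY) - {"compute.zones.list"})
    + ["compute.instances.setMachineType", "compute.instances.stop",
       "compute.instances.start"],
}

if __name__ == "__main__":
    print(json.dumps(audit_role(SAMPLE_ROLE, "project"), indent=2))
```

Run it against a real role export to get three lists: what the platform still lacks, what it was given beyond the documented set, and which of those extras can change resources.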

BigQuery Lens

Access level: Organization only

Why does BigQuery Lens need permissions at the organization level?

The BigQuery Lens creates an audit log sink at the organization level to monitor and analyze logs across projects. We do not support fetching logs from project-level sinks.

These permissions allow the BigQuery Lens to read the structure of your projects, datasets, and tables in order to show costs and optimization recommendations on the dashboard with resource names. None of them give us access to your BigQuery data.

BigQuery Lens permissions are grouped into several categories.

BigQuery Lens

Permissions required to get cost optimization recommendations for your BigQuery environment:

Permission | Description
bigquery.datasets.create | Create new empty datasets.
bigquery.datasets.get | Get metadata and permissions about a dataset.
bigquery.tables.get | Get table metadata.
bigquery.tables.list | List tables and metadata on tables.
bigquery.jobs.get | Get data and metadata on any job.
bigquery.jobs.list | List all jobs and retrieve metadata on any job submitted by any user. Details and metadata for jobs submitted by other users are redacted.
bigquery.jobs.listAll | List all jobs and retrieve metadata on any job submitted by any user.
bigquery.jobs.create | Run jobs (including queries) within the project.
bigquery.routines.list | List routines and metadata on routines.
bigquery.routines.get | Get routine definitions and metadata.
logging.sinks.create | Create new sinks in Cloud Logging.
logging.sinks.get | Get information about sinks in Cloud Logging.

BigQuery Lens Editions

Additional permissions required for BigQuery Lens to work with Google BigQuery editions.

Permission | Description
bigquery.capacityCommitments.list | Query the INFORMATION_SCHEMA.CAPACITY_COMMITMENTS view for all current capacity commitments in a project.
bigquery.capacityCommitments.get | Retrieve the capacity commitment in a project.
bigquery.reservations.list | Query the INFORMATION_SCHEMA.RESERVATIONS view for a list of all slot reservations in a project.
bigquery.reservations.get | Retrieve details about a slot reservation.
bigquery.reservationAssignments.list | Query the INFORMATION_SCHEMA.ASSIGNMENTS view for all reservation assignments in a project.
bigquery.reservationAssignments.search | Find a reservation assignment for a given project, folder, or organization.

BigQuery Lens Insights

Permissions required to get additional BigQuery Lens Insights.

Permission | Description
recommender.bigqueryCapacityCommitmentsInsights.get, recommender.bigqueryCapacityCommitmentsInsights.list, recommender.bigqueryCapacityCommitmentsRecommendations.get, recommender.bigqueryCapacityCommitmentsRecommendations.list | Access cost-optimal commitment slots recommendations.
recommender.bigqueryMaterializedViewInsights.get, recommender.bigqueryMaterializedViewInsights.list, recommender.bigqueryMaterializedViewRecommendations.get, recommender.bigqueryMaterializedViewRecommendations.list | Access materialized view recommendations.
recommender.bigqueryPartitionClusterRecommendations.get, recommender.bigqueryPartitionClusterRecommendations.list, recommender.bigqueryTableStatsInsights.get, recommender.bigqueryTableStatsInsights.list | Access partition and cluster recommendations.

Kubernetes insights

DoiT Insights requires the following permissions to interact with Kubernetes clusters for actionable recommendations. See also Google Kubernetes Engine (GKE): API permissions.

Access level: Organization, Project

Permission | Description
container.clusters.get | Retrieve information about a specific GKE cluster.
container.clusters.list | List all GKE clusters in a specific project.
container.clusters.connect | Connect to a GKE cluster. This is necessary for connecting to the Kubernetes API server. See also Authenticate to the Kubernetes API server.

Insights from BigQuery export

Below are the permissions required to connect a dataset for insights from GCP Recommender BigQuery export.

Access level: Project

Permission | Description
bigquery.jobs.create | Run jobs (including queries) within the project.

Access level: Dataset

Permission | Description
bigquery.tables.get | Get table metadata.
bigquery.tables.list | List tables and metadata on tables.
bigquery.tables.getData | Get table data. This permission is required for querying table data.

Amazon Web Services

The sections below list the permissions we require in your AWS account.

Core functionality

Below is the minimum set of read-only permissions we need for the features of the DoiT Platform.

Permissions required to access the billing data and the security posture of your AWS account:

arn:aws:iam::aws:policy/SecurityAudit
arn:aws:iam::aws:policy/AWSSavingsPlansReadOnlyAccess
arn:aws:iam::aws:policy/job-function/Billing

AWS quota monitoring

Permissions required to proactively monitor your AWS Quotas:

support:DescribeTrustedAdvisorCheckSummaries
support:DescribeTrustedAdvisorCheckRefreshStatuses
support:DescribeTrustedAdvisorChecks
support:DescribeSeverityLevels
support:RefreshTrustedAdvisorCheck
support:DescribeSupportLevel
support:DescribeCommunications
support:DescribeServices
support:DescribeIssueTypes
support:DescribeTrustedAdvisorCheckResult
trustedadvisor:DescribeNotificationPreferences
trustedadvisor:DescribeCheckRefreshStatuses
trustedadvisor:DescribeCheckItems
trustedadvisor:DescribeAccount
trustedadvisor:DescribeAccountAccess
trustedadvisor:DescribeChecks
trustedadvisor:DescribeCheckSummaries

Cloud Diagrams

Cloud Diagrams generates diagrams of your AWS cloud infrastructure for your AWS accounts.

Permission | Description
apigateway:GET | Retrieves a specific gateway.
ec2:SearchTransitGatewayRoutes | Searches for routes in the specified transit gateway route table.
eks:ListTagsForResource | Lists the tags for an Amazon EKS resource.
eks:ListFargateProfiles | Lists the AWS Fargate profiles associated with the specified cluster in your AWS account in the specified region.
eks:DescribeFargateProfile | Describes an AWS Fargate profile.
elasticfilesystem:DescribeTags | Returns the tags associated with a file system.
glacier:ListTagsForVault | Lists all the tags attached to a vault.
glacier:GetVaultNotifications | Retrieves the notification-configuration subresource set on the vault.
glue:GetConnections | Retrieves a list of connection definitions from the Data Catalog.
glue:GetCrawler | Retrieves metadata for a specified crawler.
glue:GetDatabase | Retrieves the definition of a specified database.
health:DescribeEventDetails | Returns detailed information about one or more specified events.
networkmanager:Get* | Gets network performance data.
networkmanager:List* | Lists network performance data.
ram:GetResourceShares | Retrieves details about the resource shares that you own or that are shared with you.
wafv2:GetLoggingConfiguration | Returns the LoggingConfiguration for the specified web ACL.
wafv2:GetRuleGroup | Retrieves the specified RuleGroup.
waf:GetLoggingConfiguration | Returns the LoggingConfiguration for the specified web ACL.
waf-regional:GetLoggingConfiguration | Returns the LoggingConfiguration for the specified web ACL.
eks:ListAccessPolicies | Lists the available access policies.
eks:ListAccessEntries | Lists the access entries for your cluster.
eks:DescribeCluster | Describes an Amazon EKS cluster.
eks:ListClusters | Lists the Amazon EKS clusters in your AWS account in the specified AWS Region.

Spot Scaling

Spot Scaling analyzes your Auto Scaling Groups based on cost and usage and provides recommendations to replace On-Demand EC2 instances with Spot instances.

ec2:Describe*
ec2:CreateLaunchTemplate
ec2:CreateLaunchTemplateVersion
ec2:ModifyLaunchTemplate
ec2:RunInstances
ec2:TerminateInstances
ec2:CreateTags
ec2:DeleteTags
ec2:CancelSpotInstanceRequests
autoscaling:CreateOrUpdateTags
autoscaling:UpdateAutoScalingGroup
autoscaling:Describe*
autoscaling:AttachInstances
autoscaling:BatchDeleteScheduledAction
autoscaling:BatchPutScheduledUpdateGroupAction
cloudformation:ListStacks
cloudformation:Describe*
iam:PassRole
events:PutRule
events:PutTargets
events:PutEvents

Real-time anomaly

DoiT real-time cost anomaly detection requires the following permissions to monitor cost spikes in near real time.

Permission | Description
ec2:DescribeImages | Required to retrieve EC2 instance attribute information from private images owned by the AWS account.
kms:Decrypt | Decrypts ciphertext that was encrypted by a KMS key.
s3:GetBucketLocation | Required only if you Create an IAM role automatically. Returns the Region the bucket resides in.
s3:GetBucketNotification | Returns the notification configuration of a bucket.
s3:GetObject | Retrieves an object from Amazon S3.
s3:ListBucket | Allows the user to use the Amazon S3 ListObjectsV2 operation. See Policies and permissions in Amazon S3.
s3:PutBucketNotification | Required only if you Create an IAM role automatically. Enables notifications of specified events for a bucket.

Trusted Advisor insights

DoiT Insights requires the following permissions to interact with the AWS Trusted Advisor API.

Permission | Description
trustedadvisor:GetRecommendation | Retrieves a specific global recommendation.
trustedadvisor:ListRecommendations | Lists a filterable set of global recommendations.

Cost Optimization Hub insights

DoiT Insights requires the following permissions to interact with the AWS Cost Optimization Hub API.

Permission | Description
cost-optimization-hub:ListRecommendations | Returns a list of recommendations.

Microsoft Azure

Azure advisor insights

DoiT Insights requires the following permissions to interact with the Azure Advisor REST API.

Permission | Description
Management Group/Reader | Lists existing management group hierarchy settings.

Ava security compliance

Ava, our generative AI chatbot, is designed with top-tier security measures to ensure the confidentiality, integrity, and availability of customer data.

OpenAI organization subscription

Our organization holds an enterprise subscription with OpenAI, providing us with additional layers of security and control:

  • Enhanced security measures: Extra layers of security protocols exclusive to enterprise subscribers.

  • Dedicated data hub: All the data processed by Ava is stored in a private, secure data hub, ensuring that it cannot be accessed or leaked by unauthorized parties. Additionally, we never submit data to OpenAI for training purposes.

Customer data handling

Billing Data

For the generation of Cloud Analytics reports:

  • Authentication requirement: Billing data can only be accessed and generated by customers who are logged in through our secure authentication system.

  • API security: We leverage existing Cloud Analytics APIs that ensure data is securely processed and cannot be breached or accessed by unauthorized users.

Customer context and asset management

For customer-specific context, assets, and general information:

  • Vector database usage: We utilize a vector database to store and embed customer data securely, according to the customer's usage and relevance.

  • Data segmentation: Each customer's data is isolated using robust filtering mechanisms, ensuring that customers cannot access or view each other's data.

By adhering to these security practices, Ava ensures that all customer data is handled with the highest level of security, preventing unauthorized access and maintaining data integrity across all operations.

Privacy and data protection

What we store

We only store data required for DoiT Platform functionality.

  • Cloud Billing exports — required for core Billing functionality; stored in BigQuery

  • User information — required for core DoiT Platform functionality; stored in Firestore

  • Assets created via using DoiT console (Invoices, Billing Profiles, etc.) — required for core DoiT Platform functionality; stored in Firestore

  • Contracts — required for core DoiT Platform functionality; stored in Google Cloud Storage

  • Service Account Keys — required for BigQuery Lens; stored in Firestore and encrypted with KMS

How we handle and store your data

All data we handle are encrypted in transit using industry-standard protocols like HTTPS (TLS).

All data we store are encrypted at rest:

  • Google BigQuery — using Google-managed encryption keys and Advanced Encryption Standard (AES)

  • Google Firestore — using Google-managed encryption keys and AES

  • Google Cloud Storage — using Google-managed encryption keys and AES

  • Service Account Keys — encrypted using Google Cloud KMS and stored in Google Secret Manager

Who can access your data

DoiT employees in customer-facing roles, such as Account managers and Support engineers, can access your data in the DoiT Platform. A small team of core DoiT Platform developers is able to access your data directly in the underlying storage.

Service Account keys are used only by backend systems to retrieve relevant data from Google Cloud. Only a small team of core DoiT Platform developers has access to the KMS keys.

Third parties

With the exceptions listed below, which are required for core DoiT Platform functionality, we do not provide your data to any third party.

  • DoiT Platform Support — We use Zendesk as a backend for our support request system. Ticket-related data are stored in Zendesk and retrieved using Zendesk APIs [1].

  • Payments — We use Stripe for payments. All payment-related data (such as Credit card or bank account details) are stored in the Stripe platform and used via Stripe APIs [2].

Compliance

Our products regularly undergo independent verification of security, privacy, and compliance controls, achieving certifications against global standards. We're constantly working to expand our coverage.

  • EU and GDPR Compliance — we have customers in the European Economic Area and we handle data in compliance with the General Data Protection Regulation (GDPR) [3].

  • SOC 2 and SOC 3 are reports based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) existing Trust Services Criteria (TSC). The reports evaluate an organization's information systems relevant to security, availability, processing integrity, confidentiality, and privacy.

  • ISO/IEC 27001 outlines and provides the requirements for an information security management system (ISMS), specifies a set of best practices, and details the security controls that can help manage information risks.

The DoiT Platform ISO/IEC 27001 and SOC 2/3 certificates may be requested via trust.doit.com.

External references