Security and data access policy
This document outlines what customer data the DoiT Platform accesses, why, and what and how data are stored.
Google Cloud
The permissions are to be granted at the Google Cloud Organization or Project level. While they allow us to get information about your resources, none of them give us access to your data.
Core functionality
Below is the minimum set of read-only permissions required by the DoiT platform.
Access level: Organization, Project
Permissions to get information about your Google Cloud resource hierarchy and correlate it with billing:
resourcemanager.projects.get
compute.addresses.list
compute.disks.get
compute.disks.list
compute.images.get
compute.images.list
compute.instances.get
compute.instances.list
compute.projects.get
compute.regions.get
compute.regions.list
compute.snapshots.get
compute.snapshots.list
compute.zones.get
compute.zones.list
compute.commitments.get
compute.commitments.list
Permissions to check the status (and enable if required) Google Cloud APIs (e.g., Recommender API):
serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use
Access level: Organization only
resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.list
Access level: Project only
resourcemanager.projects.getIamPolicy
Google Cloud Rightsizing
Access level: Organization only
Permissions required to provide Rightsizing Recommendations for Google Compute Engine instances across your organization:
recommender.computeInstanceMachineTypeRecommendations.list
compute.instances.list
Permissions required to implement Rightsizing recommendations:
compute.instances.setMachineType
compute.instances.stop
compute.instances.start
BigQuery Lens
Access level: Organization only
The BigQuery Lens creates an audit log sink at the organization level to monitor and analyze logs across projects. We do not support fetching logs from project-level sinks.
These permissions allow the BigQuery Lens to access the structure of your projects, datasets, and tables in order to show the costs and optimization recommendations on the dashboard with resources names. None of them give us access to your BigQuery data.
BigQuery Lens permissions are grouped into several categories.
BigQuery Lens
Permissions required to get cost optimization recommendations for BigQuery environment:
| Permission | Description |
|---|---|
bigquery.datasets.create | Create new empty datasets. |
bigquery.datasets.get | Get metadata and permissions about a dataset. |
bigquery.tables.get | Get table metadata. |
bigquery.tables.list | List tables and metadata on tables. |
bigquery.jobs.get | Get data and metadata on any job. |
bigquery.jobs.list | List all jobs and retrieve metadata on any job submitted by any user. Details and metadata for jobs submitted by other users are redacted. |
bigquery.jobs.listAll | List all jobs and retrieve metadata on any job submitted by any user. |
bigquery.jobs.create | Run jobs (including queries) within the project. |
bigquery.routines.list | List routines and metadata on routines. |
bigquery.routines.get | Get routine definitions and metadata. |
logging.sinks.create | Create new sinks in Cloud Logging. |
logging.sinks.get | Get information about sinks in Cloud Logging. |
BigQuery Lens Editions
Additional permissions required for BigQuery Lens to work with Google BigQuery editions.
| Permission | Description |
|---|---|
bigquery.capacityCommitments.list | Query the INFORMATION_SCHEMA.CAPACITY_COMMITMENTS view for all current capacity commitments in a project. |
bigquery.capacityCommitments.get | Retrieve the capacity commitment in a project. |
bigquery.reservations.list | Query the INFORMATION_SCHEMA.RESERVATIONS view for a list of all slot reservations in a project. |
bigquery.reservations.get | Retrieve details about a slot reservation. |
bigquery.reservationAssignments.list | Query the INFORMATION_SCHEMA.ASSIGNMENTS view for all reservation assignments in a project. |
bigquery.reservationAssignments.search | Find a reservation assignment for a given project, folder, or organization. |
BigQuery Lens Insights
Permissions required to get additional BigQuery Lens Insights.
| Permission | Description |
|---|---|
recommender.bigqueryCapacityCommitmentsInsights.getrecommender.bigqueryCapacityCommitmentsInsights.listrecommender.bigqueryCapacityCommitmentsRecommendations.getrecommender.bigqueryCapacityCommitmentsRecommendations.list | Access cost-optimal commitment slots recommendations. |
recommender.bigqueryMaterializedViewInsights.getrecommender.bigqueryMaterializedViewInsights.listrecommender.bigqueryMaterializedViewRecommendations.getrecommender.bigqueryMaterializedViewRecommendations.list | Access materialized view recommendations. |
recommender.bigqueryPartitionClusterRecommendations.getrecommender.bigqueryPartitionClusterRecommendations.listrecommender.bigqueryTableStatsInsights.getrecommender.bigqueryTableStatsInsights.list | Access partition and cluster recommendations. |
Kubernetes insights
DoiT Insights requires the following permissions to interact with Kubernetes clusters for actionable recommendations. See also Google Kubernetes Engine (GKE): API permissions.
Access level: Organization, Project
| Permission | Description |
|---|---|
container.clusters.get | Retrieve information about a specific GKE cluster. |
container.clusters.list | List all GKE clusters in a specific project. |
container.clusters.connect | Connect to a GKE cluster. This is necessary for connecting to the Kubernetes API server. See also Authenticate to the Kubernetes API server. |
Amazon Web Services
The sections below list the permissions we require to your AWS account.
Core functionality
Below is the minimum set of read-only permissions we need for features in DoiT Platform.
Permissions required to access the billing data and the security posture of your AWS account:
arn:aws:iam::aws:policy/SecurityAudit
arn:aws:iam::aws:policy/AWSSavingsPlansReadOnlyAccess
arn:aws:iam::aws:policy/job-function/Billing
AWS quota monitoring
Permissions required to proactively monitor your AWS Quotas:
support:DescribeTrustedAdvisorCheckSummaries
support:DescribeTrustedAdvisorCheckRefreshStatuses
support:DescribeTrustedAdvisorChecks
support:DescribeSeverityLevels
support:RefreshTrustedAdvisorCheck
support:DescribeSupportLevel
support:DescribeCommunications
support:DescribeServices
support:DescribeIssueTypes
support:DescribeTrustedAdvisorCheckResult
trustedadvisor:DescribeNotificationPreferences
trustedadvisor:DescribeCheckRefreshStatuses
trustedadvisor:DescribeCheckItems
trustedadvisor:DescribeAccount
trustedadvisor:DescribeAccountAccess
trustedadvisor:DescribeChecks
trustedadvisor:DescribeCheckSummaries
Spot Scaling
Spot Scaling analyzes your Auto Scaling Groups based on cost and usage and get recommendations to replace On-Demand EC2 instances with Spot instances.
ec2:Describe*
ec2:CreateLaunchTemplate
ec2:CreateLaunchTemplateVersion
ec2:ModifyLaunchTemplate
ec2:RunInstances
ec2:TerminateInstances
ec2:CreateTags
ec2:DeleteTags
ec2:CreateLaunchTemplateVersion
ec2:CancelSpotInstanceRequests
autoscaling:CreateOrUpdateTags
autoscaling:UpdateAutoScalingGroup
autoscaling:Describe*
autoscaling:AttachInstances
autoscaling:BatchDeleteScheduledAction
autoscaling:BatchPutScheduledUpdateGroupAction
cloudformation:ListStacks
cloudformation:Describe*
iam:PassRole
events:PutRule
events:PutTargets
events:PutEvents
Real-time anomaly
DoiT real-time cost anomaly detection requires the following permissions to monitor cost spikes in near real time.
| Permission | Description |
|---|---|
s3:GetObject | Retrieves an object from Amazon S3. |
s3:ListBucket | Allows the user to use the Amazon S3 ListObjectsV2 operation. see Policies and permissions in Amazon S3. |
s3:PutBucketNotification, s3:PutBucketNotificationConfiguration | Enables notifications of specified events for a bucket. |
s3:GetBucketNotification | Returns the notification configuration of a bucket. |
ec2:DescribeImages | This permission is required to retrieve EC2 instance attributes information in private images owned by the AWS account. |
kms:Decrypt | Decrypts ciphertext that was encrypted by a KMS key. |
Trusted Advisor insights
DoiT Insights requires the following permissions to interact with AWS Trusted Advisor API.
| Permission | Description |
|---|---|
trustedadvisor:GetRecommendation | Retrieves a specific global recommendation. |
trustedadvisor:ListRecommendations | Lists a filterable set of global recommendations. |
Cost Optimization Hub insights
DoiT Insights requires the following permissions to interact with AWS Cost Optimization Hub API.
| Permission | Description |
|---|---|
cost-optimization-hub:ListRecommendations | Returns a list of recommendations. |
Ava security compliance
Ava, our generative AI chatbot, is designed with top-tier security measures to ensure the confidentiality, integrity, and availability of customer data.
OpenAI organization subscription
Our organization holds an enterprise subscription with OpenAI, providing us with additional layers of security and control:
-
Enhanced security measures: Extra layers of security protocols exclusive to enterprise subscribers.
-
Dedicated data hub: All the data processed by Ava is stored in a private, secure data hub, ensuring that it cannot be accessed or leaked by unauthorized parties. Additionally, we never submit the data for training purposes by OpenAI.
Customer data handling
Billing Data
For the generation of Cloud Analytics reports:
-
Authentication requirement: Billing data can only be accessed and generated by customers who are logged in through our secure authentication system.
-
API security: We leverage existing Cloud Analytics APIs that ensure data is securely processed and cannot be breached or accessed by unauthorized users.
Customer context and asset management
For customer-specific context, assets, and general information:
-
Vector database usage: We utilize a vector database to store and embed customer data securely, according to the customer's usage and relevance.
-
Data segmentation: Each customer's data is isolated using robust filtering mechanisms, ensuring that customers cannot access or view each other's data.
By adhering to these security practices, Ava ensures that all customer data is handled with the highest level of security, preventing unauthorized access and maintaining data integrity across all operations.
Privacy and data protection
What we store
We only store data required for DoiT Platform functionality.
-
Cloud Billing exports — required for core Billing functionality; stored in BigQuery
-
User information — required for core DoiT Platform functionality; stored in Firestore
-
Assets created via using DoiT console (Invoices, Billing Profiles, etc.) — required for core DoiT Platform functionality; stored in Firestore
-
Contracts — required for core DoiT Platform functionality; stored in Google Cloud Storage
-
Service Account Keys — required for BigQuery Lens; stored in Firestore and encrypted with KMS
How we handle and store your data
All data we handle are encrypted in transit using industry-standard protocols like HTTPS (TLS).
All data we store are encrypted at rest:
-
Google BigQuery — using Google-managed encryption keys and Advanced Encryption Standard (AES)
-
Google Firestore — using Google-managed encryption keys and AES
-
Google Cloud Storage — using Google-managed encryption keys and AES
-
Service Account Keys — encrypted using Google Cloud KMS and stored in Google Secret Manager
Who can access your data
DoiT employees in customer-facing roles, such as Account managers and Support engineers, can access your data in the DoiT Platform. A small team of core DoiT Platform developers is able to access your data directly in the underlying storage.
Service Account keys are used only by backend systems to retrieve relevant data from Google Cloud. Only a small team of core DoiT Platform developers has access to the KMS keys.
Third parties
With the exceptions listed below required for core DoiT Platform functionality, we do not provide your data to any third-party.
-
DoiT Platform Support — We use Zendesk as a backend for our support request system. Ticket-related data are stored in Zendesk and retrieved using Zendesk APIs [1].
-
Payments — We use Stripe for payments. All payment-related data (such as Credit card or bank account details) are stored in the Stripe platform and used via Stripe APIs [2].
Compliance
Our products regularly undergo independent verification of security, privacy, and compliance controls, achieving certifications against global standards. We're constantly working to expand our coverage.
-
EU and GDPR Compliance — we have customers in the European Economic Area and we handle data in compliance with the General Data Protection Regulation (GDPR) [3].
-
The SOC 2 and SOC 3 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) existing Trust Services Criteria (TSC). The report evaluates an organization's information systems relevant to security, availability, processing integrity, confidentiality, and privacy.
-
ISO/IEC 27001 outlines and provides the requirements for an information security management system (ISMS), specifies a set of best practices, and details the security controls that can help manage information risks.
The DoiT Platform ISO/IEC 27001 and SOC 2/3 certificates may be requested via trust.doit.com.