Security
A candid view of the protections in place today and the items we are actively delivering next.
What is live today
These controls ship with the current release and are monitored by the core engineering team.
Authentication
- SSO via Google, GitHub, Azure AD, plus passwordless email links
- Session cookies scoped to cloudcostlite.com with the Secure and HttpOnly attributes set in production
- NextAuth with the Prisma adapter stores only minimal identity data
Infrastructure
- Next.js 15 hosted on Vercel with automatic TLS
- PostgreSQL (Prisma) as the system of record; no cloud credentials stored today
- Sentry instrumented across server routes with trace IDs from the ApiEnvelope middleware
Monitoring & logging
- Structured logging via Pino for ingest jobs and API handlers
- React Query + ApiEnvelope to surface degraded data states immediately
- Security notifications go to security@cloudcostlite.com (monitored by core team)
Roadmap & next steps
We publish progress in the weekly changelog. Reach out if you want to preview these upgrades or review documentation ahead of time.
- Log drain export to Logtail for long-term retention (Epic E)
- Granular role-based access control and audit log exports
- Formal incident response runbooks with customer SLAs
- Automated credential scanning for uploaded CSV artifacts
Need to report an issue?
Email security@cloudcostlite.com. We triage reports within one business day and keep reporters updated until closure.
Last updated: October 4, 2025