Security

Connecting your cloud infrastructure to a third-party platform requires trust. This page explains how Servyx protects your credentials, your data, and your infrastructure.

Credential Protection

Your AWS credentials are encrypted at rest using AES-256-GCM, the same standard used by governments and financial institutions. Each set of credentials receives its own unique derived encryption key -- no two accounts share the same key material.

Credentials are only decrypted in memory for the duration of a sync operation. They are never logged, cached, written to disk, or exposed to any external service.

Your Keys

Access key + secret

AES-256-GCM

HKDF per account

Encrypted

Stored in DB

Servyx

Decrypt

In memory only

Wiped after sync

AWS API

Read-only calls

Even in the event of a full database breach, encrypted credentials cannot be recovered without access to the isolated key infrastructure.

Read-Only Access

Servyx only requests read-only permissions to your AWS account. We use Describe, List, and Get API calls exclusively. Servyx cannot:

  • Start, stop, or terminate instances
  • Create, modify, or delete any resource
  • Change security groups or network configurations
  • Access the contents of your S3 objects, databases, or file systems
  • Modify IAM users, roles, or policies

You can review the exact permissions in the IAM Policy Reference.

Kubernetes Authentication

When you connect a Kubernetes cluster, Servyx generates a one-time authentication token. This token is:

  • Displayed to you once and never shown again
  • Stored using one-way cryptographic protection -- the original token cannot be recovered from our systems

The collector agent runs with read-only cluster permissions. It can read node and pod metrics but cannot create, modify, or delete any Kubernetes resource.

Data Isolation

Every workspace in Servyx is fully isolated:

  • All data is scoped to your workspace -- no shared data layer exists between customers
  • Access controls are enforced at every layer of the stack
  • Deleting your account permanently removes all associated data

What We Store

DataProtection
AWS credentialsEncrypted at rest (AES-256-GCM), unique key per account, decrypted only in memory
K8s authenticationOne-way cryptographic protection, original token never stored
Infrastructure dataIsolated per workspace, access-controlled
Cost and metricsIsolated per workspace, read from AWS APIs
User identityDelegated to Google OAuth -- no passwords stored

What We Never Store

  • Application data, source code, or business logic
  • Contents of S3 buckets, databases, or file systems
  • SSH keys, instance credentials, or secrets
  • Kubernetes Secrets or ConfigMaps
  • Network traffic, application logs, or request payloads

Authentication

Servyx uses Google Sign-In for all user authentication. We do not store passwords. Session management uses industry-standard token validation on every request.

Infrastructure

  • Encryption in transit -- All communication uses TLS (HTTPS)
  • Secrets management -- Encryption keys are stored in isolated, environment-level secret stores with no application-layer access
  • Network isolation -- Internal services and databases are not publicly accessible

You Stay in Control

  • Revoke access instantly -- Delete the IAM user in AWS or uninstall the Helm chart in Kubernetes
  • Rotate credentials -- Update your keys in Servyx at any time after rotating them in AWS
  • Delete everything -- Remove your account and all associated data from within Servyx
  • Audit permissions -- The IAM policy is fully transparent, and the Kubernetes collector is open source

Questions

If you have questions about our security practices or need additional information for a security review, contact us at security@servyx.ai.