Security
Connecting your cloud infrastructure to a third-party platform requires trust. This page explains how Servyx protects your credentials, your data, and your infrastructure.
Credential Protection
Your AWS credentials are encrypted at rest using AES-256-GCM, the same standard used by governments and financial institutions. Each set of credentials receives its own unique derived encryption key -- no two accounts share the same key material.
Credentials are only decrypted in memory for the duration of a sync operation. They are never logged, cached, written to disk, or exposed to any external service.
Credential flow (diagram): Your keys (access key + secret) -> AES-256-GCM, HKDF per account -> Encrypted, stored in DB -> Decrypt in memory only, wiped after sync -> AWS API, read-only calls
Even in the event of a full database breach, encrypted credentials cannot be recovered without access to the isolated key infrastructure.
Read-Only Access
Servyx only requests read-only permissions to your AWS account. We use Describe, List, and Get API calls exclusively. Servyx cannot:
- Start, stop, or terminate instances
- Create, modify, or delete any resource
- Change security groups or network configurations
- Access the contents of your S3 objects, databases, or file systems
- Modify IAM users, roles, or policies
You can review the exact permissions in the IAM Policy Reference.
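A check you could run against a policy document before attaching it, added here as an example and not Servyx code: it flags any Allow grant outside Describe/List/Get, and also Get calls that return stored content or secret values rather than metadata. The function names and the sample policy are constructed for illustration.

```python
import json
from fnmatch import fnmatchcase

READ_PREFIXES = ("describe", "list", "get")  # verbs the page says are used exclusively
# Real AWS Get* actions that return stored content or secret values, not metadata.
# Illustrative, not exhaustive.
CONTENT_READS = ("s3:GetObject", "s3:GetObjectVersion", "dynamodb:GetItem",
                 "secretsmanager:GetSecretValue", "ssm:GetParameter", "ssm:GetParameters")

def _as_list(value):
    """IAM accepts a bare string or object where a list is allowed."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def classify(action):
    """Return None if the action pattern is read-only metadata, else a reason string."""
    service, _, verb = action.lower().partition(":")
    if "*" in service or not verb:
        return "wildcard or malformed service prefix"
    if not verb.startswith(READ_PREFIXES):
        return "not a Describe/List/Get call"
    # IAM action names are case-insensitive and may contain * and ? wildcards.
    if any(fnmatchcase(c.lower(), action.lower()) for c in CONTENT_READS):
        return "can read stored content or secret values"
    return None

def audit_policy(policy):
    """Return (statement index, action, reason) for every Allow grant that is not read-only."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove access
        if "NotAction" in stmt:
            findings.append((i, "NotAction", "allows every action except those listed"))
        for action in _as_list(stmt.get("Action")):
            reason = classify(action)
            if reason:
                findings.append((i, action, reason))
    return findings

# Constructed sample policy for this example; it is not the Servyx policy.
SAMPLE_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Action": ["ec2:Describe*", "eks:ListClusters", "ce:GetCostAndUsage"], "Resource": "*"},
  {"Effect": "Allow", "Action": ["s3:Get*", "ec2:StopInstances"], "Resource": "*"},
  {"Effect": "Deny", "Action": "iam:*", "Resource": "*"}]}""")

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(finding)
```

An empty result means every Allow grant is a metadata read under these rules; it does not evaluate Resource or Condition elements.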
Kubernetes Authentication
When you connect a Kubernetes cluster, Servyx generates a one-time authentication token. This token is:
- Displayed to you once and never shown again
- Stored using one-way cryptographic protection -- the original token cannot be recovered from our systems
The collector agent runs with read-only cluster permissions. It can read node and pod metrics but cannot create, modify, or delete any Kubernetes resource.
Data Isolation
Every workspace in Servyx is fully isolated:
- All data is scoped to your workspace -- no shared data layer exists between customers
- Access controls are enforced at every layer of the stack
- Deleting your account permanently removes all associated data
What We Store
| Data | Protection |
|---|---|
| AWS credentials | Encrypted at rest (AES-256-GCM), unique key per account, decrypted only in memory |
| K8s authentication | One-way cryptographic protection, original token never stored |
| Infrastructure data | Isolated per workspace, access-controlled |
| Cost and metrics | Isolated per workspace, read from AWS APIs |
| User identity | Delegated to Google OAuth -- no passwords stored |
What We Never Store
- Application data, source code, or business logic
- Contents of S3 buckets, databases, or file systems
- SSH keys, instance credentials, or secrets
- Kubernetes Secrets or ConfigMaps
- Network traffic, application logs, or request payloads
Authentication
Servyx uses Google Sign-In for all user authentication. We do not store passwords. Session management uses industry-standard token validation on every request.
Infrastructure
- Encryption in transit -- All communication uses TLS (HTTPS)
- Secrets management -- Encryption keys are stored in isolated, environment-level secret stores with no application-layer access
- Network isolation -- Internal services and databases are not publicly accessible
You Stay in Control
- Revoke access instantly -- Delete the IAM user in AWS or uninstall the Helm chart in Kubernetes
- Rotate credentials -- Update your keys in Servyx at any time after rotating them in AWS
- Delete everything -- Remove your account and all associated data from within Servyx
- Audit permissions -- The IAM policy is fully transparent, and the Kubernetes collector is open source
Questions
If you have questions about our security practices or need additional information for a security review, contact us at security@servyx.ai.