Security & data
Data residency, the access model, and certifications.
Where is our data stored?
CloudMonitor is a hosted SaaS platform running in our Microsoft Fabric tenancy. Your billing data stays in the storage account you own — CloudMonitor reads it in place through a OneLake shortcut, read-only, and never makes a second copy. The CloudMonitor environment that reads it and serves your reports runs in the data residency region you choose at sign-up — encrypted in transit and at rest, and isolated per customer. CloudMonitor staff access is restricted, audited, and gated by least-privilege controls, and only your authorized users see your reports.
How does our Azure billing data reach CloudMonitor?
You configure a FOCUS cost export to an Azure Storage account in your tenant and grant CloudMonitor scoped, read-only access to the container that holds the export. CloudMonitor reads that export in place, through the read-only OneLake shortcut described above, into your dedicated Microsoft Fabric workspace, where it becomes your reports. Only billing and resource metadata moves, never the data inside your resources. See the Information Trust Center for the full data-flow detail.
How is our data isolated inside Microsoft Fabric and OneLake?
Every customer gets a dedicated Microsoft Fabric workspace, and your data lives in that workspace's own OneLake storage — the workspace is the isolation boundary, so your data is never co-mingled with another customer's. The CloudMonitor application is scoped to your workspace and has no path to read across workspaces. Authentication and authorization are handled entirely by native Microsoft Entra ID and Fabric workspace roles — we have not built a custom identity or permissions layer on top, so access is governed by the same Microsoft security model that protects the rest of your Azure estate. Only the Entra users you authorize can reach your data. See the Information Trust Center for the full posture.
Can CloudMonitor see our application data?
No. CloudMonitor reads only billing metadata and resource-level metadata (IDs, types, SKUs, tags). It has no access to data inside your resources.
What level of Azure access do you need?
Read-only, scoped to the storage account that holds your billing export. Which subscriptions are covered is set by the scope of the export you configure, so you can limit it to specific subscriptions. The grant lives in your tenant and you can revoke it from the Azure portal at any time. We never have write access to your resources.
Can we audit what CloudMonitor reads?
Yes, provided the right log is switched on. Reads of the export blobs are data-plane operations, which Azure Activity Log does not record; Activity Log covers control-plane events such as the creation or removal of CloudMonitor's role assignment. Enable Azure Storage resource logs (a diagnostic setting on the blob service with the StorageRead category) on the export storage account, and every read by CloudMonitor's authorized identity is written to the StorageBlobLogs table with the caller's object ID, the blob URI, the operation and the status code, like any other storage request.
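The two checks a customer would run against the access model described in the previous two answers, as an added example that is not CloudMonitor's own tooling: first, that CloudMonitor's service principal holds only a read-only blob data role scoped no wider than the export container; second, what that principal actually did according to the storage data-plane logs. The record shapes follow `az role assignment list -o json` and the StorageBlobLogs table; the principal object ID, resource IDs and every log row below are constructed sample data, and the role name "Storage Blob Data Reader" is assumed to be the grant in use.

```python
"""Offline review of a least-privilege storage grant and of the reads it produced.
Added example; not CloudMonitor's own code. All IDs and log rows are constructed."""
from collections import Counter

# Hypothetical object ID of CloudMonitor's service principal in your tenant.
CLOUDMONITOR_PRINCIPAL = "11111111-2222-3333-4444-555555555555"

# Narrowest scope you intend to grant: the FOCUS export container (hypothetical IDs).
EXPORT_CONTAINER_SCOPE = (
    "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-billing"
    "/providers/Microsoft.Storage/storageAccounts/stbillingexports"
    "/blobServices/default/containers/focus-exports"
)

# Built-in role(s) that grant read-only access to blob data (assumed grant).
READ_ONLY_DATA_ROLES = {"Storage Blob Data Reader"}

# Blob operations that only read; anything else by the principal is a finding.
READ_OPERATIONS = {"GetBlob", "GetBlobProperties", "ListBlobs"}


def _segments(scope):
    return [s.lower() for s in scope.strip("/").split("/")]


def _is_parent_scope(parent, child):
    """True if `parent` is an ancestor of `child` in the ARM scope hierarchy.
    Compares path segments, so rg-billing is not mistaken for a parent of rg-billing2."""
    p, c = _segments(parent), _segments(child)
    return len(p) < len(c) and c[: len(p)] == p


def review_role_assignments(assignments, principal_id=CLOUDMONITOR_PRINCIPAL,
                            allowed_scope=EXPORT_CONTAINER_SCOPE,
                            allowed_roles=READ_ONLY_DATA_ROLES):
    """Return findings for every assignment held by the principal that is either a
    non-read role or scoped wider than (or away from) the export container.
    Input mirrors `az role assignment list --assignee <id> --all -o json`."""
    findings = []
    for a in assignments:
        if a["principalId"] != principal_id:
            continue
        role, scope = a["roleDefinitionName"], a["scope"]
        if role not in allowed_roles:
            findings.append(f"non-read role '{role}' at {scope}")
        if _is_parent_scope(scope, allowed_scope):
            findings.append(f"'{role}' scoped wider than the export container: {scope}")
        elif _segments(scope) != _segments(allowed_scope):
            findings.append(f"'{role}' on an unrelated resource: {scope}")
    return findings


def review_blob_logs(records, principal_id=CLOUDMONITOR_PRINCIPAL):
    """Summarise what the principal did, from StorageBlobLogs-shaped records
    (fields: RequesterObjectId, OperationName, Uri, StatusCode, AuthenticationType).
    Returns (Counter of read operations, list of findings)."""
    reads, findings = Counter(), []
    for r in records:
        if r.get("RequesterObjectId") != principal_id:
            continue
        op = r["OperationName"]
        if r.get("AuthenticationType") != "OAuth":  # expect an Entra ID token, never SAS or account key
            findings.append(f"{op} on {r['Uri']} used {r.get('AuthenticationType')} auth, not Entra ID")
        if op in READ_OPERATIONS:
            reads[op] += 1
        else:
            findings.append(f"non-read operation {op} on {r['Uri']} (status {r['StatusCode']})")
    return reads, findings


# Constructed sample input: a correct grant plus an over-broad one on the same principal.
SUBSCRIPTION_SCOPE = "/subscriptions/00000000-0000-0000-0000-000000000000"
SAMPLE_ASSIGNMENTS = [
    {"principalId": CLOUDMONITOR_PRINCIPAL, "roleDefinitionName": "Storage Blob Data Reader",
     "scope": EXPORT_CONTAINER_SCOPE},
    {"principalId": CLOUDMONITOR_PRINCIPAL, "roleDefinitionName": "Contributor",
     "scope": SUBSCRIPTION_SCOPE},
    {"principalId": "99999999-8888-7777-6666-555555555555", "roleDefinitionName": "Owner",
     "scope": SUBSCRIPTION_SCOPE},
]

# Constructed sample StorageBlobLogs rows. Equivalent Log Analytics query once logs flow:
#   StorageBlobLogs | where RequesterObjectId == "<object id>" | summarize count() by OperationName
_URI = "https://stbillingexports.blob.core.windows.net/focus-exports/2026/02/part-0.parquet"
SAMPLE_BLOB_LOGS = [
    {"RequesterObjectId": CLOUDMONITOR_PRINCIPAL, "OperationName": "ListBlobs", "Uri": _URI, "StatusCode": 200, "AuthenticationType": "OAuth"},
    {"RequesterObjectId": CLOUDMONITOR_PRINCIPAL, "OperationName": "GetBlob", "Uri": _URI, "StatusCode": 200, "AuthenticationType": "OAuth"},
    {"RequesterObjectId": CLOUDMONITOR_PRINCIPAL, "OperationName": "GetBlob", "Uri": _URI, "StatusCode": 200, "AuthenticationType": "OAuth"},
    {"RequesterObjectId": CLOUDMONITOR_PRINCIPAL, "OperationName": "PutBlob", "Uri": _URI, "StatusCode": 403, "AuthenticationType": "OAuth"},
    {"RequesterObjectId": CLOUDMONITOR_PRINCIPAL, "OperationName": "GetBlob", "Uri": _URI, "StatusCode": 200, "AuthenticationType": "SAS"},
    {"RequesterObjectId": "99999999-8888-7777-6666-555555555555", "OperationName": "GetBlob", "Uri": _URI, "StatusCode": 200, "AuthenticationType": "OAuth"},
]

if __name__ == "__main__":
    for f in review_role_assignments(SAMPLE_ASSIGNMENTS):
        print("grant:", f)
    reads, findings = review_blob_logs(SAMPLE_BLOB_LOGS)
    print("reads:", dict(reads))
    for f in findings:
        print("log:", f)
```

On the sample data the grant review reports the Contributor assignment twice (wrong role, and scoped to the whole subscription rather than the container), and the log review counts three GetBlob and one ListBlobs reads while flagging the denied PutBlob and the read that arrived with a SAS token instead of an Entra ID token. A 403 on a write is the expected outcome of a correct read-only grant; it still deserves a look, because a read-only identity should never be attempting writes.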
Are you ISO certified?
Yes — ISO/IEC 27001:2022 (Information Security), ISO 9001:2015 (Quality Management), and ISO/IEC 42001:2023 (AI Management). Certificates available under NDA — see the certification statement.
Can we get a SOC 2 report?
There is no separate SOC 2 report. CloudMonitor is ISO/IEC 27001 certified, and its Annex A control set overlaps substantially with the SOC 2 Trust Services Criteria. We can share the certificate and a Stage 2 audit summary under NDA — request the Security Pack. See the full ISO 27001 + 9001 certification statement for scope, certifying body, and audit cadence.
How do you govern the AI and agentic features?
CloudMonitor operates a certified AI management system under ISO/IEC 42001 — covering AI risk assessment, transparency, human oversight, and lifecycle controls. Every agentic FinOps action runs against scoped permissions and an approval workflow, is recorded in an audit trail, and can be reversed.
How do you handle a breach?
CloudMonitor maintains an incident response plan aligned to the information security incident management controls of ISO/IEC 27001:2022 (Annex A 5.24 to 5.28, the controls numbered A.16 in the 2013 edition). Because CloudMonitor only ever holds billing and resource metadata — never the data inside your resources — a breach of CloudMonitor systems could not expose your application data; what could be exposed is that metadata (resource names, IDs, tags, costs), and that is what a notification would cover. We notify affected customers within 24 hours of confirming any incident with potential impact.
Can we run a penetration test?
Yes — agree scope and timing with Customer Success in advance so the activity is not treated as a live attack. We support customer-initiated pen tests against the CloudMonitor app and admin app surfaces.
Is CloudMonitor certified by Microsoft?
Yes — CloudMonitor is a Microsoft Solutions Partner with certified software for Azure. The designation confirms the platform has been technically reviewed for interoperability with Microsoft Azure and validated against Microsoft Marketplace customer-success criteria. Procurement teams can reference the Microsoft Learn overview of the designation and the Information Trust Center for the full certification stack (ISO 27001, ISO 9001, ISO 42001, FinOps Specialty Solution, and Microsoft Solutions Partner).
What happens to our data if we cancel?
When you cancel, revoke CloudMonitor's access from your Azure portal and request data deletion. Revoking the grant stops all reads immediately, since your billing export never leaves your own storage account; what remains on our side is your Fabric workspace and the reports derived from it. We delete that within 30 days of the request, and any backup copies age out within the contractual backup retention window; nothing is retained beyond that.
How do we get a copy of the certificate?
Certificates are available for download on request. Open a ticket via the Support Helpdesk and we'll send the current certificates within one business hour.
How often are you audited?
Annual surveillance audits, with full re-certification every 3 years. Our most recent surveillance was in February 2026.