Security at Infralyst
Infralyst is read-only first, conservative about changes, and transparent about how we handle your data.
Our security principles
Read-only by design
Infralyst connects to your AWS accounts with read-only access. GitHub access is scoped to the repos you choose, and PRs are only created when you explicitly request one. You control what gets generated and what gets merged.
Least privilege, scoped access
Access to your cloud accounts is granted via a Terraform-created IAM role with tightly scoped permissions. The GitHub App is limited to the repositories you select. You stay in control and can revoke access at any time.
Changes as code, not clicks
Infralyst uses AI agents to read your Terraform and write the actual code change. Every change lands as a small, reviewable PR in your own repo. When a change requires downtime, the PR says so upfront. Your team reviews, tests, and merges every change.
Hardened, private infrastructure
We run on a Linux-based stack managed entirely as code, with no manual changes outside of version control. Services are deployed in hardened, private networks and are never directly reachable from the internet.
AWS, GitHub, and Slack access
AWS access
- You add the Infralyst Terraform module to your infra repo.
- The module creates a read-only IAM role so Infralyst can see your AWS resources and utilization.
- Access uses temporary credentials via AWS STS. No long-lived keys are stored or exchanged.
- We use that role to fetch the metadata and metrics needed to generate savings recommendations. We don't need or request access to your application data.
GitHub & Terraform
- You install the Infralyst GitHub App in your GitHub organization and choose which infrastructure repositories it can see.
- Infralyst opens pull requests in those repos only, on dedicated branches.
- We never push directly to main or merge changes on your behalf.
- All webhook payloads are verified with HMAC-SHA256 signatures.
Slack
- If you connect Slack, we use it only to send notifications and trigger PR generation from your channels.
- We do not read or store the contents of your wider Slack workspace.
- All webhook payloads are verified with HMAC-SHA256 signatures.
- You can disconnect Slack at any time from your workspace settings.
Data we store (and don't store)
We store
- Account details you give us (like name, email, and workspace info).
- Infrastructure metadata and utilization needed to generate savings recommendations.
- Configuration for your integrations (AWS role ARN, GitHub repo mappings, etc.).
- Product analytics that help us understand feature usage and improve Infralyst.
We don't store
- Your AWS access keys or secret keys. Access is via role assumption, not long-lived credentials.
- Your Terraform state files. We read Terraform files to generate PRs but don't store or cache state.
- Your application payloads or customer data.
- Database rows, S3 object contents, or logs from your production systems.
- Payment card details are handled by Stripe; our servers never see your full card number.
- Any secrets you don't explicitly configure in Infralyst.
We never sell your data or use it for advertising. You can delete your workspace and its associated data at any time. See our Privacy Policy for full details on data retention.
Infrastructure security
Encryption in transit and at rest
All traffic between your browser, our API, and our integrations is protected with TLS. Sensitive data in our databases is encrypted at rest.
AI that doesn't touch your data
Recommendations are fully deterministic. No AI is involved in deciding what to resize. An open-source LLM writes the Terraform code change via OpenRouter. Your infrastructure data is never used for model training.
Limited employee access
Access to production systems is limited to essential personnel and requires multi-factor authentication. We follow least-privilege principles internally.
Keeping software up to date
We regularly update operating systems, libraries, and dependencies to pick up security patches. New code is reviewed before it's deployed.
Security questions & responsible disclosure
If you've found a potential security or privacy issue, or have a question about how Infralyst handles data, please contact our security team.
When you email us, please include as much detail as you can, along with steps to reproduce if applicable.
Once we receive your report, we will:
- 1.Acknowledge your message and confirm that we're looking into it.
- 2.Investigate the issue and assess impact and severity.
- 3.Resolve the problem where needed and, when appropriate, share what we changed.
We ask that you follow responsible disclosure and give us a chance to fix issues before sharing them publicly.