
Draftt connects to your cloud infrastructure, source control, and internal systems. This page describes how Draftt handles that access, what data it stores, and the security controls in place to protect it.

Compliance

Draftt is SOC 2 Type II certified. Our report covers the Security, Availability, and Confidentiality trust service criteria. The audit is conducted annually by an independent third-party auditor. To request a copy of our SOC 2 report or our security questionnaire, contact security@draftt.io or ask your account team.

Data Handling

What Draftt Stores

Draftt collects metadata about your cloud resources: versions, configuration attributes, ownership signals, cost metrics, and policy evaluation results. It does not store the contents of your workloads: no application data, no database records, no secret values.

Data Residency

Customer data is stored in the United States by default. EU data residency is available on the Enterprise plan. Contact your account team to configure regional data storage before your first connector is activated.

Infrastructure Security

Draftt runs on AWS. All production infrastructure is provisioned via Infrastructure as Code, with no manual access to production environments.
  • Encryption at rest: All customer data is encrypted at rest using AES-256. Encryption keys are managed via AWS KMS with per-customer key isolation on the Enterprise plan.
  • Encryption in transit: All data in transit is encrypted via TLS 1.2 or higher. TLS 1.0 and 1.1 are not supported.
  • Network isolation: Production services run in private VPCs with no direct public ingress. All external traffic passes through load balancers with WAF rules active.

Access Controls

  • Internal access: Draftt engineers do not have standing access to production systems. Access to production infrastructure requires a time-limited approval through our PAM system and is logged. All production access is reviewed quarterly.
  • Least privilege: Cloud integrations use read-only IAM roles scoped to the specific services Draftt needs to read. Draftt never requests write access to your cloud accounts.
  • Customer access controls: Draftt provides SSO, RBAC, and SCIM provisioning so your organization controls who can access the platform and what they can do.

Vulnerability Management

Draftt runs continuous dependency scanning on all production services. Critical and high severity vulnerabilities are triaged within 24 hours and remediated within 7 days. Our security team subscribes to relevant CVE feeds and conducts internal security reviews on all significant feature releases. Penetration testing is conducted annually by an independent security firm. Results are available to Enterprise customers under NDA.

Cloud Integration Security

When you connect a cloud account, Draftt uses a dedicated read-only IAM role or service principal with the minimum permissions required for discovery. These are documented in each integration guide. Draftt does not:
  • Store cloud credentials. OAuth tokens and API keys are encrypted at rest and never logged.
  • Modify your cloud resources. All integrations are read-only.
  • Share your data with third parties for any purpose other than delivering the Draftt service.
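Before attaching a connector role, it is worth checking that the policy you are about to grant really is read-only and does not reach into workload contents (the page states that only resource metadata is collected, not application data, database records, or secret values). The script below is an added example for that verification; it is not Draftt's code and not the policy from any Draftt integration guide. The sample policy, the list of read-only verb prefixes, and the list of data-plane read actions are constructed assumptions for illustration and should be replaced with the policy you are actually reviewing.

```python
"""Audit an IAM policy document before granting it to a third-party connector.

Flags (1) any Allow action that is not a read/describe operation and
(2) read-only actions that nonetheless return workload contents
(object bodies, table items, secret values), which a metadata-only
discovery role should not need.
"""
import json
from fnmatch import fnmatchcase

# ASSUMPTION: heuristic verb prefixes AWS uses for read-only actions; this is
# not an authoritative access-level table (use IAM's own access-level data for that).
READ_ONLY_PREFIXES = ("get", "list", "describe", "view", "search", "lookup",
                      "scan", "query", "batchget", "read", "check", "select")

# ASSUMPTION: a hand-picked sample of read-only actions that expose data-plane
# contents rather than resource metadata. Extend it for your own environment.
DATA_PLANE_READS = (
    "s3:GetObject", "s3:GetObjectVersion",
    "dynamodb:GetItem", "dynamodb:BatchGetItem", "dynamodb:Scan", "dynamodb:Query",
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter", "ssm:GetParameters", "ssm:GetParametersByPath",
)


def is_read_only_action(action: str) -> bool:
    """True only if the action (possibly wildcarded) clearly names a read/describe verb."""
    service, sep, verb = action.partition(":")
    if not sep or not verb or verb.startswith("*"):
        return False  # "*", "s3:*" and "s3:*Object" can all match write actions
    stem = verb.split("*", 1)[0].lower()  # "Describe*" -> "describe"
    return stem.startswith(READ_ONLY_PREFIXES)


def reads_workload_contents(action: str) -> bool:
    """True if the (possibly wildcarded) action matches a known data-plane read."""
    pattern = action.lower()  # IAM action names are matched case-insensitively
    return any(fnmatchcase(dp.lower(), pattern) for dp in DATA_PLANE_READS)


def _as_list(value):
    return [value] if isinstance(value, str) else list(value or [])


def audit_policy(policy) -> dict:
    """Return {'write': [...], 'content_read': [...]} for a policy dict or JSON string."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    write, content_read = set(), set()
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only restrict; they never widen access
        if "NotAction" in stmt:
            # NotAction allows everything except the listed actions: never read-only
            write.add("NotAction:" + ",".join(_as_list(stmt["NotAction"])))
            continue
        for action in _as_list(stmt.get("Action")):
            if not is_read_only_action(action):
                write.add(action)
            elif reads_workload_contents(action):
                content_read.add(action)
    return {"write": sorted(write), "content_read": sorted(content_read)}


# Constructed sample policy for illustration (not from any integration guide).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "rds:Describe*", "s3:ListAllMyBuckets",
                    "s3:GetBucketLocation", "s3:GetBucketTagging"]},
        {"Effect": "Allow", "Resource": "*", "Action": "s3:PutBucketTagging"},
        {"Effect": "Allow", "Resource": "*",
         "Action": ["secretsmanager:GetSecretValue", "ssm:Get*"]},
        {"Effect": "Deny", "Resource": "*", "Action": "iam:*"},
    ],
}

if __name__ == "__main__":
    # Expected: one write action and two content-reading actions are flagged.
    print(json.dumps(audit_policy(SAMPLE_POLICY), indent=2))
```

Run it against the policy document from the integration guide you are following (for example, `audit_policy(open("connector-role.json").read())`). An empty `write` list confirms the role cannot change resources; anything in `content_read` is a read-only action that still returns secret values or stored data and deserves a deliberate decision rather than a default grant. The prefix heuristic is intentionally conservative: a verb it does not recognise is reported as a write so that a reviewer looks at it.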

Next Steps

  • Set up SSO and SCIM to enforce access controls for your organization
  • Review Enterprise Controls for the full access governance feature set
  • Contact security@draftt.io to request the SOC 2 report or security questionnaire