Skip to main content

Security and data access policy

This document outlines what customer data the DoiT Platform accesses, why, and what and how data are stored.

Google Cloud

Note

The permissions are to be granted at the Google Cloud Organization level.

While they allow us to get information about your resources, except the permission for BigQuery Lens Advanced, none of them give us access to your data.

Core functionality

Below is the minimum set of read-only permissions we need for features in DoiT Platform.

Permissions to get information about your Google Cloud resource hierarchy and correlate it with billing:

resourcemanager.organizations.get
resourcemanager.organizations.getIamPolicy
resourcemanager.folders.get
resourcemanager.folders.list
resourcemanager.projects.get
resourcemanager.projects.list
compute.addresses.list
compute.disks.get
compute.disks.list
compute.images.get
compute.images.list
compute.instances.get
compute.instances.list
compute.projects.get
compute.regions.get
compute.regions.list
compute.snapshots.get
compute.snapshots.list
compute.zones.get
compute.zones.list
compute.commitments.get
compute.commitments.list

Permissions to check the status (and enable if required) Google Cloud APIs (e.g., Recommender API):

serviceusage.services.enable
serviceusage.services.get
serviceusage.services.list
serviceusage.services.use

Sandboxes for Google Cloud

Permission required for Sandbox functionality:

resourcemanager.projects.create

Google Cloud Rightsizing

Permissions required to provide you with Rightsizing Recommendations for your Google Compute Engine instances across your organization:

recommender.computeInstanceMachineTypeRecommendations.list
compute.instances.list

Permissions required to implement Rightsizing recommendations:

compute.instances.setMachineType
compute.instances.stop
compute.instances.start

BigQuery Lens

Permissions required for the BQ Lens to get cost optimization recommendations for your BigQuery environment:

logging.sinks.create
bigquery.datasets.create
logging.sinks.get
bigquery.datasets.get
bigquery.tables.get
bigquery.tables.list
bigquery.jobs.get
bigquery.jobs.list
bigquery.jobs.listAll
bigquery.jobs.create
bigquery.routines.get
bigquery.routines.list

BigQuery Lens Advanced needs additional permissions to get advanced clustering recommendations and fetch BigQuery reservations information to enable flat-rate mode when applicable:

bigquery.tables.getData
bigquery.reservations.list
bigquery.reservationAssignments.list
Why does BigQuery Lens need permissions at the organization level?

The BQ Lens creates an audit log sink at the organization level to monitor and analyze logs across projects. We do not support fetching logs from project-level sinks.

These permissions allow the BQ Lens to access the structure of your projects, datasets, and tables in order to show the costs and optimization recommendations on the dashboard with resources names. Except the permission for BigQuery Lens Advanced, none of them give us access to your BigQuery data.

See also: Why does BigQuery Lens Advanced need extra permissions

GKE usage metering (deprecated)

Permissions required to list your clusters for their GKE usage metering export configuration used to enable GKE usage metering in Cloud Analytics.

container.clusters.list
container.clusters.get
bigquery.jobs.create

Amazon Web Services

The sections below list the permissions we require to your AWS account.

Core functionality

Below is the minimum set of read-only permissions we need for features in DoiT Platform.

Permissions required to access the billing data and the security posture of your AWS account:

arn:aws:iam::aws:policy/SecurityAudit
arn:aws:iam::aws:policy/AWSSavingsPlansReadOnlyAccess
arn:aws:iam::aws:policy/job-function/Billing

AWS quota monitoring

Permissions required to proactively monitor your AWS Quotas:

support:DescribeTrustedAdvisorCheckSummaries
support:DescribeTrustedAdvisorCheckRefreshStatuses
support:DescribeTrustedAdvisorChecks
support:DescribeSeverityLevels
support:RefreshTrustedAdvisorCheck
support:DescribeSupportLevel
support:DescribeCommunications
support:DescribeServices
support:DescribeIssueTypes
support:DescribeTrustedAdvisorCheckResult
trustedadvisor:DescribeNotificationPreferences
trustedadvisor:DescribeCheckRefreshStatuses
trustedadvisor:DescribeCheckItems
trustedadvisor:DescribeAccount
trustedadvisor:DescribeAccountAccess
trustedadvisor:DescribeChecks
trustedadvisor:DescribeCheckSummaries

Spot Scaling

Spot Scaling analyzes your Auto Scaling Groups based on cost and usage and get recommendations to replace On-Demand EC2 instances with Spot instances.

ec2:Describe*
ec2:CreateLaunchTemplate
ec2:CreateLaunchTemplateVersion
ec2:ModifyLaunchTemplate
ec2:RunInstances
ec2:TerminateInstances
ec2:CreateTags
ec2:DeleteTags
ec2:CreateLaunchTemplateVersion
ec2:CancelSpotInstanceRequests
autoscaling:CreateOrUpdateTags
autoscaling:UpdateAutoScalingGroup
autoscaling:Describe*
autoscaling:AttachInstances
autoscaling:BatchDeleteScheduledAction
autoscaling:BatchPutScheduledUpdateGroupAction
cloudformation:ListStacks
cloudformation:Describe*
iam:PassRole
events:PutRule
events:PutTargets
events:PutEvents

Privacy and data protection

What we store

We only store data required for DoiT Platform functionality.

  • Cloud Billing exports required for core Billing functionality; stored in BigQuery

  • User information required for core CPM functionality; stored in Firestore

  • Assets created via using DoiT Console (Invoices, Billing Profiles, etc.) required for core DoiT Platform functionality; stored in Firestore

  • Contracts required for core DoiT Platform functionality; stored in Google Cloud Storage

  • Service Account Keys required for core DoiT Platform functionality; stored in Firestore and encrypted with KMS

How we handle and store your data

All data we handle are encrypted in transit using industry-standard protocols like HTTPS (TLS).

All data we store are encrypted at rest:

  • Google BigQuery using Google-managed encryption keys and Advanced Encryption Standard (AES)

  • Google Firestore using Google-managed encryption keys and AES

  • Google Cloud Storage using Google-managed encryption keys and AES

  • Service Account Keys encrypted using Google Cloud KMS and stored in Google Secret Manager

Who can access your data

DoiT employees in customer-facing roles, such as Account managers and Support engineers, can access your data in the DoiT Platform. A small team of core DoiT Platform developers is able to access your data directly in the underlying storage.

Service Account keys are used only by backend systems to retrieve relevant data from Google Cloud. Only a small team of core DoiT Platform developers has access to the KMS keys.

Third parties

With the exceptions listed below required for core DoiT Platform functionality, we do not provide your data to any third-party.

  • DoiT Platform Support We use Zendesk as a backend for our ticketing system. Ticket-related data are stored in Zendesk and retrieved using Zendesk APIs [1].

  • Payments We use Stripe for payments. All payment-related data (such as Credit card or bank account details) are stored in the Stripe platform and used via Stripe APIs [2].

Compliance

Our products regularly undergo independent verification of security, privacy, and compliance controls, achieving certifications against global standards. We're constantly working to expand our coverage.

  • EU and GDPR Compliance we have customers in the European Economic Area and we handle data in compliance with the General Data Protection Regulation (GDPR) [3].

  • The SOC 2 and SOC 3 is a report based on the Auditing Standards Board of the American Institute of Certified Public Accountants' (AICPA) existing Trust Services Criteria (TSC). The report evaluates an organization's information systems relevant to security, availability, processing integrity, confidentiality, and privacy.

  • ISO/IEC 27001 outlines and provides the requirements for an information security management system (ISMS), specifies a set of best practices, and details the security controls that can help manage information risks.

The DoiT Platform ISO/IEC 27001 and SOC 2/3 certificates may be requested via trust.doit.com.

External references