Security & Trust
Your AWS account security is non-negotiable. Here is exactly how Driftak accesses your data, what we store, and how you can remove access at any time.
Read-only IAM access
Driftak connects to your AWS account using an IAM Role — not access keys. The role is granted read-only permissions. Driftak can never create, modify, or delete any AWS resource in your account.
The IAM policy is open-source and can be reviewed before you connect. It grants access to:
- EC2: describe instances, volumes, snapshots, addresses
- RDS: describe instances and clusters
- Elastic Load Balancing: describe load balancers
- Cost Explorer: read billing data
- STS: verify caller identity (used during setup only)
Nothing beyond these permissions is requested. Any future permission change will be communicated in advance and requires your explicit re-consent.
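One way to check a policy document against the list above before attaching it to the role. This is an added example, not Driftak's code. The sample policy and its action names are constructed, and the function name `audit_policy` is hypothetical.

```python
import json

# Services and read-only verb prefixes taken from the list above; the exact
# action names in Driftak's published policy may differ (assumption).
ALLOWED_SERVICES = {"ec2", "rds", "elasticloadbalancing", "ce", "sts"}
READ_PREFIXES = ("describe", "get", "list")

# Constructed sample policy, not Driftak's actual document.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "ec2:DescribeInstances", "ec2:DescribeVolumes",
            "rds:DescribeDBInstances", "ce:GetCostAndUsage"]},
        {"Effect": "Allow", "Resource": "*", "Action": "sts:GetCallerIdentity"},
    ],
})


def as_list(value):
    """IAM lets Action and Statement be a single item or a list."""
    return value if isinstance(value, list) else [value]


def audit_policy(policy_json):
    """Return a list of findings; an empty list means every Allow is read-only."""
    findings = []
    for i, stmt in enumerate(as_list(json.loads(policy_json)["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        if "NotAction" in stmt:
            findings.append(f"statement {i}: Allow with NotAction grants everything else")
            continue
        for action in as_list(stmt.get("Action", [])):
            service, _, name = action.partition(":")
            if service.lower() not in ALLOWED_SERVICES:
                findings.append(f"statement {i}: unexpected service in {action}")
            elif "*" in name or "?" in name:
                # Strict on purpose: even Describe* is broader than the listed calls
                findings.append(f"statement {i}: wildcard in {action}")
            elif not name.lower().startswith(READ_PREFIXES):
                findings.append(f"statement {i}: non-read action {action}")
    return findings


if __name__ == "__main__":
    print(audit_policy(SAMPLE_POLICY) or "policy is read-only")
```

Run it against the policy JSON you intend to attach; any finding is a reason to stop and compare against the published policy before creating the role.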
We never store your AWS credentials
Driftak uses IAM Role assumption — your AWS account credentials never leave AWS. There are no access keys, secret keys, or session tokens stored in our database.
What we do store: your AWS Account ID and the ARN of the IAM Role you created. These are needed to assume the role on each scan. Neither value grants access on its own.
How your data is processed
When a scan runs, Driftak calls AWS APIs using your IAM Role and processes the response in memory to identify idle or orphaned resources. The results — resource IDs, types, estimated costs — are stored in our database to power your dashboard and alerts.
Raw AWS API responses are not persisted. We store only the structured data needed to display your dashboard and generate alerts.
All data is encrypted at rest and in transit. Driftak uses Supabase (hosted on AWS) with row-level security enforced per user.
Incident response
In the unlikely event of a security incident affecting your data, we will notify you within 72 hours of discovery, consistent with GDPR requirements.
To report a security vulnerability, email security@driftak.com. We aim to respond within 24 hours.
Removing your AWS account connection
You can disconnect an AWS account at any time from your dashboard. Disconnecting immediately stops all scans and deletes the stored Role ARN for that account.
To complete the removal, also delete the IAM Role from your AWS account. We include step-by-step instructions in the disconnect flow.
To delete your entire Driftak account and all associated data, email support@driftak.com with the subject line "Delete my account". We will process the request within 7 business days and confirm when complete.
Questions about our security practices?
Email us at security@driftak.com