Data Handling

RedCloud collects the configuration and metadata it needs to assess your security posture — read-only — and stores the results in a tenant-scoped way. This page summarizes what’s collected, how it’s protected, and how long it’s kept.

| Data | Purpose |
|------|---------|
| Cloud configuration & IAM metadata | The raw material for security checks and attack-path analysis |
| Findings, scores, and evidence | The scan results you act on |
| Users, roles, and audit logs | Authentication, authorization, and accountability |
| Reports and exports | Shareable outputs you generate |

RedCloud collects this with read-oriented access; it does not require write/admin access for posture scanning.

  • At rest — configuration and sensitive data are encrypted using a dedicated encryption key; there is no silent fallback if it’s missing in production.
  • In transit — TLS is terminated at your reverse proxy / load balancer.
  • Secrets — never written to logs; auto-generated secrets are refused in production; the design is rotation-ready.
  • Tenant-scoped — all stored data is bound to its tenant (see Tenant Isolation).

  • Application state (users, scans, findings, audit logs) lives in PostgreSQL.
  • Scan artifacts (findings, reports, evidence) are written to a persistent, tenant-scoped output volume.
  • You control the deployment, so the data resides in your environment.
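As an added illustration of the fail-closed rules above (not RedCloud's own code; the RC_* variable names are assumptions), a settings loader that refuses to start in production without operator-supplied key material, keeps secrets out of repr/log output, and auto-generates values only outside production:

```python
import logging
import secrets
from dataclasses import dataclass
# Added example of the fail-closed configuration rules on this page, not RedCloud's
# own code. RC_ENV, RC_ENCRYPTION_KEY and RC_SECRET_KEY are hypothetical names.
log = logging.getLogger("settings")
class ConfigError(Exception):
    """Startup refused: a production secret is missing or malformed."""
@dataclass(frozen=True, repr=False)
class Settings:
    env: str
    encryption_key: bytes   # 32-byte key for encrypting data at rest
    secret_key: str         # signing/session secret
    generated: tuple = ()   # names auto-generated at startup (never in production)
    def __repr__(self) -> str:
        # Secrets never reach logs or tracebacks; only a marker does.
        return f"Settings(env={self.env!r}, encryption_key=<redacted>, secret_key=<redacted>)"

def config_problems(environ: dict) -> list:
    """Reasons this environment must not start; an empty list means it may."""
    problems = []
    env = environ.get("RC_ENV", "development")
    key_hex = environ.get("RC_ENCRYPTION_KEY")
    if env == "production":
        # No silent fallback: missing material is an error, not a generated default.
        if not key_hex:
            problems.append("RC_ENCRYPTION_KEY is required in production")
        if not environ.get("RC_SECRET_KEY"):
            problems.append("RC_SECRET_KEY is required in production (auto-generation refused)")
    if key_hex:
        try:
            if len(bytes.fromhex(key_hex)) != 32:
                problems.append("RC_ENCRYPTION_KEY must decode to 32 bytes")
        except ValueError:
            problems.append("RC_ENCRYPTION_KEY must be hex-encoded")
    return problems

def load_settings(environ: dict) -> Settings:
    problems = config_problems(environ)
    if problems:
        raise ConfigError("; ".join(problems))
    env = environ.get("RC_ENV", "development")
    key_hex, secret, generated = environ.get("RC_ENCRYPTION_KEY"), environ.get("RC_SECRET_KEY"), []
    if not key_hex:  # only reachable outside production
        key_hex, generated = secrets.token_hex(32), generated + ["RC_ENCRYPTION_KEY"]
    if not secret:
        secret, generated = secrets.token_urlsafe(32), generated + ["RC_SECRET_KEY"]
    if generated:
        log.warning("auto-generated %s; acceptable for %s only", ", ".join(generated), env)
    return Settings(env, bytes.fromhex(key_hex), secret, tuple(generated))
```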

Retention of scans and findings is configurable through the platform's retention-policy controls, so you can match it to your own policy. Align retention with your compliance obligations (for example, how long audit evidence must be kept).

Findings map to many recognized frameworks for reporting — including CIS, PCI-DSS, SOC 2, HIPAA, ISO 27001, NIST 800-53 / CSF, and GDPR — so data you collect can be presented against the standard your auditors use. See Audit & Compliance.