INTRODUCING saasups — KNOW THE PATH BEFORE YOU TAKE IT →
Security & Trust

Read-only by design. We map your estate. We never touch it.

saasups ingests your AWS estate to produce a scored dependency map and migration roadmap. At no point does it write to, modify, or interact with your running systems. That constraint is architectural — not a policy.

Architecture

Built from first principles — not bolted on.

Four architectural choices that make read-only behaviour a structural guarantee, not a configuration option.

Read-only architecture

saasups operates exclusively through read-only AWS APIs. No write, delete, or mutate permissions are requested or accepted. Your running infrastructure is structurally unreachable from the analysis plane.

Least-privilege access

We request a scoped cross-account IAM role with only the permissions required to read Config snapshots, Migration Hub records, CloudWatch utilization, and Terraform state references. Nothing more.

Data minimization

We ingest resource configuration, dependency relationships, and utilization signals. We do not ingest source code, database contents, secrets, PII, or application traffic. If we don't need it to score your estate, we don't collect it.

Encryption in transit & at rest

All data in motion uses TLS 1.3. Ingested estate data is encrypted at rest with AES-256. Encryption keys are managed per-tenant and rotated on a 90-day cycle.

Data flow

How your data flows

Three discrete, auditable steps — your systems are unchanged at every stage.

Zero writes at every stage
01
Read-only IAM role

Connect

You deploy a scoped, read-only cross-account IAM role. saasups assumes that role and reads AWS Config snapshots, Migration Hub records, and optionally CloudWatch utilization data. No agents are installed. No software touches your workloads.

02
Isolated processing

Analyze

Ingested configuration data is processed in an isolated analysis environment. saasups builds a dependency graph, resolves application relationships, and scores each workload against the 7 R's. Your AWS account is not contacted again during this phase.

03
Outputs leave; systems unchanged

Deliver

The output — a scored estate map, dependency graph, and prioritized migration roadmap — is delivered to your team. The analysis environment is flushed on a configurable schedule. Your systems are exactly as you left them.

Compliance

Compliance & certifications

These items reflect our current program status. Certification timelines are illustrative; engage your account team for the latest audit artefacts.

SOC 2 Type II

In progress (illustrative)

Security, availability, and confidentiality trust service criteria. Audit cycle initiated; report expected Q3 2026.

GDPR-readiness

Implemented

Data processing agreements available. EU-region data residency option configurable per tenant. saasups does not process personal data as part of estate ingestion.

Data residency

Configurable

Analysis workloads can be pinned to AWS us-east-1 (default), eu-west-1, or ap-southeast-2. Selection is locked at tenant creation and immutable without explicit migration request.

Pen testing

Annual (illustrative)

Third-party penetration testing conducted on the analysis pipeline and API surface on an annual cadence. Summary reports available under NDA.

Compliance status reflects our current program as of June 2026. Items marked “illustrative” or “in progress” have not completed a formal audit. Contact your account team for current attestations and available artefacts.

FAQ

Questions engineering leaders ask

Does saasups write to our systems?

No. saasups is read-only by design. The cross-account IAM role we request carries no write, delete, or mutate permissions. Your infrastructure configuration, running workloads, and data stores are structurally unreachable from the saasups analysis plane. This is not a policy — it is an architectural constraint built into how the platform operates.

What permissions does saasups need?

saasups requires a cross-account IAM role with read access to AWS Config (configuration snapshots), AWS Migration Hub (discovery records), and optionally CloudWatch (utilization metrics for FinOps cost modeling). We publish a minimal policy document in our integration guide. You review, approve, and deploy the role — we never request changes to it unilaterally.

Where is our data processed and stored?

Processing occurs in an isolated AWS-hosted analysis environment in your selected region (us-east-1, eu-west-1, or ap-southeast-2). Ingested estate data is encrypted at rest with AES-256. Analysis outputs are retained for the period defined in your agreement — default 90 days — after which they are purged from the analysis environment.

How long is our data retained?

Assessment data is retained for 90 days by default, configurable to 30 or 180 days under your agreement. When an assessment cycle closes, raw ingestion data is deleted. Derived outputs (scored estate map, dependency graph, roadmap) are retained for the agreed period and then permanently deleted. You can request early deletion at any time.

Can we run saasups inside our own AWS account?

The current platform runs in saasups-managed infrastructure with strict tenant isolation. A bring-your-own-account deployment model is on the roadmap for enterprise agreements where VPC-private analysis is a hard requirement. Contact your account team to discuss current availability and timeline.

See your modernization path mapped — talk to a saasups architect

BOOK A TECHNICAL WALKTHROUGH