Privacy Policy
Last updated: May 14, 2026
Cloustral ("we", "our", or "us") is committed to protecting your personal data. This Privacy Policy explains what information we collect, why we collect it, how we use and protect it, and the rights you have regarding your data. Please read this policy carefully before using our services.
1. Who We Are
Cloustral is a cloud visibility and governance platform that allows organizations to connect cloud accounts (AWS, Azure), inventory their resources, map architecture, and identify misconfigurations, cost waste, and policy drift. References to "Cloustral", "we", "us", or "our" refer to the operator of this service. For questions about this policy or to exercise your rights, please contact us via the contact page.
2. Information We Collect
We collect the following categories of information:
Account and Identity Data
When you register for an account, we collect your email address and any profile information you provide (such as your name or organization name). If you are invited to an organization by another user, we receive your email address as part of that invitation process.
Cloud Credentials and Integration Data
When you connect a cloud account, we collect and store the credentials, role identifiers, or API keys you provide so Cloustral can retrieve cloud inventory. You should grant Cloustral the minimum permissions needed for inventory collection. Stored credentials are encrypted before they are saved in the database, and they are decrypted by the application only when needed to connect to your cloud provider. We also collect and store cloud resource data retrieved through those connections, including resource identifiers, configurations, network topology, tags, and metadata, to provide the service.
Usage and Interaction Data
We may collect information about how you interact with Cloustral, including features used, pages visited, actions taken (such as creating rules or running scans), and timestamps of activity. This helps us improve the product and troubleshoot issues.
Technical and Device Data
Standard technical data may be processed automatically when you access our service, including IP address, browser and device information, referring URL, request metadata, and session identifiers. This data is used for authentication, abuse prevention, troubleshooting, and service reliability.
Communication Data
If you contact us by email or through the contact page, we process the message contents and contact details you provide so we can respond to and resolve your enquiry. Contact form delivery may be handled by our configured email provider.
3. Legal Basis for Processing
We process your personal data on the following legal grounds under applicable data protection law:
- Contractual necessity: processing required to deliver the service you have signed up for, including account management, credential storage, cloud inventory sync, and evaluation of rules and automations you configure.
- Legitimate interests: processing necessary for our legitimate business interests, such as improving the service, preventing fraud, ensuring security, and conducting analytics, provided those interests are not overridden by your rights.
- Consent: where we rely on your consent (for example, for optional analytics), you may withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
- Legal obligation: where processing is necessary to comply with a legal obligation to which we are subject.
4. How We Use Your Data
We use the data we collect to:
- Create and manage your account and organization membership.
- Authenticate your identity and maintain session security.
- Connect to and retrieve data from your cloud provider accounts.
- Generate architecture views, resource inventories, and findings.
- Run automation and scheduled scans on your behalf.
- Send transactional emails such as password resets, invitations, automation summaries, and billing notifications.
- Respond to support requests and enquiries.
- Detect, investigate, and prevent security incidents and abuse.
- Improve and develop our product based on aggregated usage analytics.
- Comply with our legal obligations.
We do not sell your data or use cloud account data for advertising. We do not use your data for profiling for marketing purposes.
5. Data Sharing and Third Parties
We do not sell, rent, or trade your personal data or cloud account data to any third party.
We may share data with trusted third-party service providers who assist us in operating the service, only to the extent necessary for the service they provide. Categories of service providers include:
- Cloud infrastructure providers (hosting, compute, and storage).
- Authentication and identity management services.
- Transactional email delivery providers.
- Payment processors for subscription billing.
- Product analytics tools, when analytics is enabled.
We may also disclose data if required to do so by law or in the good-faith belief that such disclosure is reasonably necessary to comply with legal process, respond to claims, or protect the rights, property, or safety of Cloustral, our users, or the public.
In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity. Where required, we will notify you of material changes affecting your data.
6. Cookies and Tracking Technologies
We use cookies and similar technologies on our platform. Cookies are small text files stored on your device.
Essential cookies
These are strictly necessary for the service to function. They include session tokens, authentication cookies, and CSRF protection tokens. The service cannot operate without them and they are set without requiring your consent.
Analytics cookies
With your consent, we may use analytics tools to understand how users interact with the service. These tools may collect page views, event metadata, device information, and similar usage data. You can accept or decline non-essential analytics via the cookie banner shown on your first visit. Your choice is stored in your browser's local storage, and you can change it by clearing that site data or contacting us.
You can also control cookies through your browser settings. Disabling essential cookies will impair or prevent use of the service.
7. Data Retention
We retain your personal data for as long as your account is active or as needed to provide the service. Specifically:
- Account data is retained for the duration of your account. If you delete your account, we remove the active user record when deletion is available in the product. We may retain limited records, such as email address, Google account identifier and deletion timestamp, where needed to prevent abuse or meet legal and accounting requirements.
- Cloud credential data is removed from the active database when the related cloud connection or organization is deleted. Residual copies may remain temporarily in backups or logs according to infrastructure retention practices.
- Cloud resource inventory data is retained while the related organization and connection are active. Inventory for a connection is replaced on sync, and it is removed from the active database when the connection or organization is deleted.
- Support communications are retained as long as needed to respond to your request, maintain records of support activity, and meet legal or business requirements.
You may request deletion of your data at any time as described in Section 9 below.
8. Security
We take the security of your data seriously and implement appropriate technical and organizational measures to protect it against unauthorised access, loss, destruction, or alteration. These measures include:
- Encryption of stored cloud credentials using authenticated encryption.
- Secure, HttpOnly session cookies and CSRF protection for authenticated requests.
- Role-based permissions for organization access inside the product.
- Password hashing, MFA support, and rate limits on sensitive authentication routes.
- Operational logging for troubleshooting and email delivery failures.
No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security. If you suspect a security incident, please contact us immediately.
9. Your Rights
Depending on your location and applicable law, you may have the following rights regarding your personal data:
- Right of access: to request a copy of the personal data we hold about you.
- Right to rectification: to request correction of inaccurate or incomplete personal data.
- Right to erasure: to request deletion of your personal data where there is no legitimate reason for us to continue holding it.
- Right to restriction: to request that we limit processing of your data in certain circumstances.
- Right to data portability: to receive your data in a structured, commonly used, machine-readable format.
- Right to object: to object to processing based on legitimate interests or for direct marketing purposes.
- Right to withdraw consent: where processing is based on consent, to withdraw it at any time without affecting prior processing.
To exercise any of these rights, please contact us via the contact page. We aim to respond within the timeframe required by applicable law, and normally within 30 days. We may ask you to verify your identity before fulfilling your request. If you are located in the European Economic Area, you also have the right to lodge a complaint with your local supervisory authority.
10. International Data Transfers
Cloustral operates and uses service providers that may process data outside your home country. If applicable law requires safeguards for an international transfer, we use appropriate transfer mechanisms such as contractual protections, Standard Contractual Clauses, or transfers to countries covered by an adequacy decision.
11. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. For significant changes, we may also send a notification to the email address associated with your account.
12. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us via the contact page. We are committed to working with you to resolve any privacy concerns promptly and transparently.