Last updated: March 7, 2026
When you create a Cloud Guardian account, we collect personal information necessary to provide our service. This includes your full name, email address, profile photograph, and Google account identifier as provided through Firebase Authentication and Google Single Sign-On (SSO). We also collect organizational information you provide when creating or joining an organization, including organization name, your role within the organization (viewer, member, admin, or owner), and membership details for multi-tenant access control.
When you connect a Google Cloud Platform project to Cloud Guardian via a service account connector, we collect infrastructure metadata from up to nine resource types within your project. This includes Cloud Run service configurations (revision details, scaling settings, CPU/memory allocation, traffic routing, and container metadata), Secret Manager secret metadata (secret names, versions, rotation policies — but never secret values), Artifact Registry repository information (repository names, image tags, version counts, and storage utilization), Compute Engine instance details (machine types, zones, status, and disk configurations), Cloud SQL instance metadata (database versions, tier, storage, and high-availability settings), Cloud Storage bucket configurations (location, storage class, lifecycle rules, and access controls), and Cloud Functions metadata (runtime, memory, timeout, and trigger configurations). We do not access or store the contents of your application data, secrets, databases, or storage buckets.
We additionally collect cost and utilization metrics from Google Cloud Monitoring and Cloud Billing APIs associated with your connected projects. This includes CPU utilization percentages, memory usage, request counts, billable instance hours, network egress volumes, and associated cost figures. Usage analytics about how you interact with the Cloud Guardian platform itself — such as pages visited, features used, scan triggers, and remediation actions taken — are collected to improve service quality and reliability.
The primary use of your information is to provide, operate, and maintain the Cloud Guardian service. This includes authenticating your identity, managing organizational access controls, connecting to your GCP projects via encrypted service account credentials, and rendering your infrastructure status on the dashboard. Your infrastructure metadata is used to perform automated scanning cycles that identify cost optimization opportunities, security misconfigurations, and compliance violations against both built-in checks and custom guardian rules you define using CEL (Common Expression Language) expressions.
We use your information to generate and execute remediation actions. This includes planning remediation steps based on scan findings, executing approved changes directly via GCP APIs, creating GitHub Pull Requests for infrastructure-as-code changes when configured, and running auto-remediation within scopes you have explicitly enabled. Cost and utilization metrics are used to calculate estimated savings, track actual savings over configurable verification windows, generate cost trend analyses, and produce cost breakdown reports by project, service, and resource type.
Your email address is used to send service-related notifications, including scan completion summaries, remediation execution results, cost alert threshold notifications, and account security alerts. If you configure notification integrations, we deliver event data to your specified endpoints including Slack webhooks, Microsoft Teams webhooks, email addresses via Resend, and custom webhook URLs. We do not sell, rent, or trade your personal information or infrastructure data to third parties. We do not use your infrastructure data to train machine learning models or for any purpose unrelated to providing the Cloud Guardian service to you.
All Cloud Guardian data is stored in Google Cloud Firestore, which provides automatic encryption at rest using Google-managed encryption keys. Firestore data is replicated across multiple availability zones within the configured region for durability and high availability. Our application data, including infrastructure snapshots, scan results, remediation action records, cost metrics, and organizational configurations, resides in the Firestore default database instance.
GCP service account credentials receive an additional layer of protection through envelope encryption. Each credential blob is encrypted using AES-256-GCM with a unique Data Encryption Key (DEK), and the DEK itself is wrapped using Google Cloud Key Management Service (Cloud KMS). This ensures that even in the unlikely event of a data store compromise, credentials remain protected by hardware-backed KMS keys. All data in transit between clients and our services is encrypted using TLS 1.2 or higher. Internal service-to-service communication uses h2c (HTTP/2 cleartext) within the Cloud Run trusted execution environment.
Access to your data within Cloud Guardian is governed by a four-tier role-based access control (RBAC) system. The viewer role provides read-only access to dashboards and scan results. The member role adds the ability to trigger scans and view detailed configurations. The admin role permits managing connectors, rules, and remediation actions. The owner role grants full organizational control including member management, billing, and organization deletion. Each API request is authenticated through a chain that checks for a static service token, then API key authentication (SHA-256 hash lookup), and finally Firebase JWT validation. Credential isolation ensures that connectors and their encrypted credentials are scoped to the owning organization and cannot be accessed across organizational boundaries.
When you provide a GCP service account key to create a connector, the JSON key file is encrypted immediately upon receipt using the envelope encryption scheme described above. The plaintext key material is never written to disk in unencrypted form, never stored in application logs, and never included in error messages or diagnostic output. Once encrypted, the credential is stored with a reference marker of stored:// indicating that the actual credential blob is held in encrypted storage rather than inline.
During scan operations, credentials are decrypted in memory only for the duration of the API calls required to collect infrastructure metadata and metrics from your GCP project. Decryption occurs sequentially before parallel scanning begins, and the decrypted material is held only in process memory with a per-project timeout of two minutes. After the scan completes or times out, the decrypted credential is eligible for garbage collection and is not cached between scan cycles.
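The credential lifecycle described above (a fresh AES-256-GCM data encryption key per credential, the DEK wrapped by a KMS-held key, a stored:// reference in place of the inline key, and plaintext that exists only in memory while it is needed) can be made concrete in a short Go program. The following is an added example written for this page, not Cloud Guardian's own code: the function names (EncryptCredential, DecryptCredential, kmsWrap, kmsUnwrap) and the Envelope layout are hypothetical, the Cloud KMS wrap is simulated with a locally held key so the example runs offline, and the service account key and reference value are constructed. The one design point it adds beyond the text is using the storage reference as GCM associated data, so that a ciphertext moved to another connector record fails to open.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is the record persisted instead of the plaintext service account key.
type Envelope struct {
	Reference  string // inline marker, e.g. "stored://<connector-id>", naming this blob
	WrappedDEK []byte // DEK encrypted under the KEK: nonce || ciphertext || tag
	Blob       []byte // key file encrypted under the DEK: nonce || ciphertext || tag
}

// newGCM builds an AES-256-GCM AEAD and rejects keys of any other length.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random nonce and binds aad to the
// ciphertext. Output layout: nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; GCM's tag check fails on any change to ciphertext or aad.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := gcm.NonceSize()
	if len(blob) < n+gcm.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, blob[:n], blob[n:], aad)
}

// kmsWrap and kmsUnwrap stand in for Cloud KMS Encrypt and Decrypt. ASSUMPTION:
// in production the KEK never leaves KMS; it is held locally here only so the
// example runs offline, reusing the same AEAD construction as the wrap.
func kmsWrap(kek, dek []byte) ([]byte, error)       { return seal(kek, dek, []byte("dek-wrap")) }
func kmsUnwrap(kek, wrapped []byte) ([]byte, error) { return open(kek, wrapped, []byte("dek-wrap")) }

// EncryptCredential draws one DEK per credential, seals the key file under it with
// the storage reference as AAD (so a blob cannot be re-attached to another
// connector record), and wraps the DEK. The plaintext DEK is dropped on return.
func EncryptCredential(kek, keyJSON []byte, ref string) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	blob, err := seal(dek, keyJSON, []byte(ref))
	if err != nil {
		return nil, err
	}
	wrapped, err := kmsWrap(kek, dek)
	if err != nil {
		return nil, err
	}
	return &Envelope{Reference: ref, WrappedDEK: wrapped, Blob: blob}, nil
}

// DecryptCredential unwraps the DEK and opens the blob. Callers hold the result
// only for the API calls that need it, then let it go out of scope.
func DecryptCredential(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := kmsUnwrap(kek, env.WrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Blob, []byte(env.Reference))
}

func main() {
	kek := make([]byte, 32) // constructed KEK standing in for the KMS-held key
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	keyJSON := []byte(`{"type":"service_account","private_key":"CONSTRUCTED-NOT-A-REAL-KEY"}`)
	env, err := EncryptCredential(kek, keyJSON, "stored://connector-example")
	if err != nil {
		panic(err)
	}
	fmt.Printf("persisted %d ciphertext bytes under %s\n", len(env.Blob), env.Reference)
	plain, err := DecryptCredential(kek, env)
	fmt.Println("round trip ok:", err == nil && string(plain) == string(keyJSON))
	env.Blob[len(env.Blob)-1] ^= 1 // one flipped tag bit models a tampered data store
	_, err = DecryptCredential(kek, env)
	fmt.Println("tampered blob rejected:", err != nil)
}
```

Two properties of the scheme are worth checking rather than assuming: a blob modified in the data store must fail its GCM tag check before any plaintext is produced, and a blob that is valid under one connector's reference must not open under another. Both hold here because GCM authenticates the associated data together with the ciphertext.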
You may revoke Cloud Guardian's access to your GCP project at any time by deleting the associated connector through the Cloud Guardian dashboard or API, which permanently removes the encrypted credential blob from our storage. You can additionally revoke access from the GCP side by deleting or disabling the service account key in your Google Cloud Console, or by removing the IAM role bindings granted to the Cloud Guardian service account. We recommend both approaches for complete access revocation. The credential cloning feature allows copying encrypted credentials between connectors without decryption, ensuring the plaintext key is never exposed even during administrative operations.
Cloud Guardian performs automated infrastructure scanning on a recurring 6-hour cycle. Each scan cycle collects current infrastructure metadata and cost metrics from all connected GCP projects within your organization. Projects are scanned concurrently (default concurrency of 5, configurable via environment variable) with a two-minute timeout per project. A scan mutex prevents overlapping cycles to ensure data consistency.
Scan results are evaluated against both built-in checks and custom guardian rules. Built-in checks cover common optimization patterns such as non-zero minimum instances, CPU idle billing, oversized memory allocation, and stale artifact registry images. Custom guardian rules use CEL (Common Expression Language) expressions that you define, allowing flexible policy enforcement tailored to your organization's requirements. Check overrides allow you to suppress or modify the severity of specific checks on a per-organization basis.
When auto-remediation is enabled for specific scopes within a project, Cloud Guardian will automatically plan and execute remediation actions for violations detected during each scan cycle. Auto-remediation respects the configured mode: direct execution via GCP APIs for immediate changes, or GitHub Pull Request creation for infrastructure-as-code review workflows. Drift detection compares current infrastructure state against previously recorded snapshots to identify configuration changes between scan cycles. Savings verification tracks the actual cost impact of remediation actions over a configurable verification window (default one hour) to validate projected savings against real billing data.
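The scan cycle described above (projects scanned concurrently with a bounded worker count, a per-project timeout, and a mutex so cycles never overlap) is the kind of scheduler that is easy to get subtly wrong, so here is an added example of the control structure in Go. It is written for this page and is not Cloud Guardian's code: Scanner, RunCycle and RunEvery are hypothetical names, Collect is a stand-in for the real metadata and metrics collectors, and the project names and the short timeout in main are constructed. The collector must honour its context; a collector that ignores ctx cannot be cut off by the deadline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"sync"
	"time"
)

// ErrCycleInProgress is returned when a cycle is requested while one is running.
var ErrCycleInProgress = errors.New("scan cycle already in progress")

// ProjectResult is the per-project record a scan log would keep.
type ProjectResult struct {
	Project  string
	Err      error
	Duration time.Duration
}

// Scanner fans a cycle out over projects with bounded concurrency, a per-project
// deadline, and a mutex so cycles never overlap. ASSUMPTION: Collect is a
// hypothetical stand-in for the real collectors and must return when ctx ends.
type Scanner struct {
	Concurrency int
	Timeout     time.Duration
	Collect     func(ctx context.Context, project string) error
	running     chan struct{} // capacity 1: the scan mutex, taken with a non-blocking send
}

func NewScanner(concurrency int, timeout time.Duration, collect func(context.Context, string) error) *Scanner {
	return &Scanner{Concurrency: concurrency, Timeout: timeout, Collect: collect, running: make(chan struct{}, 1)}
}

// RunCycle scans every project and returns one result per project in input order.
// A caller that arrives while a cycle is running gets ErrCycleInProgress instead
// of starting a second cycle that would race the first on the same snapshots.
func (s *Scanner) RunCycle(ctx context.Context, projects []string) ([]ProjectResult, error) {
	select {
	case s.running <- struct{}{}:
	default:
		return nil, ErrCycleInProgress
	}
	defer func() { <-s.running }()

	sem := make(chan struct{}, s.Concurrency) // worker slots
	results := make([]ProjectResult, len(projects))
	var wg sync.WaitGroup
	for i, p := range projects {
		wg.Add(1)
		go func(i int, p string) {
			defer wg.Done()
			sem <- struct{}{}        // acquire a slot
			defer func() { <-sem }() // release it
			pctx, cancel := context.WithTimeout(ctx, s.Timeout)
			defer cancel()
			start := time.Now()
			err := s.Collect(pctx, p)
			results[i] = ProjectResult{Project: p, Err: err, Duration: time.Since(start)}
		}(i, p)
	}
	wg.Wait()
	return results, nil
}

// RunEvery drives RunCycle on a fixed interval until ctx is cancelled. A cycle
// that outlives the interval is reported as ErrCycleInProgress, not doubled up.
func (s *Scanner) RunEvery(ctx context.Context, interval time.Duration, projects []string, report func([]ProjectResult, error)) {
	ticker := time.NewTicker(interval)
	defer ticker.Stop()
	for {
		report(s.RunCycle(ctx, projects))
		select {
		case <-ctx.Done():
			return
		case <-ticker.C:
		}
	}
}

func main() {
	collect := func(ctx context.Context, project string) error {
		if project == "slow-project" { // constructed: a collector that never finishes on its own
			<-ctx.Done()
			return ctx.Err()
		}
		return nil
	}
	// Short timeout so the demonstration finishes quickly; the service uses two minutes.
	s := NewScanner(5, 100*time.Millisecond, collect)
	results, err := s.RunCycle(context.Background(), []string{"proj-a", "slow-project", "proj-b"})
	if err != nil {
		panic(err)
	}
	for _, r := range results {
		fmt.Printf("%-13s err=%v took=%s\n", r.Project, r.Err, r.Duration.Round(time.Millisecond))
	}
}
```

The mutex is held for the whole fan-out, so the ticker in RunEvery can never start a second cycle while a slow project is still inside its two-minute window; the timed-out project is recorded as a per-project error and the rest of the cycle completes normally.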
Infrastructure snapshots, which contain point-in-time records of your GCP resource configurations and associated cost metrics, are retained for 90 days from the date of collection. This retention period enables historical trend analysis, cost comparison reporting, and drift detection across your infrastructure over time. After 90 days, snapshot data is automatically purged from our systems.
Scan logs, which record the details of each scan cycle including per-project results, durations, resource counts, violation counts, and any errors encountered, are retained for 30 days. Webhook delivery records, which log the payload, destination, HTTP response status, and delivery timestamp for each webhook event sent to your configured endpoints, are also retained for 30 days. Remediation action records, including execution history and status transitions, are retained for 90 days.
When you request account deletion or organization removal, all associated data — including infrastructure snapshots, scan logs, remediation records, connector configurations, encrypted credentials, custom rules, check overrides, and organizational membership records — is permanently deleted within 30 days of the request. Project disconnection (connector deletion) immediately removes the encrypted credentials and queues associated snapshot and scan data for deletion within the same 30-day window. You may request expedited deletion by contacting us directly.
Cloud Guardian relies on several third-party services to deliver its functionality. Firebase Authentication (operated by Google) manages user identity, session tokens, and Google SSO integration. Your authentication data is subject to Firebase's Privacy Policy. Google Cloud Platform provides our core infrastructure including Cloud Run (application hosting), Firestore (data storage), Cloud KMS (credential encryption), and Cloud Monitoring (metrics collection from your connected projects), governed by Google Cloud's Privacy Notice.
Vercel provides frontend hosting and edge delivery for the Cloud Guardian web application, subject to Vercel's Privacy Policy. GitHub, through its GitHub App integration (used for PR-based remediation delivery), processes repository metadata and pull request content for connected repositories, subject to GitHub's Privacy Statement. Resend provides transactional email delivery for notifications, processing recipient email addresses and email content as described in their privacy policy.
We select third-party providers that maintain strong security practices and comply with applicable data protection regulations. However, each third-party service operates under its own privacy policy and terms. We encourage you to review the privacy policies of these services. We do not share your infrastructure data or GCP credentials with any third-party service other than Google Cloud Platform, which requires credential access to perform scanning operations on your behalf.
When you configure webhook endpoints for event notifications, Cloud Guardian delivers event payloads to your specified URLs. Each webhook delivery is cryptographically signed using HMAC-SHA256 with a per-connector signing secret, allowing you to verify the authenticity and integrity of incoming webhook payloads. The signing secret is generated at connector creation time and can be rotated by updating the connector configuration.
Webhook event types include scan completion events (with summary statistics), remediation execution results (success or failure with details), cost alert threshold breaches, and infrastructure drift detection notifications. Each delivery payload contains the event type, timestamp, organization identifier, relevant resource identifiers, and event-specific data. Payloads do not include GCP credentials or secret values.
Webhook delivery records — including the destination URL, HTTP response status code, response time, and a truncated payload summary — are retained for 30 days to support delivery troubleshooting and audit trails. Failed deliveries are retried with exponential backoff. You are responsible for securing your webhook endpoint and validating the HMAC-SHA256 signature on incoming deliveries to prevent unauthorized data injection.
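The signature check the previous paragraph places on the receiving side is shown below as an added Go example for this page; it is not Cloud Guardian's code or its documented wire format. The page states only that deliveries are signed with HMAC-SHA256 under a per-connector secret, so the header name X-Guardian-Signature and the hex encoding are assumptions to be replaced with whatever the connector documentation specifies, and accepting both the current and the previous secret during a rotation window is a receiver-side design choice, not something the page describes. The secrets and payloads in main are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"net/http"
)

// ASSUMPTION: header name and hex encoding are illustrative; the page specifies
// only HMAC-SHA256 with a per-connector secret.
const signatureHeader = "X-Guardian-Signature"

// maxBody bounds how much a sender can make the endpoint buffer before the
// signature is checked.
const maxBody = 1 << 20

// signPayload computes the hex HMAC-SHA256 over the raw body bytes. A receiver
// needs it only to build test deliveries; the sender does this for real.
func signPayload(secret, body []byte) string {
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hex.EncodeToString(mac.Sum(nil))
}

// verifySignature recomputes the MAC over the exact bytes received and compares
// in constant time; == or bytes.Equal would leak timing information.
func verifySignature(secret, body []byte, presented string) bool {
	want, err := hex.DecodeString(presented)
	if err != nil || len(want) != sha256.Size {
		return false
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(body)
	return hmac.Equal(mac.Sum(nil), want)
}

// verifyAny accepts a delivery signed under any of the supplied secrets. Keeping
// the previous secret live for a short window after rotation avoids dropping
// deliveries signed just before the connector configuration was updated.
func verifyAny(secrets [][]byte, body []byte, presented string) bool {
	for _, s := range secrets {
		if verifySignature(s, body, presented) {
			return true
		}
	}
	return false
}

// handleDelivery is the policy decision, separated from net/http so it can be
// tested directly: it returns the status to send and the verified body (nil on rejection).
func handleDelivery(secrets [][]byte, body []byte, presented string) (int, []byte) {
	if presented == "" || !verifyAny(secrets, body, presented) {
		return http.StatusUnauthorized, nil
	}
	return http.StatusOK, body
}

// webhookHandler reads the raw body (bounded), verifies it, and only then hands
// the bytes to the application. Verify before parsing: decoding JSON from an
// unverified body is itself attack surface.
func webhookHandler(secrets [][]byte, process func(body []byte)) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body, err := io.ReadAll(http.MaxBytesReader(w, r.Body, maxBody))
		if err != nil {
			http.Error(w, "body too large or unreadable", http.StatusRequestEntityTooLarge)
			return
		}
		status, verified := handleDelivery(secrets, body, r.Header.Get(signatureHeader))
		if status != http.StatusOK {
			http.Error(w, "invalid signature", status)
			return
		}
		process(verified)
		w.WriteHeader(http.StatusNoContent)
	}
}

func main() {
	// Constructed secrets and payload; no real connector secret appears here.
	current := []byte("constructed-current-secret")
	previous := []byte("constructed-previous-secret")
	secrets := [][]byte{current, previous}
	body := []byte(`{"event":"scan.completed","org":"org-example","violations":3}`)

	sig := signPayload(current, body)
	status, _ := handleDelivery(secrets, body, sig)
	fmt.Println("genuine delivery:", status)

	tampered := []byte(`{"event":"scan.completed","org":"org-example","violations":0}`)
	status, _ = handleDelivery(secrets, tampered, sig)
	fmt.Println("tampered delivery:", status)

	// To serve: http.ListenAndServe(":8080", webhookHandler(secrets, func(b []byte) { /* enqueue b */ }))
}
```

The MAC is computed over the raw request bytes, never over a re-serialised JSON object, because any re-encoding (key order, whitespace, number formatting) changes the bytes and breaks verification even for genuine deliveries.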
Cloud Guardian uses Firebase Authentication session tokens stored in your browser to maintain your authenticated session. These tokens are essential for the operation of the service and are used solely for authentication and session management purposes. Session tokens are JWT (JSON Web Token) format, contain your user identifier and email, and expire after one hour with automatic refresh via Firebase's secure token endpoint.
Cloud Guardian does not use third-party tracking cookies, advertising cookies, or analytics tracking pixels. We do not integrate with any advertising networks or third-party analytics platforms that track users across websites. We do not participate in cross-site tracking or retargeting programs. The only cookies or local storage entries set by Cloud Guardian are those strictly necessary for authentication, session management, and remembering your UI preferences such as selected organization and dashboard layout settings.
Cloud Guardian's primary infrastructure, including the API server and Firestore database, is hosted in Google Cloud's australia-southeast2 (Melbourne, Australia) region. Infrastructure metadata collected from your GCP projects is processed and stored within this region. Frontend assets are served globally through Vercel's edge network for performance, but do not contain your infrastructure data.
If you are located outside Australia, your personal information (name, email) and infrastructure metadata will be transferred to and processed in Australia. By using Cloud Guardian, you consent to this transfer. We rely on Google Cloud's data processing agreements and standard contractual clauses for any data transfers that may occur within Google's global infrastructure for redundancy and disaster recovery purposes. Firebase Authentication data may be processed in Google's global infrastructure as described in Firebase's data processing terms.
Cloud Guardian is a business-to-business infrastructure management platform and is not directed at children under the age of 13 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected personal information from a child under 13, we will take steps to delete that information promptly. If you believe that a child under 13 has provided us with personal information, please contact us at privacy@cloudguard.dev.
Depending on your jurisdiction, you may have the following rights regarding your personal information. The right of access: you can request a copy of all personal data we hold about you, including infrastructure metadata, scan history, and organizational membership records, exportable in JSON format through the Cloud Guardian dashboard or API. The right to rectification: you can update your account information at any time through your profile settings or by contacting us.
The right to erasure (right to be forgotten): you can request complete deletion of your account and all associated data. Upon request, we will delete your personal information, infrastructure snapshots, scan logs, remediation records, and organizational data within 30 days. The right to data portability: you can export your data in machine-readable JSON format. The right to restrict processing: you can disconnect individual GCP projects to stop data collection while maintaining your account. The right to object: you can opt out of non-essential communications at any time.
For users in the European Economic Area (EEA), we process your data under the lawful bases of contract performance (providing the service you signed up for) and legitimate interest (improving service quality and security). For users in California, under the CCPA you have the right to know what personal information we collect, the right to delete your personal information, and the right to non-discrimination for exercising your privacy rights. We do not sell personal information as defined by the CCPA. To exercise any of these rights, contact us at privacy@cloudguard.dev or use the self-service options in the Cloud Guardian dashboard.
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes, we will update the “Last updated” date at the top of this page. For material changes that significantly affect how we handle your personal information, we will provide prominent notice through the Cloud Guardian dashboard and/or email notification to the address associated with your account at least 14 days before the changes take effect.
Your continued use of Cloud Guardian after any changes to this Privacy Policy constitutes your acceptance of the updated policy. If you do not agree with any changes, you should discontinue use of the service and request account deletion. We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information. Prior versions of this policy are available upon request.
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at privacy@cloudguard.dev. For data protection inquiries specific to GDPR, you may also contact our data protection point of contact at the same address. We will respond to all privacy-related inquiries within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection supervisory authority.