Last updated: March 7, 2026
By accessing, browsing, or using Cloud Guardian (“the Service”), operated by Cloud Guardian (“we,” “us,” or “our”), you acknowledge that you have read, understood, and agree to be bound by these Terms of Service (“Terms”). These Terms constitute a legally binding agreement between you and Cloud Guardian governing your use of the platform, including the web dashboard, API, MCP server interface, and all related services.
If you are using the Service on behalf of an organization, company, or other legal entity, you represent and warrant that you have the authority to bind that entity to these Terms. In such cases, “you” and “your” refer to both you individually and the entity you represent. If you do not have such authority, or if you do not agree with these Terms, you must not use the Service.
These Terms apply to all users of the Service, including organization owners, administrators, members, and viewers. Additional terms may apply to specific features or services, and such terms will be presented to you when you access those features. In the event of a conflict between these Terms and any feature-specific terms, the feature-specific terms shall prevail for that particular feature.
Cloud Guardian is a multi-tenant infrastructure cost protection and optimization platform for Google Cloud Platform (GCP). The Service provides automated scanning of connected GCP projects to identify cost optimization opportunities, security misconfigurations, and compliance violations across nine resource types: Cloud Run services, Compute Engine instances, Cloud SQL instances, Cloud Storage buckets, Cloud Functions, GKE clusters, BigQuery datasets, Secret Manager secrets, and Artifact Registry repositories. Scanning occurs on automated 6-hour cycles with concurrent project processing.
The Service includes infrastructure remediation capabilities that can execute optimization changes either directly via GCP APIs or through GitHub Pull Requests for infrastructure-as-code review workflows. Additional features include cost trend analysis and breakdown reporting, custom policy enforcement via CEL-based guardian rules, multi-organization management with role-based access controls, real-time notifications via email (Resend), Slack, Microsoft Teams, and custom webhooks, savings tracking with configurable verification windows, per-project scan result recording, and a system diagnostics console for operational visibility.
Cloud Guardian also provides an MCP (Model Context Protocol) server interface enabling integration with AI-powered development tools such as Claude Code. The MCP server exposes the full range of platform capabilities through structured tool interfaces, including authentication, organization management, project scanning, remediation execution, and cost analysis. The Service requires you to grant access to your GCP projects via service account credentials with appropriate IAM permissions.
To use Cloud Guardian, you must create an account by authenticating through Firebase Authentication using Google Single Sign-On (SSO). By creating an account, you agree to provide accurate and complete information. You are responsible for maintaining the confidentiality of your account and for all activities that occur under your account. You must notify us immediately of any unauthorized use of your account.
Cloud Guardian operates on a multi-tenant organizational model. After creating an account, you may create one or more organizations or be invited to join existing organizations by their administrators or owners. Each organization maintains independent configurations, connected projects, rules, and member rosters. Your role within each organization (viewer, member, admin, or owner) determines your permissions and access level as described in our documentation.
You may be a member of multiple organizations simultaneously, each with independent roles and permissions. Organization owners are responsible for managing membership, configuring projects, and ensuring appropriate access controls within their organization. Invitations are sent via email and must be accepted by the recipient to activate membership.
You are responsible for maintaining the security of all credentials associated with your Cloud Guardian account, including your Google SSO credentials, API keys generated through the platform, and the GCP service account keys you provide for project connectivity. You must not share credentials with unauthorized parties or use credentials belonging to others without explicit authorization.
When connecting GCP projects, you are responsible for reviewing and understanding the IAM permissions granted to the Cloud Guardian service account. The recommended roles are roles/viewer, roles/run.viewer, and roles/secretmanager.viewer for read-only scanning. Additional roles may be required for remediation execution. You must ensure that the permissions granted are appropriate for your use case and comply with your organization's security policies.
You are responsible for reviewing all remediation actions before approving execution, particularly for direct GCP API changes that take immediate effect. For PR-based remediation, you should review generated pull requests through your standard code review process before merging. You must comply with Google Cloud Platform's Terms of Service, Acceptable Use Policy, and all applicable laws and regulations when using Cloud Guardian to manage your GCP infrastructure. You are solely responsible for any consequences arising from remediation actions applied to your infrastructure, whether manually approved or automatically executed.
Cloud Guardian offers automated remediation capabilities that can modify your GCP infrastructure based on scan findings. Remediation operates in two modes: direct execution, which applies changes immediately via GCP APIs, and GitHub PR mode, which creates pull requests in your connected repository for review before application. When a project has both a GitHub repository and GitHub App installation configured, remediation defaults to PR mode for safety.
Auto-remediation scopes allow you to specify which types of violations should be automatically remediated after each scan cycle without manual approval. These scopes are configurable per project and can be defined at both the connector and organization project level. The force_direct option bypasses PR mode and executes changes directly via GCP APIs even when a GitHub integration is configured. You should use this option with extreme caution and only when you have thoroughly tested the remediation behavior.
You acknowledge and accept that automated modifications to cloud infrastructure carry inherent risks, including but not limited to: service disruption if scaling parameters are changed during peak traffic, data availability impact if storage configurations are modified, cost increases if remediation actions do not produce the expected savings, and configuration drift between your infrastructure-as-code definitions and actual deployed state. We strongly recommend starting with PR-based remediation and progressively enabling auto-remediation scopes only after validating behavior in non-production environments. Cloud Guardian implements deduplication to prevent redundant remediation actions and uses post-remediation re-scanning to verify changes, but these safeguards do not eliminate all risk.
Cloud Guardian allows you to generate API keys for programmatic access to the platform. API keys are prefixed with cg_ followed by 40 hexadecimal characters. Keys are stored as SHA-256 hashes; the plaintext key is displayed only once at creation time and cannot be recovered. You are responsible for securely storing your API keys and rotating them periodically. Compromised keys should be revoked immediately through the dashboard or API.
Each API key is associated with a role that determines its permission level. The role assigned to an API key cannot exceed the role of the user who created it. For example, a member cannot create an admin-level API key. API keys authenticate requests independently of Firebase session tokens, making them suitable for CI/CD pipelines, scripts, and automated workflows.
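One way to meet the key-storage responsibility described above is to scan files and logs for leaked keys before they are committed or shipped. This is an added example, not code from Cloud Guardian: it uses the stated format (cg_ followed by 40 hexadecimal characters), while the boundary guards, the case-insensitive hex match, the truncated SHA-256 fingerprint, and the sample data are assumptions made for illustration.

```python
import hashlib
import re

# Format stated in the Terms: "cg_" followed by 40 hexadecimal characters.
# Assumptions: hex may be upper or lower case, and a key is not embedded
# inside a longer identifier or a longer hex run.
KEY_RE = re.compile(r"(?<![A-Za-z0-9_])cg_[0-9a-fA-F]{40}(?![0-9a-fA-F])")


def fingerprint(key: str) -> str:
    """Truncated SHA-256 of the key, so findings never carry the plaintext."""
    return hashlib.sha256(key.encode("ascii")).hexdigest()[:12]


def scan_text(name: str, text: str) -> list:
    """Return one finding per key-shaped token: file, line number, fingerprint."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for match in KEY_RE.finditer(line):
            findings.append(
                {"file": name, "line": lineno, "fingerprint": fingerprint(match.group())}
            )
    return findings


def redact(text: str) -> str:
    """Replace each key with a marker that still lets two leaks be correlated."""
    return KEY_RE.sub(
        lambda m: "cg_[REDACTED sha256:" + fingerprint(m.group()) + "]", text
    )


# Constructed sample data: this is not a real key.
SAMPLE_KEY = "cg_" + "0123456789abcdef" * 2 + "01234567"
SAMPLE = "\n".join(
    [
        "# deploy.env (constructed sample)",
        "CLOUD_GUARDIAN_API_KEY=" + SAMPLE_KEY,
        "NOTE=cg_deadbeef is too short to be a key",
    ]
)

if __name__ == "__main__":
    for finding in scan_text("deploy.env", SAMPLE):
        print(finding)
    print(redact(SAMPLE))
```

A key found this way should be treated as compromised and revoked, since it has already been written somewhere it should not be.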
The MCP server interface provides access to Cloud Guardian's capabilities through structured tool calls compatible with AI development assistants. MCP authentication uses a browser-based flow where the CLI opens a web page for Firebase Google Sign-In, and the resulting token is posted to a localhost callback. MCP tokens are stored at ~/.config/cloud-guardian/auth.json with restricted file permissions (0600) and are automatically refreshed. You are responsible for securing access to machines where MCP tokens are stored.
You may configure webhook endpoints to receive real-time event notifications from Cloud Guardian. Webhook destinations are user-configured URLs that must be accessible from Cloud Guardian's infrastructure. You are responsible for ensuring your webhook endpoints are properly secured, available, and capable of handling the expected event volume.
All webhook deliveries are signed using HMAC-SHA256 with a per-connector signing secret. You should validate the signature on every incoming webhook request to verify authenticity and prevent unauthorized payload injection. Event types include scan completions, remediation results, cost alert triggers, and drift detection notifications.
Failed webhook deliveries are retried with exponential backoff. Delivery records are retained for 30 days. Cloud Guardian is not responsible for data exposure resulting from misconfigured, insecure, or publicly accessible webhook endpoints. You should use HTTPS endpoints and implement appropriate authentication and authorization on your receiving infrastructure.
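The signature check recommended above can be implemented on the receiving side as follows. This is an added example, not code from Cloud Guardian: the Terms state only that deliveries are signed with HMAC-SHA256 using a per-connector secret, so the header names (X-Signature, X-Connector-Id), the "sha256=" hex encoding, signing over the raw request body, and all sample values are assumptions.

```python
import hashlib
import hmac

# Assumed wire format (not specified in the Terms): the signature arrives as
# "sha256=<hex>" in X-Signature, computed over the raw request body, and the
# connector is identified by X-Connector-Id.
SIG_HEADER = "x-signature"
CONNECTOR_HEADER = "x-connector-id"

# Constructed per-connector secrets; load these from a secret store in practice.
SECRETS = {
    "conn-a": b"constructed-secret-a",
    "conn-b": b"constructed-secret-b",
}

# Constructed sample payload; the event name is illustrative.
SAMPLE_BODY = b'{"event":"scan.completed","project":"demo"}'


def sign(secret: bytes, body: bytes) -> str:
    """Compute the signature value in the assumed 'sha256=<hex>' form."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_webhook(headers: dict, body: bytes) -> bool:
    """Accept a delivery only if its signature matches the connector's secret.

    The MAC is checked over the exact bytes received, before any JSON parsing,
    because re-serialising the payload can change whitespace or key order.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    secret = SECRETS.get(lowered.get(CONNECTOR_HEADER, ""))
    presented = lowered.get(SIG_HEADER, "")
    # Unknown connector, missing header, or wrong scheme: reject outright.
    if secret is None or not presented.startswith("sha256="):
        return False
    expected = sign(secret, body)
    # Constant-time comparison avoids leaking how many characters matched.
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    good = {
        "X-Connector-Id": "conn-a",
        "X-Signature": sign(SECRETS["conn-a"], SAMPLE_BODY),
    }
    print(verify_webhook(good, SAMPLE_BODY))         # valid delivery
    print(verify_webhook(good, SAMPLE_BODY + b" "))  # body altered in transit
```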
Cloud Guardian is open-source software. The source code is available on GitHub and is licensed under the terms specified in the repository. You are granted a license to use, modify, and distribute the software in accordance with the applicable open-source license terms. The Cloud Guardian name, logo, and branding are trademarks of Cloud Guardian and may not be used without permission.
You retain full ownership of all data within your GCP projects, all infrastructure metadata collected by Cloud Guardian, and any custom guardian rules, configurations, or other content you create within the platform. We claim no intellectual property rights over your data or configurations. Infrastructure-as-code fixes generated by the Gemini-powered fix agent or deterministic fixgen engine are provided for your use and become part of your codebase upon acceptance.
Cloud Guardian is currently in beta and is provided on an as-available basis. We do not guarantee any specific level of uptime, availability, or performance. The Service may experience planned maintenance windows, during which scanning, remediation, and API access may be temporarily unavailable. We will endeavor to provide advance notice of planned maintenance through the dashboard or status page when feasible.
During the beta period, no formal Service Level Agreement (SLA) is offered. We make commercially reasonable efforts to maintain service availability but do not guarantee uninterrupted operation. The Service depends on the availability of upstream providers including Google Cloud Platform, Firebase, Vercel, and GitHub, and outages in those services may affect Cloud Guardian functionality. We are not responsible for interruptions caused by upstream provider outages, network issues, or force majeure events.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, CLOUD GUARDIAN IS PROVIDED “AS IS” AND “AS AVAILABLE” WITHOUT WARRANTIES OF ANY KIND, WHETHER EXPRESS, IMPLIED, STATUTORY, OR OTHERWISE. WE EXPRESSLY DISCLAIM ALL IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, AND NON-INFRINGEMENT. WE DO NOT WARRANT THAT THE SERVICE WILL MEET YOUR REQUIREMENTS, OPERATE WITHOUT INTERRUPTION, OR BE ERROR-FREE.
We make no warranties or representations regarding the accuracy of cost projections, savings estimates, or optimization recommendations. Cost figures are derived from Cloud Monitoring and Cloud Billing APIs and may not reflect your actual billing due to sustained use discounts, committed use discounts, billing account configurations, or delays in billing data availability. You should independently verify all cost savings claims against your actual Google Cloud billing statements.
IN NO EVENT SHALL CLOUD GUARDIAN, ITS OFFICERS, DIRECTORS, EMPLOYEES, OR AGENTS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, DATA, USE, GOODWILL, OR OTHER INTANGIBLE LOSSES, ARISING FROM OR RELATED TO: (A) REMEDIATION ACTIONS APPLIED TO YOUR INFRASTRUCTURE, WHETHER MANUALLY APPROVED OR AUTO-EXECUTED; (B) SERVICE DOWNTIME OR INTERRUPTIONS; (C) INACCURATE COST PROJECTIONS, SAVINGS ESTIMATES, OR OPTIMIZATION RECOMMENDATIONS; (D) UNAUTHORIZED ACCESS TO OR ALTERATION OF YOUR DATA; (E) ANY THIRD-PARTY CONDUCT ON THE SERVICE; OR (F) ANY OTHER MATTER RELATING TO THE SERVICE. OUR TOTAL AGGREGATE LIABILITY SHALL NOT EXCEED THE AMOUNT YOU HAVE PAID US IN THE TWELVE MONTHS PRECEDING THE CLAIM.
You agree to indemnify, defend, and hold harmless Cloud Guardian and its officers, directors, employees, agents, and affiliates from and against any and all claims, damages, obligations, losses, liabilities, costs, and expenses (including but not limited to attorney's fees) arising from: (a) your use of and access to the Service; (b) your violation of these Terms; (c) your violation of any third-party rights, including any intellectual property, privacy, or contractual rights; (d) remediation actions executed on your infrastructure through the Service; or (e) any claim that your use of the Service caused damage to a third party.
This indemnification obligation survives the termination of your account and these Terms. We reserve the right, at your expense, to assume exclusive defense and control of any matter for which you are required to indemnify us, and you agree to cooperate with our defense of such claims. You will not settle any claim without our prior written consent.
You retain full ownership of all data within your GCP projects and all content you create within Cloud Guardian. We do not claim ownership of your infrastructure data, configurations, custom rules, or any other content you provide. We access your GCP project data solely for the purpose of providing the Service as described in these Terms and our Privacy Policy.
GCP service account credentials you provide are encrypted using envelope encryption (AES-256-GCM with Cloud KMS DEK wrapping) and are stored solely for the purpose of scanning and remediating your connected infrastructure. Credentials are decrypted only in memory during scan operations and are never logged, cached between cycles, or accessible to Cloud Guardian personnel in plaintext form.
You may revoke Cloud Guardian's access to your GCP projects at any time by deleting the associated connector (which permanently removes the encrypted credential) or by removing the service account's IAM bindings from your GCP project. Upon connector deletion or account termination, encrypted credentials are permanently removed from our systems immediately, and associated infrastructure data is deleted within 30 days as described in our Privacy Policy.
You agree not to use Cloud Guardian for any unlawful purpose or in any way that could damage, disable, overburden, or impair the Service. Specifically, you must not: attempt to gain unauthorized access to other users' accounts, organizations, or data; use the Service to scan or remediate GCP projects you do not own or have authorization to manage; reverse engineer, decompile, or disassemble any part of the Service (except as permitted by applicable open-source licenses); transmit malicious code, viruses, or harmful data through the Service; or use automated tools to excessively load or scrape the Service beyond normal API usage patterns.
Cloud Guardian implements rate limiting on API endpoints to ensure fair usage and service stability. You must not attempt to circumvent rate limits or abuse API endpoints. Excessive usage that degrades service quality for other users may result in temporary throttling or account suspension. We reserve the right to establish and enforce usage quotas at our discretion.
Cloud Guardian is currently offered as a free beta service. During the beta period, all features are available at no charge to registered users. The beta period allows us to refine the platform based on real-world usage and user feedback. We make no guarantees regarding the duration of the beta period or the continued availability of any specific feature.
When Cloud Guardian transitions to a paid service, users who participated in the beta program will be offered grandfathered pricing that reflects their early adoption and contribution to the platform's development. The specific terms of grandfathered pricing will be communicated at least 30 days before any paid tier takes effect. You will not be charged for any service without explicit opt-in to a paid plan.
Beta features may be experimental and subject to change, deprecation, or removal without notice. We may introduce, modify, or discontinue features during the beta period based on technical requirements, user feedback, or strategic decisions. We encourage beta users to provide feedback through the dashboard feedback mechanism or by contacting us directly.
You may terminate your account at any time by requesting account deletion through the Cloud Guardian dashboard or by contacting us at legal@cloudguard.dev. Upon account termination, your personal information, organizational memberships (if you are the sole owner, the organization will also be deleted), connected project data, encrypted credentials, and all associated records will be deleted within 30 days in accordance with our Privacy Policy.
We may suspend or terminate your access to the Service immediately and without prior notice if: (a) you violate these Terms or any applicable laws; (b) you engage in abusive, fraudulent, or harmful use of the Service; (c) your use poses a security risk to the Service or other users; or (d) continued provision of the Service to you becomes commercially impracticable. We may also discontinue the Service entirely with 30 days' advance notice. Upon any termination, your right to use the Service ceases immediately, and we may delete your data in accordance with our retention policies.
We reserve the right to modify these Terms at any time. When we make changes, we will update the “Last updated” date at the top of this page. For material changes that significantly affect your rights or obligations, we will provide notice through the Cloud Guardian dashboard and/or email notification at least 14 days before the changes take effect.
Your continued use of Cloud Guardian after any modifications to these Terms constitutes your acceptance of the revised Terms. If you do not agree to the modified Terms, you must stop using the Service and may request account termination. It is your responsibility to review these Terms periodically. Prior versions of these Terms are available upon request.
These Terms shall be governed by and construed in accordance with the laws of the Commonwealth of Australia, without regard to its conflict of law provisions. Any disputes arising out of or relating to these Terms or your use of the Service shall be subject to the exclusive jurisdiction of the courts located in Victoria, Australia.
If any provision of these Terms is held to be invalid, illegal, or unenforceable by a court of competent jurisdiction, such provision shall be modified to the minimum extent necessary to make it valid and enforceable, or if modification is not possible, shall be severed from these Terms. The invalidity of any provision shall not affect the validity or enforceability of the remaining provisions. Our failure to enforce any right or provision of these Terms shall not constitute a waiver of such right or provision.
If you have questions about these Terms of Service, please contact us at legal@cloudguard.dev. For privacy-related inquiries, please refer to our Privacy Policy or contact us at privacy@cloudguard.dev. For urgent security concerns, including suspected credential compromise or unauthorized access, please contact us immediately at both email addresses.