Information Trust Center
How CloudMonitor handles your data — in one place.
Security certifications, data residency, sub-processors, audit reports, and security contacts. Updated quarterly.
Certifications & frameworks
Independently audited. Continuously assured.
CloudMonitor is certified to ISO/IEC 27001, ISO 9001, and ISO/IEC 42001 (AI Management System), and is a member organization of the FinOps Foundation.
- ISO/IEC 27001: Information security · current
- ISO 9001: Quality management · current
- ISO/IEC 42001: AI management system · current
- FinOps Foundation: Member organization
- Microsoft: Solutions Partner · Cloud
Data handling
Your data, in the region you choose.
CloudMonitor is a hosted SaaS platform. Your billing data is processed inside CloudMonitor and stored in your chosen data residency region, isolated per customer.
Read access is scoped to your billing data only — no write permissions, no access to workloads, no ability to change configuration. You can revoke our access from the Azure portal at any time.
- Encrypted in transit and at rest
- Scoped read-only access to billing data
- Scope-bound to billing metadata
- Revocable from the Azure portal
Sub-processors
A short, audited list of sub-processors.
CloudMonitor relies on a small, audited list of sub-processors for product hosting, support, and analytics. The full list is maintained in the security pack and updated quarterly.
No sub-processor receives your billing or telemetry data — it stays inside CloudMonitor's per-customer isolation in your chosen region.
- Microsoft Azure (hosting CloudMonitor management plane)
- Microsoft Entra ID (auth)
- Atlassian (support ticketing)
- Pendo (anonymised in-product analytics)
Data residency
Pick your data residency region.
At sign-up, choose the Azure region where your billing data will be stored and processed — Australia, EU, US, or any other supported region. Your data does not leave that region.
CloudMonitor's control plane (where we operate the platform from) is hosted in Australia East. Customer billing data is held in the customer's chosen region only.
FAQ
Trust & security questions
Do you store or process our billing data?
CloudMonitor is a hosted SaaS platform: your billing data is ingested and processed inside CloudMonitor, stored in your chosen region, encrypted in transit and at rest, and isolated per customer. CloudMonitor staff access is restricted, audited, and gated by least-privilege controls.
Can we get your SOC 2 report?
CloudMonitor is ISO/IEC 27001 certified, which covers the same controls. We can share the certificate and a Stage 2 audit summary under NDA — request the Security Pack.
How do you govern the AI and agentic features?
CloudMonitor operates a certified AI management system under ISO/IEC 42001 — covering AI risk assessment, transparency, human oversight, and lifecycle controls. Every agentic FinOps action runs against scoped permissions, an approval workflow, and a reversible audit trail.
How do you handle a breach?
CloudMonitor maintains an incident response plan aligned to ISO 27001 Annex A.16. Customers are notified within 24 hours of confirmation of any incident affecting their tenant.
Can we run a penetration test?
Yes — coordinate via Customer Success. We support customer-initiated pen tests against the CloudMonitor app and admin app surfaces.
What happens to our data if we cancel?
When you cancel, revoke CloudMonitor's access from your Azure portal and request data deletion. We delete your data within 30 days; nothing is retained beyond contractual backup windows.
Need to brief your security team?
We provide NDAs, security questionnaires, and SOC documentation on request.