Security & trust

Designed audit-ready. Verified by independent auditors.

A finance system touches every billing line in your business. We built InstantViewAI to the standard your auditors will eventually hold it to — read-only cloud access, isolated tenants, KMS envelope encryption, EU/US data residency, and an immutable audit trail by default. SOC 2 Type II audit underway.

Trust at a glance
  • SOC 2 Type I complete · Type II audit in progress · report Q3 2026
  • ISO 27001 · readiness assessment Q4 2026
  • GDPR-aligned · EU-first by design
  • EU data residency · standard, US optional
  • Annual pen-test by independent firm
Trust documents (DPA, security questionnaire, subprocessor list, pen-test summary) available on request.
Architecture

Read-only by default. Multi-tenant, isolated.

InstantViewAI never needs write access to your cloud accounts. Read-only billing, inventory, and utilization access is enough — and it means a worst-case incident on our side cannot start, stop, or change anything in your environment. Period.

  • Read-only IAM scoped to billing & inventory APIs
  • Per-customer Keycloak realm — no shared identity
  • Per-customer dataset in BigQuery + isolated PostgreSQL schema
  • Dedicated environment option (Enterprise plan)
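As an added example (not part of InstantViewAI's page or code), here is a small Python check a customer could run over the IAM policy a vendor asks them to attach before granting it: it flags any Allow action that is not a read-only verb, any wildcard, any NotAction, and the few read actions that expose secrets rather than billing data. Action names follow AWS naming conventions; the sample policy and bucket name are constructed for illustration.

```python
"""Lint an AWS-style IAM policy document for anything that is not read-only.
Added example, not vendor code; the sample policy below is constructed."""
import json

# Verb prefixes that denote read operations in AWS-style action names.
READ_ONLY_PREFIXES = ("Get", "List", "Describe", "View", "BatchGet")

# Read actions that are still dangerous to hand out: they return secrets or
# plaintext, not billing or inventory metadata (assumed denylist, extend as needed).
SENSITIVE_READS = {
    "secretsmanager:GetSecretValue",
    "ssm:GetParameter",
    "ssm:GetParameters",
    "kms:Decrypt",
}

def is_read_only_action(action: str) -> bool:
    """True only for 'service:Verb...' with a read verb and no wildcard."""
    if "*" in action or "?" in action:
        return False
    service, _, verb = action.partition(":")
    if not service or not verb or action in SENSITIVE_READS:
        return False
    return verb.startswith(READ_ONLY_PREFIXES)

def find_write_grants(policy: dict) -> list[str]:
    """Return every Allow grant that is not provably read-only."""
    offenders = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue          # Deny statements cannot widen access
        if "NotAction" in stmt:
            offenders.append("NotAction (allows everything not listed)")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        offenders.extend(a for a in actions if not is_read_only_action(a))
    return offenders

# Constructed sample: a vendor-supplied policy that is only "mostly" read-only.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ce:GetCostAndUsage", "cur:DescribeReportDefinitions"], "Resource": "*"},
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::example-billing-exports/*"},
    {"Effect": "Deny",  "Action": "iam:DeleteRole", "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    print("not read-only:", find_write_grants(SAMPLE_POLICY))  # ['s3:*']
```

An empty result means every Allow grant uses a read verb; it does not prove the Resource scope is tight, so review that by hand as well.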
Data flow
  Your cloud / AI providers (GCP · AWS · Azure · OpenAI · Anthropic)
    ↓ Read-only billing & inventory
  InstantViewAI ingestion (TLS 1.3) · Encrypted at rest (KMS)
    ↓ Per-tenant isolation
  Your tenant (EU / US) · Keycloak realm + dataset
    ↓ SSO + RBAC
  Your users · SAML / OIDC
Onboarding effort

What we'll need from your team — exactly.

No agents to install. No write permissions. The total ask on your side is roughly 2 – 3 hours of your team's time in week 1, then about 30 minutes a week thereafter.

WEEK 1 (~2 – 3 hours, your team)
  • 30 min: grant read-only role to billing exports (GCP / AWS / Azure)
  • 30 min: provide API keys for OpenAI / Anthropic (or skip if not used)
  • 60 min: walk us through your org chart and BUs once
  • 30 min: configure SSO (SAML or OIDC) with your IdP
Delivered by end of week 2: your first attributed cost report.
ONGOING (~30 min / week)
  • Approve flagged budget variances in the inbox
  • Review the scheduled report we send before your board pack
  • Update the org chart if a team or BU moves
  • Nothing else. No daily babysitting.
All other config tweaks come from us — you focus on decisions, not maintenance.
NEVER: What we don't ask for
  • Write permissions in your cloud accounts
  • Agents installed inside your environments
  • Access to production data, code, or secrets
  • Your engineering team's roadmap time
A worst-case incident on our side cannot change anything in your environment.
Pillars

Security across the stack.

Encryption

  • TLS 1.3 in transit
  • AES-256 at rest
  • GCP KMS envelope encryption for secrets
  • BYOK supported on Enterprise

Identity & access

  • Keycloak realm per customer
  • SAML 2.0 + OIDC SSO
  • Role-based access control (RBAC)
  • MFA enforced for admin roles

Audit trail

  • Immutable, write-once events
  • Every material state change recorded
  • Audit-log export to S3 / GCS
  • Auditor-ready out of the box

Data residency

  • EU (Netherlands · europe-west4) standard
  • US (us-central1) optional
  • UK on Enterprise plan
  • No cross-region replication of customer data

Operational security

  • Annual third-party pen-test
  • Dependency scanning + SBOM
  • Least-privilege engineer access
  • Background checks on all staff

Incident response

  • 24-hour notification SLA for confirmed incidents
  • Documented IR playbook with quarterly drill
  • Public status page (status.instantview.ai)
  • Root-cause analysis shared with affected customers
Compliance

Where we are. Where we're going. Dated commitments.

We're explicit about which certifications are in place, which are in progress, and when the report will land. No "compliance theater."

Standard | Status | Target / report date | Notes
SOC 2 Type II | In audit | Report expected Q3 2026 | Type I completed; Type II observation period underway with Big-4 auditor.
GDPR | Aligned | In place | DPA available. EU-first architecture. Designated EU Data Protection contact.
ISO 27001 | Planned | Readiness Q4 2026 · cert Q2 2027 | Following SOC 2 audit. ISMS framework in build.
CSA STAR Level 1 | Self-assessed | Submitted | Cloud Security Alliance CAIQ available on request.
Penetration test | Annual | Last: Q1 2026 · next: Q1 2027 | Independent firm. Executive summary available under NDA.
Subprocessors

The third parties we use, what they process, and where.

Provider | Purpose | Data | Region
Google Cloud Platform | Hosting, compute, BigQuery, KMS | All customer data | EU (europe-west4) / US (us-central1)
Keycloak (self-hosted on GCP) | Identity & SSO | User identity | EU / US
Mailjet | Transactional email + scheduled reports | Email, attachments | EU (France)
Sentry | Error monitoring | Application errors (no customer PII) | EU

We give 30 days' advance notice of any subprocessor change. Subscribe to these notices via the trust portal — contact security@instantview.ai.

Responsible disclosure

Found a vulnerability? Tell us.

We run a coordinated disclosure programme. Submit findings to security@instantview.ai — PGP key on the site. We acknowledge within 48 hours, triage within 5 working days, and pay bounties on a published severity scale.

Contact
Security & vulnerabilities: security@instantview.ai
Privacy / GDPR: privacy@instantview.ai
Trust documents (DPA, SOC 2, pen-test, CAIQ): trust@instantview.ai
Status page: status.instantview.ai

Need our security pack for procurement?

SOC 2 audit-progress letter, CAIQ, pen-test summary, DPA, subprocessor list, and security questionnaire responses — bundled and sent within one business day.