Privacy Policy

Last updated: January 30, 2025 · Replace with final version before paid launch.

This Privacy Policy describes how IAM Armor collects, uses, and protects your information when you use our Service.

Our core data commitment

We never store your IAM policies or Terraform source code. Pull request diffs are parsed in memory to perform the analysis and are discarded immediately after the Check Run result is posted to GitHub. No Terraform source code, no IAM policy documents, and no credential data ever touches our persistent storage.

1. Information We Collect

GitHub data: If you install future hosted integrations (such as a GitHub App), we may receive repository metadata required to provide that integration.

PR diffs (transient): We receive the diff of pull requests that touch .tf files to perform IAM policy analysis. This data is processed entirely in memory and is never written to persistent storage. See Section 6A.

Usage data: We collect anonymized usage metrics (rule trigger counts, scan durations) to improve the Service. These metrics do not include source code content.

2. How We Use Your Information

To perform IAM policy analysis and return scanner results
To provide your usage dashboard
To send product update emails (with your consent)
To improve the Service

3. Data Retention

Check run results (pass/fail status, violation counts, rule IDs) are retained for 90 days. Pull request diffs and Terraform source code are never retained. We do not store your IAM policy documents.

4. Data Sharing

We do not sell your data. We share data only with service providers necessary to operate the Service (cloud infrastructure, error monitoring), or when required by law.

5. Security

We use industry-standard security practices including encryption in transit (TLS 1.2+) and at rest. Access to production systems is restricted to authorized personnel.

6A. IAM Policy and Terraform Source Code — Extended Commitment

This section formalizes our commitment regarding the most sensitive data we handle:

No storage: We never write Terraform source code, IAM policy documents, or AWS resource ARNs from your code to any database, log file, or object storage.
In-memory only: Analysis is performed in a short-lived, sandboxed compute environment. The diff content is loaded, analyzed, and the result is posted to GitHub within seconds. The process then terminates and memory is released.
No live AWS connection: iam-armor does not connect to your AWS accounts. Analysis is performed solely on your IaC files.
No model training: Your code is never used to train machine-learning models.

7. Your Rights

You may request deletion of your data at any time by disabling hosted integrations (if enabled) and emailing [email protected]. We will delete your account data within 30 days.

8. Contact

For privacy questions, contact us at [email protected].