Trust center

Security by architecture, not by checklist.

TurboFinOps treats tenant isolation, encrypted credentials, guarded actions and audit trails as first-class architecture — not bolt-on policies.

Controls

Layered defense, audit-ready.

Authenticated access

Supabase Auth sessions, organization context and server-side RBAC guard sensitive workflows.

Tenant isolation

Every tenant data path is scoped to organizationId before resources, findings or actions are returned.

Encrypted credentials

Cloud credentials and AI keys are encrypted at rest, never logged, and never returned to the client.

Immutable audit trail

State-changing operations produce audit logs with actor, timestamp, action and result.

Architecture

Four layers, one trust model.

Controls are distributed across API, workers, data access and governance workflows so no single UI state is trusted as the source of authorization.

  1. Control plane: Auth, RBAC, request validation, tenant context
  2. Execution plane: BullMQ workers, state machines, credential scoping
  3. Data layer: Prisma models, organization scoping, encrypted secrets
  4. Governance layer: Rules, action guardrails, evidence artifacts

Processed

  • Cloud resource metadata
  • Findings and scores
  • Action and audit history
  • Integration configuration

Not processed

  • Storage object contents
  • Customer application logs
  • Customer workload end-user records
  • Network packet data

Certification status

TurboFinOps is building toward formal third-party certifications. Enterprise teams can request current controls, architecture details and readiness documentation.

Get started

Find recoverable spend before the next invoice lands.

Connect one AWS, Azure or GCP scope, approve the safest savings actions, and give finance a receipt when the savings verify.

Read-only scan first. Approval gates before remediation.