ConformScan is built from the ground up for EU data sovereignty. We never access, modify, or store your cloud credentials. Here is exactly how we protect your information.
We only request read-only permissions to your cloud account. ConformScan never creates, modifies, or deletes any resource in your infrastructure.
All data is encrypted at rest (AES-256) and in transit (TLS 1.3). Database connections use encrypted channels. API keys are hashed before storage.
All infrastructure runs on Netcup servers located in Germany. Your data never leaves the EU. No US subprocessors, no transatlantic data transfers.
We only store scan metadata and compliance results. We do not store your cloud credentials — we use temporary cross-account IAM roles.
Unlike most compliance tools, we use no US-based services. No AWS, no GCP, no Datadog, no Sentry. 100% European infrastructure stack.
A simple, auditable architecture designed for EU compliance from day one.
You deploy a CloudFormation stack (or Terraform module) in your AWS account that creates an IAM role with ReadOnlyAccess. You control the trust policy — you can revoke access at any time.
Our scanner uses AWS STS AssumeRole to obtain temporary credentials (valid for 1 hour). We never see or store your root credentials, access keys, or secrets.
Each scan runs in a dedicated container on our German servers. Prowler and Checkov check your configuration against the selected frameworks. No data leaves Germany.
Scan results (compliance scores, finding metadata) are stored in PostgreSQL with AES-256 encryption at rest. Raw cloud API responses are discarded after processing.
Access your results via the dashboard or REST API. Generate PDF reports for auditors. Delete your data at any time — we support full data portability and erasure (GDPR Art. 17 & 20).
This is the exact IAM policy ConformScan requires. Read-only access, nothing more. You can audit every permission.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::CONFORMSCAN_ACCOUNT_ID:root"
      },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": {
          "sts:ExternalId": "YOUR_EXTERNAL_ID"
        }
      }
    }
  ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ConformScanReadOnly",
      "Effect": "Allow",
      "Action": [
        "iam:Get*",
        "iam:List*",
        "s3:GetBucketPolicy",
        "s3:GetEncryptionConfiguration",
        "ec2:Describe*",
        "rds:Describe*",
        "cloudtrail:GetTrailStatus",
        "kms:ListKeys",
        "sts:GetCallerIdentity"
        /* ... view full policy in the app ... */
      ],
      "Resource": "*"
    }
  ]
}
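Auditing the two policies above is easy to automate. The following is an added example (not ConformScan's code) that checks the trust policy for the two things a cross-account role must get right (a specific principal and an sts:ExternalId condition, which is the confused-deputy mitigation) and lists any action in the permissions policy whose verb is not Get/List/Describe. It embeds the page's policies with their placeholder IDs; the elided remainder of the permissions policy is not included.

```python
# Read-only/trust-policy audit for a cross-account scanner role (added example).
# Policies below are the page's excerpts; IDs are the page's placeholders.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::CONFORMSCAN_ACCOUNT_ID:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "YOUR_EXTERNAL_ID"}},
    }],
}
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "ConformScanReadOnly",
        "Effect": "Allow",
        "Action": ["iam:Get*", "iam:List*", "s3:GetBucketPolicy",
                   "s3:GetEncryptionConfiguration", "ec2:Describe*", "rds:Describe*",
                   "cloudtrail:GetTrailStatus", "kms:ListKeys", "sts:GetCallerIdentity"],
        "Resource": "*",
    }],
}
READ_ONLY_PREFIXES = ("Get", "List", "Describe")  # assumed definition of "read-only"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy):
    """Return a list of problems with the AssumeRole trust policy (empty = OK)."""
    problems = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "sts:AssumeRole" not in _as_list(stmt.get("Action")):
            continue
        principal = stmt.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))):
            problems.append("trust policy allows any AWS principal to assume the role")
        if "sts:ExternalId" not in stmt.get("Condition", {}).get("StringEquals", {}):
            problems.append("no sts:ExternalId condition (confused-deputy risk)")
    return problems


def non_read_only_actions(policy):
    """Return every allowed action whose verb is not a Get/List/Describe call."""
    flagged = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            verb = action.split(":", 1)[1] if ":" in action else action
            if action == "*" or not verb.startswith(READ_ONLY_PREFIXES):
                flagged.append(action)
    return flagged
```

Run the same two functions over the full policy downloaded from the app; any wildcard principal, missing external ID, or non-read verb is a finding to raise before deploying the stack.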
Role: Reader (built-in)
Scope: Subscription level
Assignment:
az role assignment create \
  --assignee <CONFORMSCAN_SERVICE_PRINCIPAL_ID> \
  --role "Reader" \
  --scope /subscriptions/<YOUR_SUBSCRIPTION_ID>
100% hosted in Germany. Built with modern, secure open-source technologies.
Karlsruhe, Germany
Encrypted at rest (AES)
Containerized
EU-only data flow
No. We only request read-only permissions (AWS ReadOnlyAccess / Azure Reader). ConformScan cannot create, modify, or delete any resource. You can verify this by auditing the IAM policy above.
All data is stored on Netcup servers in Karlsruhe, Germany. We do not use any US-based cloud providers (no AWS, no GCP, no Azure for our own infrastructure). Your data never leaves the EU.
Yes. You can delete your account and all associated scan data at any time from the dashboard. We support GDPR Article 17 (Right to Erasure) and Article 20 (Data Portability). Deleted data is purged from all systems within 24 hours.
No. We use AWS STS AssumeRole with an external ID. You create an IAM role in your account with a trust policy pointing to our AWS account. We never see or store your access keys or secrets.
Yes. For Enterprise clients who require full data sovereignty, ConformScan can be deployed entirely within your own infrastructure. You get private Docker images, a license key, and installation support. Contact us for details.
5 free scans per month. No credit card required. Your data stays in Germany.
Start Free Scan