Cloud credentials stay in the customer environment. Hosted services stay narrow in scope.
Cloud Waste Scanner separates product delivery from cloud inspection. The hosted side handles downloads, licensing, purchase lifecycle, and documentation. Provider credentials, scans, and day-to-day cloud access stay on the machine or network where the customer runs the app.
Stored locally
Credentials and scan context
Provider keys and account settings remain under customer control by default.
Called directly
Provider APIs
The desktop app connects from the customer environment instead of tunneling cloud access through a hosted proxy.
Handled by service
Licensing, payments, docs
Operational support data is limited to the product service boundary and policy-covered workflows.
Trust Boundary
Local scope and hosted scope
Customer side
The installed app stores provider credentials locally, runs scans from the customer environment, and exports PDF or CSV evidence for internal review.
Provider side
Cloud provider APIs are contacted directly through the customer network path, including direct internet or approved proxy routes.
Hosted side
The public service supports downloads, licensing, payment lifecycle, refunds, docs, and support communications. It is not the default execution path for cloud discovery.
Boundary view
1. Customer environment
Desktop app, local credential store, scan execution, report export.
2. Cloud providers
AWS, Azure, GCP, storage platforms, and other supported runtimes.
3. Hosted service scope
Downloads, entitlement checks, order records, support messages, docs, and public site operations.
Control Surface
Security review points buyers usually ask first
| Area | Current posture | Where to verify |
|---|---|---|
| Credential custody | Stored locally on the device running the application. | Provider credential reference |
| Inspection traffic | Provider APIs are contacted directly from the customer environment. | Cloud accounts and proxy |
| Hosted service data | Licensing, orders, refunds, docs, and support workflow records. | Privacy Policy |
| Payment processing | Processor-hosted checkout through Paddle. | Pricing · Refund Policy |
| Support evidence | Customers choose what logs or references to share for diagnosis. | Troubleshooting FAQ |
Review Packet
Use these pages together during technical due diligence
Privacy Policy
Review what the public service stores and what remains outside the hosted boundary.
Terms of Service
Check commercial terms, usage expectations, and payment-service alignment.
Architecture references
See provider setup, proxy guidance, troubleshooting, and reporting flows.
Company page
Review product direction, operating model, and support channels from the public site.
FAQ
Common security review questions
Do you have access to my cloud account?
No. In the default product workflow, provider credentials remain local and the hosted service does not proxy cloud inspection calls.
What permission level is recommended?
Read-only scope is recommended for discovery. If a team later enables cleanup actions, write access should be limited to the resource classes they intentionally manage.
Does the product work behind a corporate proxy?
Yes. Proxy routing is supported and can be configured for restricted or segmented network environments.
Validate the trust boundary with the product, the docs, and the published security path in one flow.
Save your first $1,000 before the next billing cycle.