Skip to main content

InfraMind — SaaS Product

Privacy Policy

How SolidStack collects, uses, and protects your data when you use InfraMind.

Last updated: April 22, 2026

Scope of this policy

This policy applies to InfraMind, the AWS infrastructure scanner, diagram generator, Terraform exporter, AI analysis tool, and compliance reporting service operated by SolidStack FZ-LLC ("SolidStack", "we", "us"). It describes how we process data that you, your users, and your AWS accounts generate when using the service.

SolidStack's general website and consultancy privacy notice is published separately at /privacy-policy. The present document governs the InfraMind product only. Where the two overlap, this document controls for InfraMind-related processing.

By creating an InfraMind account or connecting an AWS account to InfraMind, you acknowledge the practices described here.

Information we collect

Account information

Email address, hashed password, organization name, member role, and — for programmatic access — SHA-256 hashes of the API keys you generate. Plaintext keys are shown to you once at creation and never stored.

Billing information

If you subscribe directly, Stripe processes and stores card details; we receive only a customer ID, subscription status, and invoice metadata. If you subscribe through AWS Marketplace, AWS bills you and we receive entitlement and usage reports only.

AWS connection details

The IAM role ARN plus external ID you configure for cross-account access, or — for SSO — a refresh-capable access token scoped to the role you select in AWS IAM Identity Center. These are used only to assume the role you granted and can be revoked by you at any time.

AWS infrastructure metadata

Configuration of resources returned by AWS describe/list APIs across the ~55 services we support (e.g. EC2 instance types, security group rules, S3 bucket policies, RDS encryption flags). We do not read data inside your buckets, databases, queues, objects, or logs — only metadata about them.

Generated artefacts

Diagrams (Mermaid), Terraform HCL + import blocks, AI analysis reports, and compliance reports derived from your crawl snapshots.

Usage & diagnostic data

Metered events for billing (crawl counts, analyses run, resources scanned), request logs, and error traces. Logs are scrubbed of credentials and full resource state.

How AWS credentials are used

InfraMind accesses your AWS environment with read-only, customer-granted credentials. You retain control at all times.

  • For IAM role connections: you create a role in your account whose trust policy names our service principal and an external ID we provide. We call sts:AssumeRole at the moment a job runs; the resulting short-lived session credentials are held only in process memory and expire automatically.
  • For SSO connections: we store a refresh-capable access token obtained via AWS IAM Identity Center, scoped to the role and permission set you select. The token can be revoked from IAM Identity Center at any time.
  • We recommend attaching only the AWS-managed ReadOnlyAccess policy (or a narrower equivalent) to the role you grant. InfraMind does not call write or delete APIs and cannot modify your infrastructure.
  • Credentials are never logged, never sent to AI providers, and never shown to other organisations.

How we use the data

  • Operate the service: run crawls, generate diagrams, export Terraform, produce AI analyses and compliance reports.
  • Detect infrastructure changes between crawl snapshots and notify you when drift is found.
  • Enforce plan limits, meter usage, produce invoices, and prevent abuse.
  • Send transactional emails (crawl complete, analysis ready, invitations, billing events).
  • Respond to support requests and investigate security incidents.
  • Improve the product in aggregate — we do not use your AWS metadata to train AI models.
  • Comply with legal obligations and lawful requests from authorities with jurisdiction.

AI processing

When a user in your organisation runs an AI analysis or compliance report, we send the crawl snapshot (AWS resource metadata) and a task-specific prompt to the AI provider your organisation has selected.

  • AWS Bedrock (default): runs inside the AWS region configured for your organisation. Bedrock does not use your prompts or outputs to train foundation models.
  • Anthropic API (opt-in): requests go to Anthropic under their standard commercial terms. Anthropic does not use API inputs or outputs to train models by default.
  • Compliance reports combine your metadata with official framework rules published by authoritative sources (Prowler / AWS Config conformance packs for CIS, PCI DSS, HIPAA, SOC 2, ISO 27001, GDPR technical controls, NIST SP 800-53, FedRAMP). The AI interprets your state against those rules — it does not invent compliance requirements.
  • AI outputs are informational. They are not legal, audit, or certification advice. You are responsible for reviewing recommendations before acting on them.

Subprocessors

We use the following subprocessors to deliver InfraMind. Each is bound by a written contract that restricts use of customer data to the purposes described here.

Amazon Web Services (AWS) — US / EU / UAE regions

Hosts the InfraMind service (ECS, RDS Aurora, ElastiCache, S3), provides cross-account STS AssumeRole, and — when selected by your organisation as the AI provider — runs Claude models on AWS Bedrock. Data stays within the AWS region you choose.

Anthropic PBC — optional AI provider

If your organisation switches the AI provider from Bedrock to Anthropic, AI analysis requests (crawl metadata + prompts) are sent to Anthropic's API. Not used for training by default. You can stay on Bedrock to keep AI processing inside AWS.

Stripe, Inc. — direct billing

Processes subscriptions and card payments for customers who subscribe through our website. Stripe acts as an independent controller for payment data.

AWS Marketplace — marketplace billing channel

For customers who subscribe via AWS Marketplace, AWS handles billing, tax, and payment and shares entitlement/usage records with us.

Google Workspace (SMTP) — transactional email

Sends account notifications (crawl complete, analysis ready, invitations, billing alerts). Emails contain only your email address and the event context.

Tenant isolation and security

  • Every database query is scoped to your organisation ID; no cross-tenant reads are possible through the API.
  • Stored artefacts are namespaced in S3 under orgs/{orgId}/crawls/{crawlId}/... with per-tenant IAM boundaries.
  • Passwords are hashed with a modern password hashing function; API keys are stored as SHA-256 hashes.
  • JWT access tokens are short-lived (15 minutes); refresh tokens are rotated.
  • Cross-account role assumption requires an external ID supplied by us to prevent confused-deputy attacks.
  • Data is encrypted in transit (TLS 1.2+) and at rest (AWS-managed KMS keys).
  • Secrets are held in AWS Secrets Manager, not environment variables, in production.
  • Access to production systems is restricted to authorised engineers and audited.
  • No security system is perfect. We maintain incident response procedures and will notify affected customers of material breaches without undue delay.

Data retention

  • Free tier: crawl snapshots and generated artefacts are retained for 90 days, then deleted automatically.
  • Paid tiers: retained for the life of the subscription unless you delete them sooner.
  • Billing records are retained for the period required by applicable tax law (typically 5+ years).
  • Authentication logs are retained for 90 days.
  • When you delete an organisation, we remove crawl data and artefacts within 30 days. Backups expire on their own schedule (≤ 35 days).
  • You can export or delete data at any time from the dashboard or by emailing us.

International data transfers

InfraMind runs in AWS regions selected for each organisation. Where data crosses borders (for example, engineering support from the UAE to an EU-hosted tenant), we rely on Standard Contractual Clauses or equivalent safeguards under applicable data protection laws.

Your rights

Subject to applicable law (UAE PDPL, EU/UK GDPR, California CCPA, and others), you may:

  • Access the personal data we hold about you and the organisation you administer.
  • Correct inaccurate information.
  • Request deletion of your account and associated personal data.
  • Export your crawl data, reports, and audit trail.
  • Object to or restrict certain processing, and withdraw consent where processing is based on consent.
  • Lodge a complaint with your local data protection authority.

To exercise these rights, email legal@solidstack.ae from the address associated with your account. We respond within 30 days.

Children

InfraMind is not directed at individuals under 16 and is intended for business use. We do not knowingly collect personal data from minors.

Changes to this policy

We may update this policy to reflect changes in the service, subprocessors, or applicable law. Material changes will be announced by email to account owners and surfaced in the dashboard at least 14 days before they take effect. The "last updated" date above always reflects the current version.

Contact us

Questions about this policy, subprocessors, or a data subject request:

Email: legal@solidstack.ae

SolidStack FZ-LLC · Dubai Silicon Oasis, Dubai, United Arab Emirates

See also the InfraMind Terms of Service.