FAQ

How secure is Turn It Off? How do I lock down the tool?

Turn It Off is built with security as a top priority. We offer a detailed security whitepaper, available upon request, which outlines our approach to safeguarding your environment. Our access to your environment is managed through IAM roles and service principals, allowing you full control over the scope of access. You can lock down access to specific resources or resource groups by account, subscription, or even tag. We have no access to data on your infrastructure at any time.

The agent aspect of the product is inherently secure because the agent operates entirely within your environment, not ours, ensuring that sensitive data and control remain within your own infrastructure.

Additionally, our internal processes follow ISO 27001-compliant practices (certification in progress), ensuring the highest standards of data protection. It’s important to note that we do not have direct access to any individual client account.

Does the Turn It Off page authenticate users or is it open to anyone?

The security of the Turn It On page depends on how you currently authenticate the endpoint. If you’re restricting access using Security Groups (SGs), Auto Scaling Groups (ASGs), Network Security Groups (NSGs), or by IP address, the same security measures will apply to the Turn It On page. However, if you’re using browser-based authentication (which prompts a login popup), the page would be open to anyone.

In those cases, we recommend relying on schedules and intelligent latency detection rather than using the Turn It Off page. You can always use the Turn It Off portal to bring environments back online when needed, ensuring secure and efficient management.

What data do we store from the cloud?

We store only the data that is returned from the cloud provider’s APIs, which typically includes basic information such as:

  • Resource ID
  • Resource Name
  • Tags
  • Sizing details
  • Some configuration options that have been specified

This minimal data allows us to manage and optimise your resources without storing any sensitive information.

What user data do we store and how do we use it?

We only store minimal user data, including names, email addresses, company names, and addresses—all of which fall under non-special category data in terms of GDPR. This means that the data we collect does not include sensitive information like health, race, or political views, and is considered less sensitive under data protection regulations. Additionally, all financial and card details are securely stored by our global payment partner, Stripe. We do not have access to or store any of your payment information, ensuring your financial data remains protected.
