
CloudAct.ai Achieves SOC 2 Type II Certification for Enterprise Security

CloudAct.ai completes SOC 2 Type II audit, reinforcing enterprise-grade security for its cloud cost management platform handling sensitive financial data.

CloudAct.ai Team
Oct 1, 2025 · 4 min read

SUNNYVALE, Calif. — October 1, 2025. CloudAct.ai, the intelligent cloud cost management platform for modern enterprises, today announced it has successfully completed its SOC 2 Type II audit, with the auditor's report covering all five Trust Services Criteria: Security, Availability, Processing Integrity, Confidentiality, and Privacy. The report validates that CloudAct.ai maintains rigorous, enterprise-grade security controls for organizations entrusting the platform with sensitive cloud spending and financial data.

The SOC 2 Type II examination, conducted by an independent third-party auditor over a six-month observation period, confirmed that CloudAct.ai's security infrastructure, operational processes, and data handling practices meet the stringent standards set by the American Institute of Certified Public Accountants (AICPA). The audit evaluated controls across the company's entire platform stack, including its multi-tenant data architecture, API authentication layer, encryption systems, and access management protocols.

A Milestone for Security-First FinOps

Cloud cost management platforms occupy a uniquely sensitive position within enterprise infrastructure. They ingest billing data from every cloud provider, GenAI service, and SaaS subscription an organization uses — providing a comprehensive financial picture that demands the highest levels of data protection.

"Security isn't a feature we bolt on — it's the architectural foundation everything else is built upon. From day one, CloudAct.ai was designed with a security-first mindset, and achieving SOC 2 Type II certification is the independent validation that our approach works. Our customers handle millions of dollars in cloud spend through our platform, and they deserve absolute confidence that their data is protected at every layer."

— Priya Mehta, Chief Information Security Officer, CloudAct.ai

The certification comes at a critical time for the FinOps industry. As enterprises accelerate cloud adoption and GenAI spending, the volume of sensitive cost and usage data flowing through management platforms has grown exponentially. Regulatory requirements including GDPR, CCPA, and industry-specific mandates make robust security controls not just desirable but essential.

Six-Layer Security Architecture

CloudAct.ai's SOC 2 certification reflects a defense-in-depth approach built around a proprietary six-layer tenant security model that enforces tenant data isolation across its multi-tenant platform:

  • Layer 1 — Authentication: All API access is authenticated via API keys generated from a cryptographically secure random source and validated with a constant-time comparison (hmac.compare_digest style), which removes the timing side channel that a byte-by-byte string compare would leak. Administrative operations require a separate root key (X-CA-Root-Key) with additional verification.
  • Layer 2 — Authorization: Role-based access controls enforce that users can only access resources within their organization. Every request is validated against organization membership before processing.
  • Layer 3 — Agent Scoping: The platform's AI assistant, ELSA, operates within strict organizational boundaries. All AI-generated queries are scoped to the requesting organization's dataset, preventing cross-tenant data leakage through natural language interactions.
  • Layer 4 — Query Isolation: Every database query carries org_slug as a bound parameter wherever it is a value. Because BigQuery cannot bind dataset or table names as query parameters, the org_slug identifier is also validated against a strict allow-list pattern (^[a-z0-9_]{3,50}$) at every entry point before it is used to name a dataset, preventing injection and enforcing tenant scoping at the query level.
  • Layer 5 — Dataset Isolation: Each organization's cost data resides in a dedicated BigQuery dataset ({org_slug}_prod), providing dataset-level separation rather than relying solely on row-level security filters.
  • Layer 6 — Dry-Run Gate: All dynamically constructed queries pass through BigQuery's dry-run validation before execution, which rejects malformed queries and unresolvable references and reports the bytes a query would scan, so a broken or unexpectedly expensive query is stopped before it touches production data.
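As an added example, not CloudAct.ai's code and not a description of its implementation, the Python below sketches what layers 1, 2, 4 and 5 look like when chained on a single request, together with a local reference check that complements the layer-6 dry run: a dry run confirms a query is well-formed, but a well-formed query that names another tenant's dataset is still well-formed, so the dataset referenced by every table must be checked separately (or denied by the executing identity's dataset permissions). The key format, project id, table name, and in-memory credential store are assumptions.

```python
"""Tenant-isolation gate sketch (added example, not CloudAct.ai's code).
Key format, project id, table name and in-memory stores are assumptions."""
import hashlib
import hmac
import re
import secrets
from typing import Dict, Optional, Tuple

# Layer 4: the slug allow-list quoted in the post.
ORG_SLUG_RE = re.compile(r"^[a-z0-9_]{3,50}$")
# Fully-qualified BigQuery table reference: `project.dataset.table`.
TABLE_REF_RE = re.compile(r"`([a-z0-9-]+)\.([a-z0-9_]+)\.([a-z0-9_]+)`")
PROJECT = "cloudact-example"  # hypothetical project id

# Constructed stand-in for a credential store: key_id -> (sha256 hex, org_slug).
# Only the digest is stored, so a leaked table does not yield usable keys.
_KEYS: Dict[str, Tuple[str, str]] = {}


def is_valid_org_slug(org_slug: str) -> bool:
    return ORG_SLUG_RE.fullmatch(org_slug) is not None


def validate_org_slug(org_slug: str) -> str:
    """Layer 4: BigQuery cannot bind a dataset name as a query parameter,
    so this allow-list check is what makes the slug safe to interpolate."""
    if not is_valid_org_slug(org_slug):
        raise ValueError(f"invalid org_slug: {org_slug!r}")
    return org_slug


def issue_api_key(org_slug: str) -> str:
    """Layer 1: mint 'ca_<key_id>_<secret>' from a CSPRNG (secrets module)."""
    validate_org_slug(org_slug)
    key_id, secret = secrets.token_hex(8), secrets.token_hex(32)
    _KEYS[key_id] = (hashlib.sha256(secret.encode()).hexdigest(), org_slug)
    return f"ca_{key_id}_{secret}"


def authenticate(presented: str) -> Optional[str]:
    """Layer 1: return the key's org_slug, or None. Lookup is by key_id; the
    secret digest is compared in constant time (hmac.compare_digest), and an
    unknown key_id still performs a comparison so timing does not reveal
    which ids exist."""
    parts = presented.split("_", 2)
    if len(parts) != 3 or parts[0] != "ca":
        return None
    key_id, secret = parts[1], parts[2]
    record = _KEYS.get(key_id)
    expected = record[0] if record else "0" * 64
    digest = hashlib.sha256(secret.encode()).hexdigest()
    if not hmac.compare_digest(digest, expected) or record is None:
        return None
    return record[1]


def authorize(key_org: str, requested_org: str) -> bool:
    """Layer 2: a key may only touch resources of the org it was issued for."""
    return is_valid_org_slug(requested_org) and key_org == requested_org


def build_cost_query(org_slug: str, start_date: str, end_date: str) -> Tuple[str, Dict[str, str]]:
    """Layer 5: the dataset name is derived from the validated slug; values
    that can be bound (the dates) travel as named parameters, never spliced."""
    dataset = f"{validate_org_slug(org_slug)}_prod"
    sql = (
        "SELECT service, SUM(cost) AS cost "
        f"FROM `{PROJECT}.{dataset}.cost_data` "
        "WHERE usage_date BETWEEN @start_date AND @end_date "
        "GROUP BY service"
    )
    return sql, {"start_date": start_date, "end_date": end_date}


def references_stay_in_tenant(sql: str, org_slug: str) -> bool:
    """Layer 6 companion. The real dry run is client.query(sql, job_config=
    bigquery.QueryJobConfig(dry_run=True, use_query_cache=False)); it checks
    syntax and reports bytes scanned but not tenancy, so confirm every
    fully-qualified table reference resolves inside this tenant's dataset."""
    allowed = f"{validate_org_slug(org_slug)}_prod"
    refs = TABLE_REF_RE.findall(sql)
    return bool(refs) and all(dataset == allowed for _, dataset, _ in refs)


def handle_request(api_key: str, org_slug: str, start: str, end: str) -> Optional[str]:
    """Run the layers in order; return the SQL to execute, or None on refusal."""
    key_org = authenticate(api_key)
    if key_org is None or not authorize(key_org, org_slug):
        return None
    sql, _params = build_cost_query(org_slug, start, end)
    return sql if references_stay_in_tenant(sql, org_slug) else None


if __name__ == "__main__":
    key = issue_api_key("acme_corp")
    print(handle_request(key, "acme_corp", "2025-09-01", "2025-09-30"))
    print(handle_request(key, "globex", "2025-09-01", "2025-09-30"))  # None
    print(is_valid_org_slug("acme_corp`.globex_prod"))               # False
```

The point of the ordering is that the cheapest, most general checks run first: a malformed or mismatched key never reaches the slug validator, and a slug that fails the allow-list never reaches string interpolation. In a deployment the dry run would sit between build_cost_query and execution, with the reference check applied to the same SQL the dry run receives.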

Encryption and Key Management

All sensitive credentials — including cloud provider service account keys, GenAI API tokens, and SaaS integration secrets — are encrypted at rest using Google Cloud KMS. Encryption keys are rotated on a regular schedule, and all key operations are logged for audit purposes. Data in transit is protected via TLS 1.3 across all service-to-service communications.

Comprehensive Audit Logging

Every mutation across the platform — from budget creation and hierarchy modifications to integration setup and pipeline execution — generates structured JSON audit log entries. These logs capture the authenticated user, organization context, timestamp, action type, and affected resources, providing a complete forensic trail for compliance and incident response.

Enterprise Customers Validate the Approach

CloudAct.ai's security posture has been a decisive factor for enterprise customers evaluating the platform for production deployments.

"When we evaluated FinOps platforms, security wasn't negotiable. We process over $40 million in annual cloud spend, and every dollar of that data flows through our cost management tooling. CloudAct.ai's six-layer isolation model and SOC 2 Type II certification gave our security team the confidence to approve a full production rollout. The dedicated dataset architecture means our data never commingles with other tenants — that's the kind of isolation we require."

— David Kowalski, CISO, Meridian Financial Technologies

The SOC 2 Type II report is available to prospective and current customers under NDA through CloudAct.ai's security team. The company maintains a public trust page with an overview of its security practices, compliance certifications, and data processing policies.

Looking Ahead: ISO 27001 and Beyond

Building on the SOC 2 Type II milestone, CloudAct.ai has initiated the process toward ISO 27001 certification, targeting completion in the first half of 2026. The company is also evaluating additional compliance frameworks relevant to its expanding enterprise customer base, including CSA STAR and HIPAA readiness for healthcare-sector customers managing cloud infrastructure costs.

"SOC 2 Type II is an important milestone, but it's not the finish line," added Mehta. "We're committed to meeting our customers wherever their compliance requirements take them. The ISO 27001 process is already underway, and we're building our security program to scale alongside the platform."

About CloudAct.ai

CloudAct.ai is an intelligent cloud cost management platform headquartered in Sunnyvale, California. The platform provides unified visibility across cloud infrastructure (GCP, AWS, Azure, OCI), GenAI services (OpenAI, Anthropic, Google Gemini, DeepSeek, Azure OpenAI, AWS Bedrock, GCP Vertex), and SaaS subscriptions — all normalized to the FOCUS 1.3 open standard. Featuring AI-powered cost analysis through its conversational assistant ELSA, hierarchical budget management, automated alerting, and multi-currency support across 20 currencies, CloudAct.ai helps enterprises understand, optimize, and govern their technology spending. For more information, visit cloudact.ai.

Media Contact:
CloudAct.ai Communications
press@cloudact.ai
