CAST AI takes the confidentiality and integrity of its customer data very seriously and strives to ensure that data is protected from unauthorized access and is available when needed.

Certifications and audits

CAST AI maintains the following industry-standard certifications:

• ISO 27001: This certification demonstrates our commitment to information security management. It ensures we have a comprehensive system in place to manage and protect information assets.
• SOC 2 Type II: This attestation verifies that our service commitments and system requirements are based on the trust services criteria relevant to security, availability, processing integrity, confidentiality, and privacy.

To ensure ongoing compliance and security, we undergo third-party audits three times a year.

Data security overview

• No sensitive data leaves your cluster: CAST AI cannot access sensitive user data such as Kubernetes Secrets or ConfigMaps.
• Pre-analysis data scrubbing: Before analysis, our agent removes sensitive environment variables from workload manifests, including passwords, tokens, keys, and secrets.
• Limited data collection: The most sensitive information collected is workload names. We do not collect or process any Personally Identifiable Information (PII), Payment Card Industry (PCI) data, or Health Care (HIPAA) data.

Customer data protection

Data storage and encryption

• Cloud storage: Customer data is stored on Google Cloud Platform (GCP) in the US-East4 (North Virginia) region by default.
• Encryption at rest: All production data is stored on encrypted disks, enforced by our cloud service provider's encryption policy.
• Encryption in transit: All data in flight is encrypted with a minimum of TLS 1.2.

Authentication

• Third-party authentication: User login data (emails, passwords, SSO IDs) is handled by Auth0 (Okta), a secure third-party authentication provider.
• API token security: We do not store user API tokens; we only store secure hashes for validation.

Customer data usage policy

CAST AI is committed to maintaining strict data privacy standards:

• We do not use customer data to train AI models and maintain complete separation between our services and any AI/ML training datasets
• All customer data is used solely for providing and improving our core services, such as optimizing Kubernetes clusters

Data retention

• Kubernetes metadata is retained for at least 10 years.
• Audit logs are retained and accessible in the console for 90 days, after which they are archived (see Audit Log Retention Policy for details).
• Data from inactive customer accounts is marked accordingly but never deleted to ensure data integrity and potential future access.
• Kubernetes Security product:
  • Maximum of 5000 unique image repositories.
  • Last 20 image versions for each image repository.
  • 30 days of anomaly records.
  • 30 days of runtime events.
  • 30 days of netflows.
  • 30 days of process tree events.

Audit Log Retention Policy

CAST AI maintains the following retention policy for audit logs:

• Audit logs are retained and directly accessible in the CAST AI console for 90 days.
• After 90 days, audit logs are archived and no longer available through the console interface.
• Access to logs older than 90 days is available upon request through our customer support team. We provide a raw archive of historical logs when needed.
• Archived logs are retained indefinitely per our unlimited retention policy (subject to fair use).

💡

Tip

We recommend using our open source Audit Log Exporter to ensure continuous access to audit log data beyond the 90-day retention period. This tool allows users to store logs in their own systems indefinitely, meeting specific compliance or data retention requirements.

Examples of collected data

To provide transparency, here are examples of the types of metadata we collect:

Node metadata (extract)

labels:
  addon.gke.io/node-local-dns-ds-ready: "true"
  beta.kubernetes.io/arch: "amd64"
  beta.kubernetes.io/instance-type: "e2-custom-4-16896"
  beta.kubernetes.io/os: "linux"
  cloud.google.com/gke-boot-disk: "pd-standard"
  cloud.google.com/gke-container-runtime: "docker2"
  cloud.google.com/gke-cpu-scaling-level: "2"
  cloud.google.com/gke-max-pods-per-node: "110"
  cloud.google.com/gke-netd-ready: "true"
  cloud.google.com/gke-os-distribution: "cos"
  failure-domain.beta.kubernetes.io/region: "us-east4"
  failure-domain.beta.kubernetes.io/zone: "us-east4-b"
  iam.gke.io/gke-metadata-server-enabled: "true"
  kubernetes.io/arch: "amd64"
  kubernetes.io/hostname: "gke-dev-master-cast-pool-c19ff18f"
  kubernetes.io/os: "linux"
  node.kubernetes.io/instance-type: "e2-custom-4-16896"
  node.kubernetes.io/masq-agent-ds-ready: "true"
  projectcalico.org/ds-ready: "true"

Pod replica metadata (extract)

▾ metadata:
  name: "dashboard-metrics-scraper-c45b7869d"
  namespace: "kubernetes-dashboard"
  resourceVersion: "637593368"
  generation: 1
  creation Timestamp: "2022-08-16T12:10:33Z"
  ► labels: { ... }
  ► annotations: { ... }
  ► ownerReferences: { ... }
▾ spec:
  replicas: 1
  ▾ selector:
    ▾ matchLabels:
      k8s-app: "dashboard-metrics-scraper"
      pod-template-hash: "c45b7869d"
▾ template:
  ▾ metadata:
    creation Timestamp: null
  ▾ labels:
    k8s-app: "dashboard-metrics-scraper"
    pod-template-hash: "dashboard-metrics-scraper"

Commitment to privacy and security

CAST AI is dedicated to maintaining the highest data protection and privacy standards. We continuously update our security measures to align with industry best practices and regulatory requirements.

To learn more about our security policies and compliance, head over to the security portal.