Security & Data Handling

Last updated: May 2026

A short reference for IT and security teams reviewing Caleta Cost Review during procurement. For full detail, see the Privacy Policy and Terms of Service.

Data residency

  • All customer data (cost data, scan results, account information) is stored exclusively in the UK South Azure region
  • The marketing website (caleta.io) is delivered via a global CDN; only static page content, and no customer data, passes through the CDN

Encryption

  • In transit: TLS 1.2+ for all connections to and from the service
  • At rest: AES-256 in the underlying Azure database

Access controls

  • Role-based access control (RBAC) on all administrative interfaces
  • Multi-factor authentication required for all Caleta personnel
  • Customer data access is limited to Caleta personnel performing your review

Permissions requested in your tenant

  • Reader (built-in role) – resource inventory via Azure Resource Graph
  • Cost Management Reader (built-in role) – cost data via the Cost Management API
  • Advisor recommendations – read-only via the Advisor API (covered by Reader)

All access is read-only. Caleta cannot make changes to your Azure environment.

What we do NOT request

  • No write access to any resource
  • No data plane access (no VM disks, no database contents, no storage blob contents)
  • No Microsoft Graph / directory access (no users, no groups, no sign-in logs)
  • No Key Vault access
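
One way to check the role set above from the customer side, as an added example (not Caleta's code): it audits the service principal's role assignments, as exported with `az role assignment list --assignee <id> --all -o json`, against the two built-in roles listed and the subscriptions you authorised. The subscription IDs and sample records are constructed, and `audit` and `subscription_of` are names chosen for this example.

```python
# Built-in roles the page lists; any other role name is a finding.
# Matching on the role name is a simplification made in this example.
ALLOWED_ROLES = {"Reader", "Cost Management Reader"}

SUB_A = "00000000-0000-0000-0000-00000000000a"  # constructed: authorised
SUB_B = "00000000-0000-0000-0000-00000000000b"  # constructed: not authorised

# Constructed records using the roleDefinitionName and scope fields of the CLI output.
SAMPLE = [
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB_A}"},
    {"roleDefinitionName": "Cost Management Reader", "scope": f"/subscriptions/{SUB_A}"},
    {"roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUB_A}/resourceGroups/rg-example"},
    {"roleDefinitionName": "Reader", "scope": f"/subscriptions/{SUB_B}"},
    {"roleDefinitionName": "Reader",
     "scope": "/providers/Microsoft.Management/managementGroups/mg-example"},
]


def subscription_of(scope):
    """Return the subscription GUID a scope sits in, or None for root or
    management-group scopes, which reach beyond any single subscription."""
    parts = scope.strip("/").split("/")
    if len(parts) >= 2 and parts[0].lower() == "subscriptions":
        return parts[1].lower()
    return None


def audit(assignments, authorised_subs):
    """Return (finding, role, scope) tuples for every assignment that is not
    one of the allowed roles inside an authorised subscription."""
    authorised = {s.lower() for s in authorised_subs}
    findings = []
    for a in assignments:
        role = a.get("roleDefinitionName", "")
        scope = a.get("scope", "")
        if role not in ALLOWED_ROLES:
            findings.append(("unexpected-role", role, scope))
        sub = subscription_of(scope)
        if sub is None:
            findings.append(("scope-above-subscription", role, scope))
        elif sub not in authorised:
            findings.append(("unauthorised-subscription", role, scope))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, [SUB_A]):
        print(*finding, sep="\t")
```

An empty result means the principal holds only the listed roles, scoped to subscriptions you authorised.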

Sub-processors

  • Microsoft Azure (UK South) – hosting, database storage, AI-assisted analysis via Azure AI Foundry, and read-only Cost Management API access to the subscriptions you authorise
  • Microsoft 365 – transactional email delivery and customer communication
  • Cloudflare – DNS and secure tunnel for the API endpoint

See the Privacy Policy for the full sub-processor terms.

Customer controls

  • Revoke the service principal at any time from your Azure portal – access stops immediately
  • Request data export or deletion at any time
  • Customer data is deleted within 7 days of an offboarding request or account closure

Incident response

Suspected security incidents involving customer data should be reported to privacy@caleta.io. We will acknowledge receipt within one business day and provide updates as the investigation progresses.

Related Policies

For the legal and contractual position, please review the Privacy Policy and Terms of Service.
