Temporary infrastructure access
CauseFlow never stores permanent AWS credentials for your infrastructure. When an investigation starts, CauseFlow uses AWS STS AssumeRole to generate temporary, scoped credentials for each AI agent.

| Property | Value |
|---|---|
| Credential lifetime | 15 minutes |
| Scope | Per-agent session policy (minimum permissions) |
| Revocation | Immediately after investigation completes |
| Storage | In-memory only during the investigation session |
Per-agent session policies
Each AI agent receives only the permissions its specific task requires. No agent has broad infrastructure access.

| Agent | Permissions granted |
|---|---|
| log_analyst | logs:GetQueryResults, logs:StartQuery, logs:GetLogEvents |
| metric_analyst | cloudwatch:GetMetricData, cloudwatch:GetMetricStatistics |
| infra_inspector | ecs:Describe*, ec2:Describe* (read-only) |
| remediator | ecs:UpdateService, ecs:RegisterTaskDefinition (only after human approval) |
The ecs:UpdateService permission cannot be exercised without an approval record in the audit trail.
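The following is an added example, not CauseFlow's own code, showing how the two sections above fit together: a session policy is built from the per-agent table, the AssumeRole request is given the 15-minute lifetime from the property table, and the remediator's session is refused unless the audit trail contains an approval record. The role ARN, the audit-record shape (`type`, `investigation_id`) and the helper names are assumptions made for the example; the returned dictionary is what you would pass to `boto3.client("sts").assume_role(**request)`.

```python
import json

# Per-agent allow-lists, taken from the table above. A session policy can only
# narrow the assumed role's permissions, so anything not listed is denied.
AGENT_PERMISSIONS = {
    "log_analyst": ["logs:GetQueryResults", "logs:StartQuery", "logs:GetLogEvents"],
    "metric_analyst": ["cloudwatch:GetMetricData", "cloudwatch:GetMetricStatistics"],
    "infra_inspector": ["ecs:Describe*", "ec2:Describe*"],
    "remediator": ["ecs:UpdateService", "ecs:RegisterTaskDefinition"],
}

# 15-minute lifetime from the property table (900 s is also the STS minimum).
CREDENTIAL_LIFETIME_SECONDS = 15 * 60


def build_session_policy(agent: str) -> dict:
    """IAM session policy document for one agent; unknown agents raise KeyError."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Effect": "Allow", "Action": AGENT_PERMISSIONS[agent], "Resource": "*"}
        ],
    }


def has_approval(audit_trail: list, investigation_id: str) -> bool:
    """True only if the trail holds a human approval for this investigation.

    The record shape {"type": "approval", "investigation_id": ...} is assumed.
    """
    return any(
        rec.get("type") == "approval" and rec.get("investigation_id") == investigation_id
        for rec in audit_trail
    )


def assume_role_request(agent: str, investigation_id: str, role_arn: str,
                        audit_trail: list) -> dict:
    """Build the keyword arguments for sts.assume_role(**...) for one agent session.

    The remediator is refused before any credential is minted unless an
    approval record exists, so ecs:UpdateService is never obtainable without
    an approval in the audit trail.
    """
    if agent == "remediator" and not has_approval(audit_trail, investigation_id):
        raise PermissionError("remediator session requires an approval record")
    return {
        "RoleArn": role_arn,
        # RoleSessionName allows [\w+=,.@-], 2..64 chars; truncate defensively.
        "RoleSessionName": f"{agent}-{investigation_id}"[:64],
        "DurationSeconds": CREDENTIAL_LIFETIME_SECONDS,
        "Policy": json.dumps(build_session_policy(agent)),
    }


def allowed_actions(request: dict) -> list:
    """Read back the actions a request's session policy allows (for review/tests)."""
    policy = json.loads(request["Policy"])
    return [action for stmt in policy["Statement"] for action in stmt["Action"]]


if __name__ == "__main__":
    # Placeholder role ARN using the AWS documentation example account id.
    role = "arn:aws:iam::123456789012:role/CauseFlowInvestigator"
    trail = [{"type": "approval", "investigation_id": "inv-001", "approved_by": "oncall"}]
    for name in AGENT_PERMISSIONS:
        req = assume_role_request(name, "inv-001", role, trail)
        print(name, req["DurationSeconds"], allowed_actions(req))
```

Because the refusal happens before `assume_role` is called, a missing approval never produces credentials at all, rather than credentials that are later filtered at the application layer.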
Encryption
OAuth tokens and sensitive credentials
OAuth tokens and integration secrets are protected with KMS envelope encryption using AES-256-GCM.

Data in transit
All API traffic uses TLS 1.2 or higher. The CauseFlow Relay (for private network database access) communicates over WSS/443 — the same TLS-encrypted channel.

PII masking via Relay
For customers using the CauseFlow Relay, PII masking runs inside your private network before any query results leave your infrastructure. Masked data is what CauseFlow AI agents receive — not raw records. Built-in masking patterns:

| Pattern | Example |
|---|---|
| Email addresses | user@example.com → [EMAIL] |
| Credit card numbers | 4111 1111 1111 1111 → [CREDIT_CARD] |
| Phone numbers | +55 11 99999-9999 → [PHONE] |
| CPF (Brazil) | 123.456.789-09 → [CPF] |
| Bearer tokens | Bearer eyJ... → [TOKEN] |
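As an added example (not the Relay's actual implementation), here is a masker that reproduces the five built-in patterns from the table on constructed query-result rows. The regular expressions, their ordering and the `mask_rows` helper are assumptions for the example; the CPF pattern runs before the card pattern so that a dotted CPF is never partially consumed, and the card pattern requires four-digit groups so it does not fire on the phone example.

```python
import re

# (placeholder, pattern) pairs, applied in order. Order matters: CPF before
# credit card, and the literal placeholders never match any later pattern.
MASKING_PATTERNS = [
    ("[CPF]", re.compile(r"\b\d{3}\.\d{3}\.\d{3}-\d{2}\b")),
    ("[CREDIT_CARD]", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")),
    ("[PHONE]", re.compile(r"\+\d{1,3}\s?\d{2}\s?\d{4,5}-?\d{4}\b")),
    ("[EMAIL]", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("[TOKEN]", re.compile(r"\bBearer\s+[A-Za-z0-9\-_.~+/]+=*")),
]


def mask(text: str) -> str:
    """Replace every recognised PII pattern in a string with its placeholder."""
    for placeholder, pattern in MASKING_PATTERNS:
        text = pattern.sub(placeholder, text)
    return text


def mask_rows(rows: list) -> list:
    """Mask every string column of a list of query-result rows (dicts).

    Non-string values (ids, timestamps, numbers) are passed through unchanged.
    """
    return [
        {column: mask(value) if isinstance(value, str) else value
         for column, value in row.items()}
        for row in rows
    ]


if __name__ == "__main__":
    # Constructed sample rows standing in for a database query result.
    sample = [
        {"id": 7, "email": "user@example.com", "card": "4111 1111 1111 1111"},
        {"id": 8, "phone": "+55 11 99999-9999", "cpf": "123.456.789-09"},
        {"id": 9, "note": "Authorization: Bearer eyJhbGciOi.abc.def"},
    ]
    for row in mask_rows(sample):
        print(row)
```

Running the masker over the rows before they cross the Relay is the property the section describes: what leaves the private network already reads `[EMAIL]`, `[CREDIT_CARD]`, `[PHONE]`, `[CPF]` and `[TOKEN]` rather than the original values.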
Tenant data isolation
All data in CauseFlow is partitioned by tenant at the database level. DynamoDB partition keys include tenant_id as a component. This means:
- A query for tenant A’s incidents cannot physically return tenant B’s data
- There is no application-level filter that could be bypassed by a logic error
- Cross-tenant data access is architecturally impossible, not just policy-prevented
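The key layout that gives this guarantee, as an added illustration rather than CauseFlow's real schema: the partition key is derived from `tenant_id`, so a Query is addressed to one tenant's partition and has no way to name another's. The `TENANT#`/`INCIDENT#` prefixes, the attribute names `pk`/`sk`, the tenant_id character rule and the in-memory stand-in for DynamoDB are all assumptions made for the example.

```python
import re

# Only plain identifiers are accepted, so a tenant_id can never smuggle a
# delimiter or another tenant's prefix into the partition key (assumed rule).
TENANT_ID = re.compile(r"[A-Za-z0-9-]{1,64}")


def tenant_pk(tenant_id: str) -> str:
    """Partition key for a tenant; the tenant is baked into the key itself."""
    if not TENANT_ID.fullmatch(tenant_id):
        raise ValueError(f"invalid tenant_id: {tenant_id!r}")
    return f"TENANT#{tenant_id}"


def incident_item(tenant_id: str, incident_id: str, **attrs) -> dict:
    """Build an incident item keyed under its tenant's partition."""
    return {"pk": tenant_pk(tenant_id), "sk": f"INCIDENT#{incident_id}", **attrs}


def incidents_query(table_name: str, tenant_id: str) -> dict:
    """DynamoDB Query parameters for one tenant's incidents.

    The KeyConditionExpression pins the partition key, so the request cannot
    address any other tenant's partition regardless of application logic.
    """
    return {
        "TableName": table_name,
        "KeyConditionExpression": "pk = :pk AND begins_with(sk, :prefix)",
        "ExpressionAttributeValues": {
            ":pk": {"S": tenant_pk(tenant_id)},
            ":prefix": {"S": "INCIDENT#"},
        },
    }


class InMemoryTable:
    """Minimal stand-in for a DynamoDB table, constructed for this example."""

    def __init__(self):
        self.items = {}

    def put(self, item: dict) -> None:
        self.items[(item["pk"], item["sk"])] = item

    def query(self, params: dict) -> list:
        values = params["ExpressionAttributeValues"]
        pk, prefix = values[":pk"]["S"], values[":prefix"]["S"]
        return [item for (ipk, isk), item in self.items.items()
                if ipk == pk and isk.startswith(prefix)]


if __name__ == "__main__":
    table = InMemoryTable()
    table.put(incident_item("tenant-a", "inc-1", title="5xx spike"))
    table.put(incident_item("tenant-b", "inc-2", title="latency"))
    print(table.query(incidents_query("incidents", "tenant-a")))
```

Note that a filter expression would be the "application-level filter" the section warns about; the isolation here comes from the key condition, which DynamoDB evaluates against the partition itself.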
Data retention and deletion
Investigation data — incidents, analysis results, audit records — is retained for the lifetime of your tenant account.

Right to deletion: You can request deletion of your tenant’s data at any time by contacting support@causeflow.ai. Deletion is processed within 30 days and confirmed in writing.

Audit trail: Audit records are immutable by design and cannot be selectively deleted. A full tenant deletion removes the entire audit trail along with all other tenant data.

GDPR and LGPD readiness
CauseFlow’s architecture aligns with GDPR and LGPD principles:
- Data minimization — agents access only the data needed for the investigation
- Purpose limitation — credentials are scoped to investigation tasks and revoked immediately after
- Right to erasure — full tenant deletion available on request
- PII protection — Relay masking prevents raw PII from leaving your infrastructure
- Data processing agreements — available on request for compliance purposes