Last Updated: February 15, 2026
At VikingCloud, security is not just a feature we offer to our customers — it is the foundation of everything we build. As a cloud security platform, we hold ourselves to the highest standards of data protection and operational security. This page describes the measures we take to protect your data and our infrastructure.
1. Our Security Commitment
We understand that you trust VikingCloud with access to your cloud infrastructure. We take that trust seriously. Our security program is built on the principles of defense in depth, least privilege access, and transparency. We continuously evaluate and improve our security posture, and we apply the same rigorous standards to our own infrastructure that we help our customers achieve.
2. Infrastructure Security
VikingCloud is hosted entirely on Google Cloud Platform (GCP) in the Tokyo (asia-northeast1) region. Our infrastructure benefits from GCP's extensive security controls, including:
- Physical security of data centers with 24/7 monitoring, biometric access controls, and multi-layered perimeter defenses
- Hardware-level encryption and secure boot for all compute instances
- Network isolation through Virtual Private Cloud (VPC) configurations
- Automated infrastructure patching and security updates
- DDoS protection provided by Google's global network infrastructure
3. Credential Security
Protecting your cloud credentials is our highest priority. VikingCloud implements multiple layers of protection for all stored credentials:
- Authenticated Encryption: All cloud credentials are encrypted using industry-standard authenticated encryption that provides both confidentiality and integrity protection. Each credential is encrypted with a unique initialization vector and includes an authentication tag to detect any tampering.
- Separate Key Management: Encryption keys are managed through a dedicated key management service, completely separate from the encrypted credential data. Keys are never stored in application code, configuration files, or version control.
- No Plaintext Storage: Credentials are never stored in plaintext at any point in our pipeline. They are encrypted immediately upon receipt and only decrypted in memory at the moment a scan is executed.
- User-Controlled Lifecycle: You maintain full control over your credentials and can delete them at any time through the dashboard. Deletion is permanent and immediate.
4. Data Security
4.1 Database Protection
Our database is powered by Supabase (PostgreSQL) with comprehensive security measures:
- Row-Level Security (RLS): Every table has RLS policies that ensure users can only access data belonging to their own accounts and teams. RLS is enforced at the database level, making it impossible to bypass through application code.
- Encryption at Rest: All data stored in the database is encrypted at rest using industry-standard encryption.
- Encryption in Transit: All connections to the database use TLS encryption, ensuring data is protected during transmission.
4.2 Data Isolation
Customer data is logically isolated at the database level. Each customer's scan results, credentials, and configuration data are associated with their account and protected by RLS policies. There is no shared access between customer accounts.
5. Agentless Scanning Architecture
VikingCloud uses a fully agentless scanning architecture. This design decision has significant security benefits:
- No Software on Your Infrastructure: We never install agents, daemons, or any software on your cloud resources. This eliminates an entire class of supply chain and persistence risks.
- Read-Only Access: Our scanning infrastructure connects to your cloud provider APIs using the credentials you provide. We request and recommend read-only permissions. We do not modify, create, or delete any resources in your environments.
- Minimal Attack Surface: Because we operate entirely through cloud provider APIs, there is no additional attack surface introduced into your infrastructure.
- No Network Access Required: VikingCloud does not require network-level access to your infrastructure. All communication occurs through cloud provider management APIs.
6. Access Control
VikingCloud implements multiple layers of access control to protect your account and data:
- Team-Based Access: Organize your cloud security management by teams, with each team having its own set of credentials, scan results, and security findings.
- Role-Based Permissions: Team members can be assigned different roles (owner, admin, member) with appropriate permission levels for managing credentials, viewing scan results, and administering the team.
- Authentication: User authentication is handled through Supabase Auth with secure password hashing, session management, and support for email-based authentication.
- Internal Access Controls: Our team follows the principle of least privilege. Access to production systems is restricted to essential personnel and is logged and audited.
7. Network Security
- HTTPS Everywhere: All communications between your browser and VikingCloud are encrypted using TLS. We enforce HTTPS on all endpoints with no fallback to unencrypted connections.
- Secure API Endpoints: All API endpoints require authentication and are protected against common web vulnerabilities including injection attacks, cross-site scripting (XSS), and cross-site request forgery (CSRF).
- Service-to-Service Security: Internal communications between our services (frontend, workers, database) use authenticated and encrypted connections.
8. Vulnerability Management
We practice what we preach. VikingCloud applies rigorous vulnerability management to our own infrastructure:
- We regularly scan our own cloud infrastructure using VikingCloud
- Dependencies are monitored for known vulnerabilities and updated promptly
- Container images used in our scanning infrastructure are regularly rebuilt with the latest security patches
- We conduct periodic security reviews of our codebase and architecture
9. Incident Response
VikingCloud maintains an incident response plan to address security events promptly and effectively:
- Detection: We monitor our infrastructure for anomalous activity and potential security events.
- Response: Upon detection of a security incident, our team follows a structured response process to contain, investigate, and remediate the issue.
- Notification: If a security incident affects your data, we will notify you promptly with details about the incident, its impact, and the steps we are taking to address it.
- Post-Incident Review: After every incident, we conduct a thorough review to identify root causes and implement measures to prevent recurrence.
10. Responsible Disclosure
We welcome responsible security research and disclosure. If you discover a security vulnerability in VikingCloud, please report it to us so we can address it promptly.
- Report To: security@vikingstrike.com
- Please provide sufficient detail to reproduce the issue, including steps, affected components, and potential impact.
- We ask that you give us a reasonable amount of time to investigate and address the issue before any public disclosure.
- We will not take legal action against researchers who act in good faith and in compliance with this disclosure policy.
11. Compliance Roadmap
VikingCloud is committed to meeting industry-recognized security standards. Our current compliance roadmap includes:
- SOC 2 Type II: We are actively working toward SOC 2 Type II certification, which will independently verify our security, availability, and confidentiality controls.
- ISO 27001: We are working toward ISO 27001 certification for our information security management system.
While we have not yet achieved these certifications, the security controls and practices described on this page reflect our commitment to operating at the standards required by these frameworks. We will update this page as we achieve certification milestones.
12. Questions
If you have questions about our security practices or would like to discuss our security posture in more detail, please contact us: