## Authentication Methods

- Email & Password: Standard authentication with secure password requirements
- Multi-Factor Authentication: TOTP-based MFA for additional security
- Single Sign-On (SSO): SAML/OAuth integration with your identity provider
- API Keys: Secure programmatic access to the API
## Multi-Factor Authentication (MFA)

Add an extra layer of security with TOTP-based MFA:

### Enabling MFA

- Scan QR Code: Use an authenticator app (Google Authenticator, Authy, 1Password, etc.) to scan the QR code

### MFA at Login

With MFA enabled:

1. Enter your email and password
2. Enter the current 6-digit code from your authenticator
3. Access granted
### Recovery Options

If you lose access to your authenticator:

- Use a backup code (one-time use)
- Contact organization admin for MFA reset
- Contact support with identity verification
## Single Sign-On (SSO)

Enterprise plans support SSO integration:

### Supported Providers

- Google Workspace: OAuth 2.0 integration
- Microsoft Azure AD: SAML/OAuth
- Okta: SAML 2.0
- OneLogin: SAML 2.0
- GitHub: OAuth (for developer teams)
- GitLab: OAuth
### Configuring SSO

1. Navigate to Organization Settings > Security > SSO
2. Select your identity provider
3. Configure the integration:
   - Enter IdP metadata URL or details
   - Configure attribute mapping
   - Set default role for new users
4. Test the configuration
5. Enable SSO enforcement (optional)
### SSO Enforcement

Organization admins can enforce SSO:

- Require all users to authenticate via SSO
- Disable password-based login
- Auto-provision users on first SSO login
- Auto-deprovision when removed from IdP
## Role-Based Access Control (RBAC)

Control what users can do with granular permissions:

### Organization Roles

| Role | Description | Permissions |
|---|---|---|
| Owner | Full organization control | All permissions, billing, member management |
| Admin | Organization administration | Manage workspaces, members, settings (no billing) |
| Member | Standard access | Access assigned workspaces, use agents |
| Viewer | Read-only access | View dashboards and reports only |
### Workspace Roles

| Role | Description | Permissions |
|---|---|---|
| Workspace Admin | Full workspace control | All workspace operations, member management |
| Editor | Standard operations | Run agents, create recommendations, modify settings |
| Operator | Limited operations | Run agents, view data, cannot modify settings |
| Viewer | Read-only | View dashboards, reports, and recommendations |
### Permission Matrix

| Action | Owner | Admin | Editor | Operator | Viewer |
|---|---|---|---|---|---|
| View dashboards | Yes | Yes | Yes | Yes | Yes |
| Run agent conversations | Yes | Yes | Yes | Yes | No |
| Create recommendations | Yes | Yes | Yes | No | No |
| Approve operations | Yes | Yes | Yes | No | No |
| Manage connections | Yes | Yes | Yes | No | No |
| Manage members | Yes | Yes | No | No | No |
| Organization settings | Yes | Yes | No | No | No |
| Billing | Yes | No | No | No | No |
## API Authentication

Secure programmatic access to CloudThinker:

### API Keys

Generate API keys for automation:

1. Go to Profile > API Keys
2. Click Create API Key
3. Name the key and set expiration
4. Copy the key (shown only once)
5. Use in API requests
### Key Management

- Rotation: Regularly rotate keys (recommended: every 90 days)
- Scoping: Limit keys to specific operations when possible
- Monitoring: Review key usage in audit logs
- Revocation: Immediately revoke compromised keys
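"Shown only once" means the service keeps only a hash of the key, so a database leak does not hand out usable credentials. The following is an added example (not CloudThinker's implementation) of the server side of the key lifecycle described above: minting a key with an expiry, verifying a presented key by constant-time hash comparison, honouring revocation, and listing keys past the 90-day rotation interval. The `ct_` prefix, the `T0` clock and the key layout are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed reference clock for the demo


def days_later(days: int) -> datetime:
    return T0 + timedelta(days=days)


def _hash(secret_part: str) -> str:
    return hashlib.sha256(secret_part.encode()).hexdigest()


@dataclass
class ApiKeyRecord:
    key_id: str
    key_hash: str                 # SHA-256 of the secret part; the plaintext key is never stored
    name: str
    created_at: datetime
    expires_at: datetime
    revoked: bool = False
    last_used_at: Optional[datetime] = None


class ApiKeyStore:
    PREFIX = "ct_"  # assumed prefix for this example, not CloudThinker's actual key format

    def __init__(self) -> None:
        self._records: Dict[str, ApiKeyRecord] = {}

    def create(self, name: str, now: datetime, ttl_days: int = 90) -> Tuple[str, ApiKeyRecord]:
        """Mint a key. The plaintext is returned exactly once; only its hash is retained."""
        key_id = secrets.token_hex(4)            # public identifier, safe to show in audit logs
        secret_part = secrets.token_urlsafe(32)  # 256 bits of randomness
        record = ApiKeyRecord(key_id, _hash(secret_part), name, now, now + timedelta(days=ttl_days))
        self._records[key_id] = record
        return f"{self.PREFIX}{key_id}_{secret_part}", record

    def verify(self, presented: str, now: datetime) -> Optional[ApiKeyRecord]:
        """Return the record if the key is genuine, unexpired and not revoked; otherwise None."""
        if not presented.startswith(self.PREFIX):
            return None
        # key_id is hex, so the first underscore after the prefix is the separator
        key_id, sep, secret_part = presented[len(self.PREFIX):].partition("_")
        record = self._records.get(key_id)
        if record is None or not sep:
            return None
        if not hmac.compare_digest(record.key_hash, _hash(secret_part)):
            return None
        if record.revoked or now >= record.expires_at:
            return None
        record.last_used_at = now  # feeds the usage review in audit logs
        return record

    def revoke(self, key_id: str) -> None:
        self._records[key_id].revoked = True

    def due_for_rotation(self, now: datetime, max_age_days: int = 90) -> List[str]:
        """Active keys older than the rotation interval (the page recommends 90 days)."""
        return [r.key_id for r in self._records.values()
                if not r.revoked and now - r.created_at >= timedelta(days=max_age_days)]


if __name__ == "__main__":
    store = ApiKeyStore()
    plaintext, record = store.create("ci-deploy", T0, ttl_days=30)
    print(plaintext)                                       # shown once, then only the hash exists
    print(store.verify(plaintext, days_later(1)) is record)  # True
    print(store.verify(plaintext, days_later(31)))          # None: expired
    print(store.due_for_rotation(days_later(91)))           # [record.key_id]
```

Keeping the public `key_id` separate from the secret part lets audit logs and revocation screens name a key without ever handling the secret.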
### OAuth Tokens

For integrations that use OAuth:

- Tokens are automatically refreshed
- Revoke access from Settings > Connected Apps
- Monitor token usage in audit logs
## Data Security

### Encryption

CloudThinker protects your data with:

| Layer | Protection |
|---|---|
| Transit | TLS 1.3 for all connections |
| At Rest | AES-256 encryption |
| Secrets | Encrypted credential storage |
| Backups | Encrypted database backups |
### Bring Your Own Key (BYOK)

Enterprise customers can use their own encryption keys:

- Configure AWS KMS or similar
- Provide key ARN to CloudThinker
- Your key encrypts sensitive data
- Maintain full key control

Configure BYOK: Set up Bring Your Own Key encryption
### Data Residency

- Choose data region during workspace creation
- Data stays within selected region
- Multi-region options for redundancy
## Audit Logging

Track all activities in CloudThinker:

### Logged Events

- User authentication (login, logout, MFA)
- Resource access and modifications
- Agent conversations and actions
- Administrative changes
- API access
### Viewing Audit Logs

1. Navigate to Organization Settings > Audit Log
2. Filter by:
   - User
   - Action type
   - Resource
   - Date range
3. Export logs for compliance
### Log Retention

- Standard: 90 days
- Professional: 1 year
- Enterprise: Configurable (up to 7 years)
## Security Best Practices

### Enable MFA for All Users

Require MFA for all organization members, especially those with admin access. Consider enforcing via SSO policies.

### Use Least Privilege

Assign the minimum role required for each user’s responsibilities. Review and adjust permissions regularly.

### Rotate Credentials Regularly

Rotate API keys, refresh tokens, and cloud credentials on a regular schedule.

### Monitor Audit Logs

Regularly review audit logs for suspicious activity. Set up alerts for critical events.
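Two of the "critical events" worth alerting on from the logged event categories above are a burst of failed authentications (login or MFA) for one user and an administrative change that weakens a control, such as disabling MFA or SSO enforcement. The following added example (not CloudThinker's tooling) runs those two rules over exported audit events. The JSON-lines layout, the field names (`ts`, `user`, `action`, `result`, `ip`) and the action names are assumptions for the example; the sample events are constructed.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# Constructed sample audit export. Field and action names are assumed for this example
# and are not CloudThinker's documented export schema.
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-05-01T08:00:00Z", "user": "bob@example.com", "action": "auth.login", "result": "failure", "ip": "198.51.100.7"}
{"ts": "2024-05-01T08:20:00Z", "user": "bob@example.com", "action": "auth.login", "result": "failure", "ip": "198.51.100.7"}
{"ts": "2024-05-01T09:00:00Z", "user": "alice@example.com", "action": "auth.mfa", "result": "failure", "ip": "203.0.113.10"}
{"ts": "2024-05-01T09:01:00Z", "user": "alice@example.com", "action": "auth.mfa", "result": "failure", "ip": "203.0.113.10"}
{"ts": "2024-05-01T09:02:30Z", "user": "alice@example.com", "action": "auth.mfa", "result": "failure", "ip": "203.0.113.10"}
{"ts": "2024-05-01T09:03:00Z", "user": "alice@example.com", "action": "auth.mfa", "result": "failure", "ip": "203.0.113.10"}
{"ts": "2024-05-01T09:04:00Z", "user": "alice@example.com", "action": "auth.mfa", "result": "success", "ip": "203.0.113.10"}
{"ts": "2024-05-01T10:00:00Z", "user": "carol@example.com", "action": "sso.enforcement.disabled", "result": "success", "ip": "192.0.2.44"}
{"ts": "2024-05-01T10:05:00Z", "user": "carol@example.com", "action": "api_key.created", "result": "success", "ip": "192.0.2.44"}
"""

# Administrative changes that weaken the controls described on this page.
CRITICAL_ADMIN_ACTIONS = {"mfa.disabled", "sso.enforcement.disabled", "member.role_changed"}
AUTH_ACTIONS = {"auth.login", "auth.mfa"}


def parse_events(text: str) -> List[dict]:
    """Parse JSON lines, attach a datetime, and return the events in time order."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for ev in events:
        ev["time"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda ev: ev["time"])


def detect(events: List[dict], fail_threshold: int = 3,
           window: timedelta = timedelta(minutes=5)) -> List[dict]:
    """Return alerts for repeated auth failures per user and for critical admin changes."""
    alerts: List[dict] = []
    recent_failures: Dict[str, Deque[datetime]] = defaultdict(deque)
    for ev in events:
        if ev["action"] in AUTH_ACTIONS:
            q = recent_failures[ev["user"]]
            if ev["result"] == "success":
                q.clear()  # a successful login ends the failure streak
                continue
            q.append(ev["time"])
            while q and ev["time"] - q[0] > window:
                q.popleft()  # drop failures that fell out of the sliding window
            if len(q) == fail_threshold:  # fire once, when the threshold is crossed
                alerts.append({"rule": "repeated_auth_failure", "user": ev["user"],
                               "ip": ev.get("ip"), "at": ev["ts"]})
        elif ev["action"] in CRITICAL_ADMIN_ACTIONS:
            alerts.append({"rule": "critical_admin_change", "user": ev["user"],
                           "action": ev["action"], "at": ev["ts"]})
    return alerts


def run_sample() -> List[dict]:
    return detect(parse_events(SAMPLE_AUDIT_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the constructed sample this produces two alerts: alice crosses three MFA failures inside five minutes at 09:02:30 (bob's two failures are twenty minutes apart and never accumulate), and carol's SSO enforcement change is flagged regardless of frequency. The `api_key.created` event is not alerted here but is exactly the kind of event to review in the key usage audit described under Key Management.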
### Secure Cloud Connections

Use read-only credentials when possible. Limit scope to necessary services and regions.

### Review Access Periodically

Conduct quarterly access reviews. Remove inactive users and revoke unnecessary permissions.
## Compliance

CloudThinker maintains compliance with:

- SOC 2 Type II: Security, availability, and confidentiality
- GDPR: Data protection for EU users
- HIPAA: Healthcare data handling (Enterprise)
- ISO 27001: Information security management

Request Compliance Documents: Contact us for security questionnaires and compliance documentation