← Back to GreenPilot AI

Security at GreenPilot AI

Last updated: 10 May 2026

GreenPilot AI is a cloud optimization platform in active pilot development. This page describes how GreenPilot approaches security in its current pilot stage, what controls are in place, and what is on the roadmap. We do not claim security certifications or capabilities that we cannot currently demonstrate.

1. Access Model

Read-only by default

During the assessment phase, GreenPilot connects to your AWS environment using read-only access. No production resources are modified, started, stopped, scaled, or deleted during this phase. Read-only access is the default and cannot be upgraded without explicit written agreement between GreenPilot AI and the customer.

Least-privilege AWS permissions

GreenPilot requests only the AWS IAM permissions necessary to analyse cloud usage, cost, and configuration data. The customer configures and reviews the IAM role or access credentials before granting access. GreenPilot will provide a documented list of required permissions before onboarding.

Customer-controlled access

The customer retains full administrative control of their AWS account at all times. GreenPilot does not store long-term AWS credentials beyond what is necessary to deliver the service. Access can be revoked by the customer at any time by deleting the IAM role, rotating API keys, or removing the cross-account trust policy.

Revocable credentials

There is no vendor lock-in on access. The customer may revoke GreenPilot's AWS access at any time without prior notice. GreenPilot commits to cease data collection immediately upon credential revocation.

2. Action Control

No production changes without approval

GreenPilot does not make production changes to cloud resources without explicit customer approval of each recommended action. The approval-based execution model is a core design principle, not an optional feature. Optimization recommendations are presented for customer review before any execution is possible.

Approval-based execution

When a customer opts into the paid optimization phase, each recommended action is presented individually for approval. Actions are not batched or automatically applied. The customer may approve, defer, or reject each recommendation.

Rollback planning

For each approved action, GreenPilot provides manual rollback guidance before execution. Automated rollback is on the roadmap. In the current pilot stage, rollback relies on standard AWS mechanisms (snapshots, versioning, instance restore) documented per action.

Audit logging

Full audit logging of recommendations and approved actions is on the development roadmap. In the current pilot stage, GreenPilot maintains internal logs of actions discussed and approved with each customer. Customers are encouraged to enable AWS CloudTrail for their own audit records.

3. Data Handling

What data GreenPilot processes

GreenPilot processes cloud account metadata, usage statistics, billing data, and configuration information. This data is used exclusively for the purpose of delivering the optimization assessment and recommendations. GreenPilot does not access application-level data, database contents, customer data stored in cloud services, or personal data held within the customer's AWS workloads.

EU-first data handling

GreenPilot AI is committed to EU-first data handling principles. Infrastructure and data-transfer decisions are made with EU data protection requirements in mind. Until full infrastructure hosting configuration is confirmed and documented, GreenPilot describes its approach as "EU-first data handling" rather than making specific EU-hosted infrastructure claims.

GreenPilot AI does not currently hold ISO 27001, SOC 2, or equivalent third-party security certifications. These are roadmap objectives. Customers requiring certified security posture should note the current pilot stage of the product.

Encryption in transit

All data transmitted between GreenPilot and AWS, and between GreenPilot and the customer dashboard, uses HTTPS/TLS encryption. Encryption at rest depends on the hosting provider's default encryption settings. Product-level encryption-at-rest documentation is on the roadmap.

Minimal data collection

GreenPilot collects only the data necessary to deliver the optimization service. It does not collect or store customer secrets, application credentials, database passwords, or end-user personal data from within the customer's AWS workloads.

4. Data Processing Agreement

A Data Processing Agreement (DPA) is available to customers and pilot participants before onboarding begins. The DPA governs how GreenPilot processes cloud account data and sets out the obligations of both parties under applicable data protection law. Customers are encouraged to review and sign the DPA before providing any cloud access credentials.

Read the full DPA →  |  To discuss or sign, contact: info@greenpilotai.com

5. Third-Party Services

GreenPilot uses the following third-party services in the delivery of the website and platform:

Vercel

Website hosting and content delivery. Vercel's infrastructure provides HTTPS, DDoS protection, and global CDN distribution.

Formspree

Contact and demo request form processing. Form submissions are securely transmitted to Formspree for delivery to GreenPilot.

Google Analytics 4

Optional website analytics, loaded only after explicit visitor consent via the cookie consent banner.

AWS (Customer environments)

GreenPilot reads data from customer AWS accounts using IAM roles or API credentials provided by the customer under agreed access scope.

6. Responsible Pilot Operation

GreenPilot AI is a product in active pilot development. As a pilot-stage product:

  • The product is not yet a mature enterprise platform
  • Customers are onboarded selectively and with individual attention
  • Security and governance practices are being developed alongside the product
  • Customers retain full control and are not subject to automated production changes
  • GreenPilot AI commits to transparent communication about current capabilities and limitations

7. Security Roadmap

The following security capabilities are planned for future releases:

  • Role-based access control (RBAC) for dashboard users
  • Full audit logging of all recommendations and approved actions
  • Automated rollback support for approved optimization actions
  • EU-confirmed infrastructure hosting documentation
  • Product-level encryption-at-rest documentation
  • Penetration testing and third-party security review
  • ISO 27001 or equivalent certification (long-term roadmap)

8. Reporting Security Concerns

If you believe you have identified a security vulnerability or concern relating to GreenPilot AI, please report it promptly to:

  • Email: info@greenpilotai.com
  • Subject line: Security concern — GreenPilot AI

GreenPilot AI commits to acknowledging security reports within 5 business days and to investigating all credible reports in good faith.

← Back to Home Privacy Policy →