Quick answers to the security questions we hear most during onboarding. For a detailed breakdown of what Parsivex reads from AWS, see What data can Parsivex see?.
Can Parsivex see my application data or secrets?
No. The IAM policy does not grant access to S3 object contents, Secrets Manager, SSM Parameter Store, or any service that stores application data. We see resource metadata and metrics — for example, that an S3 bucket exists and how large it is — but not the files inside it.
Can Parsivex make changes to my infrastructure?
No. All actions in the policy are read-only (Describe*, Get*, List*). There are no write permissions. Parsivex cannot create, modify, or delete any AWS resource. Remediation scripts are generated for you to review and run locally — Parsivex never executes them on your behalf.
How do I revoke access?
Delete the IAM role from your AWS console. Access is revoked immediately and permanently until you create a new role. See Revoking Parsivex access for step-by-step instructions and what happens to your data.
Is my billing data stored?
We store scan results — aggregated cost data and findings — to generate your report and track savings over time. We do not store raw billing line items beyond what is needed for report delivery. Revoking AWS access stops new data collection but does not delete existing scan history.
What is an External ID?
The External ID is a secret token unique to your Parsivex account. It is required in your IAM role trust policy to prevent confused-deputy attacks — a scenario where a third party tricks Parsivex into accessing the wrong AWS account. Even if someone knows the Parsivex AWS account ID, they cannot assume your role without your External ID.
Do you store my AWS credentials?
No. Parsivex stores only the Role ARN and External ID for each connection. When we need to access your account, we call AWS AssumeRole to obtain temporary credentials that expire after one hour. We never have or store long-term credentials for your AWS account.
Data retention
| Data type | Retained while connected | After revoking AWS access | After account deletion |
|---|---|---|---|
| Scan results and findings | Yes | Yes, until you delete your account | Permanently deleted |
| Report PDFs | Yes | Yes, until you delete your account | Permanently deleted |
| AWS connection (Role ARN, External ID) | Yes | Removed if you delete the connection in Integrations | Permanently deleted |
| Chat conversations (paid plans) | Yes | Yes, until you delete your account | Permanently deleted |
Scheduled scans stop immediately when AWS access is revoked. No new data is collected after the IAM role is deleted.
Where is data stored?
Parsivex stores your data in secure, managed cloud infrastructure. Scan results, findings, account settings, and generated PDF reports are encrypted in transit (TLS) and at rest. We do not sell your data or replicate your AWS resource information to third-party analytics or advertising platforms.
Account deletion
Deleting your Parsivex account permanently removes:
- All workspaces, scans, reports, and findings in accounts you solely own
- AWS connection records (Role ARN and External ID)
- Chat conversations and messages
- Your user profile and login credentials
If you are the only member of a team account, the entire account and its data are deleted. If you share an account with other members, you are removed as a member but the team's data is preserved.
Active Stripe subscriptions are cancelled immediately with no refund.
Account deletion does not remove IAM roles from your AWS account. After deleting your Parsivex account, go to IAM → Roles in the AWS console and delete the Parsivex role to fully revoke access.
To delete your account, go to Danger zone (/settings/danger) → Delete account.
Where is the IAM policy?
The current IAM policy JSON is always available on our Security & Trust page. Use that page when setting up or updating your role — it is the authoritative copy and stays in sync with the policy shown during onboarding.
Still have questions?
Email us at hello@parsivex.com — we are happy to walk through the access model on a call.