Security
When you connect an AWS account to ParkMyAWS, you're trusting us with access to your infrastructure. We take that seriously. This page explains exactly how we access your account, what we can and can't do, and how your data is protected.
How We Access Your AWS Account
ParkMyAWS connects to your AWS account using a cross-account IAM role — the same mechanism AWS recommends for third-party access. We never ask for or store your AWS access keys.
When we need to discover or schedule your resources, we call AWS STS AssumeRole to obtain short-lived, temporary credentials that expire automatically. The IAM role lives in your AWS account, so you have full control and can revoke access at any time.
Our IAM policy is scoped to the minimum permissions required: read-only discovery of EC2 and RDS resources, plus the ability to start and stop them on schedule. No access to your data, networking, IAM, or any other AWS service.
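The following CloudFormation template is an added illustration of the mechanism described above; it is not ParkMyAWS's published template or policy (the linked IAM policy breakdown is the authoritative one). It creates a role in the customer's account that a scheduling service can assume, with a trust policy restricted to the service's account and a permission policy limited to EC2/RDS discovery and start/stop. The account ID, external ID and role name are placeholders, and the `sts:ExternalId` condition is an assumption added as the standard AWS guard against confused-deputy requests.

```yaml
# Added example: customer-side CloudFormation template that creates a
# cross-account role for a scheduling service. Not ParkMyAWS's own template;
# the service account ID, external ID and role name are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Cross-account role granting scoped EC2/RDS discovery and start/stop (example)

Parameters:
  ServiceAccountId:
    Type: String
    Default: "111122223333"   # placeholder: the service provider's AWS account ID
  ExternalId:
    Type: String
    NoEcho: true              # placeholder: per-customer value issued by the service

Resources:
  SchedulerRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: ExampleSchedulerRole
      # Trust policy: only the service account may assume this role, and only
      # when it presents the agreed ExternalId, so a request relayed on behalf
      # of another tenant of the same service is refused.
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Principal:
              AWS: !Sub "arn:aws:iam::${ServiceAccountId}:root"
            Action: sts:AssumeRole
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      Policies:
        - PolicyName: ScopedScheduling
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              # Read-only discovery of EC2 and RDS resources (Describe/List
              # actions do not support resource-level restriction, hence "*").
              - Sid: Discover
                Effect: Allow
                Action:
                  - ec2:DescribeInstances
                  - ec2:DescribeTags
                  - rds:DescribeDBInstances
                  - rds:ListTagsForResource
                Resource: "*"
              # Start and stop only: no data-plane, networking or IAM actions.
              - Sid: Schedule
                Effect: Allow
                Action:
                  - ec2:StartInstances
                  - ec2:StopInstances
                  - rds:StartDBInstance
                  - rds:StopDBInstance
                Resource: "*"

Outputs:
  RoleArn:
    Description: ARN the customer gives the service so it can call sts:AssumeRole
    Value: !GetAtt SchedulerRole.Arn
```

Two points a reviewer of such a role would check: the `Schedule` statement can be tightened further with an `aws:ResourceTag` condition so only tagged instances can be started or stopped, and every use of the role appears in CloudTrail as an `AssumeRole` event from the service account, which is the record to alert on if credentials are used outside the expected schedule windows. Deleting the stack (or the role) revokes the service's access immediately, which is the "you can revoke access at any time" property the page describes.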
View the full IAM policy breakdown
Infrastructure & Data Security
- Encryption in transit — All connections use TLS 1.2 or higher. Traffic between our servers and AWS uses HTTPS exclusively.
- Encryption at rest — All stored data is encrypted at rest using AES-256.
- No credential storage — We never store AWS access keys or secrets. We use temporary STS credentials that expire after each session.
- Minimal data retention — We store only the resource metadata needed to run your schedules (instance IDs, types, tags, and states). We do not store application data from your AWS resources.
- Secure payments — Billing is handled entirely by Paddle. We never see or store your credit card details.
Backups & Recovery
We back up your data every day and store those backups separately from the servers that run the Service, so they survive the loss of any single machine.
- Daily automated backups — Your database is backed up automatically every day. No manual step is required.
- Encrypted and off-site — Backups are encrypted at rest and stored in Amazon S3, separate from the application server.
- 30-day retention — We keep a rolling 30 days of backups.
- Monitored — Automated alerts notify us if a backup fails or is missed.
Sub-processors
We rely on a small number of trusted third parties to operate ParkMyAWS. Each one processes only the data needed for its function. We do not sell your data or share it with third parties for advertising.
- Amazon Web Services (EU — Ireland) — Hosting, database, and transactional email (Amazon SES), all within the eu-west-1 region. Your application and account data are stored here.
- Paddle — Our Merchant of Record for payments. Processes your name, billing address, and payment details. We never see or store your card number.
- GitHub — Optional OAuth sign-in. Processes your GitHub email address and profile only when you choose to sign in with GitHub.
- Sentry — Error monitoring. May process diagnostic data when something goes wrong. We scrub known personal data from error reports before they are sent.
Account Security
- Password confirmation — Destructive actions like removing an AWS account require re-entering your password.
- OAuth login — Sign in securely with GitHub instead of managing another password.
- Session management — View and revoke active sessions from your account settings.
Vulnerability Disclosure
If you discover a security vulnerability, we'd appreciate your help in disclosing it to us responsibly. Please email us at security@parkmyaws.com with details of the issue. We'll acknowledge receipt within 48 hours and work to address it promptly.
Please do not publicly disclose the issue until we've had a chance to investigate and release a fix.
Questions?
If you have questions about our security practices or need information for a vendor assessment, reach out at hello@parkmyaws.com. You can also review our Privacy Policy and IAM Policy documentation.