Policies & Security
How we handle your data, the rules that govern our service, and the technical controls that protect your information.
Privacy Policy
Short version: We collect only what we need to run the service. We never sell your data. Your cloud credentials are encrypted and used solely to fetch cost data on your behalf.
1. Who we are
SkyNimbus ("we", "us", "our") operates the cloud cost intelligence platform at skynimbus.net. This policy explains how we handle personal information in compliance with Japan's Act on the Protection of Personal Information (APPI, 個人情報保護法), as amended and effective April 1, 2022. For privacy enquiries, contact privacy@skynimbus.net.
2. Purpose of use
Under APPI Article 17, we are required to specify the purposes for which personal information is used. We collect and use personal information for the following purposes only:
- Providing, operating, and improving the SkyNimbus platform and its features.
- Authenticating user identity and securing accounts.
- Fetching cloud cost and usage data from providers you explicitly authorise.
- Sending transactional communications (account setup, billing, security alerts).
- Responding to support enquiries and resolving technical issues.
- Complying with applicable laws and regulations.
We will not use personal information beyond these stated purposes without obtaining prior consent.
3. Information we collect
- Account information: name, work email address, company name, and a hashed password on registration.
- Billing information: payment details processed by Stripe. We never store raw card numbers.
- Cloud provider credentials: read-only API keys or IAM role ARNs you supply. These are encrypted at rest (AES-256) and never shared with third parties.
- Cloud cost and usage data: spend records, service names, regions, and resource tags retrieved from your connected accounts on your instruction.
- Usage data: pages visited, features used, session timestamps, and browser type, used to diagnose issues and improve the product.
- Communications: messages sent via the contact form or email, retained for support purposes.
4. Third-party provision and sub-processors
We do not sell, rent, or trade personal information. Under APPI Article 27, we disclose that the following sub-processors receive personal information as required to operate the service:
| Sub-processor | Purpose | Country |
|---|---|---|
| Hetzner Online | Application hosting and database | Germany (EU; adequacy recognised by Japan PPC) |
| Stripe | Payment processing | United States (contractual safeguards) |
| Resend | Transactional email delivery | United States (contractual safeguards) |
| AWS / Azure / GCP | Cost data retrieval on your instruction (read-only) | Varies per your connected account |
5. Cross-border transfer
Where personal information is transferred outside Japan, we ensure appropriate safeguards are in place consistent with APPI Chapter IV. The EU has received a Japan PPC adequacy finding. For transfers to the United States, we rely on contractual protections with each sub-processor. You may request details of these safeguards by contacting privacy@skynimbus.net.
6. Data retention
Account data is retained for the duration of your subscription and for up to 90 days after account deletion, after which it is permanently purged. Cloud cost records are retained per your plan's history limit (30 days on Solo, up to 24 months on Business). Audit logs are retained for 12 months.
7. Your rights under APPI
As a data subject under APPI, you have the right to request disclosure, correction, addition, deletion, suspension of use, and erasure of your personal information held by us, as well as the right to file a complaint. To exercise any of these rights, contact privacy@skynimbus.net. We will respond within a reasonable period and no later than 30 days.
8. Security management measures
We implement the technical and organisational security controls described in our Security Approach section below, in fulfilment of our APPI security management obligations (安全管理措置).
9. Cookies
The marketing site uses no third-party tracking cookies. The application sets a session cookie required for authentication. No advertising or analytics cookies are placed without consent.
10. Changes to this policy
Material changes will be notified to account owners by email at least 14 days before they take effect. Continued use after the effective date constitutes acceptance.
11. Contact and complaints
Privacy enquiries: privacy@skynimbus.net. If you are unsatisfied with our response, you may contact the Personal Information Protection Commission of Japan (PPC) at ppc.go.jp.
Terms & Conditions
1. Acceptance
By creating an account or using any part of the SkyNimbus platform you agree to be bound by these Terms and our Privacy Policy. If you are accepting on behalf of a company or organisation, you represent that you have authority to bind that entity.
2. Account registration
- You must provide accurate registration information and keep it current.
- You are responsible for maintaining the security of your credentials and for all activity under your account.
- Accounts may not be shared with individuals outside your organisation's tenant.
- You must be at least 18 years of age to use the service.
3. Permitted use
SkyNimbus grants you a limited, non-exclusive, non-transferable licence to access and use the platform for your internal business purposes. You may not:
- Reverse-engineer, decompile, or attempt to extract source code from the platform.
- Use the service to store or transmit malicious code or interfere with other users.
- Resell, sublicense, or commercialise access to SkyNimbus without written consent.
- Circumvent any rate limits, access controls, or security features.
- Use automated tools to scrape or extract data beyond what the API permits under your plan.
4. Plans, billing and payment
- Paid plans are billed monthly or annually in advance. Prices are displayed on the pricing page and exclude applicable consumption tax (消費税) where applicable.
- Annual plans are non-refundable except as required by law. Monthly plans may be cancelled at any time; access continues to the end of the paid period.
- Failure to pay may result in service suspension after a 7-day grace period following the due date.
- We may change pricing with 30 days' notice. Continued use after notice constitutes acceptance of the new pricing.
5. Free trial
New accounts receive a 14-day free trial on the Team plan. No credit card is required to start. At the end of the trial you may choose a paid plan or your account will revert to read-only access. Trial data is retained for 30 days after trial expiry.
6. Your data
You retain full ownership of all data you bring into SkyNimbus. You grant us a limited licence to process that data solely to provide the service. On account termination, you may export your data within 30 days using the built-in export tools, after which data is permanently deleted.
7. Intellectual property
SkyNimbus, its logo, platform, and all associated software are protected by intellectual property rights. Nothing in these terms transfers any ownership to you.
8. Availability and service levels
We target 99.9% monthly uptime for the API and dashboard, excluding scheduled maintenance. Business and Enterprise customers receive SLA commitments in their order forms. We are not liable for downtime caused by third-party cloud providers or infrastructure outside our direct control.
9. Disclaimer and limitation of liability
The service is provided on an "as is" basis. To the maximum extent permitted by Japanese law, SkyNimbus shall not be liable for indirect, incidental, special, or consequential damages. Our aggregate liability for direct damages shall not exceed the fees paid by you in the 12 months preceding the claim. Nothing herein excludes liability for wilful misconduct or gross negligence under the Japanese Civil Code (民法).
10. Termination
Either party may terminate at any time. We may suspend or terminate your account immediately for material breach of these terms, non-payment, or as required by law. Upon termination your licence to use the service ends immediately.
11. Governing law and jurisdiction
These terms are governed by the laws of Japan. Any disputes arising out of or relating to these terms shall be subject to the exclusive jurisdiction of the Tokyo District Court (東京地方裁判所) as the court of first instance, unless mandatory consumer protection laws in your jurisdiction provide otherwise.
12. Language
These terms are provided in English. In the event of any discrepancy between an English version and any translated version, the English version shall prevail.
13. Contact
Legal enquiries: legal@skynimbus.net or via the contact form.
Security Approach
Security is core to SkyNimbus. We handle read-only access to your cloud accounts, so we treat credential security with the same rigour as your cloud provider does.
Encryption
All data stored in the SkyNimbus database is encrypted at rest using AES-256. All data in transit between your browser and our servers, and between our servers and cloud provider APIs, is encrypted using TLS 1.2 or higher. HTTPS is enforced across all endpoints.
Cloud credential security
Cloud provider credentials (API keys, IAM role ARNs) are encrypted at the application layer before being written to the database, using a key stored separately from the data. We request only the minimum permissions required to retrieve cost and usage data; no write, delete, or infrastructure-modification permissions are ever requested. We recommend dedicated read-only IAM roles following the principle of least privilege.
Authentication and access control
- Passwords are hashed using bcrypt (work factor 12) before storage. Plain-text passwords are never stored or logged.
- Short-lived JWT access tokens (15-minute expiry) combined with rotating refresh tokens (7-day expiry) limit exposure if a token is compromised.
- Role-based access control (RBAC) is enforced at the API level across Owner, Admin, FinOps, Engineer, and Viewer roles.
- All sensitive actions are recorded in an immutable audit log retained for 12 months.
Tenant isolation
Each customer organisation (tenant) is isolated at the database row level. Every query is scoped to a tenant ID derived from your authenticated session; it is architecturally impossible for one tenant to access another's data. Parameterised queries are used throughout to prevent SQL injection.
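As an added illustration of the tenant-scoping pattern described above (example code written for this page, not SkyNimbus's own; the schema, the Session object and the sample rows are constructed), every query takes its tenant ID from the authenticated session and binds any user-controlled filter as a parameter rather than splicing it into the SQL:

```python
import sqlite3
from dataclasses import dataclass

# Constructed sample schema and rows for two tenants (not SkyNimbus data).
SCHEMA = """
CREATE TABLE cost_records (
    id INTEGER PRIMARY KEY,
    tenant_id TEXT NOT NULL,
    service TEXT NOT NULL,
    spend_usd REAL NOT NULL
);
CREATE INDEX idx_cost_tenant ON cost_records (tenant_id);
"""
SAMPLE_ROWS = [
    ("tenant-a", "ec2", 120.5),
    ("tenant-a", "s3", 15.25),
    ("tenant-b", "ec2", 990.0),
]

@dataclass(frozen=True)
class Session:
    """What the auth layer hands to the data layer: the tenant comes from
    the verified session, never from a request parameter."""
    user_id: str
    tenant_id: str

class CostRepository:
    """Every read is scoped to the session's tenant. User-supplied filters
    are bound as parameters, so they are treated as data, not SQL."""

    def __init__(self, conn, session):
        self._conn = conn
        self._tenant_id = session.tenant_id  # callers cannot override this

    def spend_by_service(self, service_filter=None):
        sql = "SELECT service, SUM(spend_usd) FROM cost_records WHERE tenant_id = ?"
        params = [self._tenant_id]
        if service_filter is not None:
            sql += " AND service = ?"  # placeholder, never string formatting
            params.append(service_filter)
        sql += " GROUP BY service ORDER BY service"
        return self._conn.execute(sql, params).fetchall()

def build_demo_db():
    # In-memory SQLite database loaded with the constructed sample rows.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO cost_records (tenant_id, service, spend_usd) VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn
```

A filter value containing quote characters simply matches no service name, and a session for one tenant never sees rows belonging to the other.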
Infrastructure security
- All public API endpoints are rate-limited (500 requests per 15 minutes globally; 50 per 15 minutes on authentication routes).
- The database port is not exposed to the public internet. Connections use TLS with strict timeout controls.
- Dependency updates are reviewed regularly; high-severity CVEs are patched within 72 hours of disclosure.
- Server access is restricted to named engineers via SSH key authentication. Password-based SSH is disabled.
APPI security management measures (安全管理措置)
In fulfilment of our obligations under APPI, we implement the following categories of security management measures:
- Organisational measures: defined internal policies, designated privacy responsibilities, and regular staff awareness.
- Personnel measures: confidentiality obligations for all personnel with access to personal information.
- Physical measures: access controls on infrastructure environments; devices with access to personal data are secured.
- Technical measures: encryption at rest and in transit, access control systems, intrusion detection, and vulnerability management as described above.
Incident response and breach notification
In the event of a confirmed security incident affecting personal information, we will notify the Personal Information Protection Commission (PPC) and affected account owners within the timeframe required by APPI (as a general guide, promptly and without undue delay). Notifications will include the nature of the incident, categories of data affected, and remediation steps taken.
Support hours (JST)
Our security and support team is available Monday to Friday, 09:00–18:00 JST. Enterprise customers have access to emergency support outside these hours per their SLA.
Responsible disclosure
If you discover a security vulnerability in SkyNimbus, please report it to security@skynimbus.net. Please do not publicly disclose the issue until we have had a reasonable opportunity to address it. We will acknowledge reports within 2 business days (JST) and keep you updated on progress.