Data Policy
Your data is important to us
As a service provider, we want to give clear information about our security practices, tools, resources, and responsibilities within Overmind, so that our customers can feel confident choosing us as a trusted provider.
Access we need
AWS: Overmind requires read-only access to your AWS accounts. This is achieved using an IAM role that uses the AWS Account trusted entity type together with an external ID, allowing Overmind to read from the required AWS APIs. The required permissions are documented here.
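The cross-account role described above, written out as an added CloudFormation example (this is not Overmind's published template). The service account ID, external ID and role name are placeholders, and the attached permissions policy is a stand-in: the actual read-only permission set is the one in the linked documentation.

```yaml
# Added example, not Overmind's own template. All names and IDs are placeholders.
AWSTemplateFormatVersion: "2010-09-09"
Description: Read-only cross-account role for an external service, gated by an external ID
Parameters:
  ServiceAccountId:
    Type: String
    Description: PLACEHOLDER - AWS account ID of the service that will assume this role
  ExternalId:
    Type: String
    NoEcho: true
    Description: PLACEHOLDER - external ID issued by the service (confused-deputy protection)
Resources:
  ServiceReadOnlyRole:
    Type: AWS::IAM::Role
    Properties:
      RoleName: service-readonly-role   # PLACEHOLDER
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            # "AWS account" trusted entity type: only principals in the service's account may assume the role
            Principal:
              AWS: !Sub "arn:aws:iam::${ServiceAccountId}:root"
            Action: sts:AssumeRole
            # The caller must also present the agreed external ID, so another customer of the same
            # service (or anyone else who learns the role ARN) cannot have the service assume it on their behalf
            Condition:
              StringEquals:
                sts:ExternalId: !Ref ExternalId
      ManagedPolicyArns:
        # Stand-in only: replace with the documented read-only permission set, which is narrower than this
        - arn:aws:iam::aws:policy/ReadOnlyAccess
```

The trust policy (who may assume the role) and the permissions policy (what the role may read) are independent; both need review. The condition on `sts:ExternalId` is what ties the role to a single tenant of the service, and a role that lacks it should be treated as a finding. After deployment the grant can be confirmed from the service side with `aws sts assume-role --role-arn <arn> --role-session-name test --external-id <id>`, and from the account owner's side by checking that the same call without `--external-id` is refused.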
Kubernetes: Overmind needs Get, List and Watch permissions for all resources in a cluster. This is configured automatically using a ClusterRole. These permissions are then granted via a ServiceAccount to the Overmind agent, which can run anywhere in the cluster.
If required, Overmind can be configured with fewer permissions on an account-by-account or cluster-by-cluster basis, but this will limit functionality.
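The Kubernetes grant described above, as an added example rather than Overmind's own manifest: a ServiceAccount, a ClusterRole limited to the three read verbs across every API group and resource, and the ClusterRoleBinding that joins them. The namespace and object names are placeholders.

```yaml
# Added example, not Overmind's own manifest. Namespace and names are placeholders.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: readonly-agent          # PLACEHOLDER
  namespace: readonly-agent     # PLACEHOLDER
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: readonly-agent
rules:
  # Read-only verbs on every resource type in every API group.
  # Write verbs (create, update, patch, delete, deletecollection) and the
  # privilege-escalation verbs (bind, escalate, impersonate) are deliberately absent.
  - apiGroups: ["*"]
    resources: ["*"]
    verbs: ["get", "list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: readonly-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: readonly-agent
subjects:
  - kind: ServiceAccount
    name: readonly-agent
    namespace: readonly-agent   # must match the ServiceAccount's namespace
```

Two points for whoever reviews this in their own cluster. First, `resources: ["*"]` with `get` and `list` includes Secrets, so a cluster-wide read-only grant still exposes secret values to the agent; this is the trade-off the text refers to when it says fewer permissions are possible at the cost of functionality, and a narrower rule set would list resources explicitly and omit `secrets`. Second, the effective permissions can be checked rather than assumed with `kubectl auth can-i --list --as=system:serviceaccount:readonly-agent:readonly-agent`, which should show only the three read verbs.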
Data
What we gather:
Overmind performs risk analysis using OpenAI’s LLM models in combination with our proprietary blast radius calculation data. To do this, when a change is created via our GitHub Action, all sensitive data is removed from the Terraform plan before it is sent securely to Overmind.
From there we:
Infrastructure Details
- Get the current metadata about the resources being changed. This is the data returned from the AWS API. For example, if you were to change an EC2 instance, the data sent would be the same as the output of the aws ec2 describe-instances command.
- Gather information about resources within the blast radius of this change. This includes resources that are related to those being changed and that might therefore be affected. The amount of data in this set depends on the resource being changed; more important resources will have a larger blast radius than less important ones.
Examples
AWS: The output of the “Get” or “Describe” API action for each supported type. For example, see the EC2 reference docs.
Kubernetes: The details of all Kubernetes objects. This is the same data that would be returned from kubectl get {object}.
Calculating risks
Overmind sends the following data to OpenAI as part of the risk analysis prompt:
- Details of the pull request:
  - Code changes
  - Title
  - Description
- Information about resources within the blast radius of this change. This includes resources that are related to those being changed and that might therefore be affected. The amount of data in this set depends on the resource being changed; more important resources will have a larger blast radius than less important ones.
What we do with it
Overmind is purely graph-based. We don’t need to scan your infrastructure and store it in a database; our data gathering is done on demand.
As per Overmind’s agreement with OpenAI, your data will not be used to train OpenAI’s models. Their security details can be found here. OpenAI’s models are SOC 2 compliant and use data encryption at rest (AES-256) and in transit (TLS 1.2+).
The obvious things we store are:
- Snapshots of your infrastructure that you create (items and their attributes), so that we can show you what changed.
- The definitions of apps that you create.
We do, however, store one thing other than the obvious:
- A cache of the last-discovered topology of your infrastructure. It includes the names and relationships of all items, but not their actual attributes.
How long we hold them:
- Topology cache: 1 week
- Snapshots of changes: until you delete them
- All other data: while you’re a customer (or design partner)
Isolation
We’re ops people at heart; we care about things being architected and run properly. To that end, Overmind employs a partial isolation model to protect against attacks. Some infrastructure is shared, but each source (the part of Overmind that can access your AWS) runs in an isolated environment (a container) with per-customer partitioning at the AWS, application and messaging layers.
Need further information?
If you require any further information regarding our data policies, please feel free to get in touch.
- Join our Discord!
- Or email us at engineering@overmind.tech