InfraCanvas Docs

Security & data handling

What the InfraCanvas agent reads, what leaves your machine, and what we never store.

InfraCanvas is infrastructure tooling, so this is the most important page. Here's exactly how data flows.

The agent connects outbound only

The agent opens a single outbound WebSocket (WSS) to InfraCanvas. It never listens on an inbound port, so you don't open firewall holes or expose your machine to the internet.

What the agent reads

Within its scope, the agent reads infrastructure metadata: hosts, containers, images, Kubernetes objects, and resource metrics. It reads this locally using the same interfaces you already have — the Docker socket and your kubeconfig.

What we never store

  • Secret values. Environment variables are reported as names only — the values are redacted at the source, on your machine, before anything is sent. Kubernetes Secret contents are never transmitted.
  • Credentials. Your kubeconfig, Docker credentials, and cloud keys never leave the machine.

Terminals and actions

Terminal sessions and actions are initiated from the dashboard and executed by the agent on your machine. Every action is recorded in the Audit Log with the acting user's email, the target, and a timestamp.

Isolation

All data is scoped per organization. Metrics, topology, and audit records are keyed by organization — one account can never read another's data, even when the same physical machine is connected to multiple accounts.

Revoking access

  • Disconnect one account: rotate or delete that account's API key under Settings → API Keys.
  • Disconnect a machine entirely: uninstall the agent.

Plans & limits

InfraCanvas plans compared — machines, team seats, retention, and which features come with each tier.

Troubleshooting

Common issues connecting machines and reading topology, and how to fix them.

On this page

The agent connects outbound onlyWhat the agent readsWhat we never storeTerminals and actionsIsolationRevoking access