Last updated: July 2026
The savings check runs on one principle: we read, we don’t touch. This page sets out exactly what access we ask for, how documents you share are protected, and the lines we never cross.
View-only, from the first minute
The free savings check needs view-only access — enough to see where the money goes, and nothing more:
- Cost Management — billing and usage data.
- Azure Advisor — the recommendations Azure itself already generates.
- Resource metadata — SKUs, sizes, tags, and utilization signals.
We do not access application data, databases, secrets, or workload contents. There is no write access at any point during the savings check — nothing in your environment changes.
Azure Lighthouse for enterprise
For enterprise environments, access is delegated through Azure Lighthouse with view-only roles: scoped to the subscriptions you approve, visible in your own portal at all times, and revocable by you in one action. No accounts handed over, no credentials shared.
Changes come later — and only through your gates
If you proceed after the savings check, changes are made only through customer-approved gates: each change is proposed in writing, green-lit by you, then staged, tested, and reversible. You approve the what and the when — nothing ships without it.
Document uploads
If you prefer to share cost exports directly instead of granting access, the upload works like this:
- NDA-gated — the secure upload opens only after you accept the mutual confidentiality terms.
- Outside the public web root — files are never reachable by URL.
- Access-logged — every read of your files is recorded.
- Encrypted at rest — stored on encrypted disks, hosted in the EU.
- Deleted on request — and in any case when the engagement ends.
People
The work is done by certified Azure specialists under least-privilege access: only the people working on your engagement can see your data, and only at the level their task requires.
What we never do
- No agents or software installed in your environment — the savings check works from what Azure already exposes to a reader.
- No data exfiltration — we work from cost and configuration metadata; nothing leaves your tenant except what you explicitly choose to share with us.
- No production changes without written approval — ever.
Want the security detail in writing before you start? Email contact@valor-co.com — reply within one business day · Mon–Fri 08:00–17:00 CET.