Licensing Guide¶
CertifyClouds uses a tiered licensing model with feature gating based on your subscription level.
License Tiers¶
STARTER Tier¶
Entry-level license for small teams getting started with Key Vault security.
Features Included:
- Asset Discovery scanning
- Compliance scoring
- Email and webhook alerts
- Audit logging
- Manual secret rotation (3 per month)
Limits:
- Maximum 4 Azure subscriptions
- Single user account
- 3 manual rotations per month
Best For: Small teams, initial evaluation, basic monitoring needs
PRO Tier¶
Full-featured license for teams requiring automation and multi-cloud capabilities.
Everything in STARTER, plus:
- Secret Rotation (App Registration credential rotation)
- Multi-Cloud Sync (Azure to AWS/GCP)
- Dependency Mapping (resource impact analysis)
- Full-stack rotation (credential + dependent resources)
- SSO/OIDC authentication
- B2C Tenant Registry
- Multi-user support
Limits:
- Up to 20 Azure subscriptions
- Unlimited users
Best For: Security teams, multi-cloud environments, automated credential lifecycle
ENTERPRISE Tier¶
Commercial package for larger Azure estates or customers needing custom legal, security, onboarding, or support terms.
Everything in PRO, plus:
- 21+ subscriptions or agreed subscription scope
- MSA, DPA, and signed support schedule
- Guided onboarding
- Procurement and security review support
- Dedicated escalation path
Best For: Regulated teams, larger estates, and customers with procurement or support requirements beyond the standard Pro terms
Feature Comparison¶
| Feature | STARTER | PRO | ENTERPRISE |
|---|---|---|---|
| Asset Management | |||
| Key Vault Discovery | |||
| Secret/Key/Certificate inventory | |||
| Expiration tracking | |||
| Dependency mapping | |||
| Compliance evidence (disclaimer) | |||
| Compliance dashboard + violation findings | |||
| Framework evidence mappings (HIPAA, PCI-DSS, SOC 2, ISO 27001, NIST 800-53, CIS Azure, Azure Security Benchmark) | |||
| Custom compliance rules | |||
| Auditor-grade evidence packages (CSV + PDF bundle with customer assertion) | |||
| Alerts | |||
| Email notifications | |||
| Webhook (Slack/Teams) | |||
| Digest scheduling | |||
| Automation | |||
| Secret rotation | 3/month | Unlimited | Unlimited |
| Multi-cloud sync | |||
| Full-stack rotation | |||
| SSO and users | |||
| SSO/OIDC | |||
| SAML 2.0 | Planned | Planned | |
| B2C Tenant Registry | |||
| Multiple users | |||
| Limits and terms | |||
| Subscriptions | 4 | 20 | 21+ / agreed scope |
| Users | 1 | Unlimited | Unlimited |
| Commercial terms | Standard | Standard | MSA/DPA + support schedule |
Obtaining a License¶
Request Evaluation License¶
For a 30-day PRO evaluation license:
- Email sales@certifyclouds.com
- Include:
- Organization name
- Number of Azure subscriptions
- Intended use case
- Receive your evaluation license key within 1-2 business days
Purchase Production License¶
Contact sales@certifyclouds.com with:
- Organization name
- Desired tier (STARTER, PRO, or ENTERPRISE)
- License duration (annual recommended)
- Number of subscriptions
Activating Your License¶
Environment Variable¶
Set the CERTIFYCLOUDS_LICENSE_KEY environment variable:
# In .env file
CERTIFYCLOUDS_LICENSE_KEY=CC-XXXX-XXXX-XXXX
# Or via Azure Container Apps
az containerapp update \
--name cc-uks-prd \
--resource-group rg-cc-uks-prd \
--set-env-vars CERTIFYCLOUDS_LICENSE_KEY=CC-XXXX-XXXX-XXXX
Verify License Status¶
After starting CertifyClouds, check the license status:
Via API:
Via UI: Navigate to Settings > License to view:
- Organization name
- License tier
- Expiration date
- Feature availability
License Validation¶
How Validation Works¶
- On startup, CertifyClouds validates your license against
license.certifyclouds.com - Validation confirms tier, expiration, and feature flags
- License is cached locally for offline operation
Offline Operation¶
If the license server is unreachable:
- Grace period: 7 days (configurable via
CERTIFYCLOUDS_LICENSE_GRACE_DAYS) - During grace: Full functionality continues using cached license
- After grace: Application enters degraded mode
Network Requirements¶
CertifyClouds needs outbound HTTPS access to:
license.certifyclouds.com(license validation)management.azure.com(Azure Resource Manager)*.vault.azure.net(Key Vault data plane)
License Expiration¶
Before Expiration¶
You'll receive email notifications at:
- 30 days before expiration
- 14 days before expiration
- 7 days before expiration
- 1 day before expiration
On Expiration¶
When your license expires:
- Access to the application is blocked
- All scheduled operations stop
- Existing data remains in your database
- Contact sales@certifyclouds.com to renew
Renewal¶
To renew your license:
- Contact sales@certifyclouds.com
- Receive your new license key
- Update the
CERTIFYCLOUDS_LICENSE_KEYenvironment variable - Restart the application (or it will auto-validate on next check)
Upgrading Tiers¶
From STARTER to PRO or ENTERPRISE¶
To upgrade from STARTER to PRO or Enterprise:
- Contact sales@certifyclouds.com
- Receive your new license key or Enterprise order terms
- Update the environment variable
- New subscription limits and licensed features become available immediately
No data migration required - your existing scan history, alerts, and settings are preserved.
License Security¶
What's in the License Key¶
License keys are cryptographically signed and contain your entitlements (tier, expiration, subscription limits, and enabled features). They cannot be tampered with.
What We Validate¶
During validation, we verify:
- Key authenticity
- Expiration date
- Usage limits (abuse prevention)
What We DON'T Send¶
License validation does NOT send:
- Azure resource names, IDs, or tags
- Secret values, certificate material, or any credential data
- Scan result content
- Audit log contents
- User-identifying information
What we DO send (opt-out)¶
When fleet visibility is enabled (default, toggle in Settings → Advanced → App Behaviour), the licence heartbeat carries aggregate operational counts and timestamps — e.g. how many scans you've run, how many rotations succeeded in the last 30 days, whether SSO is configured. Counts only, no names. Used to power our internal customer-success digest. Disable any time without affecting licence validation or any product feature.
Feature Gating¶
When you attempt to use a PRO feature on a STARTER license, CertifyClouds returns HTTP 403 with a LICENSE_REQUIRED error code naming the tier you need. The dashboard surfaces this as a lock icon and an upgrade prompt on the relevant page - no error toast on click. The exact response body shape lives in your deployment's /docs.
FAQ¶
Can I try PRO features before purchasing?¶
Yes! Request a 30-day evaluation license with full PRO features from sales@certifyclouds.com.
What happens if I exceed subscription limits?¶
On STARTER tier (4 subscription limit):
- Adding a 5th subscription returns an error
- Existing subscriptions continue to work
- Upgrade to PRO for up to 20 subscriptions, or Enterprise for larger estates
Can multiple installations use the same license?¶
No. License keys are tied to a single installation. For multiple environments (dev, staging, prod), contact sales for appropriate licensing.
Is the license hardware-locked?¶
No. You can move CertifyClouds between servers or containers without issues. The license is validated against our server, not tied to specific hardware.
Support¶
For licensing questions:
- Sales: sales@certifyclouds.com
- Technical Support: support@certifyclouds.com