Frequently Asked Questions
Everything you need to know about Shieldly.
Your raw policy text is never stored or logged. We record only service-usage metadata (timestamp, character count, units consumed) and the AI-generated score and risk level — not the policy content itself. This data powers your History and Usage panels. You can disable history recording in Settings → Privacy. This is a core product commitment.
The SHA-256 hash reveals nothing about your policy. A hash is like a fingerprint: it confirms identity without revealing the person. Even with unlimited computing power, it is computationally infeasible to reverse a SHA-256 hash back to the original input. The stored hash is useless to anyone who does not already know the exact input — and if they already know the input, they have nothing to gain from our cache. Your policies remain private.
Yes, and it is always opt-in. When you click "Share", we store only the AI-generated findings (risk scores, severity ratings, recommendations) — never your original policy text. Shared links expire automatically after 30 days. You can disable link sharing entirely in Settings → Privacy, and you can delete any shared link immediately from the History panel. Nothing is ever shared without you explicitly initiating it.
We record service-usage metadata and basic AI results: a timestamp, your input's character count (not the content), AI units consumed, your plan tier, and the AI-generated security score and risk level. This powers your History panel, Usage dashboard, and daily cap enforcement. Your raw policy text and detailed AI findings (individual finding descriptions, remediation steps) are never stored.
Yes. In Settings → Privacy you can disable history tracking — no usage records will be stored from that point forward. You can request full account deletion from your Profile page; we will purge all records tied to your user ID within 30 days. For privacy questions, email support@shieldly.io.
No. All payments are handled by Polar, our merchant of record, which processes cards through PCI DSS Level 1 certified infrastructure. We never see, receive, or store your card number, billing address, or any payment credentials. Our billing system only receives a webhook signal from Polar confirming your subscription status and plan tier. For billing issues or subscription questions, email billing@shieldly.io.
No. Shieldly analyzes only the policy text you paste or upload. It never connects to your AWS account unless you explicitly use the AWS Connect feature, which uses read-only IAM roles you create with a specific ExternalId. We never write to, modify, delete, or provision any AWS resource.
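Before handing a cross-account role to any third-party scanner, you can check the two properties this answer relies on: the trust policy requires an ExternalId, and the permissions are read-only. The following is an added example, not Shieldly's code; the account ID, ExternalId value, sample policies and function names are constructed placeholders, and the read-only test is a name-prefix heuristic.

```python
# Added example. Account ID, ExternalId and all policies here are constructed.
READ_PREFIXES = ("get", "list", "describe")  # heuristic for read-only API names

def _as_list(value):
    """IAM accepts either a single value or a list in most fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def trust_policy_problems(trust_doc):
    """Return findings for Allow statements that permit AssumeRole unsafely."""
    problems = []
    for i, stmt in enumerate(_as_list(trust_doc.get("Statement"))):
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if stmt.get("Effect") != "Allow" or not {"sts:assumerole", "sts:*", "*"} & actions:
            continue
        equals = stmt.get("Condition", {}).get("StringEquals", {})
        ids = [v for k, val in equals.items() if k.lower() == "sts:externalid"
               for v in _as_list(val)]
        if not ids or not all(ids):
            problems.append(f"statement {i}: no sts:ExternalId condition")
        principal = stmt.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        if "*" in _as_list(aws):
            problems.append(f"statement {i}: wildcard principal")
    return problems

def write_capable_actions(permission_doc):
    """Return allowed actions whose API name is not Get*/List*/Describe*."""
    flagged = []
    for stmt in _as_list(permission_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            flagged.append("NotAction")  # allows everything except a list
        for action in _as_list(stmt.get("Action")):
            if not action.split(":", 1)[-1].lower().startswith(READ_PREFIXES):
                flagged.append(action)
    return flagged

TRUST_OK = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole",
    "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
    "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}}}]}
# Same statement with the ExternalId condition removed (the weak variant).
TRUST_WEAK = {"Version": "2012-10-17", "Statement": [
    {k: v for k, v in TRUST_OK["Statement"][0].items() if k != "Condition"}]}
PERMISSIONS = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["iam:GetPolicy", "iam:List*", "iam:PutRolePolicy"]}]}
```

A prefix match treats every Get* call as harmless, so review any flagged-clean policy for reads that return sensitive data before relying on the result.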
A unit is AI token usage — 1 unit equals 1,000 tokens (input and output combined). Billing is based on actual tokens consumed after your analysis completes, rounded up to the nearest unit. A simple IAM policy typically uses 1–3 units; a large CloudFormation template or compliance audit can use 6–10+ units. A pre-analysis estimate is shown before you submit so there are no surprises.
No. Units scale with how much the AI actually reads and writes. Standard AI analyses (Free plan) use approximately 1–3 units. Advanced AI (Builder/Pro) uses 3–5 units. Enterprise AI (Team) uses 6–10+ units because it produces richer output: full remediation policies, compliance mappings, and affected statement blocks. The exact cost is shown after each analysis.
Pay-As-You-Go (PAYG) lets paid users continue past their daily unit cap at $0.09/unit, billed on actual token usage. Available on Builder, Pro, Team, and Enterprise plans — not available on the free plan or demo. Toggle it in Settings and set a hard cap to prevent unexpected charges.
Free ($0): 20 units/day, Standard AI, IAM and all policy types. Builder ($19): 150 units/day, Advanced AI, history, API keys, PAYG. Pro ($49, Most Popular): 300 units/day, Advanced AI, Cost Advisor, compliance panel, priority support. Team ($99, Best Value): 600 units/day, Enterprise AI, AWS Account Connect, REST API, webhooks, dedicated support.
No — they all draw from the same daily unit pool for your plan. Run an analysis on the web, via API key, in your IDE, or in a CI pipeline and they all count against one shared balance. This is intentional: your plan gives you a daily unit budget that works everywhere.
On Builder plans and above: if PAYG is enabled, your next analysis continues at $0.09/unit (billed on actual token usage). If PAYG is disabled, you can enable it in Settings or upgrade. Free plan users cannot enable PAYG — upgrade to Builder to unlock it. Demo users get 5 free analyses; sign up to get a daily unit cap.
The demo gives you 5 free IAM analyses — no signup required. Demo usage is counted in analyses, not units, so there is no token math to think about. Sign up for a free account to get 20 units/day (Standard AI) — that is roughly 7–20 analyses/day depending on policy complexity. Paid plans add Advanced or Enterprise AI, higher unit caps, API keys, history, and PAYG.
Each plan tier uses an increasingly capable AI model for analysis. Standard AI (Free/Demo) is fast and great for basic IAM checks. Advanced AI (Builder/Pro) adds multi-statement context awareness for complex policies. Enterprise AI (Team) delivers the deepest analysis with the most comprehensive remediation guidance. Model names are intentionally not disclosed.
Yes. Builder plans and above include API keys. Send IAM policies or CloudFormation templates to our REST API and receive structured JSON findings. A GitHub Action and VS Code extension are also available. See the API & Integrations tab for examples.
No. API key generation requires a Builder plan or above. This ensures the API is available to developers who need it for CI/CD without overloading the free tier. You can upgrade on the Pricing page.
Yes. Each policy analyzed by Auto-Scan uses AI units from the team plan owner's shared daily pool — exactly the same as running a manual analysis. Only new or changed policies are re-analyzed on each run; unchanged policies are skipped automatically, so you are never charged twice for the same policy. Auto-Scan results appear in Policy Browser so all team members can see scores without running separate analyses.
Yes. Each schedule has a configurable policies-per-scan limit (5 to 50, default 10). You can update it when creating a schedule or editing an existing one. If the team plan owner hits their daily unit cap mid-run, the current scan stops gracefully and resumes on the next scheduled run.
Yes. You can enable or pause individual schedules at any time from the Auto-Mode tab. Pausing a schedule stops future scans and preserves existing results. You can also delete a schedule entirely. No units are consumed while a schedule is paused.
Both JSON and YAML CloudFormation templates are supported. Upload a file and Shieldly extracts the matching resource types (IAM roles, S3 bucket policies, Lambda permissions, SQS queues, KMS keys, SNS topics) based on the analysis type you select.
Shieldly supports: IAM identity policies (roles, users, groups), trust policies, resource-based policies (S3, Lambda, SQS, KMS, SNS), cross-account role configurations, and CloudFormation templates containing any of these policy types.
Analysis quality scales with your plan tier. Standard AI reliably catches common misconfigurations and overly permissive actions. Advanced AI provides deeper multi-statement analysis and privilege escalation detection. Enterprise AI offers the most comprehensive coverage with detailed remediation steps. Results should complement, not replace, a human security review.
No. Shieldly is an independent security tool built to analyze AWS IAM policies. We use "AWS" descriptively to indicate which service we integrate with — this is standard fair use.
Install the Shieldly extension from the VS Code Marketplace, then enter your API key (from the API Keys tab). Right-click any IAM policy or CloudFormation file to run analysis directly in your editor. The extension requires a Builder plan or above.
Email support@shieldly.io for all plan questions, technical issues, and privacy or data deletion requests. Team plan members receive priority response. We aim to respond within one business day.