To enable cloud scanning, Firefly asks for a Read-Only permission set, which allows the scanning for the configuration of cloud resources, and not their data. For example, Firefly will know about the existence of a storage bucket, but can’t read or know about the objects inside it.
To discover IaC state files (and specifically Terraform’s .tfstate files), Firefly asks for Read-Only permissions [S3:GetObject] to AWS S3 Buckets which hold “.tfstate” files.
Firefly doesn't collect any personal data, PII or any data on it's customers' customers (e.g Company's customers). Firefly has Data Protection Policy that is available in Firefly's security portal as part of SOC2 Type2 compliance, The policy reviewed and updated on an annual basis by the CTO.