What the DPA commits us to
- Process only on your instructions: solely to perform the migration you requested, never for our own purposes.
- Delete on handoff: your source code and all intermediate artifacts (clone, upload, Docker workspace, prompt context) are deleted immediately on delivery, with a short backstop sweep and a per-deletion audit log. Deletion is certified on request.
- Never train on your code: your source and its personal data are never used to train, fine-tune, or evaluate any model, ours or a sub-processor's. We hold our LLM provider to the same commitment contractually.
- Security measures: AES-256-GCM at rest, TLS 1.2+ in transit, isolated ephemeral Docker sandbox per migration, least-privilege access with logging.
- Sub-processor control: a published sub-processor list, at least 14 days' notice before adding or replacing one, and a right to object.
- 72-hour breach notice: we notify you without undue delay and within 72 hours of becoming aware of a personal-data breach affecting your data.
- International transfers: Standard Contractual Clauses (and the UK addendum where applicable) for personal data leaving the EEA/UK.
- Audit: we make available the information needed to demonstrate compliance, satisfiable by our third-party audit report (SOC 2 Type II, once available; see our security page for the roadmap).
Data we process
Only what your repository contains: potentially developer names/emails embedded in code, commit metadata, configuration files, and environment-variable names, never secret values, which we don't request. Processing lasts for the migration job and no longer.
Self-hosted deployments
If you run Refactyl in your own cloud (single-tenant Docker/Helm), your code never reaches our infrastructure at all, so the transfer and sub-processor terms largely fall away. The DPA still covers our software and support relationship.
Request the signed DPA
We'll countersign our standard DPA, or review yours. Reviewing security for a purchase? We can share the sub-processor list and answer a questionnaire.
Request a signed DPA → or email security@refactyl.com.
This summary is provided for convenience and is not itself a contract or legal advice; the signed DPA governs.