Data Processing Agreement

    Last updated: July 5, 2026

    A signed DPA is available for Enterprise and Big Migration customers. This page summarizes what it covers; the executable agreement is countersigned on request.

    In it, Refactyl is the Processor and you are the Controller. It governs how we process any personal data contained in the source code you migrate, under GDPR, UK GDPR, and CCPA/CPRA.

    What the DPA commits us to

    • Process only on your instructions: solely to perform the migration you requested, never for our own purposes.
    • Delete on handoff: your source code and all intermediate artifacts (clone, upload, Docker workspace, prompt context) are deleted immediately on delivery, with a short backstop sweep and a per-deletion audit log. Deletion is certified on request.
    • Never train on your code: your source and its personal data are never used to train, fine-tune, or evaluate any model, ours or a sub-processor's. We hold our LLM provider to the same commitment contractually.
    • Security measures: AES-256-GCM at rest, TLS 1.2+ in transit, isolated ephemeral Docker sandbox per migration, least-privilege access with logging.
    • Sub-processor control: a published sub-processor list, at least 14 days' notice before adding or replacing one, and a right to object.
    • 72-hour breach notice: we notify you without undue delay and within 72 hours of becoming aware of a personal-data breach affecting your data.
    • International transfers: Standard Contractual Clauses (and the UK addendum where applicable) for personal data leaving the EEA/UK.
    • Audit: we make available the information needed to demonstrate compliance, satisfiable by our third-party audit report (SOC 2 Type II, once available; see our security page for the roadmap).

    Data we process

    Only what your repository contains: potentially developer names/emails embedded in code, commit metadata, configuration files, and environment-variable names, never secret values, which we don't request. Processing lasts for the migration job and no longer.

    Self-hosted deployments

    If you run Refactyl in your own cloud (single-tenant Docker/Helm), your code never reaches our infrastructure at all, so the transfer and sub-processor terms largely fall away. The DPA still covers our software and support relationship.

    Request the signed DPA

    We'll countersign our standard DPA, or review yours. Reviewing security for a purchase? We can share the sub-processor list and answer a questionnaire.

    Request a signed DPA → or email security@refactyl.com.

    This summary is provided for convenience and is not itself a contract or legal advice; the signed DPA governs.