Your code runs in a sandbox.
Then it's gone.
It runs in an isolated Docker sandbox, never trains a model, and is purged the moment you have your result. Here's the full data flow, every sub-processor, and the encryption behind it.
How your code moves through the system
Upload or clone
HTTPS only. Accepted hosts: GitHub, GitLab, Bitbucket. Private-IP ranges, cloud metadata endpoints, and non-git URLs are rejected before any content is fetched.
Isolated Docker sandbox
Each migration job runs in its own ephemeral container. No shared filesystem, no network access to other jobs. The container is destroyed when the job ends, pass or fail.
Transform and verify
Deterministic rules handle known breaking changes. The LLM handles judgment calls. Every output file passes the real compiler (tsc, @vue/compiler-sfc, or next build), and compiler errors feed a repair loop before anything ships.
Deleted on handoff
The moment your migrated artifact is ready, your source and every job artefact are purged. Each deletion is logged. Nothing is kept for training.
Encryption
At rest
All stored data (source uploads, job artefacts, migrated output) is encrypted with AES-256-GCM before it touches disk.
Sensitive database columns (OAuth tokens, 2FA secrets) receive a second layer of field-level AES-256-GCM, keyed separately from the storage layer. Raw database access does not expose them.
In transit
All connections (API, WebSocket, and repository clone) require TLS 1.2+. Live migration logs stream over WSS.
Repository clones are restricted to HTTPS on approved hosts. Private-IP ranges, cloud metadata endpoints, and non-git URLs are blocked at the network layer before any bytes are read.
Sub-processors
Full list with DPA and transfer-mechanism links at /legal/sub-processors
| Provider | Purpose | Sees source code? | Notes |
|---|---|---|---|
| OpenAI | LLM inference for code transformation | Yes, encrypted | OpenAI does not train on API inputs; we hold this contractually. Enterprise customers can supply their own API key or an on-premises endpoint to eliminate this transfer. |
| Cloud host | Compute and encrypted object storage | Yes, encrypted | Source is encrypted at rest (AES-256-GCM) and deleted on handoff. Local dev environments keep files local, with no cloud storage. |
| Paddle | Payment processing | No | Billing only. No source code is transferred to Paddle. |
| Email provider | Transactional email | No | Email address and notification content only. |
Contractual commitments
Never used for training
Your source and migrated output never train, fine-tune, or evaluate a model, ours or a sub-processor's. OpenAI doesn't train on API inputs, and we hold them to that in writing.
You own everything
The migrated output is yours. We claim no intellectual-property interest in your code, before or after we touch it. Our Terms of Service state this explicitly.
DPA available
A signed Data Processing Agreement is available for Enterprise and Big Migration customers, covering GDPR/CCPA, sub-processor obligations, 72-hour breach notification, and deletion certification. Request one →
Security roadmap
We name what isn't live yet. Claiming unshipped capability is the one thing we won't do.
Live now
Active- Ephemeral Docker isolation per migration job
- AES-256-GCM encryption at rest
- TLS 1.2+ in transit (WSS for live log streams)
- Field-level AES-256-GCM for sensitive DB columns (OAuth tokens, 2FA secrets)
- Automated source deletion on handoff + audit log entry
- Private-IP / SSRF blocking on repository clones
- HttpOnly refresh cookie, no tokens in localStorage
- TOTP 2FA with hashed backup codes
- Rate limiting and per-user concurrency caps
- Admin endpoints fail-closed if credentials are unset
- Self-host / BYO-cloud: run single-tenant in your own cloud (Docker Compose or Helm)
Planned
Roadmap- SOC 2 Type ITarget: 2026 Q4
- SOC 2 Type IITarget: 2027 Q2
- Third-party penetration testIn scope with SOC 2
- Status page (status.refactyl.com)In progress
Need self-host or SOC 2 on a committed timeline? See Enterprise →
Report a vulnerability
Email security@refactyl.com with a description and reproduction steps. We'll acknowledge within 48 business hours. We follow coordinated disclosure: report privately, fix, then disclose publicly.
No bug bounty yet. Report in good faith and we won't come after you legally.
DPA and security reviews
For DPA requests, sub-processor questions, and enterprise security reviews, email security@refactyl.com or use the contact form.