Security

Your data is not our product

Migrayt processes sensitive enterprise data — work items, credentials, and employee information. This page documents exactly how we protect it.

Infrastructure Security
Hosted exclusively on AWS eu-west-1 (Ireland). Private VPC with no direct internet ingress to compute or data layers.
Credential Protection
OAuth tokens stored exclusively in AWS Secrets Manager with KMS CMK encryption — never in the database, never in logs.
Data Minimisation
Work item content passes through memory only. Nothing beyond job metadata is persisted to our database.
Short Retention
Attachment staging files deleted after 30 days. Container logs after 90 days. No long-lived copies of your migration data.
No AI Training
Your work item titles, descriptions, and comments are never used to train or fine-tune any AI model by Migrayt or any third party.
72-Hour Breach Notification
In the event of a personal data breach, we notify affected customers and the ICO within 72 hours as required by UK GDPR.

Encryption

Data in transit
TLS 1.2+ enforced on all endpoints. HTTP is redirected to HTTPS.
Data at rest
AES-256 for RDS PostgreSQL, S3, and Secrets Manager. KMS Customer Managed Keys for secrets.
Passwords
Bcrypt with 12 rounds. Plaintext passwords are never stored or logged.
OAuth tokens
AWS Secrets Manager with KMS CMK. ARN reference stored in DB — not the token value.

Network

VPC isolation
API and migration workers run in private subnets with no inbound internet access.
Egress
All outbound traffic to ADO and Jira APIs routes through a NAT gateway with a fixed Elastic IP.
Database access
RDS accessible only via RDS Proxy from within the VPC. No public endpoint.
Secrets access
AWS Secrets Manager accessed via VPC endpoint — no internet egress.
DDoS protection
AWS Shield Standard on all load balancers. Rate limiting on auth endpoints.

Authentication & Access

Multi-factor authentication
MFA enforced for all Migrayt internal admin accounts.
SSO
Enterprise customers can authenticate via Azure AD OIDC or SAML 2.0 — no separate password needed.
Role-based access control
Three roles: owner, admin, member. Endpoints enforce minimum required role per operation.
Session tokens
Access tokens: 15-minute expiry. Refresh tokens: 30-day expiry, server-side revocation.
Tenant isolation
All database queries are scoped by tenantId. Cross-tenant data access is architecturally impossible.
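As an added illustration of the tenantId scoping described above (example code, not Migrayt's own): a guard in the shape of a Prisma-style query middleware that forces every query onto the request's tenant and rejects any explicit reference to another one. The `{ model, action, args }` params shape and the local types are assumptions, declared here so the file runs without @prisma/client installed.

```typescript
// Added example (not Migrayt's code): a tenant-scoping guard shaped like a
// Prisma $use middleware. Assumption: params arrive as { model, action, args };
// the types below are declared locally so this runs without @prisma/client.

type QueryAction =
  | "findMany" | "findFirst" | "count"
  | "update" | "updateMany" | "delete" | "deleteMany" | "create";

type Args = { where?: Record<string, unknown>; data?: Record<string, unknown> };

export interface QueryParams { model: string; action: QueryAction; args?: Args }

export class TenantScopeError extends Error {}

// Returns a middleware bound to the tenantId of the authenticated request.
// Every read, update and delete gets where.tenantId forced to that tenant, so a
// handler that forgets the filter is still scoped; creates are stamped with it;
// an explicit reference to a different tenant in where or data throws instead
// of being silently rewritten, so the attempt is visible in the audit log.
export function tenantScope(tenantId: string) {
  const check = (field: string, value: unknown, params: QueryParams): void => {
    if (value !== undefined && value !== tenantId) {
      throw new TenantScopeError(
        `${params.action} on ${params.model}: ${field} names tenant ` +
          `${String(value)} but the request belongs to tenant ${tenantId}`,
      );
    }
  };
  return (params: QueryParams): QueryParams => {
    const args: Args = params.args ?? {};
    const scoped: Args = { ...args };
    const where = { ...(args.where ?? {}) };
    check("where.tenantId", where["tenantId"], params);
    if (params.action === "create" || args.data !== undefined) {
      const data = { ...(args.data ?? {}) };
      check("data.tenantId", data["tenantId"], params);
      if (params.action === "create") scoped.data = { ...data, tenantId };
    }
    if (params.action !== "create") scoped.where = { ...where, tenantId };
    return { ...params, args: scoped };
  };
}

// Constructed usage: a request authenticated for tenant "t-acme" runs a
// findMany without a tenant filter and still gets one.
const scopedQuery = tenantScope("t-acme")({
  model: "WorkItem",
  action: "findMany",
  args: { where: { status: "open" } },
});
console.log(JSON.stringify(scopedQuery.args));
```

Wiring the returned function into the ORM's middleware hook is what makes the scoping apply to every handler; a deleteMany issued with no where clause at all still comes out filtered to the request's tenant.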

Application Security

Input validation
All API inputs validated and sanitised using class-validator with strict allowlist mode.
SQL injection
Parameterised queries via Prisma ORM. Raw SQL not used.
CSRF
SameSite=Lax cookie policy. CORS restricted to known origins.
Content Security Policy
CSP headers set on all responses via Helmet middleware.
Dependency scanning
npm audit and Trivy run on every commit. Critical CVEs block deployment.
SAST
Static analysis (ESLint security rules, Bandit for Python) in the CI pipeline.

Operational Security

Principle of least privilege
IAM roles grant only the permissions required for each service. No wildcard policies in production.
Audit logging
All API requests logged with correlation IDs. CloudTrail enabled for all AWS API calls.
Monitoring
CloudWatch alarms on error rate, latency, DLQ depth, and ECS task health. PagerDuty for P1/P2 alerts.
Backups
RDS automated backups with 7-day retention. Pre-migration RDS snapshot taken before every deployment.
CI/CD security
GitHub Actions uses OIDC trust (no static AWS keys). Deployments require all security checks to pass.

Compliance

UK GDPR: Compliant
Data residency in EU (Ireland). DPA available on request.
EU GDPR: Compliant
SCCs in place for any transfers to US sub-processors.
SOC 2 Type II: In progress
Audit scheduled Q4 2026.
ISO 27001: Planned
Target certification 2027.
Penetration Testing: Annual
Independent third-party test. Results available under NDA.
PECR (UK cookie law): Compliant
No advertising cookies. Strictly necessary cookies only.

Sub-Processors

Sub-Processor          | Purpose                                                         | Data Region
Amazon Web Services    | Compute, storage, secrets, networking                           | EU — Ireland (eu-west-1)
Anthropic PBC          | AI mapping suggestions (field names & counts only — no content) | USA — zero data retention
Stripe Inc.            | Payment processing                                              | EU / USA
AWS SES                | Transactional email                                             | EU — Ireland
Microsoft (Entra ID)   | Enterprise SSO federation (identity assertion only)             | EU

All sub-processors are bound by Data Processing Agreements and, where applicable, Standard Contractual Clauses. Updates to this list are notified to customers with 30 days' notice.

Vulnerability Disclosure

If you discover a security vulnerability in Migrayt, we ask that you disclose it responsibly. Please email security@migrayt.ai with:

  • A description of the vulnerability and the potential impact
  • Steps to reproduce or a proof-of-concept
  • Your contact details so we can follow up

Acknowledgement: within 24 hours
Critical fix: within 72 hours
Non-critical fix: within 30 days
Public disclosure: co-ordinated with reporter

We do not pursue legal action against researchers who act in good faith under this policy. We do not currently offer a formal bug bounty programme, but we acknowledge all valid reports.

Security questions?
For security reviews, penetration test results (under NDA), or DPA requests, contact our security team.
security@migrayt.ai