Data Flow & Architecture

This page explains the technical path your data takes during a migration. It is written for IT administrators and security reviewers who need to understand where data is processed and stored.

High-Level Flow

Your Browser
    │
    ▼
Migrayt Web App (app.migrayt.ai)
    │  HTTPS only
    ▼
Migrayt API (api.migrayt.ai)
    │  VPC-private
    ├──► AWS Secrets Manager  (credential storage)
    ├──► PostgreSQL (RDS)     (job state, mapping config)
    └──► Migration Worker (ECS Fargate, private subnet)
              │
              ├──► Azure DevOps API  (read only)
              └──► Jira Cloud API    (write)

Step-by-Step Data Path

1. Authentication

When you connect ADO or Jira, the OAuth token is stored immediately in AWS Secrets Manager. It never passes through the database. The API stores only the Secrets Manager ARN (a pointer, not the credential).

Browser → POST /api/auth/{platform}/callback
API → AWS Secrets Manager: CreateSecret(name="migrayt/connectors/{userId}/ado", value=token)
API → PostgreSQL: INSERT ConnectorAuth(userId, provider, secretArn)

2. Scan

The scan runs in a lightweight ECS task (scan-worker). It reads from ADO and writes aggregated statistics (counts, structure) to PostgreSQL. No work item content (titles, descriptions) is stored in the database.

Scan Worker → ADO API: GET /wit/wiql (read)
Scan Worker → ADO API: GET /wit/workitems?ids=... (read)
Scan Worker → PostgreSQL: INSERT JobScan(type_counts, iteration_paths, area_paths, ...)

3. Migration Execution

The migration worker is a short-lived ECS Fargate task that runs for the duration of the migration and terminates on completion.

At start:

Worker → AWS Secrets Manager: GetSecretValue(arn for ADO token)
Worker → AWS Secrets Manager: GetSecretValue(arn for Jira token)

During migration (for each item):

Worker → ADO API: GET /wit/workitems/{id}?$expand=all (read)
Worker → Jira API: POST /rest/api/3/issue (write)
Worker → PostgreSQL: UPDATE OutboxItem(status=COMPLETED, destId=PROJ-142)
Worker → PostgreSQL: UPDATE MigrationRun(successCount, progressPercent)

After migration:

Worker → Jira API: POST /rest/api/3/issueLink (links)
Worker → ADO API: GET /wit/workitems/{id}/attachments (read)
Worker → Jira API: POST /rest/api/3/issue/{key}/attachments (write)
Worker → PostgreSQL: UPDATE MigrationRun(status=COMPLETED)

4. Progress Streaming

The NestJS API polls MigrationRun.progressPercent and MigrationRun.successCount from PostgreSQL and streams updates to your browser via Server-Sent Events (SSE). Your browser never connects directly to the migration worker.

What Stays in Migrayt's Infrastructure

What Passes Through But Is Not Stored

Network Boundaries

The migration worker runs in a private VPC subnet with no inbound internet access. All outbound traffic goes through a NAT gateway.

• ADO API calls: outbound from worker to dev.azure.com via NAT
• Jira API calls: outbound from worker to *.atlassian.net via NAT
• Database: worker connects to RDS via VPC-private endpoint (no NAT)
• Secrets Manager: accessed via VPC endpoint (no internet egress)

You can optionally provide a list of egress IP addresses to allowlist on your corporate firewall. The outbound IP is the NAT gateway's Elastic IP address, available in your account settings.

Data Residency

Migrayt runs in AWS eu-west-1 (Ireland). All data — including credentials, migration state, and AI calls — is processed in the EU.

AI mapping suggestions are generated via the Anthropic API. Anthropic processes API requests in the US but with zero data retention. No customer data is stored or used for training.

If you require data residency in a specific region not listed, contact support@migrayt.ai.