Security Overview
Migrayt processes sensitive enterprise data. This page explains the security controls in place.
Credential Storage
Your ADO and Jira credentials are never stored in the database.
When you connect a platform, the OAuth token or API key is written directly to AWS Secrets Manager with AES-256 encryption at rest. The database stores only a reference ARN pointing to the secret.
Database: { userId, provider: "ado", secretArn: "arn:aws:secretsmanager:..." }
Secret: { access_token: "...", refresh_token: "..." } ← never in DBSecrets are fetched by the migration worker immediately before it starts and are not cached or logged.
Data in Transit
All traffic is encrypted with TLS 1.2+. The API is served over HTTPS. There is no unencrypted endpoint.
Data at Rest
| Storage | Encryption |
|---|---|
| PostgreSQL (RDS) | AES-256 (AWS managed key) |
| S3 (attachments staging) | AES-256 |
| Secrets Manager | AES-256 with AWS KMS CMK |
Data Retention
| Data | Retention |
|---|---|
| Migration run records | Indefinite (your audit trail) |
| Per-item state (OutboxItems) | Indefinite (needed for incremental migrations) |
| Attachment staging (S3) | 7 days in dev, 30 days in production |
| Container logs (CloudWatch) | 7 days |
| ADO/Jira tokens | Until you disconnect the platform |
What Migrayt Logs
Migrayt logs job metadata — item counts, durations, error types, phase completions — but never logs:
- Work item titles, descriptions, or content
- Assignee names or email addresses
- OAuth tokens or API keys
- Attachment content
Network Isolation
The migration worker runs in a private VPC subnet with no internet-facing IP address. All outbound traffic to ADO and Jira APIs goes through a NAT gateway. Inbound connections to the worker are not permitted.
The API server is behind an Application Load Balancer. Direct access to the database or worker is not possible from outside the VPC.
AI and Data Privacy
Migrayt uses AI to generate mapping suggestions (work item types, fields, iterations, areas). The AI receives only:
- Field names and types
- Work item type names and hierarchy levels
- Item counts
The AI never receives:
- Work item content (titles, descriptions, acceptance criteria)
- Comments or attachment data
- User names or email addresses
- Customer organisation name
AI calls use the Anthropic API with zero data retention enabled. No data is used for training.
Compliance
| Standard | Status |
|---|---|
| SOC 2 Type II | In progress |
| GDPR | Compliant (data residency in EU-West-1 Ireland) |
| ISO 27001 | Planned |
Responsible Disclosure
If you discover a security vulnerability in Migrayt, please email security@migrayt.ai. We aim to acknowledge within 24 hours and resolve critical issues within 72 hours.