Refacto.AI Security Policy
Last Updated: May 30, 2025

1. Introduction and Purpose
This Security Policy outlines the commitment of DevDynamics, Inc. ("Company," "we," "us," or "our") to protecting the data processed by our AI-powered code review service, Refacto.AI ("Service"). The purpose of this policy is to establish the framework of controls and measures designed to ensure the confidentiality, integrity, and availability of the data entrusted to us, particularly the Source Code analyzed by the Service, and any associated metadata or review results.

We are committed to maintaining the trust of our users by implementing and adhering to robust security best practices throughout our operations and the lifecycle of the Service. While Refacto.AI currently does not hold specific compliance certifications, this policy reflects our dedication to securing user data and the Service itself.

2. Scope
This Security Policy applies to:
All data processed by the Refacto.AI Service, including Source Code, Repository Metadata, and Review Results (as defined in our Privacy Policy and Terms and Conditions).
All systems, networks, and infrastructure used to provide and support the Refacto.AI Service.
All Company Personnel (employees and contractors) involved in the design, development, operation, and maintenance of the Refacto.AI Service.

3. Security Principles
Our approach to security is guided by the following core principles:
Security by Design and Default: Integrating security considerations into every phase of the Service development lifecycle.
Defense in Depth: Implementing multiple layers of security controls to protect against a wide range of threats.
Principle of Least Privilege: Granting users, systems, and applications only the minimum level of access necessary to perform their intended functions.
Confidentiality: Protecting sensitive information, especially Source Code, from unauthorized disclosure.
Integrity: Ensuring the accuracy and completeness of data and processing methods.
Availability: Ensuring that the Service and associated data are accessible to authorized users when needed.
Accountability: Tracking actions and security events to ensure responsibility.
Continuous Improvement: Regularly reviewing and enhancing our security measures in response to evolving threats and best practices.

4. Data Security
4.1. Data Classification:
Source Code: Treated as highly sensitive and confidential. Handled ephemerally during analysis.
Repository Metadata & Review Results: Classified as confidential and protected accordingly.
User Account Information (Personal Data): Handled as per our Privacy Policy.

4.2. Source Code Handling:
Ephemeral Processing: When you submit Source Code for analysis, Refacto.AI processes it ephemerally (e.g., in memory or in temporary, secure processing environments). We do not persistently store your raw Source Code on our primary systems after the analysis is complete.
Secure Transmission: All Source Code and data transmitted to and from the Service, and between internal components, are encrypted using strong transport layer security (TLS) protocols.
Data Minimization: Refacto.AI is designed to access only the necessary Source Code (e.g., pull request diffs, relevant contextual files) required to perform its review functions.
Processing by Third-Party AI Models: If Source Code snippets are sent to third-party AI model providers for analysis, this is done ephemerally under strict confidentiality agreements. These providers are contractually obligated not to store or use the snippets for training their general models or for any other purpose beyond providing the requested analysis for Refacto.AI.
4.3. Stored Data Security (Repository Metadata, Review Results):
Encryption at Rest: Any Repository Metadata or Review Results (which may include illustrative code snippets as part of a suggestion) that are stored by the Service are encrypted at rest using industry-standard encryption algorithms (e.g., AES-256).
Access Controls: Access to stored data is strictly controlled based on the principle of least privilege.
4.4. Payment Information: Refacto.AI does not collect or store full payment card details. All payment transactions are handled by PCI-compliant third-party payment processors.

5. Access Control
5.1. Authentication:
Unique user identifiers are required for all users accessing the Service.
Strong password policies are enforced for user accounts.
Multi-Factor Authentication (MFA) is mandatory for all Personnel accessing internal systems and infrastructure supporting the Service.
5.2. Authorization:
The principle of least privilege is applied. Users and Personnel are granted access only to the data and system resources necessary for their roles and responsibilities.
Role-Based Access Control (RBAC) is implemented for internal systems and for access to customer data stores (e.g., stored metadata and review results).
5.3. Access Logging and Monitoring: Access to sensitive systems and data, including production environments, is logged and regularly monitored for unauthorized or suspicious activity.
5.4. Account Review: User access rights are reviewed periodically, and access is revoked promptly upon termination of employment or contract, or upon a change in role.

6. Network Security
6.1. Firewalls: Network firewalls are implemented to protect the perimeter of our infrastructure.
6.2. Intrusion Detection/Prevention Systems (IDS/IPS): We utilize IDS/IPS solutions to monitor network traffic for malicious activity and potential threats.
6.3. Secure Configuration: Network devices and systems are configured securely according to industry best practices, with unnecessary ports and services disabled.
6.4. Segmentation: Production networks are segmented from development and corporate networks to limit the potential impact of security incidents.

7. Application Security (Refacto.AI Service)
7.1. Secure Software Development Lifecycle (SSDLC):
We adhere to secure software development practices in the design, development, testing, and deployment of Refacto.AI. This includes:
Security requirements definition.
Threat modeling for new features and significant changes.
Secure coding training for developers.
Regular internal code reviews with a security focus.
Use of static and dynamic analysis tools on our own codebase.
7.2. Vulnerability Management:
We conduct regular vulnerability scans of our applications and infrastructure.
Identified vulnerabilities are triaged, prioritized, and remediated based on risk.
We encourage responsible disclosure of potential vulnerabilities found by external parties.
7.3. API Security: APIs exposed by the Service are designed with security best practices, including authentication, authorization, and input validation.

8. Third-Party Vendor Management
8.1. Due Diligence: We perform security due diligence on critical third-party vendors, including cloud hosting providers and AI model providers, to ensure they meet our security standards.
8.2. Contractual Agreements: We maintain contractual agreements with vendors that include security, confidentiality, and data protection obligations.
8.3. Data Processing Agreements: Where applicable (e.g., for GDPR), Data Processing Agreements (DPAs) are established with vendors processing personal data or Source Code snippets on our behalf.

9. Incident Response Plan
9.1. Plan: We maintain a documented Incident Response Plan that outlines procedures for detecting, responding to, containing, mitigating, and recovering from security incidents affecting the Service or user data.
9.2. Team: A designated incident response team is responsible for managing incidents.
9.3. Communication: The plan includes procedures for internal communication and external notification to affected customers and relevant authorities in the event of a significant data breach, as outlined in our Privacy Policy and in accordance with applicable laws.
9.4. Post-Incident Review: After any significant incident, a post-incident review is conducted to identify lessons learned and improve our security measures and response procedures.

10. Employee and Contractor Security
10.1. Security Awareness Training: All Personnel receive regular security awareness training covering topics such as data protection, secure coding practices (for developers), phishing awareness, and incident reporting.
10.2. Confidentiality Agreements: All Personnel are required to sign confidentiality agreements.
10.3. Background Checks: Background checks may be conducted for Personnel in sensitive roles, in accordance with applicable laws.
10.4. Acceptable Use: Personnel are required to adhere to acceptable use policies regarding company systems and data.

11. Physical Security
Refacto.AI primarily utilizes reputable cloud service providers for its infrastructure. As such, we rely on the robust physical security measures implemented by these providers at their data centers (e.g., access controls, surveillance, environmental protections). Access to any Company physical premises where sensitive development or operational activities occur is controlled.

12. Policy Review and Updates
This Security Policy is reviewed at least annually, or as significant changes occur in our services, infrastructure, threat landscape, or regulatory requirements. Updates to this policy will be communicated to relevant stakeholders.

13. Compliance and Best Practices
While Refacto.AI does not currently hold formal certifications for specific compliance standards (e.g., SOC 2, ISO 27001), we are committed to:
Adhering to widely recognized industry best practices for information security and secure software development.
Continuously evaluating our security posture against relevant frameworks and standards.
Working towards relevant certifications as our Service and organization mature.
Our practices are informed by principles found within frameworks such as the NIST Cybersecurity Framework (CSF), OWASP guidelines, and general secure development principles.

14. Contact Information
If you have any questions about this Security Policy or our security practices, or if you need to report a security concern, please contact us at:
Email: [email protected]