Security Overview

Security Program

• Ownership and governance: security is led by engineering leadership with company-wide policies for acceptable use, access, incident response, change management, and software delivery.
• Risk management: we maintain a risk register and perform periodic reviews of threats across infrastructure, application, agent endpoints, and third-party services.
• Employee practices: background checks where legally permitted, security training, and least-privilege access to systems and data.

Data Protection and Isolation

• Tenant isolation: logical isolation at the application and data layers with identifiers validated and scoped by workspace and organization.
• Data minimization: we store only metadata needed to operate the service and never store your actual database data.
• Credential storage: database and agent credentials are never stored on the Migratrix platform. They are encrypted and stored locally on your deployed agent machine.

Zero Data Retention

Migratrix operates on a zero data-retention principle for customer database contents and credentials.

• We do not copy, store, or retain your production data on Migratrix servers.
• Database credentials and connection secrets are encrypted and stored only on local or self-hosted agent machines under your control.
• The platform retains only operational metadata necessary to deliver the service.
• Transient data transmitted between your agents and Migratrix is encrypted in transit and discarded after processing.

Encryption

• In transit: TLS 1.2 or higher for all client-to-service and service-to-agent communications.
• At rest: AES-256 or provider-managed encryption for databases, object storage, and backups.
• Key management: keys are rotated and access-controlled, with production keys restricted to secure runtime environments.

Network and Infrastructure Security

• Segmentation: public edges are separated from private services and administrative interfaces are restricted.
• Firewalls and WAF: ingress traffic is filtered and rate-limited with automated blocking for abusive patterns.
• Patching: base images and operating system packages are updated regularly with automated vulnerability notifications.

Application Security and SDLC

• Secure development: code review, dependency scanning, static analysis, and infrastructure scanning on change.
• Secrets hygiene: no plaintext secrets in code and short-lived CI tokens backed by secret stores.
• Change management: peer-reviewed pull requests and controlled rollouts with monitoring and rollback.

Agent Security

• Outbound-only: agents establish outbound TLS connections to Migratrix. No inbound ports are required.
• Scoped authentication: agents use short-lived tokens tied to organization, workspace, and environment.
• Least privilege: agents run with only the operating system and database permissions required for enabled operations.
• Auditability: all agent actions are logged with correlation identifiers for traceability.

Database Credentials and Connections

• Transport: credentials are transmitted only over TLS and are never logged.
• Rotation: rotating credentials is supported without downtime.
• Just-in-time access: optional JIT credentials can be provided through your own secret manager or database-native temporary users.

Access Management

• RBAC: fine-grained roles with environment-aware permissions.
• Authentication: SSO and social login options with MFA through your identity provider.
• Administrative access: production access is tightly restricted, audited, and time-bounded.

Logging and Monitoring

• Telemetry: application, agent, and infrastructure logs with centralized aggregation and defined retention limits.
• Alerting: on-call rotations with alert thresholds for availability, error rates, and security events.
• Privacy: logs exclude customer secrets and sensitive payloads by design.

Vulnerability Management

• Scanning: continuous dependency, code, and container scans with prioritized remediation for high and critical issues.
• Third-party libraries: pinning, minimal dependency sets, and rapid patch rollouts.
• Penetration testing: periodic third-party testing with remediation tracked to closure.

Incident Response and Continuity

• Runbooks: defined severity levels, roles, and communication channels.
• Customer notification: affected customers are notified without undue delay if a data incident is confirmed.
• Post-mortems: corrective actions and prevention steps are documented after incidents.
• Backups and redundancy: encrypted automated backups and multi-AZ coverage where applicable.

Compliance and Disclosure

• DPA: available on request via legal@migratrix.com.
• Customer controls: logging, access controls, and data-handling options help customers meet common framework obligations.
• Disclosure: if you believe you have found a vulnerability, email security@migratrix.com with details and reproduction steps.

Subprocessors, Regions, and Contact

We use select third-party providers for cloud hosting, email, and payments. We operate in reputable cloud providers with certified data centers. For security questions, contact security@migratrix.com. For privacy and legal matters, contact legal@migratrix.com.