Trust & Safety

Security

How we protect your data and keep your account secure.

Data Encryption

  • All data in transit is encrypted with TLS 1.2+.
  • Passwords are hashed using bcrypt with a per-user salt.
  • API keys are stored as one-way hashes — the plaintext is never persisted after generation.
  • Database connections require SSL/TLS.

Privacy & Data Practices

  • Your source code never leaves your machine — analysis runs entirely on the CLI.
  • We collect only what is necessary: usage telemetry (token counts, model, timestamp) and account metadata.
  • We do not sell or share personal data with third parties.
  • You can request deletion of all your data at any time by emailing team@refactron.dev.

Compliance & Certifications

  • GDPR compliant — data processing agreements available on request.
  • Data is stored in EU/US regions depending on your account location.
  • Retention policy: usage logs are retained for 12 months, then automatically deleted.
  • SOC 2 Type II audit in progress.

Access Controls

  • API keys are scoped per environment (production / development).
  • API keys can be revoked individually from the dashboard at any time.
  • JWT access tokens expire after 15 minutes; refresh tokens rotate on use.
  • Enterprise plans include SSO (SAML/OIDC) and audit log access.

Responsible Disclosure

If you discover a security vulnerability, please email us immediately at security@refactron.dev. We ask that you give us reasonable time to investigate and address the issue before public disclosure.

We acknowledge all reports within 48 hours and aim to resolve critical issues within 7 business days.

Questions about our security practices? Contact us