How LegacyCode MRI protects your code and your data.
AES-256-CBC token encryption
GitHub OAuth tokens are encrypted at rest using AES-256-CBC with unique per-token IVs. Keys are stored separately from the database.
Zero code retention
Repository clones live in a temporary directory that is deleted immediately after each scan — typically within 5 minutes. Your source code never touches persistent storage.
TLS in transit
All connections between client, API, and third-party services use TLS 1.2 or higher. Certificates are managed and auto-renewed.
Read-only GitHub access
We request only the minimum GitHub scopes needed: read access to list and clone repositories. We never push, open issues, or modify your code.
Isolated scan execution
Each scan runs in an isolated directory. Scans cannot access data from other users' clones. Concurrent scan count is capped to prevent resource exhaustion.
JWT session security
Authentication uses short-lived JWTs (15-minute expiry) with separate session tracking. Sessions can be revoked individually from account settings.
If you discover a security vulnerability in LegacyCode MRI, please report it via our contact form with the subject "Security vulnerability". We will acknowledge your report within 24 hours, work to reproduce and fix the issue, and credit you if desired.
Please do not publicly disclose vulnerabilities until we have had a reasonable opportunity to address them (typically 90 days).
LegacyCode MRI runs on Railway (API and workers) and Vercel (frontend), both of which maintain SOC 2 Type II compliance. The database is hosted on a managed PostgreSQL provider with daily backups and encryption at rest.