Security

Enterprise-grade security built in, not bolted on.

Your source code is the most sensitive asset Replixa ever touches. The architecture is designed around one constraint: code must never persist after review runs. Not in logs, not in caches, not in the style graph itself.

Security Principles

Four foundations that don't flex for convenience.

Data Isolation

Your code is never stored post-review. Diffs are processed in-memory within isolated execution environments and discarded immediately after analysis. The style graph stores pattern metadata only — no source code.

Scoped Tokens

Replixa requests least-privilege access by default. The GitHub App requires only pull_requests: read/write and contents: read. No admin access, no organization-wide write permissions. You control the scope.

Encryption in Transit

All data in transit uses TLS 1.3. Webhook payloads are validated with HMAC-SHA256 before processing. API endpoints enforce HTTPS with HSTS. Certificate pinning available for Enterprise customers.
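The HMAC-SHA256 webhook check described above, as an added illustration that is not Replixa's own code: the raw request body is authenticated against the shared webhook secret before anything is parsed, using a constant-time comparison. The header name and "sha256=" prefix follow GitHub's webhook signature convention; the secret and payload are constructed for the example.

```python
import hmac
import hashlib
from typing import Optional

# Constructed demo secret. In a real deployment this is the GitHub App's
# webhook secret, loaded from a secret store, never from source control.
WEBHOOK_SECRET = b"constructed-demo-secret"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Produce the value GitHub sends in the X-Hub-Signature-256 header."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_webhook(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Return True only if header_value is a valid HMAC-SHA256 over body.

    Verification runs over the raw request bytes, before JSON decoding,
    so a forged or tampered payload never reaches the review pipeline.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = sign_payload(secret, body)
    # compare_digest takes time independent of where the strings first
    # differ, so an attacker cannot recover the valid MAC byte by byte.
    return hmac.compare_digest(expected, header_value)


def handle_webhook(secret: bytes, body: bytes, headers: dict) -> str:
    """Gate the PR-diff pipeline on signature validity."""
    if not verify_webhook(secret, body, headers.get("X-Hub-Signature-256")):
        return "rejected: bad signature"
    # Only now is it safe to decode the payload and start a review.
    return "accepted"


if __name__ == "__main__":
    body = b'{"action":"opened","pull_request":{"number":42}}'  # constructed
    headers = {"X-Hub-Signature-256": sign_payload(WEBHOOK_SECRET, body)}
    print(handle_webhook(WEBHOOK_SECRET, body, headers))        # accepted
    tampered = body.replace(b"42", b"43")                       # same header, altered body
    print(handle_webhook(WEBHOOK_SECRET, tampered, headers))    # rejected: bad signature
```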

Audit Logging

Every review action is logged: who triggered it, which repository, which PR, what suggestions were posted, when. Audit logs are immutable and exportable. Enterprise tier includes log streaming to your SIEM.

Architecture

How code flows through Replixa without persisting.

PR diff arrives via webhook
  -> Isolated sandbox (in-memory)
  -> Style Graph pattern match (no code)
  -> Suggestions posted to PR
  -> Diff discarded, sandbox destroyed

All processing happens in isolated memory. No source code leaves the sandbox. No storage after review.

Compliance Stance

Built with SOC 2 controls in mind.

Replixa is not SOC 2 certified. We are a bootstrapped company founded in 2024. What we are: architected from day one against SOC 2 Type II control categories for availability, confidentiality, and processing integrity. Audit readiness is a near-term goal, not a distant aspiration.

For enterprise evaluations, we provide security architecture documentation under NDA. Data processing agreements are available for customers who require them contractually. If your security team has a questionnaire, send it to [email protected] — Priya responds personally.

SOC 2 Controls: architecture aligned

DPA: available under enterprise agreements

SAML / SSO: Enterprise tier

Running a vendor security review? We'll work with you.

Security questionnaires, architecture walkthroughs, DPA negotiation — all handled directly by the founding team, not a ticketing system.