Data Handling Policy
Version 1.0 · Last updated: February 16, 2026
Our Core Commitment
Axiom Refract is an architecture analysis engine. We use AI services as part of our analysis pipeline to process structural data and generate insights. Your source code is analyzed for the sole purpose of generating your analysis report and is handled according to the policies described below.
1. What We Analyze
When you submit a repository for analysis, the Axiom Refract pipeline processes:
- Source code files: Parsed via language-specific AST (Abstract Syntax Tree) blocks to extract structural information — functions, classes, imports, dependencies, and call graphs.
- Configuration files: Dockerfiles, docker-compose files, Kubernetes manifests, Terraform configs, CI/CD pipeline definitions, and similar infrastructure-as-code files.
- Package manifests: requirements.txt, package.json, go.mod, Cargo.toml, and other dependency declarations for supply chain analysis.
- Database schemas: PostgreSQL schema dumps (when provided) for dead schema detection and database intelligence analysis.
- Documentation: README files, inline documentation, and code comments for context enrichment.
2. How We Store Your Code
2.1 Storage Infrastructure
Uploaded source code and analysis artifacts are stored in MinIO, an S3-compatible object storage system. Data is encrypted at rest using server-side encryption.
2.2 Per-Tenant Isolation
All stored data is isolated on a per-tenant basis. Each tenant's data is stored under a unique path prefix, ensuring that no customer can access another customer's data. This isolation is enforced at the storage layer.
2.3 In-Transit Encryption
All data transmitted between your browser and our servers, and between internal services, is encrypted using TLS 1.2 or higher.
3. Analysis Pipeline
The analysis pipeline operates entirely within our infrastructure. Here is how your code flows through the system:
1. Upload: Your repository archive is received by the API and stored in encrypted object storage.
2. Ingest: Files are extracted, language detection runs, and the file tree is indexed. No code leaves the system at this stage.
3. Analyze: AST parsing, dependency resolution, SPOF detection, and dead code analysis all run locally within our infrastructure.
4. AI Processing: PII-redacted structural data may be processed by AI services to generate report narratives, contextual recommendations, and architectural summaries. See Section 4 for redaction details and Section 6 for AI usage specifics.
5. Deliver: Report generation and bundle assembly. The final bundle (reports, diagrams, AI Index) is stored in your tenant's isolated storage path for download.
4. PII Redaction
Before any code content is sent to external services, personally identifiable information (PII) is automatically redacted. This includes:
- Email addresses
- API keys and secrets (detected via pattern matching)
- Personal names in comments and documentation
- URLs containing authentication tokens
The redaction process runs before any external API call, ensuring that sensitive information never leaves our infrastructure.
5. Retention and Deletion
5.1 Source Code Retention
Your uploaded source code is retained for the duration of the analysis plus your configured retention period. The default retention period is 30 days after analysis completion. After this period, source code is permanently deleted from our storage.
5.2 Analysis Artifacts
Analysis reports, health scores, AI Index files, and other generated artifacts are retained as long as your account is active. You may delete individual analysis results at any time through the dashboard.
5.3 Immediate Deletion
You may request immediate deletion of your source code at any time. Deletion requests are processed within 24 hours. Once deleted, source code cannot be recovered.
5.4 Account Deletion
When you delete your account, all associated data — source code, analysis artifacts, account information, and usage history — is permanently removed within 30 days.
6. How We Use AI
Axiom Refract uses AI services as part of the analysis pipeline to process structural data and generate architectural insights.
6.1 How AI Is Used
AI processes PII-redacted structural data and metadata to produce report content, including human-readable narratives, contextual recommendations, and architectural summaries. All AI processing occurs after the redaction step described in Section 4.
6.2 What AI Receives
AI services receive structural representations derived from your code: ASTs, dependency graphs, metric summaries, and architectural zone data. Raw, unredacted source code is never sent to AI services. Structural representations sent to AI services are identifier-abstracted and do not contain function bodies, variable names, repository names, or proprietary logic.
6.3 Third-Party AI Providers
We do not permit any third-party AI provider to retain or train on your data. All external AI calls are made under zero-retention, zero-training API agreements.
6.4 Customer Isolation
AI-generated outputs are scoped to your tenant and are never shared across customers.
7. Product Improvement & Architecture Intelligence
To improve the accuracy of Axiom Refract's structural risk detection, we collect anonymized architectural metadata derived from analysis results.
7.1 What This Includes
Aggregate structural patterns such as:
- Dependency topology metrics
- Single-point-of-failure (SPOF) frequency distributions
- Architectural zone clustering signatures
- Framework-level risk archetypes
7.2 What This Never Includes
This telemetry never contains:
- Raw source code or function bodies
- Variable names, comments, or documentation text
- Repository names or customer identifiers
7.3 Relationship to Section 6
Architecture Intelligence telemetry is not AI training on your code. It is statistical aggregation of structural patterns — analogous to a city planner studying traffic flow without reading anyone's mail. The collected metadata cannot be reverse-engineered to reconstruct customer source code or proprietary logic.
7.4 Default Status & Opt-Out
Architecture Intelligence is enabled by default for Free, Starter, and Startup tiers to ensure high-velocity product improvement, and disabled by default for Enterprise tiers. You may change this setting at any time via Settings → Privacy → Architecture Intelligence.
8. Support & Debugging Access
To resolve analysis failures and improve platform reliability, authorized Axiom Refract staff may access:
- Generated analysis reports and health scores
- System logs related to your tenant's pipeline execution
8.1 Source Code Access
Staff do not access raw source code in the normal course of operations. If manual code review is required to resolve a support issue, explicit one-time authorization will be requested from the account owner. All support access is role-based and follows the principle of least privilege — staff are granted the minimum access necessary to resolve the specific issue.
8.2 Audit Trail
All staff access to tenant data is logged in an immutable audit trail. This log records the staff member, timestamp, data accessed, and justification.
8.3 Opt-Out
This access may be disabled via Settings → Privacy → Operational Support Access. Note: disabling this may limit our ability to troubleshoot issues on your behalf.
9. Data Protection Commitments
Your code and analysis results are never visible to, accessible by, or shared with other customers or tenants.
We never sell your source code, personal information, or analysis data to any third party for any purpose.
Source code is never retained beyond the configured retention period. Expired code is permanently deleted, not archived.
Your source code is never used as training data for any AI model. Anonymized structural metadata may be used to improve Axiom's detection heuristics as described in Section 7.
10. Compliance
The Axiom Refract platform supports compliance reporting for the following frameworks:
- SOC 2 Type II
- HIPAA (healthcare data handling)
- PCI-DSS (payment card industry)
- GDPR (European data protection)
- CCPA (California consumer privacy)
These compliance frameworks are available as analysis configuration options. The platform evaluates your codebase against the selected framework's controls and reports on compliance posture.
11. Contact and Data Requests
For questions about our data handling practices, to request data deletion, or to exercise your data rights, contact us at privacy [at] axiomrefract.com.
For urgent data deletion requests (e.g., accidentally uploaded sensitive code), contact security [at] axiomrefract.com for expedited processing.