Security
Archyl implements multiple security measures to protect your architecture data and code analysis. This guide explains our security practices and how to configure secure access.
Data Protection
Encryption
| Type | Protection |
|---|---|
| In Transit | All connections use TLS 1.3 encryption |
| At Rest | Data encrypted using AES-256 |
| API Keys | Hashed and salted before storage |
Data Isolation
- Each organization's data is fully isolated
- No cross-organization data access
- Role-based access within organizations
Authentication Security
OAuth Integration
Archyl uses OAuth for Git provider authentication:
- No credentials stored: We never store your Git passwords
- Minimal permissions: Only repository read access requested
- Token-based: OAuth tokens with limited scope
- Revocable: Disconnect anytime from provider settings
Supported Providers
| Provider | OAuth | Access Tokens |
|---|---|---|
| GitHub | Yes | Yes |
| GitLab | Yes | Yes |
| Bitbucket | Yes | Yes |
| GitHub Enterprise | - | Yes |
| GitLab Self-Hosted | - | Yes |
| Azure DevOps | - | Yes |
| Gitea | - | Yes |
JWT Session Management
- Short-lived access tokens (24 hours)
- Secure HTTP-only cookies
- Automatic token refresh
- Session invalidation on logout
Private Repositories
Using Private Repos
Archyl fully supports private repositories:
- OAuth authentication: Grants read-only access to your repos
- Self-hosted providers: Use personal access tokens
- Selective access: You choose which repos to connect
What We Access
When analyzing a repository:
- File structure and paths
- Code content (only during analysis)
- Configuration files
What We Don't Store
- Source code (only metadata and discovered architecture)
- Git credentials
- OAuth tokens are encrypted and scoped
AI Analysis Security
How AI Discovery Works
During AI-powered discovery:
- Code is sent to the configured AI provider
- Only code structure is analyzed
- Results require your approval
- No code is permanently stored
Access Control
Organization Roles
| Role | Capabilities |
|---|---|
| Owner | Full control, billing management |
| Admin | Team and project management |
| Editor | Create and modify architecture |
| Viewer | Read-only access |
Team-Based Access
- Members are invited at the team level
- Different roles per team
- Project access controlled by team membership
API Key Permissions
- Read-only or Read-Write permissions
- Scoped to specific operations
- Expiration dates supported
- Audit trail of key usage
Compliance
Data Handling
- GDPR compliant data handling
- Data deletion on request
- Export your data anytime
- No data sold to third parties
Infrastructure
- Hosted on secure cloud infrastructure
- Regular security audits
- Automated vulnerability scanning
- Incident response procedures
Security Best Practices
For Your Organization
- Use team-based access: Don't share credentials
- Enable MFA: Secure your Git provider accounts
- Rotate API keys: Change keys periodically
- Audit access: Review team membership regularly
For AI Discovery
- Review before approving: Check discovered elements
- Use Ollama for sensitive code: Keep analysis local
- Limit discovery scope: Only analyze needed paths
- Exclude sensitive files: Configure exclusion patterns
For Sharing
- Set expiration dates: Don't create permanent links unnecessarily
- Review shared links: Periodically audit active shares
- Use team access: Prefer team membership over share links for internal use
Reporting Security Issues
If you discover a security vulnerability:
- Do not disclose publicly
- Email security@archyl.com
- Include detailed reproduction steps
- We'll respond within 24 hours
Next Steps
- Team Collaboration - Configure team access
- Authentication - Secure API access
- AI Discovery - Configure AI providers