How we handle your data
IntegraBridge analyzes webMethods integration packages. Those packages contain your business logic, partner endpoints, and sometimes credentials. We treat them accordingly — minimum data retention, transparent subprocessors, and an air-gapped option for customers who can't send code to a SaaS.
Last reviewed: June 2026
The short version
What we do
- Buffer uploads only transiently (a per-request temp file, unpacked in memory) and delete them as soon as the scan completes.
- TLS everywhere — TLS 1.2+ at our hosting edges (Railway, Vercel).
- Scrub credential-shaped strings (passwords, tokens, PEM keys, JDBC URLs) before any AI processing.
- Per-IP rate limiting and hard caps on AI processing to prevent abuse and cost runaways.
- Modern security headers (HSTS, strict CSP, no referer leakage) on every API response.
- Offer a CLI / air-gapped mode for customers who can't use a SaaS at all.
What we don't do
- Store your package zip file or scan results on our servers after the scan completes.
- Train any model on your data — neither ours nor our subprocessors'.
- Sell, share, or expose your data to third parties beyond the listed subprocessors.
- Claim certifications we don't hold. SOC 2 / ISO 27001 are on our roadmap and we'll publish them when achieved.
- Touch your package without you explicitly clicking Upload.
Data flow for a scan
Here is exactly what happens when you upload a package, in order:
- Upload — your browser sends the package zip over HTTPS to our API server (Railway, US East). File size is capped at 50 MB per package; uploads above that are rejected before any buffering.
- Extraction — the zip is written to a per-request temp directory on the server and unpacked in memory. CPU work happens in a single Node.js process.
- Parsing — we extract service definitions, flow graphs, and metadata. No external network calls happen at this step.
- Rule-based scoring — health and migration scores are computed locally from the parsed structure. This is the only step that happens for users who haven't opted in to AI.
- (Optional) AI analysis — only if you toggled it on. We build a prompt from the parsed metadata and developer comments, scrub credential patterns from it (see below), and send it to Anthropic's Claude API over TLS. Anthropic does not use API inputs for training by default.
- Response & cleanup — the assembled scan result is returned to your browser. The temp upload file is unlinked. No copy remains on our server.
- Browser-only state — the results live in your browser session. We do not write them to a database. Refreshing the tab loses the scan; that is intentional.
What gets scrubbed before AI processing
webMethods code occasionally contains hard-coded credentials. Before we send any prompt to Anthropic, we apply regular-expression scrubbing for these patterns:
- PEM private key blocks (RSA, EC, OpenSSH, PGP)
- AWS access key IDs (`AKIA…`, `ASIA…`)
- JWT tokens (three-segment base64url shape)
- `Authorization: Bearer` / `Basic` headers
- URL-embedded credentials (`scheme://user:pass@host`; host preserved, password redacted)
- JDBC connection strings
- `password=`, `secret=`, `token=`, `api_key=`, `client_secret=` assignments
Schema labels (a parameter literally named password) are intentionally not touched — only values that look like secrets. We log a count of how many redactions fired per scan; we do not log the redacted content itself.
Subprocessors
These are the third parties we share data with in order to deliver the service. We update this list when it changes.
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Anthropic (Claude API) | AI analysis of services (optional, opt-in) | Parsed package metadata & developer comments — credential patterns scrubbed first | US |
| Railway | API server hosting | In-memory request processing; no persistent storage | US East |
| Vercel | Static frontend hosting & edge delivery | Standard request logs (IP, user agent, timestamp) | Global edge |
Engineering controls
A short list of the technical controls in place today, not aspirational language:
- TLS 1.2+ enforced at every public endpoint (Railway edge, Vercel edge)
- Strict-Transport-Security with one-year max-age and includeSubDomains
- Content-Security-Policy on every API response with `default-src 'none'`
- CORS allowlist — only our published frontend origins can call the API
- Per-IP rate limits on scan and multi-scan endpoints (10 scan and 5 multi-scan requests per IP per 15 minutes)
- Hard caps on the number of services sent to AI per scan
- Credential-pattern redaction before any AI call (details above)
- No customer data in application logs
- X-Powered-By disabled
The air-gapped option
For customers under regulatory or policy constraints that prevent code leaving the corporate network, we offer two SaaS-free paths:
- CLI mode — the same parser and scoring engine, run as a command-line tool on the user's machine. The package never leaves their device.
- Self-hosted backend — the API server packaged as a container that you run inside your own VPC, optionally with your own Anthropic API key. Available on request.
Contact us at security@integrabridge.com for container access or evaluation help.
Compliance posture
We're honest about what we hold and what we don't. Today, IntegraBridge is not SOC 2 or ISO 27001 certified. The technical controls listed above mirror those frameworks' expectations for a stateless analysis service, and a formal SOC 2 Type I track is on our roadmap once customer demand warrants the audit cost.
We are happy to fill out security questionnaires (CAIQ-Lite, SIG-Lite) for evaluating customers and sign a Data Processing Agreement (DPA) with standard contractual clauses on request.
Reporting a security issue
If you believe you've found a security vulnerability in IntegraBridge, email security@integrabridge.com with the details and ideally a way to reproduce. We will acknowledge within two business days.
We don't currently operate a paid bug-bounty program but we'll credit responsible disclosures on this page if you'd like.