Compliance and regulatory mapping
DevSafe's architecture makes compliance easier by keeping your data, your keys, and your storage under your direct control. This page maps DevSafe's security properties to common regulatory frameworks.
This page describes how DevSafe's architecture aligns with common compliance requirements. It does not constitute a legal opinion or guarantee of compliance. Consult your compliance officer or legal counsel for your specific situation.
SOC 2 Type II
SOC 2 evaluates systems against five trust service principles: security, availability, processing integrity, confidentiality, and privacy. DevSafe's architecture maps cleanly to these principles because the data boundary is controlled by the customer, not by HXA Labs.
Trust principle mapping
| Trust Principle | DevSafe Architecture |
|---|---|
| Security | All git bundles are encrypted with AES-256-GCM (nonce-unique AEAD) before leaving your machine. Keys are generated locally and never transmitted to HXA Labs. |
| Availability | Backups are stored in your own S3-compatible storage. Availability depends on your chosen provider (Cloudflare R2, AWS S3, etc.), not on HXA infrastructure. |
| Processing integrity | Every git bundle is verified with git bundle verify before encryption. The tamper-evident chain detects any modification after upload. devsafe verify confirms restorability without trusting the storage provider. |
| Confidentiality | User-owned storage means the customer defines who can access backups. HXA Labs never has access to your encrypted data or your keys. |
| Privacy | DevSafe does not collect, process, or store your source code. The CLI runs locally. No telemetry touches your repository content. |
Designated-verifier audits
When your auditor needs evidence that backups are intact, DevSafe provides designated-verifier proofs. These proofs demonstrate that a backup is authentic, complete, and restorable, all without exposing your encryption keys or decrypting the data. Your auditor can verify the proof independently. Your keys stay on your machine.
$ devsafe audit --format soc2 --output evidence/ ✓ generated 14 backup integrity proofs ✓ chain verification: all sequences intact ✓ evidence pack written to evidence/
GDPR
The General Data Protection Regulation requires that organizations know where personal data is stored, who processes it, and how it is protected. DevSafe simplifies all three questions.
Data residency
Your backups go wherever you point them. If you configure an S3 bucket in eu-west-1, your data stays in the EU. If you use Cloudflare R2 with a European storage hint, your data stays in European data centers. DevSafe does not choose your storage region. You do.
No data processing by HXA Labs
DevSafe is a local CLI tool. Your source code never leaves your machine in unencrypted form. The encrypted git bundles go directly from your machine to your own storage provider. HXA Labs does not operate any servers that receive, process, or store your code. This means HXA Labs is not a data processor under GDPR for your repository content.
Key residency
Encryption keys are generated on your machine using HKDF-SHA256 key derivation. They are stored locally (or in your organization's key management system). Keys never leave your machine during normal operation. There is no key escrow and no recovery service hosted by HXA Labs.
Because you own your storage, you can delete any backup at any time by removing files from your S3 bucket. HXA Labs holds no copies. Deletion is immediate and complete.
HIPAA
Healthcare organizations that handle protected health information (PHI) must comply with HIPAA's Security Rule. If your source code repositories contain PHI (configuration files with patient identifiers, test fixtures with health records, etc.), DevSafe's architecture supports HIPAA compliance.
Encryption requirements
| HIPAA Requirement | DevSafe Implementation |
|---|---|
| Encryption at rest | AES-256-GCM (nonce-unique AEAD). Every git bundle is encrypted before it leaves your machine. NIST SP 800-38D compliant. |
| Encryption in transit | TLS 1.3 for all connections to S3-compatible storage providers. DevSafe enforces TLS and rejects downgrade attempts. |
| Access controls | User-owned storage means the covered entity controls bucket IAM policies. DevSafe credentials are stored in the system keychain (macOS Keychain, Linux secret-tool). |
| Audit controls | devsafe audit generates a complete log of backup and restore operations with timestamps, repository identifiers, and verification results. |
Business Associate Agreement
HXA Labs offers a Business Associate Agreement (BAA) for healthcare teams on the Enterprise plan. Because DevSafe's architecture keeps PHI in customer-controlled storage and never transmits unencrypted data to HXA infrastructure, the BAA scope is narrow. Contact sales@devsafe.com for details.
DevSafe encrypts what you back up, but it does not scan for PHI. If your repositories contain patient data, you are responsible for ensuring that data is handled according to your organization's HIPAA policies. Consult your compliance officer.
Export controls
DevSafe uses AES-256, which is classified as EAR99 under U.S. Export Administration Regulations. EAR99 items do not require an export license for most destinations. AES-256 is a widely available, standard encryption algorithm with no special export restrictions for commercial software.
DevSafe does not implement any custom or proprietary cryptographic algorithms. All cryptographic operations use well-known primitives (AES-256-GCM, HKDF-SHA256) from vetted libraries.
If your organization operates under specific export control requirements (ITAR, sanctions programs), consult your export compliance counsel before deploying any encryption software.
Evidence generation
Compliance is only useful if you can prove it. DevSafe includes two commands purpose-built for generating audit evidence.
devsafe audit
The devsafe audit command produces a complete record of backup operations for a given time range. It verifies the tamper-evident chain, confirms that every backup in the sequence is present and unmodified, and outputs the results in a structured format.
$ devsafe audit --from "2026-01-01" --to "2026-06-30" --format json { "period": "2026-01-01 to 2026-06-30", "repositories": 14, "total_backups": 4291, "chain_intact": true, "gaps": 0, "verification_failures": 0 }
devsafe export-proof
The devsafe export-proof command generates a standalone proof file that a third party (your auditor, your compliance team) can verify independently. The proof confirms that a specific backup exists, that it has not been tampered with, and that it is restorable. The proof does not contain your encryption key or any decrypted data.
$ devsafe export-proof --repo api-server --output proof-q2-2026.json ✓ proof covers 612 backups (Jan 1 to Jun 30) ✓ Merkle root: a3f7c9...d12e ✓ written to proof-q2-2026.json # your auditor verifies with: $ devsafe verify-proof proof-q2-2026.json ✓ proof valid, chain intact, 612/612 backups verified
What the evidence proves
- Completeness. Every backup in the sequence is accounted for. No gaps in the chain.
- Integrity. No backup has been modified after creation. The tamper-evident chain catches any alteration.
- Restorability. Each backup can be decrypted and restored to a valid git repository. This is verified cryptographically, not by actually restoring every backup.
- Temporal ordering. Backups are sequenced. The chain proves that backup N existed before backup N+1.
Run devsafe audit on a schedule (cron, GitHub Actions, CI pipeline) and store the output alongside your other compliance artifacts. When audit season arrives, the evidence is already collected.
Framework summary
| Framework | Key Property | DevSafe Mechanism |
|---|---|---|
| SOC 2 | Data boundary control | User-owned storage, designated-verifier proofs |
| GDPR | Data residency, no processing | Customer chooses region, no HXA servers touch code |
| HIPAA | Encryption, access control | AES-256-GCM at rest, TLS 1.3 in transit, BAA available |
| EAR | Export classification | AES-256 is EAR99, no license required for most countries |