Migration Proof
Maths, not art

Security & data handling

Your data is processed, proven, and destroyed

Migration Proof is a read-only diagnostic. We never write to your systems. Your data is processed in an isolated ephemeral tenant, and destroyed after delivery. Here is exactly how.

The extractor is read-only

Display-level only

The ABAP extractor requires only display authorisation on procurement tables (EKKO, EKPO, LFA1, MARA, etc.). No write access. No transport requests. No system modifications.

You run it, not us

You execute the report in your own system using SE38. We never connect to your ECC or S/4HANA. We never have credentials to your system. The extractor produces a flat file that you choose to upload.

Inspect it first

The extractor source code is provided to you. Your security team can review every line of ABAP before it runs. There are no hidden calls, no external connections, no data exfiltration.

No production writes

The diagnostic is entirely read-only. It reads your source data, proves the transformation, and reports the result. At no point does any process write to your source or target system.

Ephemeral tenant lifecycle

Your data is processed in a dedicated, isolated tenant. No other customer's data shares the same schema. The tenant follows a strict five-phase lifecycle:

1. Provision
2. Ingest
3. Process
4. Deliver
5. Destroy

Provision: A dedicated PostgreSQL schema is created for your engagement. Complete isolation — no shared tables, no shared connections, no cross-tenant access.

Ingest: Your uploaded extract is loaded into the isolated schema. Data is encrypted in transit (TLS 1.2+) and at rest (AES-256).

Process: The proof engine runs the bijective test on every record within the isolated tenant. Forward transform, inverse transform, field-by-field comparison. Results are generated.

Deliver: The Intelligence Report is generated and delivered to you. The Ownership Ledger with cryptographic hashes is included.

Destroy: After the retention window (7 days by default, configurable), the entire tenant schema is dropped. All tables, all data, all intermediate results. A Destruction Certificate is issued confirming the date, time, and scope of deletion.
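
An added example, not Migration Proof's own code: a minimal round-trip check in the spirit of the Process and Deliver steps above (forward transform, inverse transform, field-by-field comparison, a hash per record). The mappings, the `ISO` code table, the ledger row layout and the sample rows are assumptions constructed for illustration; the second row carries a non-ISO country code to show how a lossy mapping fails the proof.

```python
import hashlib
import json

# Constructed sample rows using SAP supplier-master (LFA1) field names.
SAMPLE = [
    {"LIFNR": "0000100234", "NAME1": "Acme Tooling GmbH", "LAND1": "DE"},
    {"LIFNR": "0000100777", "NAME1": "Borealis Metals", "LAND1": "UK"},
]

ISO = {"DE": "DEU", "GB": "GBR"}  # hypothetical target code list
ISO_INV = {v: k for k, v in ISO.items()}


def forward(rec):
    """Hypothetical source -> target mapping."""
    return {"supplier_id": rec["LIFNR"], "name": rec["NAME1"],
            "country": ISO.get(rec["LAND1"], "UNK")}  # lossy for unknown codes


def inverse(tgt):
    """Hypothetical target -> source mapping."""
    return {"LIFNR": tgt["supplier_id"], "NAME1": tgt["name"],
            "LAND1": ISO_INV.get(tgt["country"], "")}


def record_hash(rec):
    """SHA-256 over a canonical JSON encoding (sorted keys, no whitespace)."""
    blob = json.dumps(rec, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def prove(records):
    """Round-trip every record; return one ledger row per record."""
    ledger = []
    for rec in records:
        back = inverse(forward(rec))
        # Field-by-field comparison of the source against its round trip.
        diffs = sorted(f for f in rec if rec[f] != back.get(f))
        ledger.append({"key": rec["LIFNR"], "source_sha256": record_hash(rec),
                       "roundtrip_sha256": record_hash(back),
                       "proven": not diffs, "failed_fields": diffs})
    return ledger


if __name__ == "__main__":
    for row in prove(SAMPLE):
        print(row["key"], "OK" if row["proven"] else f"FAIL {row['failed_fields']}")
```

A record counts as proven only when the inverse of its forward transform reproduces every source field, which is also the case where the two hashes match.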

What we keep, what we don't

What we keep (anonymised)

Before destruction, anonymised statistical patterns are extracted into our knowledge graph. These are aggregate patterns — not your data. Examples: "12% of suppliers in manufacturing verticals have non-ISO country codes." No record-level data. No field values. No identifiers.

What we destroy

Your raw data. Your transformed data. Your proof results at the record level. Your field values. Your supplier names, PO numbers, material codes — everything identifiable. Gone. Destruction Certificate issued.

Encryption

In transit: All uploads and downloads use TLS 1.2 or higher. No unencrypted connections are accepted.

At rest: Data stored in the ephemeral tenant is encrypted using AES-256. Encryption keys are tenant-specific and destroyed with the tenant.

Access control

Who sees your data: The proof engine processes your data autonomously. Five AI personas (Beacon, Razor, Atlas, Prism, Maestro) handle chain discovery, precondition checking, transformation, proof, and reporting. They operate on the data programmatically.

Human access: In the current operating model, the founder may review proof results to ensure report quality. This access is logged. As the platform matures toward full self-serve, human access to customer data will be eliminated entirely — the engine will operate without human involvement.

No third-party access: Your data is not shared with any third party. It is not used to train language models. It is not sold. It is not transferred. It exists in your ephemeral tenant and nowhere else.

PII and sensitive data

The diagnostic requires procurement master data and transaction data — supplier names, material descriptions, PO numbers, and similar business records. It does not require personal employee data, salary information, social security numbers, or financial account credentials.

If your extract contains PII inadvertently (e.g. contact names on supplier records), it is processed within the ephemeral tenant and destroyed with everything else. We recommend excluding unnecessary PII fields from the extract where possible.

Data residency

Processing currently runs on European cloud infrastructure. If your organisation requires specific data residency guarantees (e.g. UK-only, EU-only, or specific cloud region), contact us and we will confirm whether your requirement can be met.

Compliance

Migration Proof is designed with GDPR principles in mind: data minimisation (we process only what the extract contains), purpose limitation (processing only for the diagnostic), storage limitation (ephemeral tenant with destruction), and transparency (this page, plus the Destruction Certificate).

We are a small, early-stage operation. We do not yet hold ISO 27001 or SOC 2 certification. We are transparent about this. What we do offer is architectural security by design — ephemeral tenants, tenant-specific encryption, destruction certificates, and read-only access to source systems. As we grow, formal certifications will follow.

Questions

If your security, InfoSec, or procurement team has questions about our data handling that are not answered here, contact us directly. We will answer every question honestly and in writing.

hello@migrationproof.io

We read every message. We reply to every question.