How does Replicated ensure the security of my application's code?

Replicated takes security seriously (see Security at Replicated). We limit the data Replicated needs in order to deliver your application to your customers, and by default and by design none of the data your customers put into their private instance of your application leaves their environment unless they explicitly choose to send it out (it is their data, and they decide what to do with it).

When it comes to the security of your application’s code, we do what we can to limit the distribution of your images and to safeguard them while they are in our possession. First, if you use our private registry, we apply security best practices to protect image storage and transmission (see Security).

Before you push images to our registry, we generally advise vendors to compile and obfuscate their code so that the source is harder to recover from the image. Tools such as Ruby Encoder are used by applications such as GitHub Enterprise, and similar tools exist for most scripting languages (for example vercel/pkg on GitHub, which packages a Node.js project into an executable). Keep in mind that these measures raise the effort required to recover source code; they do not make recovery impossible for someone who can run the container. Replicated does not add DRM, obfuscation or any other container hardening to make source code discovery harder, so this is the vendor’s responsibility.
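As an added example (this is not code from Replicated or from the vercel/pkg project), the following multi-stage Dockerfile shows one way to follow the advice above for a Node.js application: the source tree and node_modules exist only in the build stage, and the image that is pushed to the registry contains a single executable produced by pkg, with no Node.js runtime, no npm and no source files. The project layout, the entry point declared in package.json’s `bin` field, the Node 18 target, the output paths and the unprivileged user are assumptions for the illustration.

```dockerfile
# Added example, not Replicated's or vercel/pkg's own code.
# Assumes: a Node.js project whose package.json declares its entry point in
# "bin", a package-lock.json, and a Linux x64 / Node 18 runtime target.

# ---- build stage: the only place the source tree exists ----
FROM node:18-bullseye AS build
WORKDIR /src
COPY package.json package-lock.json ./
RUN npm ci
COPY . .
# pkg bundles the project and its dependencies into one executable. Its default
# mode stores compiled V8 bytecode rather than readable JavaScript; do NOT pass
# --public or --no-bytecode, which would embed plain source in the binary.
RUN npx pkg . --targets node18-linux-x64 --output /out/app

# ---- runtime stage: what actually gets pushed to the registry ----
# No Node.js, no npm, no node_modules, no *.js files: only the binary.
FROM debian:bullseye-slim
RUN useradd --system --uid 10001 --no-create-home app
COPY --from=build /out/app /usr/local/bin/app
USER app
ENTRYPOINT ["/usr/local/bin/app"]
```

After building (for example `docker build -t myapp:compiled .`), check that nothing from the build stage leaked into the final layer: `docker run --rm --entrypoint /bin/sh myapp:compiled -c 'find / -name "*.js" -o -name node_modules 2>/dev/null'` should print nothing, and `docker history myapp:compiled` should show only the runtime stage’s layers. This reduces what an attacker can read out of a pulled image; it does not stop someone with the image from extracting and analysing the binary itself.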

Once your application is in Replicated, we suggest enabling “Require Activation” for every license you create (see 2-Factor Authentication for Customer Licenses). This ensures that only customers who have both your license AND access to the email address associated with it can pull your images.