Tight Security, Cloud Flexibility
For those clients who need the security of an on-prem solution, Velocity leverages a proprietary Agent architecture that provides the lower operating costs and versatility of a cloud-based SaaS. The Velocity Agent only sends metrics and metadata to our cloud for analysis, and never sends source code beyond your network.
SOC 2 Type II Compliance
We are SOC 2 Type II certified, and maintain the highest standards of security and compliance with strict background checks, role-based access controls, and thorough security reviews of all changes.
Bring Your Own Key (BYOK)
Velocity is the only solution in the market that enables you to retain full, local control of API tokens granting access to data sources. We never have access to your credentials.
Data Minimization
When using the Velocity Agent, your source code is never stored by our cloud-based services. All static code analysis is performed locally.
Comprehensive Encryption
Data is transmitted over TLS 1.2+-encrypted connections and at rest with AES-256.
SSO & SAML
Authentication and authorization are delegated to a centralized identity provider (IdP).
Find out why members of the Fortune 500 trust us to deliver actionable engineering insights.
Speak to a Velocity specialistThird-Party Verified for Safety
We work with respected security firms, including NCCGroup, to perform expert penetration testing annually. Furthermore, for every release, we perform automated dynamic and static
security scans of our code and infrastructure.
Security Details
Data Hosting and Storage
Code Climate hosts its infrastructure and data in Amazon Web Services (AWS). We follow AWS’ best practices, which allow us to take advantage of their secured, distributed, fault tolerant environment. To find out more information about AWS security practices, see: https://aws.amazon.com/security/.
Failover and Disaster Recovery
Our systems were designed and built with disaster recovery in mind. Our infrastructure and data are spread across three AWS availability zones, so our systems will continue to work should any one of those data centers fail.
Virtual Private Cloud
All of our servers are within our own virtual private cloud (VPC) with network access controls that prevent unauthorized connections to internal resources.
Back Ups and Monitoring
Code Climate uses automation to backup all data stores that contain customer data. On an application level, we produce audit logs for all activity and forward logs to centralized storage for analysis; we use S3 for archival purposes.
Permissions and Authentication
Access to customer data is limited to authorized employees who require it for their job. All access to the Code Climate websites is restricted to HTTPS encrypted connections.
Code Climate enforces policies that requires strong password policies and two-factor authentication (2FA) on GitHub, Google, and AWS to ensure access to cloud services are protected.
Access to infrastructure is restricted with role-based-access, and all modifications are reviewed by our security team.
Encryption
All data sent to or from Code Climate systems is encrypted in transit using 256 bit encryption. Sensitive data such as tokens and credentials are stored in a secured database, salted and encrypted. We maintain an A+ from Qualys SSL Labs.
Pentests and Vulnerability Scanning
Code Climate uses third party security tools to continuously scan for vulnerabilities. We regularly engage third-party security firms like NCCGroup to perform thorough penetration tests on our application and infrastructure.
SOC 2 Type II Testing
Code Climate has successfully completed a SOC 2 Type II audit.
Incident Response
Code Climate implements an Incident Response Policy for handling security events, which includes escalation procedures, rapid mitigation and post mortem. All employees are informed of our policies.
Application Security Datasheets
Download our datasheets for more information about how Code Climate’s applications store and process your data.
Training
All Code Climate employees complete security awareness training annually.
Policies
Code Climate has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
Employee Vetting
Code Climate performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.
Confidentiality
All employee contracts include a confidentiality agreement.
Headquarters Security
Code Climate headquarters employs door personnel, and badge access is required at all hours. Visitors are required to sign in and to be escorted at all times.
PCI Obligations
When you purchase a paid Code Climate subscription, your credit card data is neither transmitted through nor stored on our systems. Instead, we depend on Stripe, a company dedicated to this task. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available. Stripe’s security information is available here.
Your input and feedback on our security, as well as responsible disclosure, is always appreciated. If you’ve discovered a security concern, please email us at security@codeclimate.com. We’ll work with you to make sure we understand the issue and address it. We consider security correspondence and vulnerabilities our highest priorities, and we will work to promptly address any issues that arise.
Thank you for helping us keep Code Climate safe. We’d also like to specially thank the following people who have worked with us to resolve vulnerabilities in the past:
- Ishan Anand
- Kamil Sevi
- Manish Kumar Yadav
- Narendra Bhati
- Yogendra Sharma
- Aditya Agrawal
- Zee Shan
- Stefan Sundin
- Harry Gertos
- Md. Nur A Alam Dipu
- Ismail Tasdelen
- Foysal Ahmed Fahim
- Marek Jilek
Note: We appreciate reports for any and all security issues, but we reserve listing on this page for people who have disclosed unknown vulnerabilities of high or critical severity, or have helped us in an ongoing manner.
