Data Hosting and Storage
Code Climate hosts its infrastructure and data in Amazon Web Services (AWS). We follow AWS’ best practices, which allow us to take advantage of their secured, distributed, fault tolerant environment. To find out more information about AWS security practices, see: https://aws.amazon.com/security/.
Failover and Disaster Recovery
Our systems were designed and built with disaster recovery in mind. Our infrastructure and data are spread across three AWS availability zones, so our systems will continue to work should any one of those data centers fail.
Virtual Private Cloud
All of our servers are within our own virtual private cloud (VPC) with network access controls that prevent unauthorized connections to internal resources.
Backups and Monitoring
Code Climate uses automation to back up all data stores that contain customer data. On an application level, we produce audit logs for all activity and forward logs to centralized storage for analysis; we use S3 for archival purposes.
Permissions and Authentication
Access to customer data is limited to authorized employees who require it for their job. All access to the Code Climate websites is restricted to HTTPS encrypted connections.
Code Climate enforces policies that require strong passwords and two-factor authentication (2FA) on GitHub, Google, and AWS to ensure that access to cloud services is protected.
Access to infrastructure is restricted with role-based access, and all modifications are reviewed by our security team.
Encryption
All data sent to or from Code Climate systems is encrypted in transit using 256-bit encryption. Sensitive data such as tokens and credentials are stored in a secured database, salted and encrypted. We maintain an A+ rating from Qualys SSL Labs.
Pentests and Vulnerability Scanning
Code Climate uses third-party security tools to continuously scan for vulnerabilities. We regularly engage third-party security firms like NCCGroup to perform thorough penetration tests on our application and infrastructure.
SOC 2 Type II Testing
Code Climate has successfully completed a SOC 2 Type II audit.
Incident Response
Code Climate implements an Incident Response Policy for handling security events, which includes escalation procedures, rapid mitigation, and post-mortem review. All employees are informed of our policies.
Application Security Datasheets
Download our datasheets for more information about how Code Climate’s applications store and process your data.