Feature: Security

Enterprise-Grade Security for Every Organization

Code Climate is trusted by thousands of organizations to deliver the power of cloud-scale machine learning without risk to your code.

Unparalleled Protection

Tight Security, Cloud Flexibility

For those clients who need the security of an on-prem solution, Velocity leverages a proprietary Agent architecture that provides the lower operating costs and versatility of a cloud-based SaaS. The Velocity Agent only sends metrics and metadata to our cloud for analysis, and never sends source code beyond your network.

Find out why members of the Fortune 500 trust us to deliver actionable engineering insights.

Certifications & Partners

Third-Party Verified for Safety

We work with respected security firms, including NCCGroup, to perform expert penetration testing annually. Furthermore, for every release, we perform automated dynamic and static security scans of our code and infrastructure.


Security Details

Data Hosting and Storage
Code Climate hosts its infrastructure and data in Amazon Web Services (AWS). We follow AWS’ best practices, which allow us to take advantage of their secured, distributed, fault tolerant environment. To find out more information about AWS security practices, see:

Failover and Disaster Recovery
Our systems were designed and built with disaster recovery in mind. Our infrastructure and data are spread across three AWS availability zones, so our systems will continue to work should any one of those data centers fail.

Virtual Private Cloud
All of our servers are within our own virtual private cloud (VPC) with network access controls that prevent unauthorized connections to internal resources.

Back Ups and Monitoring
Code Climate uses automation to back up all data stores that contain customer data. At the application level, we produce audit logs for all activity and forward logs to centralized storage for analysis; we use S3 for archival purposes.

Permissions and Authentication
Access to customer data is limited to authorized employees who require it for their job. All access to the Code Climate websites is restricted to HTTPS encrypted connections.

Code Climate enforces strong password policies and two-factor authentication (2FA) on GitHub, Google, and AWS to ensure that access to cloud services is protected.

Access to infrastructure is restricted with role-based access, and all modifications are reviewed by our security team.

All data sent to or from Code Climate systems is encrypted in transit using 256-bit encryption. Sensitive data such as tokens and credentials are stored in a secured database, salted and encrypted. We maintain an A+ from Qualys SSL Labs.

Pentests and Vulnerability Scanning
Code Climate uses third-party security tools to continuously scan for vulnerabilities. We regularly engage third-party security firms like NCCGroup to perform thorough penetration tests on our application and infrastructure.

SOC 2 Type II Testing
Code Climate has successfully completed a SOC 2 Type II audit.

Incident Response
Code Climate implements an Incident Response Policy for handling security events, which includes escalation procedures, rapid mitigation, and post-mortem. All employees are informed of our policies.

Application Security Datasheets
Download our datasheets for more information about how Code Climate’s applications store and process your data.

All Code Climate employees complete security awareness training annually.

Code Climate has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.

Employee Vetting
Code Climate performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.

All employee contracts include a confidentiality agreement.

Headquarters Security
Code Climate headquarters employs door personnel, and badge access is required at all hours. Visitors are required to sign in and to be escorted at all times.

PCI Obligations
When you purchase a paid Code Climate subscription, your credit card data is neither transmitted through nor stored on our systems. Instead, we depend on Stripe, a company dedicated to this task. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available. Stripe’s security information is available here.

Your input and feedback on our security, as well as responsible disclosure, is always appreciated. If you’ve discovered a security concern, please email us at We’ll work with you to make sure we understand the issue and address it. We consider security correspondence and vulnerabilities our highest priorities, and we will work to promptly address any issues that arise.

Thank you for helping us keep Code Climate safe. We’d also like to specially thank the following people who have worked with us to resolve vulnerabilities in the past:

Note: We appreciate reports for any and all security issues, but we reserve listing on this page for people who have disclosed unknown vulnerabilities of high or critical severity, or have helped us in an ongoing manner.