Tight Security, Cloud Flexibility
For those clients who need the security of an on-prem solution, Velocity leverages a proprietary Agent architecture that provides the lower operating costs and versatility of a cloud-based SaaS. The Velocity Agent only sends metrics and metadata to our cloud for analysis, and never sends source code beyond your network.
Data Hosting and Storage
Code Climate hosts its infrastructure and data in Amazon Web Services (AWS). We follow AWS’ best practices, which allow us to take advantage of their secured, distributed, fault tolerant environment. To find out more information about AWS security practices, see: https://aws.amazon.com/security/.
Failover and Disaster Recovery
Our systems were designed and built with disaster recovery in mind. Our infrastructure and data are spread across three AWS availability zones, so our systems will continue to work should any one of those data centers fail.
Virtual Private Cloud
All of our servers are within our own virtual private cloud (VPC) with network access controls that prevent unauthorized connections to internal resources.
Backups and Monitoring
Code Climate uses automation to back up all data stores that contain customer data. At the application level, we produce audit logs for all activity and forward them to centralized storage for analysis; we use S3 for archival purposes.
Permissions and Authentication
Access to customer data is limited to authorized employees who require it for their job. All access to the Code Climate websites is restricted to HTTPS encrypted connections.
Code Climate enforces policies that require strong passwords and two-factor authentication (2FA) on GitHub, Google, and AWS to ensure that access to cloud services is protected.
Access to infrastructure is restricted with role-based access, and all modifications are reviewed by our security team.
All data sent to or from Code Climate systems is encrypted in transit using 256-bit encryption. Sensitive data such as tokens and credentials are stored in a secured database, salted and encrypted. We maintain an A+ rating from Qualys SSL Labs.
Pentests and Vulnerability Scanning
Code Climate uses third-party security tools to continuously scan for vulnerabilities. We regularly engage third-party security firms such as NCC Group to perform thorough penetration tests on our application and infrastructure.
SOC 2 Type II Testing
Code Climate has successfully completed a SOC 2 Type II audit.
Code Climate implements an Incident Response Policy for handling security events, which includes escalation procedures, rapid mitigation, and post-mortems. All employees are informed of our policies.
Application Security Datasheets
Download our datasheets for more information about how Code Climate’s applications store and process your data.
All Code Climate employees complete security awareness training annually.
Code Climate has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.
Code Climate performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.
All employee contracts include a confidentiality agreement.
Code Climate headquarters employs door personnel, and badge access is required at all hours. Visitors are required to sign in and to be escorted at all times.
When you purchase a paid Code Climate subscription, your credit card data is neither transmitted through nor stored on our systems. Instead, we depend on Stripe, a company dedicated to this task. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available. Stripe’s security information is available here.
Your input and feedback on our security, as well as responsible disclosure, is always appreciated. If you’ve discovered a security concern, please email us at email@example.com. We’ll work with you to make sure we understand the issue and address it. We consider security correspondence and vulnerabilities our highest priorities, and we will work to promptly address any issues that arise.
Thank you for helping us keep Code Climate safe. We’d also like to specially thank the following people who have worked with us to resolve vulnerabilities in the past:
- Ishan Anand
- Kamil Sevi
- Manish Kumar Yadav
- Narendra Bhati
- Yogendra Sharma
- Aditya Agrawal
- Zee Shan
- Stefan Sundin
- Harry Gertos
- Md. Nur A Alam Dipu
- Ismail Tasdelen
- Foysal Ahmed Fahim
- Marek Jilek
Note: We appreciate reports of any and all security issues, but we reserve listing on this page for people who have disclosed previously unknown vulnerabilities of high or critical severity, or who have helped us in an ongoing manner.
"Being in the financial services industry, it's important that our partners maintain high levels of information security. Code Climate provides us with immensely useful insights while being a great steward of our data."
Data in Context
"Our teams know that the actual numbers matter less than what those numbers mean. Code Climate allows us to look deeper to understand the context behind changes."
Insights for Scale
"As orgs scale, it can be extremely hard for executives and leadership to understand which teams are impacted or blocked. Large orgs make it impossible and highly unproductive to spend much time in code reviews, PR reviews or in standups, nor is it a smart use of time. Code Climate provides an easy-to-digest overview of team health, allowing you to identify which teams may be blocked and then focus on specific areas to unblock them. Code Climate has been the single most valuable tool in my toolbelt through multiple companies and roles, and I would recommend it to any leader at an organization of any size."