We touch your production code.
Here is exactly what that means.

SOC 2 Type 2 audited. Sandboxed execution. No model training on your code. Deploy in SaaS, your VPC, or fully air-gapped. Every commitment is contractual.

SOC 2 Type 2
Annual audit. Continuous controls monitoring. Report available under NDA.
Never trained on your code
Not for our models. Not for third-party models. Contractually enforced.
Your deployment, your choice
SaaS, your cloud (AWS / GCP / Azure), or fully on-prem. Same product.
Sandboxed execution
Every agent run happens in an isolated environment. No production access, no exfiltration paths.

Three ways to run Codeflash.

SaaS

Hosted by us

Fastest to start. Code is accessed via ephemeral, read-only clones in an isolated sandbox. Deleted at end of run.

  • US-hosted, SOC 2 audited
  • SSO / SAML
  • Audit log export
Your cloud

VPC deployment

We deploy the agent into your AWS / GCP / Azure account. Your IAM, your network, your logs. We provide the control plane.

  • No code leaves your boundary
  • Terraform / Helm provisioned
  • BYO keys
On-prem

Fully air-gapped

For regulated environments. Standalone install, no egress required. Model weights delivered as signed artifacts.

  • Zero-egress mode
  • Signed update channel
  • Deployed in financial and defense contexts
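What "model weights delivered as signed artifacts" and a "signed update channel" mean in practice is that the air-gapped installer must verify a detached signature against a publisher key that was pinned out of band, and refuse to load anything that fails. The following is an added illustration of that check, not Codeflash's installer or its real artifact format: the artifact layout (raw bytes plus a detached Ed25519 signature over the SHA-256 digest), the function names, and the sample "weights" bytes are all assumptions constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// ErrBadSignature is returned for any artifact that does not verify against
// the pinned publisher key. Callers must not load the artifact in that case.
var ErrBadSignature = errors.New("artifact signature does not verify against pinned publisher key")

// newPublisherKey stands in for the publisher's offline signing key. In a real
// deployment only the public half is shipped and pinned on the customer side.
func newPublisherKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// artifactDigest returns the SHA-256 digest that is signed. Signing the digest
// rather than the raw bytes lets a multi-gigabyte weights file be hashed once
// on the signing host and verified by an installer that streams the file.
func artifactDigest(artifact []byte) []byte {
	d := sha256.Sum256(artifact)
	return d[:]
}

// signArtifact is the publisher side (hypothetical), included so the example
// runs offline: an Ed25519 detached signature over the artifact digest.
func signArtifact(priv ed25519.PrivateKey, artifact []byte) []byte {
	return ed25519.Sign(priv, artifactDigest(artifact))
}

// verifyArtifact is the customer side: it checks key and signature sizes first
// (ed25519.Verify panics on a malformed public key), then verifies the detached
// signature under the pinned key. Any failure is reported as ErrBadSignature.
func verifyArtifact(pinned ed25519.PublicKey, artifact, sig []byte) error {
	if len(pinned) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return ErrBadSignature
	}
	if !ed25519.Verify(pinned, artifactDigest(artifact), sig) {
		return ErrBadSignature
	}
	return nil
}

func main() {
	pub, priv := newPublisherKey()

	// Constructed stand-in for a weights file shipped through the update channel.
	weights := []byte("constructed model weights, version 1")
	sig := signArtifact(priv, weights)

	fmt.Println("genuine artifact:", verifyArtifact(pub, weights, sig))

	// A single flipped byte in transit must be rejected.
	tampered := append([]byte{}, weights...)
	tampered[0] ^= 0x01
	fmt.Println("tampered artifact:", verifyArtifact(pub, tampered, sig))

	// A signature from any key other than the pinned one must be rejected,
	// even if the artifact bytes are intact.
	otherPub, _ := newPublisherKey()
	fmt.Println("wrong publisher key:", verifyArtifact(otherPub, weights, sig))
}
```

The check that matters operationally is the pinning: the public key must reach the air-gapped host by a path independent of the update channel itself (for example, printed in the contract packet or verified by fingerprint on a call), otherwise an attacker who can substitute artifacts can substitute the key too.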

What we see, store, and forget.

Data / What we do

Source code
Read in sandbox only. Not persisted beyond the run. Never used to train models.
Code sent to LLMs
Only the functions under analysis are passed to the model, not your full codebase. We use enterprise API agreements with zero training rights. Your code is not used to improve any model.
Runtime inputs (traces)
Stored encrypted. Scrubbed on request. Used only for benchmarking and regression tests.
Benchmark results
Stored in your tenant. Exportable. Retained per your contract.
Secrets / credentials
Never stored. Sandbox has no egress to secret stores.
PII / customer data
Not needed. Benchmarks run on synthetic or scrubbed inputs.

Full subprocessor list available on request.

The shortlist your security team will ask for.

SSO / SAML
Okta, Entra, Google Workspace. SCIM provisioning available.
Role-based access
Admin, engineer, and auditor roles. Fine-grained repo-level permissions.
Audit logs
Every agent action, every PR merge, every export. Structured JSON, exportable to your SIEM.
Data residency
US regions at launch. EU region on request. GDPR and CCPA compliant.
Encryption
TLS 1.3 in transit. AES-256 at rest. Annual penetration test by independent firm.
Key management
BYO KMS in VPC and on-prem deployments. HSM support on request.

Found a vulnerability?

Responsible disclosure goes to security@codeflash.ai. We respond within one business day. We do not pursue legal action against researchers acting in good faith under our disclosure policy.

Disclosure policy
PGP key

Security review in progress?

Pre-reviewed security packet available on request. SOC 2 Type 2 report available under NDA. We turn most security questionnaires around in 48 hours.