CodeRaptor
Back to Security
Security First

Security Policy

Our comprehensive security policy and responsible disclosure program.

1. Security Overview

Security is fundamental to CodeRaptor. We implement industry-leading security practices to protect your code and data.

2. Security Certifications

SOC 2 Type II

Independently audited security, availability, and confidentiality controls

ISO 27001

Information security management system certification

GDPR Compliant

Full compliance with European data protection regulations

HIPAA Ready

Healthcare compliance available for enterprise customers

3. Security Measures

3.1 Data Encryption

  • In Transit: TLS 1.3 with perfect forward secrecy
  • At Rest: AES-256 encryption for all stored data
  • Backups: Encrypted backups with separate key management
  • Keys: AWS KMS for key management with automatic rotation

3.2 Access Controls

  • Role-based access control (RBAC) with principle of least privilege
  • Multi-factor authentication (MFA) required for all accounts
  • SSO support via SAML 2.0 and OIDC
  • Session timeout after 30 minutes of inactivity
  • IP whitelisting for enterprise customers

3.3 Infrastructure Security

  • Deployed on AWS with SOC 2 certified infrastructure
  • Network segregation and private VPC configuration
  • Web Application Firewall (WAF) with DDoS protection
  • Regular security patching and updates
  • Intrusion detection and prevention systems (IDS/IPS)

3.4 Application Security

  • Secure development lifecycle (SDL)
  • Automated security testing in CI/CD pipeline
  • Dependency scanning for vulnerabilities
  • Static application security testing (SAST)
  • Dynamic application security testing (DAST)
  • Regular code reviews and security audits

4. Data Protection

4.1 Code Handling

Your code is treated with the utmost care:

  • Zero Knowledge: We never train AI models on your code
  • Isolated Processing: Each review runs in isolated environment
  • Limited Retention: Code snippets deleted after 30 days
  • No Sharing: Your code is never shared with other customers
  • No AI Providers: Code not sent to third-party AI services

4.2 Data Residency

  • EU data remains in EU regions (for GDPR compliance)
  • US data remains in US regions
  • Custom regions available for enterprise
  • On-premise deployment option for maximum control

5. Monitoring and Detection

5.1 Security Monitoring

  • 24/7 security operations center (SOC)
  • Real-time threat detection and alerting
  • Log aggregation and SIEM integration
  • Automated anomaly detection

5.2 Audit Logging

  • Comprehensive audit trails for all actions
  • Logs retained for 2 years (compliance requirement)
  • Tamper-proof log storage
  • Available for customer review (enterprise)

6. Incident Response

6.1 Incident Management

We have a documented incident response plan:

  • Detection: Automated monitoring and alerts
  • Response: Immediate containment and investigation
  • Recovery: Service restoration and forensics
  • Post-Mortem: Root cause analysis and prevention

6.2 Communication

  • Status page updates: status.coderaptor.ai
  • Email notifications to affected customers
  • Post-incident reports within 72 hours
  • Regulatory notifications as required

7. Vulnerability Management

7.1 Regular Testing

  • Quarterly penetration testing by third-party firm
  • Annual security audits
  • Continuous vulnerability scanning
  • Bug bounty program (see below)

7.2 Patch Management

  • Critical vulnerabilities patched within 24 hours
  • High-severity within 7 days
  • Medium and low per risk assessment
  • Coordinated disclosure for dependencies

8. Responsible Disclosure Program

Report a Security Vulnerability

We appreciate the security research community's efforts to help keep CodeRaptor secure. If you discover a security vulnerability, please report it responsibly.

How to Report

  • Email: security@coderaptor.ai
  • PGP Key: Available on our security page
  • Include: Detailed description, reproduction steps, impact assessment

Our Commitment

  • Response within 24 hours
  • No legal action against good-faith researchers
  • Public acknowledgment (if desired)
  • Bug bounty rewards for critical findings

8.1 Safe Harbor

We provide legal safe harbor for security researchers who:

  • Report vulnerabilities in good faith
  • Do not access user data beyond what's necessary
  • Do not disrupt our services
  • Keep findings confidential until we've patched

8.2 Bug Bounty Program

We offer rewards for qualifying security vulnerabilities:

  • Critical: $5,000 - $10,000
  • High: $2,000 - $5,000
  • Medium: $500 - $2,000
  • Low: $100 - $500

9. Employee Security

9.1 Background Checks

  • Criminal background checks for all employees
  • Employment verification
  • Reference checks

9.2 Training

  • Security awareness training during onboarding
  • Annual security refresher training
  • Phishing simulation exercises
  • Secure coding training for developers

9.3 Access Management

  • Minimum necessary access principle
  • Regular access reviews
  • Immediate revocation upon termination

10. Third-Party Security

10.1 Vendor Assessment

  • Security questionnaires for all vendors
  • SOC 2 reports required for critical vendors
  • Annual vendor reviews
  • Contractual security obligations

10.2 Sub-Processors

All sub-processors undergo security review and sign DPAs:

  • AWS (Cloud infrastructure - SOC 2)
  • Stripe (Payment processing - PCI DSS)
  • SendGrid (Email delivery - SOC 2)

11. Compliance

11.1 Regulatory Compliance

  • GDPR: Full compliance with EU regulations
  • CCPA: California Consumer Privacy Act
  • SOC 2: Annual Type II audits
  • ISO 27001: Information security management
  • HIPAA: Available for healthcare customers

11.2 Audit Rights

Enterprise customers can:

  • Request SOC 2 reports
  • Conduct security questionnaires
  • Perform security assessments (with notice)
  • Review audit logs

12. Security Contacts

Get in Touch

Last Updated: October 22, 2025