

Protected and Trusted

Unparalleled Security for Engineering Intelligence

See how we go above and beyond our SOC 2 Type II attestation with an enterprise-grade security architecture.


The Code Climate Difference

Engineering Intelligence that delivers the power of cloud-scale machine learning without risking your code

Our Engineering Management Platform leverages a proprietary Agent architecture to keep your source code behind your firewall. Our best-in-class solution provides the security of an on-prem solution with the lower operating costs and versatility of a cloud-based SaaS.

The Velocity Agent runs on your infrastructure and performs source code analysis locally, giving you full visibility into how your team works without sacrificing security. The Agent sends only metrics and metadata to our cloud, where machine learning is applied before the results are surfaced in the Velocity app.

The Velocity Agent never sends source code beyond your network.

Third-Party Verified for Safety

We understand that the security of your engineering data is critical, so we go above and beyond industry best practices to keep our systems and your data safe. We have completed a SOC 2 Type II audit and maintain strict standards of security and compliance, including background checks, role-based access controls, and security review of all changes.


We work with respected security firms, including NCC Group, to perform expert penetration testing of both the Agent and the SaaS application annually. Automated dynamic and static security scans of our code and infrastructure run on every release.

  • CSA
  • GDPR
  • SOC 2 Type II
  • PCI Security Standards Council

Key Advantages

Enterprise-Grade Security


Bring Your Own Key (BYOK)

You retain full, local control of tokens granting access to data sources. Credentials are never transmitted to or accessible by Code Climate's services or staff.


Data Minimization

When using the Velocity Agent, source code is never accessible from or processed by our cloud-based services. All static code analysis is performed locally.
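The boundary described above and in "The Code Climate Difference" (analysis runs locally, only metrics and metadata cross the network) is easy to state and easy to get wrong: one convenience field in the outbound payload is all it takes to leak source. The following is an added illustration of that boundary, not Code Climate's Agent code; the metric names, the allowlisted payload keys, the salted path identifiers, and the sample repository are all assumptions made for the example. It computes metrics over an in-memory "repository", projects the result through an allowlist before it would be sent, and checks the serialized payload for any path or source line.

```python
"""Data-minimization boundary for an on-premises analysis agent (illustration)."""
import hashlib
import json
import re

# Constructed sample repository: path -> file contents. Stands in for a checkout
# that the agent can read locally but must never transmit.
SAMPLE_REPO = {
    "src/auth.py": (
        "import hmac\n"
        "\n"
        "def verify(token, expected):\n"
        "    # constant-time compare\n"
        "    return hmac.compare_digest(token, expected)\n"
    ),
    "src/app.py": (
        "from auth import verify\n"
        "\n"
        "def handler(req):\n"
        "    if not verify(req.token, SECRET):\n"
        "        return 401\n"
        "    return 200\n"
        "\n"
        "def health():\n"
        "    return 'ok'\n"
    ),
}

# The only top-level keys permitted to leave the network (assumed schema).
PAYLOAD_ALLOWLIST = {"schema", "files", "total_lines", "total_functions"}

# Crude function counter; a real agent would use a parser.
FUNC_RE = re.compile(r"^\s*def\s+\w+\s*\(", re.MULTILINE)


def path_id(path: str, salt: bytes) -> str:
    """Stable identifier for a path that does not reveal the path.

    The salt is assumed to be held by the customer, so the cloud side cannot
    brute-force common paths back out of the identifier.
    """
    return hashlib.sha256(salt + path.encode()).hexdigest()[:16]


def analyze_locally(repo: dict, salt: bytes) -> dict:
    """Run analysis over the checkout. Everything here stays on the customer side."""
    files = []
    path_index = {}
    for path, text in sorted(repo.items()):
        lines = text.splitlines()
        fid = path_id(path, salt)
        path_index[fid] = path  # needed locally to render reports, never shipped
        files.append({
            "id": fid,
            "lines": len(lines),
            "blank_lines": sum(1 for line in lines if not line.strip()),
            "functions": len(FUNC_RE.findall(text)),
        })
    return {
        "schema": 1,
        "files": files,
        "total_lines": sum(f["lines"] for f in files),
        "total_functions": sum(f["functions"] for f in files),
        "path_index": path_index,
    }


def build_payload(metrics: dict) -> dict:
    """Allowlist projection: the only object that may cross the network."""
    return {k: v for k, v in metrics.items() if k in PAYLOAD_ALLOWLIST}


def leaks_source(payload: dict, repo: dict) -> bool:
    """Last-line check: does the serialized payload contain any path or source line?"""
    blob = json.dumps(payload)
    for path, text in repo.items():
        if path in blob:
            return True
        for line in text.splitlines():
            stripped = line.strip()
            if stripped and stripped in blob:
                return True
    return False


if __name__ == "__main__":
    metrics = analyze_locally(SAMPLE_REPO, salt=b"customer-held-salt")
    outbound = build_payload(metrics)
    assert not leaks_source(outbound, SAMPLE_REPO)
    print(json.dumps(outbound, indent=2))
```

The allowlist is the control; the `leaks_source` scan is a tripwire that catches the case where a developer adds a field (here, the local path index) without updating the allowlist. Running the scan in the agent's test suite against a corpus of real-looking files is cheap and makes the "source never leaves your network" property something you verify rather than assert.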


Comprehensive Encryption

Data is encrypted in transit over TLS 1.2 or later and at rest with AES-256.


SSO & SAML

Authentication and authorization are delegated to a centralized identity provider (IdP).


Security Details

Network and Application Security

Data Hosting and Storage
Code Climate hosts its infrastructure and data in Amazon Web Services (AWS). We follow AWS’ best practices, which allow us to take advantage of their secured, distributed, fault tolerant environment. To find out more information about AWS security practices, see: https://aws.amazon.com/security/.

Failover and Disaster Recovery
Our systems were designed and built with disaster recovery in mind. Our infrastructure and data are spread across three AWS availability zones, so service continues if any single zone fails.

Virtual Private Cloud
All of our servers are within our own virtual private cloud (VPC) with network access controls that prevent unauthorized connections to internal resources.

Backups and Monitoring
Code Climate uses automation to back up all data stores that contain customer data. At the application level, we produce audit logs for all activity and forward them to centralized storage for analysis; we use S3 for archival.

Permissions and Authentication
Access to customer data is limited to authorized employees who require it for their job. All access to the Code Climate websites is restricted to HTTPS encrypted connections.

Code Climate requires strong passwords and two-factor authentication (2FA) on GitHub, Google, and AWS so that access to cloud services is protected.

Access to infrastructure is restricted with role-based-access, and all modifications are reviewed by our security team.

Encryption
All data sent to or from Code Climate systems is encrypted in transit with TLS 1.2 or later. Sensitive data such as tokens and credentials are stored salted and encrypted in a secured database. We maintain an A+ rating from Qualys SSL Labs.

Pentests and Vulnerability Scanning
Code Climate uses third-party security tools to continuously scan for vulnerabilities. We regularly engage third-party security firms such as NCC Group to perform thorough penetration tests of our application and infrastructure.

SOC 2 Type II Testing
Code Climate has successfully completed a SOC 2 Type II audit.

Incident Response
Code Climate maintains an Incident Response Policy for handling security events, which includes escalation procedures, rapid mitigation, and a post-mortem. All employees are informed of our policies.

Application Security Datasheets
Download our datasheets for more information about how Code Climate’s applications store and process your data.

Additional Security Information

Training
All Code Climate employees complete security awareness training annually.

Policies
Code Climate has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.

Employee Vetting
Code Climate performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.

Confidentiality
All employee contracts include a confidentiality agreement.

Headquarters Security
Code Climate headquarters employs door personnel, and badge access is required at all hours. Visitors are required to sign in and to be escorted at all times.

PCI Obligations
When you purchase a paid Code Climate subscription, your credit card data is neither transmitted through nor stored on our systems. Instead, we rely on Stripe, a company dedicated to this task. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available, and publishes its own security information.

Reporting Issues

Your input and feedback on our security, as well as responsible disclosure, is always appreciated. If you’ve discovered a security concern, please email us at security@codeclimate.com. We’ll work with you to make sure we understand the issue and address it. We consider security correspondence and vulnerabilities our highest priorities, and we will work to promptly address any issues that arise.

Special Thanks

Thank you for helping us keep Code Climate safe. We’d also like to specially thank the following people who have worked with us to resolve vulnerabilities in the past:

Note: We appreciate reports for any and all security issues, but we reserve listing on this page for people who have disclosed unknown vulnerabilities of high or critical severity, or have helped us in an ongoing manner.

Resources


How Velocity Metrics Can Help Your Team Achieve Continuous Delivery [Webinar]

Engineering leaders looking to drive high performance and achieve Continuous Delivery often hear that metrics are the answer.


Customer Interview: Santiago García, CTO and Co-Founder at La Haus

In this customer interview, we talked to Santiago García, CTO and Co-Founder at La Haus. Santiago shared how using Velocity metrics helped him gain visibility into La Haus’s engineering processes and drive improvements.


Using Velocity Metrics to Level Up Senior Engineers and Coach New Hires [Webinar]

In this free, 45-minute webinar for CTOs, VPs, and managers of managers, we explain how an engineering analytics tool like Velocity can help every member of your team excel — whether they’re a new hire or an emerging leader.
