
Security & Trust Center

Last updated: March 23, 2026

Our Commitment

At CodeContext, security is foundational to everything we build. Your coding standards, API specifications, and organizational data are critical assets, and we treat their protection as our highest priority.

This page provides an overview of the security measures and practices we employ to protect your data.

Data Encryption

We use industry-standard encryption to protect your data:

  • In transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all connections and send HSTS headers so that browsers refuse to fall back to plaintext HTTP.
  • At rest: All data in our databases and backup systems is encrypted with AES-256, including the infrastructure-level encryption provided by our database host.
  • Credentials: Passwords are hashed with a modern, industry-standard password hashing algorithm and a unique salt per password. We never store passwords in plaintext.
  • Application-level encryption (Enterprise): Enterprise organizations may optionally enable additional encryption for coding standards and API specification content using AES-256-GCM, with per-organization data encryption keys.
  • Bring your own key (BYOK): Enterprise customers may supply and manage their own encryption keys (customer-managed keys) instead of using platform-managed keys, subject to configuration and support from our team.
  • Key lifecycle: Encryption keys can be rotated. Scheduled key revocation includes a 72-hour cooling-off period during which the revocation can be cancelled; once that period ends, the revocation is finalized.
  • Crypto-shredding: Once a key has been revoked and is no longer available to the service, content encrypted under it can no longer be decrypted. Destroying the key is therefore a strong form of data destruction for that content, and the cooling-off period is the last opportunity to recover it.
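The revocation lifecycle described in the Key lifecycle and Crypto-shredding items above, as an added example in Go. This is illustrative code written for this page, not CodeContext's implementation: the type and function names (OrgKey, ScheduleRevocation, CancelRevocation, FinalizeRevocation), the in-memory key, the injectable clock and the sample plaintext are all assumptions. It encrypts content with AES-256-GCM under a per-organization key, binds the organization ID into each ciphertext as additional authenticated data, allows a scheduled revocation to be cancelled only inside the 72-hour window, and destroys the key once the window has elapsed, after which the stored ciphertext is unrecoverable:

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Hypothetical illustration, not CodeContext's code: a per-organization AES-256-GCM DEK, a cancellable 72-hour revocation window, and crypto-shredding.
const coolingOff = 72 * time.Hour

var (
	ErrKeyDestroyed = errors.New("DEK revoked: content encrypted under it is unrecoverable")
	ErrNotPending   = errors.New("no revocation pending inside its cooling-off window")
	ErrNotFinal     = errors.New("no revocation pending whose cooling-off window has elapsed")
)

type OrgKey struct {
	org      string           // organization ID, bound into every ciphertext as AAD
	dek      []byte           // 32-byte AES-256 key; nil once revocation is finalized
	revokeAt time.Time        // zero while no revocation is scheduled
	now      func() time.Time // injectable clock so the 72-hour window can be tested
}
func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failing CSPRNG is not recoverable
	}
	return b
}
// NewOrgKey provisions a fresh random DEK for an organization.
func NewOrgKey(org string, now func() time.Time) *OrgKey { return &OrgKey{org: org, dek: mustRandom(32), now: now} }
func (k *OrgKey) aead() (cipher.AEAD, error) {
	if k.dek == nil {
		return nil, ErrKeyDestroyed
	}
	block, err := aes.NewCipher(k.dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// Encrypt returns nonce||ciphertext||tag. The org ID as additional authenticated
// data stops a blob from being accepted under another organization's key.
func (k *OrgKey) Encrypt(plaintext []byte) ([]byte, error) {
	gcm, err := k.aead()
	if err != nil {
		return nil, err
	}
	nonce := mustRandom(gcm.NonceSize()) // fresh random 96-bit nonce per message
	return gcm.Seal(nonce, nonce, plaintext, []byte(k.org)), nil
}
func (k *OrgKey) Decrypt(blob []byte) ([]byte, error) {
	gcm, err := k.aead()
	if err != nil {
		return nil, err
	}
	if n := gcm.NonceSize(); len(blob) >= n {
		return gcm.Open(nil, blob[:n], blob[n:], []byte(k.org))
	}
	return nil, errors.New("ciphertext too short")
}
// ScheduleRevocation opens the cooling-off window; the DEK keeps working meanwhile.
func (k *OrgKey) ScheduleRevocation() { k.revokeAt = k.now().Add(coolingOff) }
// CancelRevocation succeeds only while the window is still open.
func (k *OrgKey) CancelRevocation() error {
	if k.revokeAt.IsZero() || !k.now().Before(k.revokeAt) {
		return ErrNotPending
	}
	k.revokeAt = time.Time{}
	return nil
}
// FinalizeRevocation destroys the DEK once the window has elapsed; every blob
// encrypted under it is then permanently undecryptable (crypto-shredding).
func (k *OrgKey) FinalizeRevocation() error {
	if k.revokeAt.IsZero() || k.now().Before(k.revokeAt) {
		return ErrNotFinal
	}
	for i := range k.dek {
		k.dek[i] = 0 // zero the key bytes before dropping the reference
	}
	k.dek = nil
	return nil
}
func main() {
	clock := time.Now()
	key := NewOrgKey("org-123", func() time.Time { return clock })
	blob, _ := key.Encrypt([]byte("openapi: 3.1.0")) // constructed sample content
	key.ScheduleRevocation()
	fmt.Println("cancel inside window:", key.CancelRevocation())
	key.ScheduleRevocation()
	clock = clock.Add(coolingOff + time.Minute)
	fmt.Println("finalize after window:", key.FinalizeRevocation())
	_, err := key.Decrypt(blob)
	fmt.Println("decrypt after shred:", err)
}
```

Two design points a practitioner would check in a real deployment: the per-organization DEK would itself be wrapped by a key-management-service key (platform-managed, or customer-supplied under BYOK) rather than held in process memory, and the scheduled/cancelled/finalized state would be persisted and written to the audit log so that a finalized revocation is provably irreversible. The AAD binding matters because two organizations' ciphertexts live in the same database; without it, a blob copied between rows would still authenticate if the keys were ever reused.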

Authentication & Access

We provide robust authentication and access control features:

  • Multi-factor authentication (MFA): Available for all accounts to add an extra layer of security
  • Session management: Secure, server-side session handling with automatic expiration
  • Role-based access control: Granular permissions (owner, admin, member) to control who can access and modify resources
  • API key management: Scoped API keys with read-only or read-write permissions, revocable at any time
  • SSO integration: Support for Single Sign-On for organizations that require centralized identity management

Infrastructure Security

Our infrastructure is designed for security and reliability:

  • Hosted on enterprise-grade cloud infrastructure whose providers hold SOC 2 and ISO 27001 certifications
  • Network isolation and firewall rules to restrict unauthorized access
  • Regular security patches and updates applied to all systems
  • Distributed denial-of-service (DDoS) protection
  • Geographic redundancy to ensure high availability

Application Security

We follow security best practices in our application development:

  • Parameterized database queries to prevent SQL injection
  • CSRF protection on all state-changing operations
  • Content Security Policy (CSP) headers to mitigate cross-site scripting
  • Input validation and sanitization on all user inputs
  • Regular security code reviews and automated vulnerability scanning
  • Rate limiting on authentication endpoints and APIs to prevent brute-force attacks

Data Backup & Recovery

We maintain comprehensive backup and disaster recovery procedures:

  • Automated daily database backups with point-in-time recovery capability
  • Backups are encrypted and stored in geographically separate locations
  • Regular backup restoration testing to verify data integrity
  • Documented disaster recovery procedures with defined recovery time objectives

Monitoring & Incident Response

We continuously monitor our systems for security threats:

  • Real-time monitoring of application and infrastructure health
  • Automated alerting for anomalous activity and potential security incidents
  • Audit logging of administrative actions and security events
  • Documented incident response plan with defined escalation procedures
  • Post-incident reviews to identify root causes and prevent recurrence

In the event of a security incident that affects your data, we will notify affected users promptly in accordance with applicable laws and regulations.

Compliance

We are committed to meeting the data protection requirements of our users:

  • GDPR: We provide data processing agreements, support data subject rights, and implement appropriate technical and organizational measures
  • CCPA/CPRA: We honor California consumer privacy rights and do not sell personal information
  • We regularly review and update our practices to align with evolving privacy regulations

Vendor Security

We carefully evaluate the security practices of all third-party vendors and service providers before integrating them into our platform. Our vendor assessment includes:

  • Review of security certifications and compliance reports
  • Evaluation of data handling and privacy practices
  • Contractual obligations for data protection and breach notification
  • Ongoing monitoring of vendor security posture

Responsible Disclosure

We value the work of security researchers and welcome reports of potential vulnerabilities. If you discover a security issue, please report it to us responsibly:

  • Email your findings to security@codecontext.app
  • Provide sufficient detail for us to reproduce and verify the issue
  • Allow us reasonable time to investigate and address the vulnerability before any public disclosure
  • Do not access or modify other users' data during your research

We are committed to working with researchers in good faith and will not pursue legal action against those who report vulnerabilities responsibly.

Contact

For security-related inquiries or to report a vulnerability: