Security
Security is foundational to CodeContext. Here's how we protect your coding standards and data.
Infrastructure
- Hosted on Vercel with automatically provisioned TLS certificates
- Database hosted on Neon (PostgreSQL) with encryption at rest
- All data transmitted over HTTPS with TLS 1.3
- Edge network with DDoS protection
Customer-Managed Encryption
- All data encrypted at rest and in transit on every plan
- Enterprise customers can manage their own encryption keys (BYOK)
- Application-level AES-256-GCM encryption of coding standards and API specs, so content is encrypted before it reaches the database
- Per-organization encryption keys with rotation and revocation
- Crypto-shredding: revoking your key makes your encrypted data permanently unreadable without having to locate and erase every stored copy
Authentication & Access
- Server-side sessions (opaque session identifiers; no JWTs stored in the browser)
- Multi-factor authentication via TOTP for all accounts
- SAML SSO for Team and Enterprise plans
- Role-based access control with owner, admin, and member roles
- CSRF protection on all state-changing operations
Data Protection
- Parameterized SQL queries throughout, preventing SQL injection
- Rate limiting on all API endpoints
- Bot detection via Cloudflare Turnstile
- Soft-delete architecture: deleted records are flagged rather than physically removed, preserving referential integrity and allowing recovery
- No secrets in environment variables that are bundled into client-side code
Compliance & Practices
- Regular dependency audits and updates
- Input validation and sanitization on all endpoints
- Structured error logging without sensitive data exposure
- Webhook signature verification for Stripe integrations
Vulnerability Reporting
If you discover a security vulnerability, please report it responsibly to security@codecontext.app. We take all reports seriously and will respond within 48 hours.