Trust · Security · Compliance

Built for code your team can't afford to lose control of.

Codira treats your codebase like the most sensitive thing in your company — because for most teams, it is. This page lists exactly what we've built today, what's in progress, and what we'll never claim until it's real.

Today
Encryption at rest

User data (sessions, plans, audit logs, billing references) lives in MongoDB Atlas with envelope encryption (AES-256). Stripe handles all card data — Codira never sees or stores PANs.

Encryption in transit

All client ↔ gateway traffic is TLS 1.3 (HTTPS-only, HSTS enforced). Self-hosted deployments inherit your VPC's TLS posture; we never speak plaintext on the wire.

Authentication

Sessions use signed JWTs (jose, 7-day rotation). Enterprise + Team customers can require SAML 2.0 or OIDC SSO with replay protection. JIT user provisioning lands new SSO users directly into the right org.

Audit logging

Every privileged action — member changes, billing changes, SSO config edits, shared-doc activity — appends to an immutable per-org audit log. Team tier sees 90 days, Enterprise sees full history with CSV export.

Self-hosted deployment

Enterprise customers can run Codira's gateway entirely inside their VPC. Customer code never leaves the network; only license validation (HMAC-signed token, 24h refresh) speaks to codira.com.

Least-privilege access

Staff access to production is restricted to a named engineering on-call rotation, gated behind hardware-key MFA, and recorded. No customer code is ever read by Codira staff in normal operation.

Compliance status
SOC 2 Type I · In progress

Gap analysis complete · controls implementation underway · audit firm selected · target report Q4 2026.

SOC 2 Type II · Planned

Begins after the Type I report lands · ~6 month observation window · target report H2 2027.

GDPR / DPA · Available on request

Data Processing Agreements available to Team and Enterprise customers on request. Standard contractual clauses included.

HIPAA / BAA · Available on request

Business Associate Agreements available to Enterprise customers on request. Required before processing PHI.

ISO 27001 · Planned

On the roadmap after SOC 2 Type II. Enterprise customer demand will drive timing.

Need a signed DPA, BAA, or SOC 2 progress letter for your procurement team? Team and Enterprise customers can request these from Settings → Legal — or email security@codira.com.

Self-hosted

Run Codira inside your VPC.

Enterprise customers can deploy the Codira gateway entirely inside their own network. Your code never crosses the boundary: the gateway speaks directly to AI providers from your infrastructure, using your own provider keys. The only outbound call to Codira is an HMAC-signed license check every 24 hours that confirms seat counts and entitlements.

Reporting a vulnerability

Found something we should know about?

Send a clear write-up to security@codira.com. We acknowledge within one business day, set remediation timelines based on severity, and credit researchers in the changelog if they ask for it. Coordinated disclosure preferred: please give us a window to fix before publishing.