CodeAlive

What we actually do for security

We don't have SOC 2 yet. Here's what's in the product today instead of badges.

Controls in the product today

Tenant Isolation

  • Every query auto-filtered by organization ID at the repository layer
  • Cross-tenant access throws WrongTenantAccessException, enforced in code, not policy
  • Sandboxed indexing containers per repo with no DB or gateway access
  • Covered by integration tests that run on every build

Access Control

  • Role-based access control (RBAC) via the Mandate model (Administrator / Manager / User / ReadOnly / Guest)
  • Organization-level workspaces and per-repository scoping
  • API keys bound to a single org and storable as SHA-256 hashes
  • SSO / SAML: on the roadmap; available today only for Enterprise via custom deployment

Data Protection

  • Source code is not permanently stored. Repos are pulled into a sandbox during indexing and deleted afterwards
  • Code symbols stored encrypted: AES-256-GCM with envelope encryption
  • Per-org KEK binding: even with the master key, decrypting another org's data fails cryptographically
  • TLS 1.3 in transit; key material zeroed after use; KEKs versioned for zero-downtime rotation
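How the per-org KEK binding described above can be realised, as an added illustration that is not CodeAlive's own code: a KEK is derived per org and key version from the master key (the HMAC-SHA256 derivation, the AAD layout and the `Envelope` layout are assumptions), each record's DEK is wrapped under that KEK, and the caller's org selects the KEK, so reading another org's record fails the GCM authentication check even with the master key in hand.

```go
package main

import (
	"crypto/aes"; "crypto/cipher"; "crypto/hmac"
	"crypto/rand"; "crypto/sha256"; "fmt"
)

// Envelope is one stored record: a fresh DEK wrapped under the org KEK, plus the payload under the DEK.
type Envelope struct {
	KEKVersion string
	WrappedDEK []byte // nonce || AES-256-GCM(DEK) under the org KEK, AAD = org|version
	Ciphertext []byte // nonce || AES-256-GCM(payload) under the DEK, AAD = org
}
// orgKEK derives a versioned, per-org KEK from the master key (assumed KDF: HMAC-SHA256 over version and org ID).
func orgKEK(master []byte, orgID, version string) []byte {
	m := hmac.New(sha256.New, master)
	m.Write([]byte("kek|" + version + "|" + orgID))
	return m.Sum(nil)
}
// gcm builds an AES-256-GCM AEAD; every key here is 32 bytes, so the constructors cannot fail.
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
// seal returns nonce||ciphertext; the AAD binds the result to one org so it cannot be opened as another's.
func seal(key, aad, plaintext []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { panic(err) }
	return g.Seal(nonce, nonce, plaintext, aad)
}
func open(key, aad, sealed []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() { return nil, fmt.Errorf("ciphertext too short") }
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Encrypt: random DEK -> payload under DEK -> DEK wrapped under the org KEK; the DEK is zeroed afterwards.
func Encrypt(master []byte, orgID, kekVersion string, symbol []byte) Envelope {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { panic(err) }
	e := Envelope{kekVersion, seal(orgKEK(master, orgID, kekVersion), []byte(orgID+"|"+kekVersion), dek), seal(dek, []byte(orgID), symbol)}
	for i := range dek { dek[i] = 0 }
	return e
}
// Decrypt picks the KEK from the caller's org, never from a label in the record: a mismatched org cannot unwrap the DEK.
func Decrypt(master []byte, callerOrg string, e Envelope) ([]byte, error) {
	dek, err := open(orgKEK(master, callerOrg, e.KEKVersion), []byte(callerOrg+"|"+e.KEKVersion), e.WrappedDEK)
	if err != nil { return nil, fmt.Errorf("unwrap DEK for org %q: %w", callerOrg, err) }
	return open(dek, []byte(callerOrg), e.Ciphertext) // a real service would zero dek here as well
}
```

Rotating to a new `KEKVersion` only requires re-wrapping each record's small `WrappedDEK`, not re-encrypting the payloads, which is what makes zero-downtime rotation practical.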

Audit & Observability

  • Structured logging via OpenTelemetry (traces, logs, metrics)
  • Query traces include user and org context; consumable from your existing log backend (Grafana / Loki / Datadog / Splunk)
  • GDPR-aware consent logging for cookie and preference events
  • SIEM-ready JSON format; no native SIEM connectors yet

Network Security

  • Runs entirely within your VPC or network for self-hosted deployments
  • Default-deny network policies between services
  • Operator access via VPN; no public Kubernetes API
  • Secrets injected via External Secrets Operator, never in images or env files

Vulnerability Management

  • Container image signing
  • Regular security patches via versioned image releases
  • CVE monitoring on dependencies
  • SBOM available on request

Available on request

  • NDA tailored to your requirements
  • Security overview document (PDF)
  • Pen-test engagement window for Enterprise customers
  • Data processing agreement (DPA)

Need deeper detail?

Reach security@codealive.ai for the full overview, an NDA, or a review call with engineering.