Compliance & Certifications
CodeDD's adherence to industry standards and regulatory requirements
Overview
CodeDD is built to meet the strictest security and privacy standards. Whether you're subject to GDPR, require SOC 2 compliance, or need to meet ISO 27001 standards, CodeDD's architecture and processes are designed for compliance from the ground up.
Security Certifications
SOC 2 Type II
What It Is:
- System and Organization Controls 2, an AICPA attestation framework
- Independent audit of security practices; a Type II report covers operating effectiveness over a period, not just control design at a point in time (Type I)
- Trust Services Criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality, Privacy
- Annual attestation by an independent CPA firm
CodeDD's SOC 2 Coverage (Security, Confidentiality and Availability criteria):
Security:
- ✅ Access controls and authentication
- ✅ Encryption at rest and in transit
- ✅ Secure development practices
- ✅ Incident response procedures
- ✅ Vendor management
Confidentiality:
- ✅ Data classification
- ✅ Encryption implementation
- ✅ Access restrictions
- ✅ Non-disclosure agreements
- ✅ Secure deletion practices
Availability:
- ✅ Uptime monitoring (99.9% SLA)
- ✅ Disaster recovery
- ✅ Redundant infrastructure
- ✅ Regular backups (source code is never backed up, consistent with zero retention)
- ✅ Business continuity planning
Report Availability:
- Annual SOC 2 Type II reports available to enterprise customers
- NDA required for report access
- Covers 12-month audit period
ISO 27001
Information Security Management System (ISMS)
What It Is:
- International standard for information security
- Comprehensive security framework
- Risk-based approach
- Continuous improvement cycle
CodeDD's ISO 27001 Implementation (Annex A numbering below follows ISO/IEC 27001:2013; the 2022 revision regroups the same controls under four themes, A.5 Organizational, A.6 People, A.7 Physical and A.8 Technological):
A.8 Asset Management:
- ✅ Information asset inventory
- ✅ Acceptable use policies
- ✅ Return of assets procedures
- ✅ Classification of information
A.9 Access Control:
- ✅ Access control policy
- ✅ User access management
- ✅ User responsibility documentation
- ✅ System access control
A.10 Cryptography:
- ✅ Cryptographic controls policy
- ✅ Key management procedures
- ✅ AES-256 encryption standard
- ✅ TLS 1.3 for transmission
A.12 Operations Security:
- ✅ Documented operating procedures
- ✅ Change management
- ✅ Capacity management
- ✅ Protection against malware
- ✅ Logging and monitoring
A.13 Communications Security:
- ✅ Network security controls
- ✅ Network segregation
- ✅ Secure information transfer
- ✅ Non-disclosure agreements
A.14 System Acquisition, Development and Maintenance:
- ✅ Security requirements analysis
- ✅ Secure development lifecycle
- ✅ Test data protection
- ✅ Change control procedures
A.18 Compliance:
- ✅ Legal and contractual requirements
- ✅ Intellectual property rights
- ✅ Privacy and PII protection
- ✅ Audit compliance
Data Privacy Regulations
GDPR (EU General Data Protection Regulation)
Applicability:
- Customers established in the EU/EEA
- Processing of personal data of individuals in the EU/EEA, regardless of where the processing takes place (GDPR applies to data subjects in the EU, not only EU citizens)
- Applied globally as CodeDD's baseline practice
GDPR Principles Met:
1. Lawfulness, Fairness, and Transparency:
- ✅ Clear privacy policy
- ✅ Consent obtained where consent is the legal basis relied on
- ✅ Transparent processing activities
- ✅ Documented legal basis for each processing activity
2. Purpose Limitation:
- ✅ Code analyzed only for audit purposes
- ✅ No secondary use of data
- ✅ Clear purpose documentation
3. Data Minimization:
- ✅ Only necessary data processed
- ✅ Source code not permanently stored
- ✅ Metadata minimization
- ✅ No PII collection from code
4. Accuracy:
- ✅ Accurate audit results
- ✅ User can request corrections
- ✅ Version control for results
5. Storage Limitation:
- ✅ Zero retention of source code
- ✅ Audit results retained per contract
- ✅ Deletion upon request
- ✅ Automated retention policies
6. Integrity and Confidentiality:
- ✅ AES-256 encryption
- ✅ Access controls
- ✅ Secure deletion
- ✅ Audit trails
7. Accountability:
- ✅ Data Protection Officer appointed
- ✅ Privacy Impact Assessments conducted
- ✅ Processor agreements in place
- ✅ Regular compliance audits
GDPR Rights Supported:
Right to Access:
- Users can request all data CodeDD holds
- Provided within one month, the GDPR Art. 12 deadline
- Machine-readable format available
Right to Rectification:
- Incorrect audit results can be corrected
- Updated within 72 hours of request
Right to Erasure ("Right to be Forgotten"):
- Complete deletion of all data
- Includes backups and archives
- Confirmation provided within 30 days
- Verification of deletion
Right to Data Portability:
- Export audit results in JSON/CSV format
- Machine-readable
- Transfer to third parties supported
Right to Object:
- Users can object to processing
- Processing stopped immediately
- Data deleted upon request
Data Breach Notification:
- Breach confirmed and scoped: <24 hours from detection
- Supervisory authorities notified: <72 hours of becoming aware (GDPR Art. 33)
- Affected customers and users notified: without undue delay, <72 hours at most
- Incident report provided
CCPA (California Consumer Privacy Act)
California-Specific Requirements:
Right to Know:
- ✅ What personal information is collected
- ✅ Sources of information
- ✅ Business purpose for collection
- ✅ Third parties receiving data
Right to Delete:
- ✅ Delete personal information upon request
- ✅ Deletion confirmation
- ✅ Service provider deletion included
Right to Opt-Out:
- ✅ Opt-out of data "sale" or "sharing" (N/A - CodeDD does not sell or share personal data)
- ✅ Clear opt-out mechanisms
Non-Discrimination:
- ✅ No different pricing for privacy requests
- ✅ Equal service quality
Industry-Specific Compliance
Financial Services (GLBA, PCI-DSS)
For FinTech Audits:
GLBA (Gramm-Leach-Bliley Act):
- ✅ Safeguarding financial information
- ✅ Encryption of sensitive data
- ✅ Access controls
- ✅ Incident response plans
PCI-DSS (if code that handles payments is analyzed):
- ✅ Secure network transmission (TLS 1.3)
- ✅ Encryption of cardholder data in transit; none retained at rest (zero source-code retention)
- ✅ Access control measures
- ✅ Regular security testing
- ✅ Maintain security policy
Note: a card number hard-coded in a repository is itself a PCI-DSS finding. CodeDD flags payment card data found in code and recommends removal.
Healthcare (HIPAA)
For HealthTech Audits:
HIPAA Compliance:
- ✅ Business Associate Agreement (BAA) available
- ✅ Encryption of PHI (if found in code)
- ✅ Access controls and audit logs
- ✅ Breach notification procedures
- ✅ Secure disposal of PHI
PHI Detection:
- AI identifies potential PHI in code
- Flags for immediate attention; flags are signals for review, not a guarantee that nothing was missed
- Recommends removal/tokenization
- Does not store PHI (the analyzed source is never retained)
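The PCI-DSS note above and the PHI detection list both describe flagging sensitive identifiers that have leaked into source. The following is an added example of that kind of check, not CodeDD's detector (this page does not describe its implementation): a Python scanner that finds payment card numbers, validated with the Luhn checksum so that build IDs and timestamps are not flagged, and US Social Security Number-format identifiers, with never-issued ranges excluded. The sample fixture file, the regexes, the redaction format and the recommendation text are all my assumptions.

```python
"""Flag payment-card numbers and SSN-format identifiers in source text.

Added example: a simplified detector, not CodeDD's implementation.
"""
import re
from dataclasses import dataclass

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits or word characters.
PAN_CANDIDATE = re.compile(r"(?<![\w-])(?:\d[ -]?){12,18}\d(?![\w-])")

# US SSN layout AAA-GG-SSSS. Area 000, 666 and 900-999, group 00 and serial
# 0000 are never issued, so those are excluded up front.
SSN_CANDIDATE = re.compile(
    r"(?<![\d-])(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?![\d-])"
)


@dataclass
class Finding:
    line: int
    kind: str          # "PAN" or "SSN"
    redacted: str      # safe-to-log form; the raw value is never kept
    recommendation: str


def luhn_valid(digits: str) -> bool:
    """Return True when the digit string passes the Luhn (mod 10) checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_pan(digits: str) -> str:
    """Keep the first six and last four digits, the form PCI DSS permits for display."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_source(text: str) -> list[Finding]:
    """Scan text line by line; only redacted values leave this function."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # Luhn rejects most numeric IDs and timestamps; repeated-digit strings
            # such as 0000000000000 pass Luhn, so they are excluded explicitly.
            if 13 <= len(digits) <= 19 and luhn_valid(digits) and len(set(digits)) > 1:
                findings.append(Finding(
                    lineno, "PAN", redact_pan(digits),
                    "Remove the card number from source; keep cardholder data only "
                    "in the PCI-scoped vault and reference it by token.",
                ))
        for m in SSN_CANDIDATE.finditer(line):
            findings.append(Finding(
                lineno, "SSN", "***-**-" + m.group()[-4:],
                "Remove the identifier from source; use synthetic test data or a "
                "tokenized reference instead.",
            ))
    return findings


# Constructed sample input (assumption): a test fixture that leaked realistic values.
SAMPLE_SOURCE = """\
# fixtures.py
TEST_CARD = "4111 1111 1111 1111"   # Luhn-valid Visa test number: flagged
BUILD_ID = "1234567890123"          # 13 digits but fails Luhn: not flagged
patient = {"ssn": "123-45-6789", "mrn": "000-00-0000"}  # second value is never issued
AMEX = "378282246310005"            # 15-digit Luhn-valid number: flagged
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f.line}: {f.kind} {f.redacted} -> {f.recommendation}")
```

Pattern matching of this kind trades false positives for recall: a 16-digit Luhn-valid order number will be flagged and has to be triaged by a human, which is why the findings carry a redacted value rather than the match itself. A production detector would add the issuer-prefix (BIN) check, medical record number formats specific to the customer, and a suppression list for known test values.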
Government (FedRAMP, NIST)
For GovTech Audits:
NIST Cybersecurity Framework:
- ✅ Identify: Asset management, risk assessment
- ✅ Protect: Access control, encryption
- ✅ Detect: Continuous monitoring, anomaly detection
- ✅ Respond: Incident response plan
- ✅ Recover: Backup and recovery procedures
NIST SP 800-171 (Rev. 2):
- ✅ 14 control families implemented (Rev. 3 regroups the requirements into 17 families)
- ✅ CUI (Controlled Unclassified Information) protection
- ✅ Incident reporting
- ✅ Security awareness training
FedRAMP (In Progress):
- Working toward FedRAMP Moderate authorization
- Expected completion: 2026 Q4
- Allows federal agency use
Third-Party Integrations
Sub-Processor Compliance
AI Service Providers:
- ✅ SOC 2 Type II certified
- ✅ Zero data retention policies (prompts and code are not retained for model training)
- ✅ Data Processing Agreements (DPAs) in place
- ✅ GDPR-compliant
Cloud Infrastructure:
- ✅ AWS (SOC 2, ISO 27001, FedRAMP)
- ✅ Data residency options (EU, US)
- ✅ Encryption at rest and in transit
- ✅ Regular security audits
Database (TypeDB):
- ✅ Self-hosted by CodeDD within its own infrastructure (not a third-party SaaS)
- ✅ Full control over data
- ✅ Encrypted storage
- ✅ Regular backups (excluding code)
Vendor Management
Due Diligence Process:
- Security questionnaire
- Certification verification (SOC 2, ISO)
- DPA/BAA execution
- Annual re-assessment
- Continuous monitoring
Security Practices
Secure Development Lifecycle
OWASP Secure Coding Practices:
- ✅ Input validation
- ✅ Output encoding
- ✅ Authentication and password management
- ✅ Session management
- ✅ Access control
- ✅ Cryptographic practices
- ✅ Error handling and logging
- ✅ Data protection
- ✅ Communication security
DevSecOps:
- ✅ Security automated in CI/CD
- ✅ Dependency vulnerability scanning
- ✅ Static code analysis (SAST)
- ✅ Dynamic analysis (DAST)
- ✅ Container security scanning
- ✅ Infrastructure-as-Code security
Penetration Testing
Penetration Testing Cadence:
- External penetration test (annual)
- Internal penetration test (annual)
- Application security assessment (quarterly)
- Conducted by certified third parties
- Findings remediated within the patch management SLA below
Vulnerability Management
Continuous Scanning:
- Dependency vulnerability scanning (daily)
- Infrastructure scanning (weekly)
- Container image scanning (on build)
- Zero-day vulnerability monitoring
Patch Management:
- Critical vulnerabilities: <24 hours
- High severity: <7 days
- Medium severity: <30 days
- Low severity: <90 days
Audit & Assurance
Independent Audits
Annual Audits:
- SOC 2 Type II (annual)
- ISO 27001 surveillance (annual)
- Penetration testing (annual)
- GDPR compliance (annual)
Quarterly Reviews:
- Access control review
- Encryption key management review
- Incident response testing
- Disaster recovery testing
Continuous Monitoring
Real-Time Security:
- SIEM (Security Information and Event Management)
- Intrusion detection/prevention
- Anomaly detection
- 24/7 security operations center (SOC)
Metrics Tracked:
- Failed authentication attempts
- Unusual data access patterns
- System performance anomalies
- Encryption key access
- Data deletion verification
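The first two metrics above, failed authentication attempts and unusual access patterns, are what a SIEM correlation rule turns into alerts. As an added example (not CodeDD's SIEM rules, which this page does not describe), the Python below applies a sliding-window rule to constructed authentication log lines: it alerts when one source address accumulates a threshold of failures inside the window, and separately when a login from that address succeeds right after such a burst, which is the event that actually needs an analyst. The log format, threshold, window and sample addresses are my assumptions.

```python
"""Sliding-window detection of failed-authentication bursts and success-after-burst.

Added example, not CodeDD's SIEM content. Log format is an assumption:
    <ISO-8601 timestamp> auth <ok|fail> user=<name> ip=<address>
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


@dataclass
class Alert:
    kind: str        # "brute_force" or "success_after_failures"
    ip: str
    user: str
    failures: int    # failed attempts from this IP inside the window
    at: datetime


def detect_auth_anomalies(lines, threshold=5, window=timedelta(minutes=5)):
    """Return alerts for IPs with >= threshold failures inside `window`, and for a
    successful login from an IP that has just produced such a burst."""
    recent_failures = defaultdict(deque)   # ip -> timestamps of recent failures
    already_alerted = set()                # suppress duplicate brute_force alerts
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue   # unparseable line: skipped here; count and alert on these in production
        ts = datetime.fromisoformat(m["ts"])
        ip, user = m["ip"], m["user"]
        q = recent_failures[ip]
        # Age out failures that left the window before evaluating this event.
        while q and ts - q[0] > window:
            q.popleft()
        if m["result"] == "fail":
            q.append(ts)
            if len(q) >= threshold and ip not in already_alerted:
                alerts.append(Alert("brute_force", ip, user, len(q), ts))
                already_alerted.add(ip)
        else:
            if len(q) >= threshold:
                # The interesting case: a burst of failures followed by a success.
                alerts.append(Alert("success_after_failures", ip, user, len(q), ts))
            q.clear()                      # a success resets the burst for this IP
            already_alerted.discard(ip)
    return alerts


# Constructed sample log (assumption); addresses are from documentation ranges.
SAMPLE_LOG = """\
2025-01-15T10:00:00 auth fail user=alice ip=203.0.113.7
2025-01-15T10:00:20 auth fail user=alice ip=203.0.113.7
2025-01-15T10:00:40 auth fail user=bob ip=203.0.113.7
2025-01-15T10:01:00 auth fail user=alice ip=203.0.113.7
2025-01-15T10:01:30 auth ok user=carol ip=198.51.100.2
2025-01-15T10:02:00 auth fail user=alice ip=203.0.113.7
2025-01-15T10:02:30 auth ok user=alice ip=203.0.113.7
2025-01-15T10:30:00 auth fail user=dave ip=192.0.2.9
2025-01-15T10:40:00 auth fail user=dave ip=192.0.2.9
malformed line that the parser ignores
""".splitlines()

if __name__ == "__main__":
    for a in detect_auth_anomalies(SAMPLE_LOG):
        print(f"{a.at.isoformat()} {a.kind}: ip={a.ip} user={a.user} failures={a.failures}")
```

Keying on the source address catches password spraying against many users from one host (the bob/alice mix above); a second copy of the same rule keyed on the user name catches distributed attempts against one account, and the two run side by side in practice. The two failures from 192.0.2.9 ten minutes apart never reach the threshold because the first has aged out of the window by the time the second arrives.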
Customer Responsibilities
Shared Responsibility Model
CodeDD's Responsibilities:
- ✅ Secure infrastructure
- ✅ Encryption implementation
- ✅ Access controls
- ✅ Secure deletion
- ✅ Compliance adherence
Customer's Responsibilities:
- ⚠️ Access token management (keep repository tokens private and scope them to the repositories being audited)
- ⚠️ User access control (limit who can start an audit)
- ⚠️ Data classification (tell us the sensitivity of what you submit)
- ⚠️ Compliance requirements (notify us of special needs such as a BAA or EU residency)
- ⚠️ Incident reporting (tell us if you suspect a breach)
Documentation & Evidence
Compliance Artifacts Available
Upon Request (NDA Required):
- SOC 2 Type II Report
- ISO 27001 Certificate
- Penetration test summaries
- Security policies and procedures
- Data Processing Agreement (DPA)
- Business Associate Agreement (BAA)
- Sub-processor list
Publicly Available:
- Privacy Policy
- Terms of Service
- Security overview (high-level)
- Certification badges
Geographic Considerations
Data Residency
Options:
- US (Default): AWS us-east-1 (N. Virginia)
- EU: AWS eu-west-1 (Ireland), keeping data at rest inside the EU
- Custom: Enterprise customers can specify region
Data Transfer Mechanisms:
- Standard Contractual Clauses (SCCs) for transfers out of the EU/EEA, with the UK Addendum for UK transfers
- Adequacy decisions (where applicable)
- Data Processing Agreements (DPAs) under GDPR Art. 28, which govern the processing itself rather than the transfer
Local Regulations
Compliance Support:
- US: CCPA, GLBA, HIPAA
- EU: GDPR, ePrivacy Directive
- UK: UK GDPR, Data Protection Act 2018
- Canada: PIPEDA
- Australia: Privacy Act 1988
- Custom: Consult for specific jurisdictions
Incident Response
Security Incident Procedures
Detection:
- Automated monitoring alerts
- Manual reporting by team
- Customer reports
- Third-party notifications
Response Timeline:
- Detection: <1 hour (automated)
- Initial assessment: <4 hours
- Containment: <24 hours
- Notification (if required): <72 hours
- Remediation: Varies by severity
- Post-incident review: Within 2 weeks
Customer Communication:
- Immediate: Critical incidents affecting data
- 24 hours: High-severity incidents
- 72 hours: Regulatory notification timeline
- 1 week: Post-incident report
Key Takeaways
For Investors:
- Due Diligence Simplified: CodeDD meets the compliance requirements listed on this page
- Risk Allocation: the processor-side compliance burden sits with CodeDD; controller obligations stay with the portfolio company (see Shared Responsibility Model)
- Audit Evidence: Comprehensive documentation available
- Regulatory Confidence: Multi-jurisdiction compliance
For CTOs:
- Vendor Risk Management: SOC 2 and ISO 27001 certified
- Control Inheritance: CodeDD's in-scope controls can be inherited for the services it operates; your own controls remain yours to evidence
- Audit Support: Documentation for your auditors
- Continuous Improvement: Regular audits and updates
Next Steps
- Review Data Encryption
- Learn about Secure Data Deletion
- Understand Repository Connection Security
- Request compliance documentation: compliance@codedd.ai