Codeium is SOC 2 Type 2 Compliant

Written by Codeium Team

tl;dr We have received our SOC 2 Type II report. An independent auditor has confirmed, over an extended observation period that included vulnerability scans and penetration tests, that our security and privacy controls operate the way we say they do. We have always taken user data security seriously, from encrypting data in transit and at rest to never training our generative autocomplete model on user code.

What is SOC 2 and Why is it Important?

SOC 2 is a third-party audit, defined by the AICPA, in which an independent auditor verifies that a company's controls meet its stated commitments across five Trust Services Criteria: security, availability, confidentiality, processing integrity, and privacy, particularly as they concern customer data. Security is the one criterion every SOC 2 report must cover; the others are included according to the scope the company commits to. It matters because it is an independent way to prove that policies are actually being followed rather than merely written down. Taken together, the criteria cover protection against unauthorized access (security), performance and disaster/incident recovery (availability), restricting information internally to a need-to-know basis (confidentiality), monitoring and assurance that processing is complete and accurate (processing integrity), and protection of personal information (privacy).

There are two SOC 2 attestations possible: Type I and Type II. The difference comes down to the period of observation. A Type I report attests that the controls and procedures are suitably designed and in place at a single point in time, the date of the audit; we received ours many months ago. A Type II report is a much stronger vote of confidence: the auditor observes the company's practices over an extended period, typically several months to a year, to verify that the controls not only exist but operated effectively throughout, so that secure practices are ingrained in the day-to-day of the company's operations and products. Type I is good evidence that a vendor has its policies together; Type II is what most companies want to see from a vendor, because it shows the policies are being followed consistently. When evaluating a vendor's report, also check its scope: which systems and criteria it covers, the length of the observation window, and whether the auditor noted any exceptions. Using a vendor without a SOC 2 attestation means taking the vendor at its word, and gaps in its policies are often only discovered after a major breach or incident, which is too late.

Codeium is SOC 2 Type II Compliant

SOC 2 mainly applies to our Codeium-hosted deployment, and we are proud to announce that we have passed the third-party audit performed by Prescient Assurance. The Codeium-hosted deployment underlies both our free individual plan and our Teams tier, a SaaS offering for enterprises. Because that deployment processes user data on our infrastructure, it was crucial to have a third-party auditor verify our security and privacy posture.

For enterprises that want more peace of mind, our second deployment option runs entirely within the enterprise's own tenant: all processing happens there and no data leaves it, not even to Codeium. This suits companies with strict self-hosting requirements. That deployment does not itself require SOC 2 compliance, since no data or processing takes place on Codeium's side for an attestation to cover, and an enterprise can verify for itself that nothing leaves its network by inspecting the deployment's egress traffic and firewall rules. Even so, the SOC 2 attestation should further increase confidence in the system and in the company behind the product.

At Codeium, we have always taken a strong stance on security and privacy. We never train our proprietary generative autocomplete model on user data, we encrypt all data in transit and at rest, we provide opt-outs from code snippet telemetry, and more. Now that Codeium is SOC 2 Type II compliant, an independent auditor has confirmed that these controls operated effectively throughout the audit period, not just on paper.

Compliance in Generative AI Tools for Software Development

Just as with legal compliance, Codeium leads the space when it comes to security compliance.

By contrast, tools such as GitHub Copilot and Amazon CodeWhisperer have not had any third-party compliance audit performed.

For example, while GitHub Copilot claims zero data retention and other security features, those claims have NOT been audited or tested by a third party. So while GitHub's core product is SOC 2 compliant (among other certifications), GitHub Copilot explicitly is not. According to GitHub's own trust center FAQ, Copilot will not have this compliance for some time, and even then the target is only SOC 2 Type I:

Audits and Certifications: GitHub Copilot is not currently included in GitHub’s existing audits and certifications, including SOC 2, ISO 27001, and FedRAMP Tailored. Compliance at GitHub begins with good security, so our first focus is fully onboarding Copilot to GitHub security programs and tooling. GitHub is engaging with a third-party audit firm to perform a gap assessment of Copilot as part of readiness activities for SOC 2 Type 1 (security criteria) and ISO 27001, with a goal of having the full audits completed by May 2024.

Looking Forward on Compliance

We are looking into even stronger compliance audits. We will remain the most secure and compliant generative AI platform for software developers, whether managed by Codeium or self-hosted within an enterprise's environment.
