Trust Center

Security, privacy, and compliance you can verify

Codaiq protects your data with industry-grade encryption, audited infrastructure, and clear contractual safeguards. Here's exactly how.

Four pillars

Data security

Encrypted in transit and at rest, by default.

  • AES-256 at rest (MongoDB Atlas)
  • TLS 1.2+ in transit, HSTS preload
  • bcrypt-hashed passwords with per-user salt
  • AES-256-GCM-encrypted 2FA secrets
  • Daily encrypted backups, point-in-time restore

Access control

Strong authentication, least-privilege by design.

  • SSO via Google, Apple, Microsoft, and GitHub
  • TOTP 2FA and WebAuthn passkeys
  • Role-based access (RBAC) for team workspaces
  • Per-action audit log with IP and device
  • Session revocation and device review

Infrastructure

Built on vetted, audited providers.

  • Vercel — frontend edge runtime
  • Railway — backend services
  • MongoDB Atlas — primary datastore
  • Cloudflare R2 — asset storage
  • Sentry — error and performance monitoring
  • All providers SOC 2 Type II or ISO 27001 certified

Compliance

Privacy-first, GDPR-aligned, contracts on request.

  • UK GDPR and EU GDPR via Marktortprinzip
  • CCPA-ready for California residents
  • Data Processing Agreement available
  • Public subprocessor list, updated on change
  • 72-hour breach notification commitment

What's next

Our compliance roadmap. We publish progress as audits complete.

  • Q4 2026: SOC 2 Type II. External audit and report covering security, availability, and confidentiality.
  • 2027: ISO 27001. Information security management system certification.
  • 2027: HIPAA-ready. Optional BAA and controls for healthcare deployments.

Vulnerability disclosure

Responsible disclosure, with safe-harbor protection.

Found a security issue? Please report it to security@codaiq.com. We acknowledge every valid report and work on fixes promptly.

  • Acknowledge: within 48 hours
  • Critical fix: within 7 days
  • PGP key: on request

Safe harbor

Good-faith security research is welcome. If you act in good faith, comply with this policy, and do not access more data than necessary to demonstrate the issue, we will not pursue legal action and will work with you on disclosure.

Documents and policies

Last updated · 18 May 2026
