Security & Compliance

Security is not a feature — it is the foundation. Here is exactly how we protect your code, your team, and your data.

SOC 2 Type II

Annually audited by an independent third party. Report available under NDA.

GDPR Compliant

Data subjects can request export or deletion at any time. DPA available.

TLS 1.3

All traffic encrypted in transit with TLS 1.3. HSTS enforced.

AES-256 at rest

All stored data encrypted with AES-256-GCM. Keys rotated quarterly.

Security practices

Penetration testing

We commission an independent external penetration test annually. Critical findings are remediated within 48 hours; high within 7 days.

Dependency scanning

Every pull request is scanned by Snyk and Dependabot. CVEs in direct dependencies are patched within 24 hours of disclosure.

Code execution sandbox

User code runs in isolated child_process instances with no network access, 8-second hard timeout, 50KB output cap, and a dedicated restricted OS user. No shared memory with other tenants.

JWT authentication

Tokens are signed with HS256, expire after 7 days, and are validated on every WebSocket handshake. No long-lived API keys without explicit TTL.

Input validation

All API endpoints validate and sanitise input server-side. SQL injection, XSS, and SSRF defences are tested in every release.

Secret management

Secrets are stored in environment variables managed by the deployment platform, never committed to source control. Rotation is automated.

Data residency

All primary data (room content, user accounts, snapshots) is stored in the EU (Frankfurt, AWS eu-central-1). Enterprise customers can request US-only or custom residency.

WebSocket connections are served from the nearest edge node. Real-time sync messages are transient and not persisted outside the active session.

Responsible disclosure

We operate a coordinated disclosure policy. If you discover a security vulnerability, please report it to security@collabcode.dev with a detailed description. We commit to:

  • Acknowledge your report within 24 hours
  • Provide a status update within 5 business days
  • Notify you when the vulnerability is resolved
  • Credit you in our security hall of fame (with permission)
  • Not pursue legal action for good-faith research

Sub-processors

Provider    Purpose                           Region
Anthropic   AI code review & generation       USA
Redis       Real-time Pub/Sub & caching       EU / USA
Vercel      Next.js hosting & edge functions  Global
Wise        Payment processing                UK
Resend      Transactional email               USA

Questions about security?

For Enterprise security reviews, SOC 2 reports, or DPA requests:

security@collabcode.dev