// Trust & Security Report

    Amazon Web Services, Inc. (a subsidiary of Amazon.com, Inc.) logo

    Amazon Web Services, Inc. (a subsidiary of Amazon.com, Inc.)

    Amazon CodeWhisperer was AWS's standalone AI coding assistant; it was fully retired and merged into Amazon Q Developer on April 30, 2024. Amazon Q Developer is now the single product: an agentic AI assistant for the software development lifecycle (inline code suggestions, chat, vulnerability scanning, code transformation/upgrades), available via IDE plugins (VS Code, JetBrains, Visual Studio, Eclipse), CLI, the AWS Management Console, GitHub, and GitLab Duo. Two tiers: Free Tier (individual, AWS Builder ID) and Pro Tier (organizational, AWS IAM Identity Center).

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 1 / SOC 2 / SOC 3
    HELD

    Amazon Q Developer is included in the latest SOC 1/2/3 reports. Customers can download these reports in the AWS management console via AWS Artifact.

    Verify on aws.amazon.com
    ISO/IEC 27001:2022
    HELD

    These are the four additional services: Amazon Q Developer... [added to the] 2025 ISO and CSA STAR certifications reissued on February 19, 2025, covering standards including ISO 27001:2022, ISO 27017:2015, ISO 27018:2019, ISO 27701:2019, ISO 9001:2015, ISO 20000-1:2018, ISO 22301:2019, and CSA STAR CCM v4.0.

    Verify on aws.amazon.com
    ISO/IEC 27017:2015 (cloud security)
    HELD

    Amazon Q Developer... added to the audit scope for the 2025 ISO and CSA STAR certifications reissued on February 19, 2025, covering standards including ISO 27001:2022, ISO 27017:2015, ISO 27018:2019, ISO 27701:2019...

    Verify on aws.amazon.com
    ISO/IEC 27018:2019 (PII in public clouds)
    HELD

    Amazon Q Developer... added to the audit scope for the 2025 ISO and CSA STAR certifications reissued on February 19, 2025, covering standards including ISO 27001:2022, ISO 27017:2015, ISO 27018:2019, ISO 27701:2019...

    Verify on aws.amazon.com
    ISO/IEC 27701:2019 (privacy information management)
    HELD

    Amazon Q Developer... added to the audit scope for the 2025 ISO and CSA STAR certifications reissued on February 19, 2025, covering standards including ISO 27001:2022, ISO 27017:2015, ISO 27018:2019, ISO 27701:2019...

    Verify on aws.amazon.com
    CSA STAR (CCM v4.0)
    HELD

    Amazon Q Developer... added to the audit scope for the 2025 ISO and CSA STAR certifications reissued on February 19, 2025, covering standards including ... and CSA STAR CCM v4.0.

    Verify on aws.amazon.com
    GDPR (compliance posture)
    HELD

    AWS customers can use all AWS services to process personal data (as defined in the GDPR) that is uploaded to the AWS services under their AWS accounts (customer data) in compliance with the GDPR. The AWS Service Terms include the SCCs adopted by the European Commission (EC) in June 2021, and the AWS DPA confirms that the SCCs will apply automatically whenever an AWS customer uses AWS services to transfer customer data to countries outside of the European Economic Area.

    Verify on aws.amazon.com
    > Show 4 unconfirmed / not-held certifications
    ISO/IEC 42001:2023 (AI Management System)
    NOT CONFIRMED

    AWS's ISO/IEC 42001 accredited certification for AI services covers Amazon Bedrock, Amazon Q Business, Amazon Textract, and Amazon Transcribe. Amazon Q Developer is not named among the services in scope of this certification as of the most recent published scope.

    source: aws.amazon.com
    HIPAA
    NOT CONFIRMED

    While Amazon Q Business is HIPAA eligible, Amazon Q Developer is not designed to transmit, store, or process ePHI.

    source: aws.amazon.com
    PCI DSS
    NOT CONFIRMED

    Amazon Q Developer is not confirmed in AWS's published services-in-scope table for PCI DSS. AWS documentation directs customers to check the live AWS Services in Scope by Compliance Program page for the current PCI list; Amazon Q Developer was not identifiable there at time of review. No public evidence that Amazon Q Developer specifically (as opposed to AWS's general infrastructure) is PCI DSS in-scope.

    source: aws.amazon.com
    FedRAMP
    NOT CONFIRMED

    AWS's Compliance validation guidance for Amazon Q Developer directs customers to the general AWS Services in Scope by Compliance Program page rather than confirming FedRAMP scope directly; Amazon Q Developer was not identifiable in the published FedRAMP services-in-scope list at time of review. No public evidence found confirming Amazon Q Developer is FedRAMP authorized.

    source: docs.aws.amazon.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    AWS's global Region infrastructure; Amazon Q Developer supports cross-region processing for certain features (documented separately by AWS). Customers can generally select the AWS Region for their account/resources, but Q Developer model inference may route across regions per AWS's published cross-region processing documentation. No single fixed data region.

    Tier-dependent, and this is the single most important buyer-facing distinction for this vendor. Pro Tier (paid, org-managed via IAM Identity Center): 'your content is not used for service improvement, or to train any underlying foundation models (FMs)' - privacy by default. Free Tier (individual, AWS Builder ID): 'Unless explicitly opted out, content from Amazon Q Developer Free Tier might also be used to enhance and improve the quality of FMs' - includes code snippets, suggestions, and chat conversations, unless the user opts out in IDE settings or via an AWS Organizations AI services opt-out policy. Legacy CodeWhisperer 'Professional' tier had the same no-training guarantee as today's Pro Tier; no contradiction found between legacy and current docs, but this vendor should be listed with 'trains_on_customer_data: depends on tier' rather than a single boolean, since our schema forces one value.

    // Security controls

    Encryption in transit

    Your content is transmitted using the TLS protocol to ensure secure communication between your IDE and the Amazon Q Developer service.

    aws.amazon.com

    Encryption at rest

    We store this content in a secured manner with encryption at rest and strict access controls.

    aws.amazon.com

    Shared responsibility model

    AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure and for the security configuration and management tasks for the AWS services that you use.

    docs.aws.amazon.com

    Access controls

    Amazon Q provides familiar security and access controls and can understand and respect your existing AWS IAM Identity Center governance identities, roles, and permissions to personalize its interactions.

    aws.amazon.com

    Third-party audit reports

    SOC 1/2/3 reports, plus applicable ISO and CSA STAR certificates covering Amazon Q Developer, are downloadable by customers through AWS Artifact in the AWS Management Console.

    aws.amazon.com

    Code ownership

    Just like with your IDE, you own the code that you write, including any code suggestions provided by Amazon Q Developer.

    aws.amazon.com

    // Products & data scope

    Amazon Q Developer - Free TierAI coding assistant (individual developer)

    data: Code context, chat conversations, and generated suggestions from the user's IDE/CLI session; may be used for FM training/service improvement unless the user opts out

    Successor to the free tier of Amazon CodeWhisperer. Signed in via AWS Builder ID, no AWS account required. 50 agentic chat interactions/month and up to 1,000 lines of code transformation/month on the perpetual free tier.

    Amazon Q Developer - Pro TierAI coding assistant (organization/enterprise)

    data: Same inputs as Free Tier, but content is explicitly excluded from service improvement and FM training by default

    Managed centrally through AWS IAM Identity Center; adds enterprise-grade access controls, admin governance, and the 'no data used for training' privacy guarantee. This is the tier AIFOXX should recommend for any organization with data-sensitivity requirements.

    Amazon CodeWhisperer (legacy, retired)AI coding assistant (deprecated)

    data: N/A - service retired

    Fully discontinued and merged into Amazon Q Developer on April 30, 2024. Legacy CodeWhisperer documentation and data-protection pages remain published by AWS for historical reference but the product is no longer separately available.

    // What to watch

    • Evidence-capture gap: the raw scrape for this vendor returned no usable trust/security page - it captured the general Amazon Q Developer marketing page, the amazon.com retail homepage, and two internal AWS employee SSO login redirects (midway-auth.amazon.com), none of which contain compliance content.
    • Identity/branding complexity: 'Amazon CodeWhisperer' (the AIFOXX listing's name) was fully retired on April 30, 2024 and merged into 'Amazon Q Developer.' AIFOXX's listing should be renamed or clearly relabeled as Amazon Q Developer (formerly CodeWhisperer) to avoid listing a discontinued product as current.
    • AI-training posture is tier-dependent, not a single yes/no: Free Tier content may be used for FM training/service improvement unless the user opts out; Pro Tier explicitly excludes all content from training and service improvement. The schema's single trains_on_customer_data boolean is set to false here because that is the Pro Tier (recommended/enterprise) posture, but AIFOXX's listing copy must surface the Free Tier caveat prominently since many individual developers will be on Free Tier by default.
    • ISO/IEC 42001 (AI governance) over-claim risk: AWS holds ISO 42001 for Amazon Bedrock, Amazon Q Business, Amazon Textract, and Amazon Transcribe, but Amazon Q Developer was not found in the published scope. Do not list ISO 42001 for this product without further confirmation; a generic 'AWS holds ISO 42001' claim would conflate the AI-governance certification of a sibling product (Q Business) with this one (Q Developer).
    • HIPAA is explicitly NOT applicable: AWS's own healthcare compliance blog states Amazon Q Developer 'is not designed to transmit, store, or process ePHI,' distinguishing it from the HIPAA-eligible Amazon Q Business. List HIPAA as not applicable/not held for this product specifically.
    • PCI DSS and FedRAMP scope for Amazon Q Developer specifically could not be confirmed from AWS's live services-in-scope tables (these are JS-rendered and did not yield a service-level list via automated fetch). AWS holds these programs broadly at the platform level, but per-service scope should be treated as unconfirmed for Q Developer until verified directly against AWS Artifact or AWS sales.
    • Host-vs-vendor distinction does not apply in the usual sense here: AWS itself is both the cloud host and the vendor of this product, since Amazon Q Developer is an AWS-native service. This is a legitimate case where the platform-level AWS certifications transfer directly to the product, unlike a third-party SaaS vendor merely hosted on AWS.

    // At a glance

    Pricing model

    Freemium (Free Tier with usage caps) plus paid Pro Tier billed per user/month through AWS; part of the broader AWS Free Tier and AWS billing ecosystem.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Amazon Web Services, Inc. (a subsidiary of Amazon.com, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    aws.amazon.com

    > Browse all vendor trust reports