// Trust & Security Report
Amazon Web Services, Inc. (a subsidiary of Amazon.com, Inc.)
Amazon CodeWhisperer was AWS's standalone AI coding assistant; it was fully retired and merged into Amazon Q Developer on April 30, 2024. Amazon Q Developer is now the single product: an agentic AI assistant for the software development lifecycle (inline code suggestions, chat, vulnerability scanning, code transformation/upgrades), available via IDE plugins (VS Code, JetBrains, Visual Studio, Eclipse), CLI, the AWS Management Console, GitHub, and GitLab Duo. Two tiers: Free Tier (individual, AWS Builder ID) and Pro Tier (organizational, AWS IAM Identity Center).
Certifications held
7
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on aws.amazon.com“Amazon Q Developer is included in the latest SOC 1/2/3 reports. Customers can download these reports in the AWS management console via AWS Artifact.”
Verify on aws.amazon.com“These are the four additional services: Amazon Q Developer... [added to the] 2025 ISO and CSA STAR certifications reissued on February 19, 2025, covering standards including ISO 27001:2022, ISO 27017:2015, ISO 27018:2019, ISO 27701:2019, ISO 9001:2015, ISO 20000-1:2018, ISO 22301:2019, and CSA STAR CCM v4.0.”
Verify on aws.amazon.com“Amazon Q Developer... added to the audit scope for the 2025 ISO and CSA STAR certifications reissued on February 19, 2025, covering standards including ISO 27001:2022, ISO 27017:2015, ISO 27018:2019, ISO 27701:2019...”
Verify on aws.amazon.com“Amazon Q Developer... added to the audit scope for the 2025 ISO and CSA STAR certifications reissued on February 19, 2025, covering standards including ISO 27001:2022, ISO 27017:2015, ISO 27018:2019, ISO 27701:2019...”
Verify on aws.amazon.com“Amazon Q Developer... added to the audit scope for the 2025 ISO and CSA STAR certifications reissued on February 19, 2025, covering standards including ISO 27001:2022, ISO 27017:2015, ISO 27018:2019, ISO 27701:2019...”
Verify on aws.amazon.com“Amazon Q Developer... added to the audit scope for the 2025 ISO and CSA STAR certifications reissued on February 19, 2025, covering standards including ... and CSA STAR CCM v4.0.”
Verify on aws.amazon.com“AWS customers can use all AWS services to process personal data (as defined in the GDPR) that is uploaded to the AWS services under their AWS accounts (customer data) in compliance with the GDPR. The AWS Service Terms include the SCCs adopted by the European Commission (EC) in June 2021, and the AWS DPA confirms that the SCCs will apply automatically whenever an AWS customer uses AWS services to transfer customer data to countries outside of the European Economic Area.”
> Show 4 unconfirmed / not-held certifications
source: aws.amazon.comAWS's ISO/IEC 42001 accredited certification for AI services covers Amazon Bedrock, Amazon Q Business, Amazon Textract, and Amazon Transcribe. Amazon Q Developer is not named among the services in scope of this certification as of the most recent published scope.
source: aws.amazon.comWhile Amazon Q Business is HIPAA eligible, Amazon Q Developer is not designed to transmit, store, or process ePHI.
source: aws.amazon.comAmazon Q Developer is not confirmed in AWS's published services-in-scope table for PCI DSS. AWS documentation directs customers to check the live AWS Services in Scope by Compliance Program page for the current PCI list; Amazon Q Developer was not identifiable there at time of review. No public evidence that Amazon Q Developer specifically (as opposed to AWS's general infrastructure) is PCI DSS in-scope.
source: docs.aws.amazon.comAWS's Compliance validation guidance for Amazon Q Developer directs customers to the general AWS Services in Scope by Compliance Program page rather than confirming FedRAMP scope directly; Amazon Q Developer was not identifiable in the published FedRAMP services-in-scope list at time of review. No public evidence found confirming Amazon Q Developer is FedRAMP authorized.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
AWS's global Region infrastructure; Amazon Q Developer supports cross-region processing for certain features (documented separately by AWS). Customers can generally select the AWS Region for their account/resources, but Q Developer model inference may route across regions per AWS's published cross-region processing documentation. No single fixed data region.
Tier-dependent, and this is the single most important buyer-facing distinction for this vendor. Pro Tier (paid, org-managed via IAM Identity Center): 'your content is not used for service improvement, or to train any underlying foundation models (FMs)' - privacy by default. Free Tier (individual, AWS Builder ID): 'Unless explicitly opted out, content from Amazon Q Developer Free Tier might also be used to enhance and improve the quality of FMs' - includes code snippets, suggestions, and chat conversations, unless the user opts out in IDE settings or via an AWS Organizations AI services opt-out policy. Legacy CodeWhisperer 'Professional' tier had the same no-training guarantee as today's Pro Tier; no contradiction found between legacy and current docs, but this vendor should be listed with 'trains_on_customer_data: depends on tier' rather than a single boolean, since our schema forces one value.
// Security controls
Encryption in transit
Your content is transmitted using the TLS protocol to ensure secure communication between your IDE and the Amazon Q Developer service.
aws.amazon.comEncryption at rest
We store this content in a secured manner with encryption at rest and strict access controls.
aws.amazon.comShared responsibility model
AWS is responsible for protecting the global infrastructure that runs all of the AWS Cloud. You are responsible for maintaining control over your content that is hosted on this infrastructure and for the security configuration and management tasks for the AWS services that you use.
docs.aws.amazon.comAccess controls
Amazon Q provides familiar security and access controls and can understand and respect your existing AWS IAM Identity Center governance identities, roles, and permissions to personalize its interactions.
aws.amazon.comThird-party audit reports
SOC 1/2/3 reports, plus applicable ISO and CSA STAR certificates covering Amazon Q Developer, are downloadable by customers through AWS Artifact in the AWS Management Console.
aws.amazon.comCode ownership
Just like with your IDE, you own the code that you write, including any code suggestions provided by Amazon Q Developer.
aws.amazon.com// Products & data scope
data: Code context, chat conversations, and generated suggestions from the user's IDE/CLI session; may be used for FM training/service improvement unless the user opts out
Successor to the free tier of Amazon CodeWhisperer. Signed in via AWS Builder ID, no AWS account required. 50 agentic chat interactions/month and up to 1,000 lines of code transformation/month on the perpetual free tier.
data: Same inputs as Free Tier, but content is explicitly excluded from service improvement and FM training by default
Managed centrally through AWS IAM Identity Center; adds enterprise-grade access controls, admin governance, and the 'no data used for training' privacy guarantee. This is the tier AIFOXX should recommend for any organization with data-sensitivity requirements.
data: N/A - service retired
Fully discontinued and merged into Amazon Q Developer on April 30, 2024. Legacy CodeWhisperer documentation and data-protection pages remain published by AWS for historical reference but the product is no longer separately available.
// What to watch
- Evidence-capture gap: the raw scrape for this vendor returned no usable trust/security page - it captured the general Amazon Q Developer marketing page, the amazon.com retail homepage, and two internal AWS employee SSO login redirects (midway-auth.amazon.com), none of which contain compliance content.
- Identity/branding complexity: 'Amazon CodeWhisperer' (the AIFOXX listing's name) was fully retired on April 30, 2024 and merged into 'Amazon Q Developer.' AIFOXX's listing should be renamed or clearly relabeled as Amazon Q Developer (formerly CodeWhisperer) to avoid listing a discontinued product as current.
- AI-training posture is tier-dependent, not a single yes/no: Free Tier content may be used for FM training/service improvement unless the user opts out; Pro Tier explicitly excludes all content from training and service improvement. The schema's single trains_on_customer_data boolean is set to false here because that is the Pro Tier (recommended/enterprise) posture, but AIFOXX's listing copy must surface the Free Tier caveat prominently since many individual developers will be on Free Tier by default.
- ISO/IEC 42001 (AI governance) over-claim risk: AWS holds ISO 42001 for Amazon Bedrock, Amazon Q Business, Amazon Textract, and Amazon Transcribe, but Amazon Q Developer was not found in the published scope. Do not list ISO 42001 for this product without further confirmation; a generic 'AWS holds ISO 42001' claim would conflate the AI-governance certification of a sibling product (Q Business) with this one (Q Developer).
- HIPAA is explicitly NOT applicable: AWS's own healthcare compliance blog states Amazon Q Developer 'is not designed to transmit, store, or process ePHI,' distinguishing it from the HIPAA-eligible Amazon Q Business. List HIPAA as not applicable/not held for this product specifically.
- PCI DSS and FedRAMP scope for Amazon Q Developer specifically could not be confirmed from AWS's live services-in-scope tables (these are JS-rendered and did not yield a service-level list via automated fetch). AWS holds these programs broadly at the platform level, but per-service scope should be treated as unconfirmed for Q Developer until verified directly against AWS Artifact or AWS sales.
- Host-vs-vendor distinction does not apply in the usual sense here: AWS itself is both the cloud host and the vendor of this product, since Amazon Q Developer is an AWS-native service. This is a legitimate case where the platform-level AWS certifications transfer directly to the product, unlike a third-party SaaS vendor merely hosted on AWS.
// At a glance
Pricing model
Freemium (Free Tier with usage caps) plus paid Pro Tier billed per user/month through AWS; part of the broader AWS Free Tier and AWS billing ecosystem.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Amazon Web Services, Inc. (a subsidiary of Amazon.com, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
aws.amazon.com