// Trust & Security Report

    CodeRabbit, Inc. logo

    CodeRabbit, Inc.

    AI code review (PR reviews, IDE, CLI, self-hosted Enterprise)

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II certified. Enterprise-grade security validated annually through independent SOC2 Type II audits.

    Verify on coderabbit.ai
    SOC 2 Type 2 (Trust Center report available)
    HELD

    Compliance: SOC 2 TYPE 2 ... SOC 2 Type 2 Report

    Verify on trust.coderabbit.ai
    ISO 27001:2022
    HELD

    Compliance: SOC 2 TYPE 2, ISO 27001:2022, GDPR ... ISO 27001:2022 [report]

    Verify on trust.coderabbit.ai
    GDPR
    HELD

    Compliance: ... GDPR ... GDPR_Audit Report - Code Rabbit.pdf

    Verify on trust.coderabbit.ai

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    USA. All listed subprocessors (Anthropic, OpenAI, Google Cloud Platform, Datadog, and others) are US-based per the Trust Center subprocessor list; one documentation subprocessor (LanguageTool) is in Germany.

    Vendor states code is never used to train models. Docs FAQ: 'CodeRabbit never uses customer code for model training. This remains true whether data retention is enabled or disabled' and 'Neither CodeRabbit nor OpenAI or Anthropic uses your code to train our models.' CodeRabbit holds zero-data-retention agreements with its LLM providers (OpenAI ZDR amendment is published in the Trust Center); LLM queries are ephemeral. Reviews run in isolated/ephemeral environments that are disposed of after the review, so no code traces persist on CodeRabbit servers post-review. Note: optional features (encrypted code caching, vector code indexing) store derived/encrypted representations for faster reviews and can be configured.

    // Security controls

    Encryption in transit

    SSL/TLS encrypted data; end-to-end encryption during reviews

    coderabbit.ai

    Zero data retention (post-review)

    End-to-end encryption protects your code during reviews with zero data retention post-review; ephemeral LLM queries with no LLM-side storage/logging

    coderabbit.ai

    Data isolation

    Reviews run in an isolated environment that is disposed of after the review; 'Complete Data Isolation' for proprietary code

    trust.coderabbit.ai

    Vulnerability disclosure

    Public Vulnerability Disclosure program (site footer). No HackerOne/Bugcrowd-branded bug bounty platform confirmed.

    coderabbit.ai

    Penetration testing

    unknown / likely (implied by annual SOC 2 Type II + ISO 27001:2022 controls, but no direct vendor quote found naming a pen test)

    trust.coderabbit.ai

    Security controls inventory

    Trust Center publishes infrastructure, organizational, product, internal-procedure, and data/privacy control sets (DR plans tested, anti-malware, encrypted transmission, unique production DB auth, etc.)

    trust.coderabbit.ai

    // Products & data scope

    Pull Request Reviews (Git platform app)AI code review

    data: Reads PR diffs and repo context from connected Git provider; code shared with OpenAI/Anthropic for review only, under ZDR; ephemeral review environment.

    Core product; '2-click install'. Most-installed AI app per vendor.

    IDE ReviewsAI code review (editor)

    data: Reviews code locally within the IDE before commit; same no-training / ZDR posture.

    Brings review to the developer's editor.

    CLI ReviewsAI code review (command line)

    data: Reviews from the command line; same no-training / ZDR posture.

    Also available in the Claude Marketplace per vendor.

    Enterprise (self-hosted)AI code review - enterprise

    data: Can run as a fully self-hosted instance, keeping code inside the customer network. Optional code caching/indexing configurable.

    Reported for large deployments (500+ seats). Verify exact seat threshold with sales.

    OSS / Startup ProgramFree tier

    data: Free reviews for open-source / qualifying startups; same processing pipeline.

    Listed under Plans (OSS) and Startup Program.

    // What to watch

    • Penetration testing not directly confirmed by a vendor quote (only implied by SOC 2 / ISO 27001).
    • Bug bounty exists only as a Vulnerability Disclosure program; no HackerOne/Bugcrowd platform confirmed.
    • Optional encrypted code caching and vector code indexing features store derived representations; default-off vs default-on behavior should be confirmed for high-sensitivity buyers.
    • Self-hosted seat threshold (reported 500+) is from third-party sources, not a direct vendor quote.

    // At a glance

    Pricing model

    Freemium SaaS with paid per-seat tiers; free for OSS and startup program; Enterprise (incl. self-hosted) plans

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on CodeRabbit, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.coderabbit.ai

    > Browse all vendor trust reports