// Trust & Security Report
CodeRabbit, Inc.
AI code review (PR reviews, IDE, CLI, self-hosted Enterprise)
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on coderabbit.ai“SOC 2 Type II certified. Enterprise-grade security validated annually through independent SOC2 Type II audits.”
Verify on trust.coderabbit.ai“Compliance: SOC 2 TYPE 2 ... SOC 2 Type 2 Report”
Verify on trust.coderabbit.ai“Compliance: SOC 2 TYPE 2, ISO 27001:2022, GDPR ... ISO 27001:2022 [report]”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
USA. All listed subprocessors (Anthropic, OpenAI, Google Cloud Platform, Datadog, and others) are US-based per the Trust Center subprocessor list; one documentation subprocessor (LanguageTool) is in Germany.
Vendor states code is never used to train models. Docs FAQ: 'CodeRabbit never uses customer code for model training. This remains true whether data retention is enabled or disabled' and 'Neither CodeRabbit nor OpenAI or Anthropic uses your code to train our models.' CodeRabbit holds zero-data-retention agreements with its LLM providers (OpenAI ZDR amendment is published in the Trust Center); LLM queries are ephemeral. Reviews run in isolated/ephemeral environments that are disposed of after the review, so no code traces persist on CodeRabbit servers post-review. Note: optional features (encrypted code caching, vector code indexing) store derived/encrypted representations for faster reviews and can be configured.
// Security controls
Zero data retention (post-review)
End-to-end encryption protects your code during reviews with zero data retention post-review; ephemeral LLM queries with no LLM-side storage/logging
coderabbit.aiData isolation
Reviews run in an isolated environment that is disposed of after the review; 'Complete Data Isolation' for proprietary code
trust.coderabbit.aiVulnerability disclosure
Public Vulnerability Disclosure program (site footer). No HackerOne/Bugcrowd-branded bug bounty platform confirmed.
coderabbit.aiPenetration testing
unknown / likely (implied by annual SOC 2 Type II + ISO 27001:2022 controls, but no direct vendor quote found naming a pen test)
trust.coderabbit.aiSecurity controls inventory
Trust Center publishes infrastructure, organizational, product, internal-procedure, and data/privacy control sets (DR plans tested, anti-malware, encrypted transmission, unique production DB auth, etc.)
trust.coderabbit.ai// Products & data scope
data: Reads PR diffs and repo context from connected Git provider; code shared with OpenAI/Anthropic for review only, under ZDR; ephemeral review environment.
Core product; '2-click install'. Most-installed AI app per vendor.
data: Reviews code locally within the IDE before commit; same no-training / ZDR posture.
Brings review to the developer's editor.
data: Reviews from the command line; same no-training / ZDR posture.
Also available in the Claude Marketplace per vendor.
data: Can run as a fully self-hosted instance, keeping code inside the customer network. Optional code caching/indexing configurable.
Reported for large deployments (500+ seats). Verify exact seat threshold with sales.
data: Free reviews for open-source / qualifying startups; same processing pipeline.
Listed under Plans (OSS) and Startup Program.
// What to watch
- Penetration testing not directly confirmed by a vendor quote (only implied by SOC 2 / ISO 27001).
- Bug bounty exists only as a Vulnerability Disclosure program; no HackerOne/Bugcrowd platform confirmed.
- Optional encrypted code caching and vector code indexing features store derived representations; default-off vs default-on behavior should be confirmed for high-sensitivity buyers.
- Self-hosted seat threshold (reported 500+) is from third-party sources, not a direct vendor quote.
// At a glance
Pricing model
Freemium SaaS with paid per-seat tiers; free for OSS and startup program; Enterprise (incl. self-hosted) plans
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on CodeRabbit, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.coderabbit.ai