// Trust & Security Report
Codiga (now owned by Datadog, Inc.)
Static Code Analysis (SAST), IDE plugins (VS Code, JetBrains, Visual Studio), code snippets platform, and coding assistant. Codiga was acquired by Datadog on April 4, 2023, with standalone products shut down May 4, 2023.
Certifications held
1
Maturity
Startup
Trains on your data
No
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on codiga.io“Codiga blog (March 1, 2022) states it 'has achieved SOC 2 Type I compliance in accordance with American Institute of Certified Public Accountants (AICPA) standards for SOC for Service Organizations also known as SSAE 18' and 'was audited by Prescient Assurance.' An 'unqualified opinion on a SOC 2 Type I audit report' is claimed.”
> Show 8 unconfirmed / not-held certifications
No public evidence found; only SOC 2 Type I documented.
No public evidence found in Codiga's security or trust documentation. ISO 27001 is held by parent company Datadog, not Codiga independently.
No public evidence found for Codiga. ISO 27017 compliance is held by Datadog, not Codiga independently.
No public evidence found for Codiga. ISO 27018 compliance is held by Datadog, not Codiga independently.
No public evidence found for Codiga. ISO 27701 Processor certification is held by Datadog, not Codiga independently.
No public evidence found for Codiga. Datadog offers HIPAA compliance with BAA, but Codiga does not explicitly advertise HIPAA compliance.
source: codiga.ioGDPR is not explicitly mentioned in Codiga's privacy policy. Policy notes international data transfers with employee/contractor consent but lacks formal GDPR compliance language.
source: codiga.ioCodiga does not hold PCI DSS; payment processing is handled by Stripe, which is PCI DSS Level 1 certified. This is Stripe's cert, not Codiga's.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Not offered
Data region
AWS US (implied; no explicit region specified)
Explicit statement in Code Privacy policy: 'We NEVER keep your code in our infrastructure, nor use end user code to train our system.' Source: https://www.codiga.io/code-privacy/
// Security controls
Source Code Storage
Code collected for analysis only; deleted immediately after analysis completion. Never stored in Codiga infrastructure.
codiga.ioCode Retrieval
Retrieved directly from GitHub, GitLab, or Bitbucket at time of analysis; never persisted in Codiga systems
codiga.ioPayment Processing
Stripe (PCI DSS Level 1 certified). Codiga does not store credit card information.
codiga.io// Products & data scope
data: Source code analyzed in real-time; deleted after analysis. Code not stored.
Supports Python, JavaScript, TypeScript, and other languages. Checks for OWASP 10, MITRE CWE, Sans/CWE Top 25 violations. Real-time analysis in IDE and CI/CD.
data: Code analyzed locally and via IDE integrations. Not persisted in Codiga systems.
Available for VS Code, JetBrains (IntelliJ, PyCharm, etc.), and Visual Studio. Plugins still appear available on marketplaces despite May 2023 product shutdown.
data: User-contributed snippets. Not training source.
Platform at code-snippets.dev for sharing and searching code snippets.
data: Review comments generated from analysis; not stored.
Integrated into GitHub, GitLab, Bitbucket workflows. Autofix capability for vulnerabilities.
data: Analyzed via IDE; not persisted. Note: Status unclear post-acquisition.
AI-powered coding suggestions. Originally named 'Rosie'. Fate under Datadog integration unknown.
// What to watch
- Codiga acquired by Datadog on April 4, 2023; product status post-acquisition ambiguous
- Standalone Codiga products officially shut down May 4, 2023; codiga.io website remains live with 'has joined Datadog' banner
- SOC 2 Type I certification dated March 1, 2022 (pre-acquisition); unclear if cert validity extends post-integration or if Datadog certs now apply
- Security documentation last updated June 21, 2021 (before acquisition announcement)
- No Data Processing Agreement (DPA) publicly available despite Privacy Policy existing; GDPR compliance posture unclear
- Potential over-claim risk: Website advertises code analysis tools, but standalone products are shut down; integration into Datadog SAST may have different data handling than standalone Codiga
- Identity note: Codiga is now a subsidiary/product of Datadog, Inc. (public company, NASDAQ: DDOG). Certifications may need to reference parent company.
- AI training posture contradicts some competitor practices (e.g., GitHub Copilot, Atlassian); Codiga is explicit no-training commitment
// At a glance
Pricing model
Freemium subscription (specific pricing not found; free IDE plugins, paid services mentioned but rates not disclosed)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Codiga (now owned by Datadog, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
codiga.io