// Trust & Security Report

    Codiga (now owned by Datadog, Inc.) logo

    Codiga (now owned by Datadog, Inc.)

    Static Code Analysis (SAST), IDE plugins (VS Code, JetBrains, Visual Studio), code snippets platform, and coding assistant. Codiga was acquired by Datadog on April 4, 2023, with standalone products shut down May 4, 2023.

    Certifications held

    1

    Maturity

    Startup

    Trains on your data

    No

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type I
    HELD

    Codiga blog (March 1, 2022) states it 'has achieved SOC 2 Type I compliance in accordance with American Institute of Certified Public Accountants (AICPA) standards for SOC for Service Organizations also known as SSAE 18' and 'was audited by Prescient Assurance.' An 'unqualified opinion on a SOC 2 Type I audit report' is claimed.

    Verify on codiga.io
    > Show 8 unconfirmed / not-held certifications
    SOC 2 Type II
    NOT CONFIRMED

    No public evidence found; only SOC 2 Type I documented.

    ISO 27001
    NOT CONFIRMED

    No public evidence found in Codiga's security or trust documentation. ISO 27001 is held by parent company Datadog, not Codiga independently.

    ISO 27017
    NOT CONFIRMED

    No public evidence found for Codiga. ISO 27017 compliance is held by Datadog, not Codiga independently.

    ISO 27018
    NOT CONFIRMED

    No public evidence found for Codiga. ISO 27018 compliance is held by Datadog, not Codiga independently.

    ISO 27701
    NOT CONFIRMED

    No public evidence found for Codiga. ISO 27701 Processor certification is held by Datadog, not Codiga independently.

    HIPAA
    NOT CONFIRMED

    No public evidence found for Codiga. Datadog offers HIPAA compliance with BAA, but Codiga does not explicitly advertise HIPAA compliance.

    GDPR Compliance Statement
    NOT CONFIRMED

    GDPR is not explicitly mentioned in Codiga's privacy policy. Policy notes international data transfers with employee/contractor consent but lacks formal GDPR compliance language.

    source: codiga.io
    PCI DSS
    NOT CONFIRMED

    Codiga does not hold PCI DSS; payment processing is handled by Stripe, which is PCI DSS Level 1 certified. This is Stripe's cert, not Codiga's.

    source: codiga.io

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Not offered

    Data region

    AWS US (implied; no explicit region specified)

    Explicit statement in Code Privacy policy: 'We NEVER keep your code in our infrastructure, nor use end user code to train our system.' Source: https://www.codiga.io/code-privacy/

    // Security controls

    Encryption in Transit

    HTTPS/TLS 1.2

    codiga.io

    Encryption at Rest

    Credentials stored encrypted; no plaintext credential storage

    codiga.io

    Source Code Storage

    Code collected for analysis only; deleted immediately after analysis completion. Never stored in Codiga infrastructure.

    codiga.io

    Code Retrieval

    Retrieved directly from GitHub, GitLab, or Bitbucket at time of analysis; never persisted in Codiga systems

    codiga.io

    Payment Processing

    Stripe (PCI DSS Level 1 certified). Codiga does not store credit card information.

    codiga.io

    Hosting

    Amazon Web Services (AWS)

    codiga.io

    // Products & data scope

    Static Code Analysis (SAST)Code Analysis

    data: Source code analyzed in real-time; deleted after analysis. Code not stored.

    Supports Python, JavaScript, TypeScript, and other languages. Checks for OWASP 10, MITRE CWE, Sans/CWE Top 25 violations. Real-time analysis in IDE and CI/CD.

    IDE PluginsDeveloper Tools

    data: Code analyzed locally and via IDE integrations. Not persisted in Codiga systems.

    Available for VS Code, JetBrains (IntelliJ, PyCharm, etc.), and Visual Studio. Plugins still appear available on marketplaces despite May 2023 product shutdown.

    Code Snippets PlatformKnowledge Management

    data: User-contributed snippets. Not training source.

    Platform at code-snippets.dev for sharing and searching code snippets.

    Automated Code ReviewsCode Review Automation

    data: Review comments generated from analysis; not stored.

    Integrated into GitHub, GitLab, Bitbucket workflows. Autofix capability for vulnerabilities.

    Coding Assistant (Rosie)AI Coding Assistant

    data: Analyzed via IDE; not persisted. Note: Status unclear post-acquisition.

    AI-powered coding suggestions. Originally named 'Rosie'. Fate under Datadog integration unknown.

    // What to watch

    • Codiga acquired by Datadog on April 4, 2023; product status post-acquisition ambiguous
    • Standalone Codiga products officially shut down May 4, 2023; codiga.io website remains live with 'has joined Datadog' banner
    • SOC 2 Type I certification dated March 1, 2022 (pre-acquisition); unclear if cert validity extends post-integration or if Datadog certs now apply
    • Security documentation last updated June 21, 2021 (before acquisition announcement)
    • No Data Processing Agreement (DPA) publicly available despite Privacy Policy existing; GDPR compliance posture unclear
    • Potential over-claim risk: Website advertises code analysis tools, but standalone products are shut down; integration into Datadog SAST may have different data handling than standalone Codiga
    • Identity note: Codiga is now a subsidiary/product of Datadog, Inc. (public company, NASDAQ: DDOG). Certifications may need to reference parent company.
    • AI training posture contradicts some competitor practices (e.g., GitHub Copilot, Atlassian); Codiga is explicit no-training commitment

    // At a glance

    Pricing model

    Freemium subscription (specific pricing not found; free IDE plugins, paid services mentioned but rates not disclosed)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Codiga (now owned by Datadog, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    codiga.io

    > Browse all vendor trust reports