// Trust & Security Report
Qodo (formerly CodiumAI / Codium Ltd.)
Qodo AI code review and quality platform (Qodo Gen IDE plugins, Qodo Merge PR agent, Qodo Command/CLI, code governance)
Certifications held
3
Maturity
Growth
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.qodo.ai“SOC 2 Type II certified — Independently audited security controls, not just a self-attestation. (Homepage Security & Compliance section). Trust Center lists certification 'SOC 2' and a document 'SOC 2 Type II — Request access'. Blog: 'our security measures include SOC2 Type II certification'.”
Verify on trust.qodo.ai“Trust Center Documents section lists: 'PDF Penetration Test — Request access'. This confirms a pentest report exists and is shared under NDA, though it is not a certification.”
Verify on qodo.ai“Privacy Policy describes GDPR-style legal bases ('Processing is necessary for our legitimate interests...', 'Consent (with regards to marketing communications)') and data-subject rights (access, erasure, objection, restriction, portability). Vendor is EU-facing and Israel-based, but no formal GDPR/adequacy certification is asserted.”
> Show 2 unconfirmed / not-held certifications
source: trust.qodo.aiNo mention of ISO 27001 on the Qodo Trust Center, homepage, security blog, or privacy policy. Only SOC 2 is listed as a certification.
source: trust.qodo.aiNo HIPAA reference found on any Qodo-owned page reviewed (developer-tooling vendor; no healthcare data processing claimed).
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
unknown
Tier-dependent. FREE-tier users' data IS used to train/improve Qodo's AI models by default ('We use data from our free-tier users to improve our AI models'), with an explicit opt-out and account-deletion option. PAID Teams/Enterprise and trial data is NEVER used for training ('Data of our paid subscribers (or within the trial periods) will never ever be used to train our AI models'), is deleted from storage within 48 hours (zero-retention available on request), and OpenAI sub-processor is bound to zero data retention for paid users. Homepage advertises 'Zero data retention — Your code is analyzed and discarded. Nothing stored, logged, or used to train models' for the enterprise offering. This is a material consumer-vs-enterprise difference.
// Security controls
Encryption
2-way encryption and secrets obfuscation. Vendor cites TLS/SSL specifically for secure payment; code is described as securely transmitted to the Qodo backend (no explicit general data-in-transit TLS statement on owned pages).
qodo.aiZero data retention (enterprise)
Code analyzed and discarded; nothing stored, logged, or used to train models. Paid data deleted within 48h (immediate zero-retention on request).
qodo.aiDeployment isolation
On-premises deployment and single-tenant dedicated instance available for enterprise (no shared infrastructure).
qodo.aiResponsible disclosure / bug bounty
Trust Center App Security controls list 'Responsible Disclosure'. Qodo has run a self-managed Bug Bounty Program (terms page; not on a managed HackerOne/Bugcrowd platform that could be confirmed). No HackerOne/Bugcrowd program verified.
trust.qodo.aiTrust Center controls
Access monitoring, data backups, data erasure, credential management, code analysis, audit logging, anti-DDoS, BC/DR, status monitoring, password security. Powered by SecurityPal AI.
trust.qodo.aiPenetration testing
Third-party penetration test report available under NDA via Trust Center document request.
trust.qodo.ai// Products & data scope
data: Analyzes selected code-under-test plus ~800 lines of dependency-graph context; sent to Qodo backend; inference via Qodo proprietary models or OpenAI APIs (OpenAI bound to delete and not train).
Free for individual developers. Free-tier data may be used to improve models (opt-out available).
data: Active only on invocation (no passive collection); extracts only data relevant to the executed command/PR. Self-hosted with your own OpenAI key = data flow is between you and OpenAI. Qodo-hosted Merge Pro stores no code/PR data and does not train on it (zero-retention OpenAI account).
Free self-hosted (open-source lineage) and paid Qodo-hosted Pro variants exist with distinct data scopes.
data: Zero data retention, paid data never used for training, deleted within 48h; on-prem and single-tenant options; SOC 2 Type II scope.
Commercial tier; strongest compliance and isolation posture. NVIDIA cited as customer.
// What to watch
- Tier-dependent training: free-tier user data is used to train Qodo's models by default (opt-out exists); paid/enterprise data is never used and is deleted within 48h. Teams must use paid tiers for true no-train guarantees.
- Vendor is Codium Ltd., based in Tel Aviv, Israel; global data transfers apply. No explicit data-residency region published.
- Only SOC 2 Type II is held; no ISO 27001 or HIPAA. Pentest report is request-only (NDA).
- Bug bounty is self-managed (no confirmed HackerOne/Bugcrowd); the public bug-bounty terms URL returned 404 at verification time. Trust Center confirms a 'Responsible Disclosure' control.
- Brand/slug note: directory slug 'codium-ai' now maps to 'Qodo' (rebranded from CodiumAI in 2024). Legacy trust.codium.ai (SafeBase) still exists; current Trust Center is trust.qodo.ai (SecurityPal).
// At a glance
Pricing model
Freemium — free for individual developers (Qodo Gen, self-hosted Qodo Merge); paid Teams and Enterprise plans for hosting, governance, and compliance features.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Qodo (formerly CodiumAI / Codium Ltd.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.qodo.ai