// Trust & Security Report

    Qodo (formerly CodiumAI / Codium Ltd.) logo

    Qodo (formerly CodiumAI / Codium Ltd.)

    Qodo AI code review and quality platform (Qodo Gen IDE plugins, Qodo Merge PR agent, Qodo Command/CLI, code governance)

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II certified — Independently audited security controls, not just a self-attestation. (Homepage Security & Compliance section). Trust Center lists certification 'SOC 2' and a document 'SOC 2 Type II — Request access'. Blog: 'our security measures include SOC2 Type II certification'.

    Verify on trust.qodo.ai
    Penetration Test (third-party report)
    HELD

    Trust Center Documents section lists: 'PDF Penetration Test — Request access'. This confirms a pentest report exists and is shared under NDA, though it is not a certification.

    Verify on trust.qodo.ai
    GDPR (regulatory posture, not a certification)
    HELD

    Privacy Policy describes GDPR-style legal bases ('Processing is necessary for our legitimate interests...', 'Consent (with regards to marketing communications)') and data-subject rights (access, erasure, objection, restriction, portability). Vendor is EU-facing and Israel-based, but no formal GDPR/adequacy certification is asserted.

    Verify on qodo.ai
    > Show 2 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No mention of ISO 27001 on the Qodo Trust Center, homepage, security blog, or privacy policy. Only SOC 2 is listed as a certification.

    source: trust.qodo.ai
    HIPAA
    NOT CONFIRMED

    No HIPAA reference found on any Qodo-owned page reviewed (developer-tooling vendor; no healthcare data processing claimed).

    source: trust.qodo.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    unknown

    Tier-dependent. FREE-tier users' data IS used to train/improve Qodo's AI models by default ('We use data from our free-tier users to improve our AI models'), with an explicit opt-out and account-deletion option. PAID Teams/Enterprise and trial data is NEVER used for training ('Data of our paid subscribers (or within the trial periods) will never ever be used to train our AI models'), is deleted from storage within 48 hours (zero-retention available on request), and OpenAI sub-processor is bound to zero data retention for paid users. Homepage advertises 'Zero data retention — Your code is analyzed and discarded. Nothing stored, logged, or used to train models' for the enterprise offering. This is a material consumer-vs-enterprise difference.

    // Security controls

    Encryption

    2-way encryption and secrets obfuscation. Vendor cites TLS/SSL specifically for secure payment; code is described as securely transmitted to the Qodo backend (no explicit general data-in-transit TLS statement on owned pages).

    qodo.ai

    Zero data retention (enterprise)

    Code analyzed and discarded; nothing stored, logged, or used to train models. Paid data deleted within 48h (immediate zero-retention on request).

    qodo.ai

    Deployment isolation

    On-premises deployment and single-tenant dedicated instance available for enterprise (no shared infrastructure).

    qodo.ai

    Responsible disclosure / bug bounty

    Trust Center App Security controls list 'Responsible Disclosure'. Qodo has run a self-managed Bug Bounty Program (terms page; not on a managed HackerOne/Bugcrowd platform that could be confirmed). No HackerOne/Bugcrowd program verified.

    trust.qodo.ai

    Trust Center controls

    Access monitoring, data backups, data erasure, credential management, code analysis, audit logging, anti-DDoS, BC/DR, status monitoring, password security. Powered by SecurityPal AI.

    trust.qodo.ai

    Penetration testing

    Third-party penetration test report available under NDA via Trust Center document request.

    trust.qodo.ai

    // Products & data scope

    Qodo Gen (IDE plugins)AI test generation / code suggestions in IDE

    data: Analyzes selected code-under-test plus ~800 lines of dependency-graph context; sent to Qodo backend; inference via Qodo proprietary models or OpenAI APIs (OpenAI bound to delete and not train).

    Free for individual developers. Free-tier data may be used to improve models (opt-out available).

    Qodo Merge (PR agent, formerly PR-Agent)AI pull-request review and PR automation

    data: Active only on invocation (no passive collection); extracts only data relevant to the executed command/PR. Self-hosted with your own OpenAI key = data flow is between you and OpenAI. Qodo-hosted Merge Pro stores no code/PR data and does not train on it (zero-retention OpenAI account).

    Free self-hosted (open-source lineage) and paid Qodo-hosted Pro variants exist with distinct data scopes.

    Qodo Teams / Enterprise platformCode review governance, standards, audit, cross-repo context

    data: Zero data retention, paid data never used for training, deleted within 48h; on-prem and single-tenant options; SOC 2 Type II scope.

    Commercial tier; strongest compliance and isolation posture. NVIDIA cited as customer.

    // What to watch

    • Tier-dependent training: free-tier user data is used to train Qodo's models by default (opt-out exists); paid/enterprise data is never used and is deleted within 48h. Teams must use paid tiers for true no-train guarantees.
    • Vendor is Codium Ltd., based in Tel Aviv, Israel; global data transfers apply. No explicit data-residency region published.
    • Only SOC 2 Type II is held; no ISO 27001 or HIPAA. Pentest report is request-only (NDA).
    • Bug bounty is self-managed (no confirmed HackerOne/Bugcrowd); the public bug-bounty terms URL returned 404 at verification time. Trust Center confirms a 'Responsible Disclosure' control.
    • Brand/slug note: directory slug 'codium-ai' now maps to 'Qodo' (rebranded from CodiumAI in 2024). Legacy trust.codium.ai (SafeBase) still exists; current Trust Center is trust.qodo.ai (SecurityPal).

    // At a glance

    Pricing model

    Freemium — free for individual developers (Qodo Gen, self-hosted Qodo Merge); paid Teams and Enterprise plans for hosting, governance, and compliance features.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Qodo (formerly CodiumAI / Codium Ltd.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.qodo.ai

    > Browse all vendor trust reports