// Trust & Security Report

    JetBrains s.r.o. logo

    JetBrains s.r.o.

    JetBrains AI (AI Assistant, Junie, AI Enterprise, Mellum, Koog)

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    A SOC 2 Type II report evaluates the design and suitability of these controls. The SOC2 report, along with other supporting documents, such as penetration testing reports, are available at our Trust Center.

    Verify on blog.jetbrains.com
    ISO/IEC 27001
    HELD

    JetBrains publishes a knowledge-base article addressing the ISO/IEC 27001 question for AI Assistant, but the article and Trust Center are NDA-gated; no public confirmation of a current ISO 27001 certificate was found.

    Verify on youtrack.jetbrains.com
    GDPR (DPA + SCCs)
    HELD

    JetBrains has prepared a Data Processing Addendum that includes Standard contractual clauses for the transfer of personal data to third countries to ensure GDPR compliance.

    Verify on jetbrains.com
    HIPAA
    HELD

    No public HIPAA attestation or BAA offering for JetBrains AI was found on JetBrains' own domain.

    Verify on jetbrains.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    JetBrains AI servers are located in the EU. However, certain downstream LLM sub-processors (e.g. OpenAI) operate U.S. data centers, so for cloud routing the prompt may leave the EU depending on the selected provider. List of providers: JetBrains AI Service Providers.

    JetBrains explicitly does not train AI models on customer code/data by default. Marketing: 'Your code and data remain entirely yours - we never use them to train AI models.' AI Terms: 'We will not use Your Inputs, Data, and Outputs for training JetBrains AI unless You agree to it' and the same restriction is contractually imposed on third-party AI Service Providers. Detailed data collection (used only for product-quality improvement) is opt-in: 'JetBrains does not persist customer data unless users explicitly opt in to detailed data collection.' Proprietary models (Mellum) are 'trained solely on public, permissively licensed code.'

    // Security controls

    Vulnerability disclosure / bug bounty

    HackerOne Vulnerability Disclosure Program (VDP) plus a Coordinated Disclosure Policy on JetBrains' own domain. Not a formal always-on paid bounty; rewards are discretionary based on CVSS score (cash, swag, licenses, Security Bulletin credit).

    hackerone.com

    Penetration testing

    Yes. Penetration testing reports are available alongside the SOC 2 report in the Trust Center (NDA-gated).

    blog.jetbrains.com

    Coordinated Disclosure Policy

    Documented responsible-disclosure process; reports via issue tracker ('Security Problem' type) or PGP-encrypted email. Security Bulletin subscription available.

    jetbrains.com

    Data retention default

    Customer data is not persisted unless the user opts in to detailed data collection; no data retained by third-party providers per JetBrains.

    jetbrains.com

    On-premises / data control

    AI Enterprise offers on-premises deployment for 'complete control over your data and model management' to meet company security/compliance standards.

    jetbrains.com

    // Products & data scope

    AI Assistant (in JetBrains IDEs)AI coding assistant (IDE plugin)

    data: Cloud-routed prompts to JetBrains AI (EU servers) and selectable third-party LLM providers (OpenAI/US, Google Vertex, Anthropic). Not used for training by default; detailed data collection is opt-in.

    Subscription add-on on top of IDE licensing; supports multiple model providers without vendor lock-in.

    JunieAutonomous coding agent (pair programming)

    data: Same JetBrains AI data-handling and no-training commitments; plans, writes, refines and tests code within the IDE.

    Higher-autonomy agent; user stays in control of execution.

    JetBrains AI EnterpriseTeam/enterprise AI governance

    data: Adds management, governance, visibility over team AI usage; on-premises option for full data and model control.

    Target scope for buyers needing data residency and policy governance; broadest compliance controls.

    MellumProprietary open-source LLM

    data: Trained solely on public, permissively licensed code; no customer data used.

    Powers low-latency code completion; open-source.

    KoogOpen-source JVM agent framework

    data: Developer-built agents; data scope determined by the developer's own integration.

    Kotlin/Java framework for building AI agents; not a hosted data path itself.

    // What to watch

    • Trust Center and detailed security/SOC 2/ISO knowledge-base articles are NDA-gated, so SOC 2 report contents and any ISO 27001 status cannot be independently read without requesting access.
    • 2023 SOC 2 audit scope explicitly named 9 products (IDEs, .NET tools, YouTrack, TeamCity, Space, Datalore, Remote Development, Code With Me, Fleet); JetBrains AI is not separately listed in that scope, though it runs on JetBrains infrastructure - confirm AI-specific coverage for procurement.
    • ISO 27001 could not be confirmed held or not held from public sources - marked unknown, not invented.
    • Cloud routing to third-party US-based LLM providers (e.g. OpenAI) creates cross-border transfer surface despite EU-based JetBrains AI servers.

    // At a glance

    Pricing model

    Paid subscription add-on layered on JetBrains IDE licensing; AI quota/credit usage applies. Enterprise tier (AI Enterprise) priced separately.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on JetBrains s.r.o.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust-center.jetbrains.com

    > Browse all vendor trust reports