// Trust & Security Report
JetBrains s.r.o.
JetBrains AI (AI Assistant, Junie, AI Enterprise, Mellum, Koog)
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on blog.jetbrains.com“A SOC 2 Type II report evaluates the design and suitability of these controls. The SOC2 report, along with other supporting documents, such as penetration testing reports, are available at our Trust Center.”
Verify on youtrack.jetbrains.com“JetBrains publishes a knowledge-base article addressing the ISO/IEC 27001 question for AI Assistant, but the article and Trust Center are NDA-gated; no public confirmation of a current ISO 27001 certificate was found.”
Verify on jetbrains.com“JetBrains has prepared a Data Processing Addendum that includes Standard contractual clauses for the transfer of personal data to third countries to ensure GDPR compliance.”
Verify on jetbrains.com“No public HIPAA attestation or BAA offering for JetBrains AI was found on JetBrains' own domain.”
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
JetBrains AI servers are located in the EU. However, certain downstream LLM sub-processors (e.g. OpenAI) operate U.S. data centers, so for cloud routing the prompt may leave the EU depending on the selected provider. List of providers: JetBrains AI Service Providers.
JetBrains explicitly does not train AI models on customer code/data by default. Marketing: 'Your code and data remain entirely yours - we never use them to train AI models.' AI Terms: 'We will not use Your Inputs, Data, and Outputs for training JetBrains AI unless You agree to it' and the same restriction is contractually imposed on third-party AI Service Providers. Detailed data collection (used only for product-quality improvement) is opt-in: 'JetBrains does not persist customer data unless users explicitly opt in to detailed data collection.' Proprietary models (Mellum) are 'trained solely on public, permissively licensed code.'
// Security controls
Vulnerability disclosure / bug bounty
HackerOne Vulnerability Disclosure Program (VDP) plus a Coordinated Disclosure Policy on JetBrains' own domain. Not a formal always-on paid bounty; rewards are discretionary based on CVSS score (cash, swag, licenses, Security Bulletin credit).
hackerone.comPenetration testing
Yes. Penetration testing reports are available alongside the SOC 2 report in the Trust Center (NDA-gated).
blog.jetbrains.comCoordinated Disclosure Policy
Documented responsible-disclosure process; reports via issue tracker ('Security Problem' type) or PGP-encrypted email. Security Bulletin subscription available.
jetbrains.comData retention default
Customer data is not persisted unless the user opts in to detailed data collection; no data retained by third-party providers per JetBrains.
jetbrains.comOn-premises / data control
AI Enterprise offers on-premises deployment for 'complete control over your data and model management' to meet company security/compliance standards.
jetbrains.com// Products & data scope
data: Cloud-routed prompts to JetBrains AI (EU servers) and selectable third-party LLM providers (OpenAI/US, Google Vertex, Anthropic). Not used for training by default; detailed data collection is opt-in.
Subscription add-on on top of IDE licensing; supports multiple model providers without vendor lock-in.
data: Same JetBrains AI data-handling and no-training commitments; plans, writes, refines and tests code within the IDE.
Higher-autonomy agent; user stays in control of execution.
data: Adds management, governance, visibility over team AI usage; on-premises option for full data and model control.
Target scope for buyers needing data residency and policy governance; broadest compliance controls.
data: Trained solely on public, permissively licensed code; no customer data used.
Powers low-latency code completion; open-source.
data: Developer-built agents; data scope determined by the developer's own integration.
Kotlin/Java framework for building AI agents; not a hosted data path itself.
// What to watch
- Trust Center and detailed security/SOC 2/ISO knowledge-base articles are NDA-gated, so SOC 2 report contents and any ISO 27001 status cannot be independently read without requesting access.
- 2023 SOC 2 audit scope explicitly named 9 products (IDEs, .NET tools, YouTrack, TeamCity, Space, Datalore, Remote Development, Code With Me, Fleet); JetBrains AI is not separately listed in that scope, though it runs on JetBrains infrastructure - confirm AI-specific coverage for procurement.
- ISO 27001 could not be confirmed held or not held from public sources - marked unknown, not invented.
- Cloud routing to third-party US-based LLM providers (e.g. OpenAI) creates cross-border transfer surface despite EU-based JetBrains AI servers.
// At a glance
Pricing model
Paid subscription add-on layered on JetBrains IDE licensing; AI quota/credit usage applies. Enterprise tier (AI Enterprise) priced separately.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on JetBrains s.r.o.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust-center.jetbrains.com