// Trust & Security Report

    SonarSource Sàrl logo

    SonarSource Sàrl

    Code verification / static analysis (SAST, SCA, secrets detection) platform sold under the Sonar brand. Sub-products: SonarQube Server (self-hosted), SonarQube Cloud (formerly SonarCloud, SaaS), SonarQube for IDE, Advanced Security add-on, AI CodeFix, Gitar (acquired AI code review), and an MCP Server for agentic coding tools.

    Certifications held

    6

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Sonar has received our 2025-2026 SOC 2 Type II report. It has been placed on the Trust Center. Reporting Period Assessed: Nov 1, 2024 through October 31, 2025. Trust Service Criteria: Security, Confidentiality, Availability. Scope: Sonar Operations and commercial products and services (SonarQube Cloud, SonarQube Server, SonarQube for IDE, and supporting services, including AI CodeFix, SonarQube Advanced Security, and others).

    Verify on trust.sonarsource.com
    ISO/IEC 27001:2022
    HELD

    Compliance: SOC 2, ISO 27001:2022, ISO 27018:2019, CSA STAR Level I. Resources include 'ISO 27001:2022 Certificate' and 'ISO 27001 SoA'.

    Verify on trust.sonarsource.com
    ISO/IEC 27018:2019 (PII protection in public cloud)
    HELD

    Sonar is excited to announce that we have achieved ISO 27018 certification for Privacy for all SonarSource products, information, information processing facilities, and personnel related to our the delivery of SonarQube Cloud. ISO 27018 is the gold standard Code of Practice for the protection of Personally Identifiable Information (PII) in public cloud computing environments.

    Verify on trust.sonarsource.com
    CSA STAR (Level 1, self-assessment)
    HELD

    Compliance: SOC 2, ISO 27001:2022, ISO 27018:2019, CSA STAR Level I. Resources: 'CSA STAR Level 1 Registry - SonarQube Cloud', 'SonarQube Cloud 2025 CAIQ-Lite v4.0.3'.

    Verify on trust.sonarsource.com
    PCI DSS (SAQ-A self-assessment)
    HELD

    Resources list: 'Sonar PCI-DSS SAQ-A' under Self Assessments. This is a self-assessment questionnaire (SAQ-A), not a full Level 1 PCI DSS certification, and applies to payment-page scope rather than the core product.

    Verify on trust.sonarsource.com
    GDPR (compliance posture, not a certification)
    HELD

    SonarSource's Data Processing Addendum forms part of the SonarQube Cloud Terms of Service and SonarQube Server Terms and Conditions... Sonar offers Standard Contractual Clauses as the transfer mechanism to facilitate the transfer of personal data. For those located in the EEA, UK, or Switzerland, SonarSource processes personal data in line with applicable data protection laws, including the General Data Protection Regulation.

    Verify on sonarsource.com
    > Show 3 unconfirmed / not-held certifications
    ISO/IEC 42001:2023 (AI Management System)
    NOT CONFIRMED

    No public evidence: ISO 42001 is not listed among the Trust Center's Compliance items (SOC 2, ISO 27001:2022, ISO 27018:2019, CSA STAR Level I) or in its Certifications and Attestations resource list. Independent web search for 'Sonar ISO 42001' returned no vendor-side confirmation as of verification date.

    source: trust.sonarsource.com
    HIPAA
    NOT CONFIRMED

    No public evidence of a HIPAA attestation or offered Business Associate Agreement (BAA). Sonar's marketing pages describe how SonarQube helps customers meet their own HIPAA code-compliance obligations (audit trails, reporting), which is a product feature, not a HIPAA compliance claim by SonarSource itself. HIPAA does not appear on the Trust Center compliance or resources list.

    source: trust.sonarsource.com
    FedRAMP
    NOT CONFIRMED

    No public evidence. FedRAMP is not listed on the Trust Center compliance list or resources.

    source: trust.sonarsource.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    SonarSource Sàrl is a Swiss entity (Geneva); DPA references processing under EU, UK, Switzerland, Singapore, and US region-specific terms with EU Standard Contractual Clauses governing transfers outside Europe. Privacy notice states data 'may be stored and processed in these jurisdictions and in other countries where SonarSource Sàrl, its affiliates, or authorized processors or subprocessors maintain operations' -- no fixed customer-selectable data residency documented for SonarQube Cloud beyond this.

    SonarQube documentation states service agreements with Sonar's LLM providers prevent code sent to AI CodeFix from being used to train those models: 'Service agreements with Sonar's LLMs prevent your code from being used to train those models.' Customers using AI CodeFix send affected code snippets to the selected LLM (Sonar-hosted or customer-connected, including self-hosted/on-prem options). The core static-analysis engine (non-AI SonarQube rules) does not send code to third-party LLMs at all. No opt-out is needed for AI training since Sonar states it does not occur via these contracts, but customers should independently confirm current AI CodeFix terms before enabling the feature on sensitive codebases.

    // Security controls

    Deployment models

    SonarQube Server (self-hosted, on-prem or private cloud) and SonarQube Cloud (multi-tenant SaaS, formerly SonarCloud); code can stay entirely on customer infrastructure with Server.

    sonarsource.com

    Encryption

    Trust Center product security controls list 'Data encryption utilized' and 'Data transmission encrypted' as attested controls.

    trust.sonarsource.com

    Penetration testing

    Separate pentest executive summaries published per product and cadence: SonarQube Server (Aug 2025, Dec 2025), SonarQube Cloud (May 2026), SonarQube IDE (June 2025), plus 2 more listed.

    trust.sonarsource.com

    Business continuity

    Trust Center lists a Business Continuity & Disaster Recovery Summary and a 2026 Q1 BC/DR test report; controls include 'Continuity and Disaster Recovery plans established' and 'tested'.

    trust.sonarsource.com

    Incident disclosure

    Sonar publicly disclosed a third-party Salesloft/Salesforce supply-chain compromise (Aug 2025) that exposed limited sales-support email conversations; stated customer source code and the product itself were not affected, and no passwords or financial data were accessed.

    trust.sonarsource.com

    // Products & data scope

    SonarQube ServerSelf-hosted static analysis (SAST/SCA/code quality)

    data: Source code stays within customer-controlled infrastructure; no code leaves the customer's environment unless AI CodeFix is enabled.

    Primary on-prem/private-cloud offering; Advanced Security add-on available for SCA, secrets detection, malware detection.

    SonarQube CloudSaaS static analysis (SAST/SCA/code quality)

    data: Source code and metadata processed on Sonar-hosted multi-tenant cloud infrastructure.

    Formerly branded SonarCloud. Team plan now includes Advanced Security (SCA, malware detection, dependency analysis) per the Trust Center updates.

    SonarQube for IDEIDE plugin / developer-side static analysis

    data: Local analysis in the developer's IDE, connectable to Server or Cloud for shared rulesets.

    Covered under the same SOC 2 Type II scope as Server and Cloud.

    AI CodeFixAI-assisted automated remediation

    data: Sends the specific flagged code snippet to a selected LLM (Sonar-hosted or customer-bring-your-own, including self-hosted/on-prem models).

    Contractually excluded from being used to train underlying LLMs, per Sonar documentation; customers can restrict to self-hosted LLMs for stricter data control.

    MCP Server / GitarAgentic-coding integrations (Claude Code, Cursor, Copilot, etc.) and AI code review

    data: Exposes SonarQube findings to AI coding agents via Model Context Protocol; Gitar (acquired) adds AI code review on top of the verification platform.

    Newer product surface (2026); same underlying platform, not separately certified apart from the company-wide SOC 2/ISO scope.

    // What to watch

    • PCI DSS entry on the Trust Center is a self-assessment (SAQ-A), not a third-party-audited Level 1 certification -- list it as 'self-attested PCI DSS SAQ-A', not unqualified 'PCI DSS compliant', to avoid an over-claim.
    • HIPAA is not held: Sonar markets SonarQube as a tool that helps customers meet their own HIPAA code-compliance obligations, which could be misread as a HIPAA claim by SonarSource itself. No BAA or HIPAA attestation found on the Trust Center; healthcare buyers should request a BAA directly if needed.
    • CSA STAR is Level 1 (self-assessment) per the Trust Center; do not upgrade this to Level 2 (third-party-audited) in listing copy.
    • AI CodeFix training exclusion is documented in product docs rather than the Trust Center or core privacy policy; recommend noting the source as SonarQube's own technical documentation rather than a legal/compliance page.
    • No fixed, customer-selectable data residency region is publicly documented for SonarQube Cloud; the DPA offers jurisdiction-specific terms (EU/UK/Switzerland/Singapore/US) rather than a pick-your-region guarantee.

    // At a glance

    Pricing model

    Free/open-source Community edition self-hosted; paid tiers (Developer, Enterprise, Data Center) for Server; subscription SaaS tiers (Free, Team, Enterprise) for Cloud. Contact-sales for enterprise pricing.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on SonarSource Sàrl's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.sonarsource.com

    > Browse all vendor trust reports