// Trust & Security Report

    Sourcegraph, Inc. logo

    Sourcegraph, Inc.

    Cody is Sourcegraph's AI coding assistant (chat, autocomplete, edits, prompts) now sold as part of the Sourcegraph Enterprise platform alongside Code Search, Batch Changes and Code Insights. Deployment sub-products: Enterprise Cloud (multi-tenant), Enterprise Starter, and Enterprise Self-Hosted; a free individual tier (Cody Free/Cody on Sourcegraph.com) also exists for non-enterprise users.

    Certifications held

    4

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    This certification affirms that Sourcegraph has implemented a comprehensive, independently audited security program... joins Sourcegraph's existing SOC 2 Type II attestation and compliance with GDPR and CCPA.

    Verify on sourcegraph.com
    ISO/IEC 27001:2022
    HELD

    Sourcegraph is now ISO 27001:2022 certified... Certification Date: April 9, 2025. Scope covers Enterprise Self-Hosted, Enterprise Cloud, and Enterprise Starter, including Cody (Chat, Autocomplete, Prompt Library) and Code Search.

    Verify on sourcegraph.com
    GDPR (compliance posture)
    HELD

    When Sourcegraph transfers personal data of EEA, Swiss, and UK residents outside of those regions, it does so via Standard Contractual Clauses approved by the European Commission... a Data Processing Agreement (DPA) aligned with GDPR is provided.

    Verify on sourcegraph.com
    CCPA (compliance posture)
    HELD

    compliance with GDPR and CCPA

    Verify on sourcegraph.com
    > Show 7 unconfirmed / not-held certifications
    SOC 2 Type I
    NOT CONFIRMED

    No public evidence on a Sourcegraph-owned domain confirms a standalone SOC 2 Type I report; only SOC 2 Type II is referenced on the vendor blog and trust center. Third-party aggregator sites (not vendor-owned) mention Type I but this could not be verified on sourcegraph.com.

    source: sourcegraph.com
    HIPAA
    NOT CONFIRMED

    We do not intentionally collect government-issued identification numbers, health information, or other sensitive personal data. No public evidence of a signed BAA program, HIPAA attestation, or HIPAA badge on the trust center; Services are not represented as designed to store PHI.

    source: sourcegraph.com
    PCI DSS
    NOT CONFIRMED

    No public evidence of PCI DSS certification on sourcegraph.com or the trust center (security.sourcegraph.com); the product does not process cardholder payment data directly.

    source: security.sourcegraph.com
    ISO 27017 / ISO 27018
    NOT CONFIRMED

    No public evidence of ISO 27017 or ISO 27018 certification on the vendor trust center; only ISO/IEC 27001:2022 is displayed.

    source: security.sourcegraph.com
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    The trust center displays an 'EU AI Act' compliance badge but no ISO/IEC 42001 certification badge or attestation; no public evidence of ISO 42001 certification.

    source: security.sourcegraph.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of a CSA STAR registry entry or self-assessment referenced on the vendor trust center.

    source: security.sourcegraph.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization; a separate 'Terms of Service for U.S. Federal Government Users' page exists but does not claim FedRAMP status.

    source: sourcegraph.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Sourcegraph states 'our servers and operations are located in the United States,' with international transfers for EEA/UK/Swiss users covered by Standard Contractual Clauses. Enterprise Self-Hosted deployments let the customer choose their own hosting region/infrastructure.

    Enterprise/Pro: 'Sourcegraph and Sourcegraph Partner LLMs do not use code from Cody Enterprise or Cody Pro teams to train models,' and third-party LLM providers operate under a Zero Retention commitment for input/output including embeddings. Free/individual tier on Sourcegraph.com: 'Cody does not train on your code unless you provide permission'; prompts/responses may be used to improve the user experience but 'none of it will be used to train any generally available models.' Enterprise customers who bring their own LLM key for a self-hosted deployment get no Sourcegraph access to prompts/responses at all. Note: the Zero Retention commitment explicitly does not apply if the customer brings their own LLM relationship, which is a tier-dependent carve-out worth flagging to buyers.

    // Security controls

    Encryption at rest and in transit

    All storage volumes are encrypted at rest, and data is encrypted during transport from code host to cloud environment. For self-hosted deployments, encryption at-rest and in-transit are configurable and highly recommended (not enforced by default).

    sourcegraph.com

    Third-party penetration testing

    3rd party penetration tests are conducted annually; internal audits of code and systems are run regularly.

    sourcegraph.com

    Environment isolation (Cloud)

    Customer instances are provisioned in fully segregated GCP environments per the trust center summary.

    security.sourcegraph.com

    // Products & data scope

    Cody Enterprise (Cloud / Starter)AI coding assistant, managed

    data: Reads customer code context via Sourcegraph Search API; prompts/responses collected solely to provide the service, not for product improvement; not used for model training.

    Covered by the ISO 27001:2022 and SOC 2 Type II scope per the vendor's certification blog post.

    Cody Enterprise Self-HostedAI coding assistant, self-hosted

    data: Deployed in customer's own infrastructure/region; if customer brings their own LLM API key, Sourcegraph has no access to prompts or responses at all.

    Also within the ISO 27001:2022 certification scope. Best option for buyers needing data residency control or a HIPAA/PHI-adjacent posture, though Sourcegraph itself does not claim HIPAA compliance.

    Cody Free / Pro (individual, non-enterprise)AI coding assistant, individual/prosumer

    data: Usage on Sourcegraph.com; prompts/responses may be used to improve UX but not to train generally available models.

    Lower assurance tier than Enterprise; not explicitly confirmed to be inside the ISO 27001/SOC 2 audit scope, which the vendor describes only in terms of Enterprise Self-Hosted, Enterprise Cloud, and Enterprise Starter.

    // What to watch

    • SOC 2 Type I is referenced only by third-party (non-vendor-domain) aggregator sites, not confirmed on any sourcegraph.com or security.sourcegraph.com page; graded held=false to avoid over-claiming, but SOC 2 Type II is solidly confirmed.
    • The vendor's ISO 27001:2022 and SOC 2 Type II scope statement explicitly names Enterprise Self-Hosted, Enterprise Cloud, and Enterprise Starter; it is not clear the free/individual Cody tier is inside that audit scope, so listings should not imply the free tier carries the same certifications.
    • The Zero Retention / no-training commitment for third-party LLM partners explicitly does not apply when a customer brings their own LLM relationship (BYO-LLM) — a meaningful tier-dependent carve-out buyers should be told about.
    • No HIPAA, PCI DSS, ISO 27017/27018, ISO/IEC 42001, CSA STAR, or FedRAMP evidence found on any vendor-owned domain; the trust center shows an 'EU AI Act' posture badge but no ISO 42001 AI-management certification.
    • The full Sourcegraph Security Trust Portal (security.sourcegraph.com, SafeBase-hosted) likely gates some documents (SOC 2 report, pentest report) behind an access request/NDA; only publicly visible badges and blog claims could be directly verified.

    // At a glance

    Pricing model

    Enterprise: custom/contract pricing starting around $16K, credit-based AI usage scaling with team size (contact sales); a free individual tier exists for non-enterprise use of Cody.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Sourcegraph, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    security.sourcegraph.com

    > Browse all vendor trust reports