// Trust & Security Report
Sourcegraph, Inc.
Cody is Sourcegraph's AI coding assistant (chat, autocomplete, edits, prompts) now sold as part of the Sourcegraph Enterprise platform alongside Code Search, Batch Changes and Code Insights. Deployment sub-products: Enterprise Cloud (multi-tenant), Enterprise Starter, and Enterprise Self-Hosted; a free individual tier (Cody Free/Cody on Sourcegraph.com) also exists for non-enterprise users.
Certifications held
4
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on sourcegraph.com“This certification affirms that Sourcegraph has implemented a comprehensive, independently audited security program... joins Sourcegraph's existing SOC 2 Type II attestation and compliance with GDPR and CCPA.”
Verify on sourcegraph.com“Sourcegraph is now ISO 27001:2022 certified... Certification Date: April 9, 2025. Scope covers Enterprise Self-Hosted, Enterprise Cloud, and Enterprise Starter, including Cody (Chat, Autocomplete, Prompt Library) and Code Search.”
Verify on sourcegraph.com“When Sourcegraph transfers personal data of EEA, Swiss, and UK residents outside of those regions, it does so via Standard Contractual Clauses approved by the European Commission... a Data Processing Agreement (DPA) aligned with GDPR is provided.”
> Show 7 unconfirmed / not-held certifications
source: sourcegraph.comNo public evidence on a Sourcegraph-owned domain confirms a standalone SOC 2 Type I report; only SOC 2 Type II is referenced on the vendor blog and trust center. Third-party aggregator sites (not vendor-owned) mention Type I but this could not be verified on sourcegraph.com.
source: sourcegraph.comWe do not intentionally collect government-issued identification numbers, health information, or other sensitive personal data. No public evidence of a signed BAA program, HIPAA attestation, or HIPAA badge on the trust center; Services are not represented as designed to store PHI.
source: security.sourcegraph.comNo public evidence of PCI DSS certification on sourcegraph.com or the trust center (security.sourcegraph.com); the product does not process cardholder payment data directly.
source: security.sourcegraph.comNo public evidence of ISO 27017 or ISO 27018 certification on the vendor trust center; only ISO/IEC 27001:2022 is displayed.
source: security.sourcegraph.comThe trust center displays an 'EU AI Act' compliance badge but no ISO/IEC 42001 certification badge or attestation; no public evidence of ISO 42001 certification.
source: security.sourcegraph.comNo public evidence of a CSA STAR registry entry or self-assessment referenced on the vendor trust center.
source: sourcegraph.comNo public evidence of FedRAMP authorization; a separate 'Terms of Service for U.S. Federal Government Users' page exists but does not claim FedRAMP status.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Sourcegraph states 'our servers and operations are located in the United States,' with international transfers for EEA/UK/Swiss users covered by Standard Contractual Clauses. Enterprise Self-Hosted deployments let the customer choose their own hosting region/infrastructure.
Enterprise/Pro: 'Sourcegraph and Sourcegraph Partner LLMs do not use code from Cody Enterprise or Cody Pro teams to train models,' and third-party LLM providers operate under a Zero Retention commitment for input/output including embeddings. Free/individual tier on Sourcegraph.com: 'Cody does not train on your code unless you provide permission'; prompts/responses may be used to improve the user experience but 'none of it will be used to train any generally available models.' Enterprise customers who bring their own LLM key for a self-hosted deployment get no Sourcegraph access to prompts/responses at all. Note: the Zero Retention commitment explicitly does not apply if the customer brings their own LLM relationship, which is a tier-dependent carve-out worth flagging to buyers.
// Security controls
Encryption at rest and in transit
All storage volumes are encrypted at rest, and data is encrypted during transport from code host to cloud environment. For self-hosted deployments, encryption at-rest and in-transit are configurable and highly recommended (not enforced by default).
sourcegraph.comThird-party penetration testing
3rd party penetration tests are conducted annually; internal audits of code and systems are run regularly.
sourcegraph.comEnvironment isolation (Cloud)
Customer instances are provisioned in fully segregated GCP environments per the trust center summary.
security.sourcegraph.com// Products & data scope
data: Reads customer code context via Sourcegraph Search API; prompts/responses collected solely to provide the service, not for product improvement; not used for model training.
Covered by the ISO 27001:2022 and SOC 2 Type II scope per the vendor's certification blog post.
data: Deployed in customer's own infrastructure/region; if customer brings their own LLM API key, Sourcegraph has no access to prompts or responses at all.
Also within the ISO 27001:2022 certification scope. Best option for buyers needing data residency control or a HIPAA/PHI-adjacent posture, though Sourcegraph itself does not claim HIPAA compliance.
data: Usage on Sourcegraph.com; prompts/responses may be used to improve UX but not to train generally available models.
Lower assurance tier than Enterprise; not explicitly confirmed to be inside the ISO 27001/SOC 2 audit scope, which the vendor describes only in terms of Enterprise Self-Hosted, Enterprise Cloud, and Enterprise Starter.
// What to watch
- SOC 2 Type I is referenced only by third-party (non-vendor-domain) aggregator sites, not confirmed on any sourcegraph.com or security.sourcegraph.com page; graded held=false to avoid over-claiming, but SOC 2 Type II is solidly confirmed.
- The vendor's ISO 27001:2022 and SOC 2 Type II scope statement explicitly names Enterprise Self-Hosted, Enterprise Cloud, and Enterprise Starter; it is not clear the free/individual Cody tier is inside that audit scope, so listings should not imply the free tier carries the same certifications.
- The Zero Retention / no-training commitment for third-party LLM partners explicitly does not apply when a customer brings their own LLM relationship (BYO-LLM) — a meaningful tier-dependent carve-out buyers should be told about.
- No HIPAA, PCI DSS, ISO 27017/27018, ISO/IEC 42001, CSA STAR, or FedRAMP evidence found on any vendor-owned domain; the trust center shows an 'EU AI Act' posture badge but no ISO 42001 AI-management certification.
- The full Sourcegraph Security Trust Portal (security.sourcegraph.com, SafeBase-hosted) likely gates some documents (SOC 2 report, pentest report) behind an access request/NDA; only publicly visible badges and blog claims could be directly verified.
// At a glance
Pricing model
Enterprise: custom/contract pricing starting around $16K, credit-based AI usage scaling with team size (contact sales); a free individual tier exists for non-enterprise use of Cody.
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Sourcegraph, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
security.sourcegraph.com