// Trust & Security Report

    Sweep AI, Inc. logo

    Sweep AI, Inc.

    AI coding assistant plugin (agent + "Tab" next-edit autocomplete + AI code review) for JetBrains IDEs, with additional VS Code and Zed editor support per vendor docs; originated as an open-source GitHub-issue-to-PR bot (github.com/sweepai/sweep) which still exists as a self-hostable/enterprise deployment path alongside the current hosted JetBrains-focused product.

    Certifications held

    2

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    "Sweep is SOC 2 Type 2 compliant. We encrypt all data at rest and in transit." (docs.sweep.dev/privacy). Corroborated on the marketing home page: "SOC 2 Compliant / Privacy-first — Enterprise-ready with SOC 2 compliance and zero data retention."

    Verify on docs.sweep.dev
    GDPR (posture)
    HELD

    "When our processing is subject to international laws, including but not limited to the General Data Protection Regulation ('GDPR') that governs individuals located in the European Economic Area ('EEA'), we collect and process your Personal Data using one or more of the following legal bases..." plus explicit EEA/UK/Switzerland transfer safeguards: "we will use available safeguards and legal mechanisms to help ensure your rights and protections, including using Standard Contractual Clauses."

    Verify on sweep.dev
    > Show 6 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence on sweep.dev or docs.sweep.dev. Note: some third-party aggregator/search summaries mention ISO/IEC 27001 in connection with the name "Sweep," but that traces to a DIFFERENT company (trust.sweep.net / security.sweep.io, an unrelated enterprise-systems/RevOps metadata platform) and does not apply to sweep.dev.

    source: docs.sweep.dev
    HIPAA
    NOT CONFIRMED

    No public evidence. No mention of HIPAA, BAAs, or healthcare-data handling anywhere on sweep.dev, docs.sweep.dev, or the privacy/terms PDFs checked.

    source: sweep.dev
    PCI DSS
    NOT CONFIRMED

    No PCI DSS statement published. Privacy policy indicates card data is handled by a third-party payment processor rather than Sweep itself: "Sweep does not directly process or store your entire credit card number, but we do direct that information to our third-party payment processors for processing." PCI scope, if any, sits with that processor, not confirmed as Sweep's own certification.

    source: sweep.dev
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence. Not referenced anywhere on the vendor domain.

    source: sweep.dev
    CSA STAR
    NOT CONFIRMED

    No public evidence. Not referenced anywhere on the vendor domain.

    source: sweep.dev
    FedRAMP
    NOT CONFIRMED

    No public evidence. Not referenced anywhere on the vendor domain.

    source: sweep.dev

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Not offered

    Data region

    United States: "Our Services are hosted in the United States and information we collect will be stored and processed on our servers in the United States." For EEA/UK/Switzerland users, Sweep states it uses Standard Contractual Clauses or consent as transfer safeguards.

    Training posture is conditional on a user-toggled "Privacy Mode" documented at docs.sweep.dev/privacy: with Privacy Mode enabled, "Zero data retention will be enabled for our model providers and none of your code will ever be trained on by us or any third-party" (user inputs, codebase contents, and AI outputs all show "Zero data retention" / "No training"). With Privacy Mode disabled, Sweep states it "may use and store data to improve Sweep including codebase data, prompts, and code snippets." The default state of this toggle for free vs. paid/enterprise tiers was not confirmed on any vendor page checked, hence trains_on_customer_data is recorded as null (conditional, not a fixed answer).

    // Security controls

    Encryption in transit

    "We encrypt all data at rest and in transit."

    docs.sweep.dev

    Encryption at rest

    "We encrypt all data at rest and in transit."

    docs.sweep.dev

    Data retention (toggleable Privacy Mode)

    Zero data retention and no model training on code when Privacy Mode is enabled; data may be stored/used to improve the product when Privacy Mode is disabled.

    docs.sweep.dev

    SOC 2 auditor / trust-center portal

    Not published. The SOC 2 Type 2 claim is a self-attestation on sweep.dev/docs.sweep.dev; no linked auditor report, audit firm name, or third-party trust-center portal (e.g. Vanta/Drata/Secureframe) was found to independently corroborate it.

    docs.sweep.dev

    Payment data handling

    Card/bank details are routed to a third-party payment processor; Sweep does not directly store full card numbers.

    sweep.dev

    Data subject rights

    Right to access, correct, restrict, delete, and port Personal Data, offered globally regardless of jurisdiction, free of charge (absent manifestly unfounded/excessive requests).

    sweep.dev

    // Products & data scope

    Sweep for JetBrains IDEsAI coding assistant (IDE plugin: agent + Tab autocomplete + AI code review)

    data: Indexes the user's codebase for context-aware agent/autocomplete suggestions; code and prompts sent to Sweep's own or configured model providers, subject to the Privacy Mode toggle.

    Primary/flagship product per the current sweep.dev marketing site; 4.9 stars, 40k+ installs claimed; free download plus paid tiers.

    Sweep for VS Code / ZedAI coding assistant (IDE plugin)

    data: Same data handling as the JetBrains version per docs.sweep.dev editor list.

    Listed in Sweep's own documentation navigation alongside JetBrains support; not featured on the current sweep.dev home page, which markets JetBrains specifically.

    Sweep self-hosted / enterprise deployment (GitHub App)Self-hosted AI coding agent for GitHub repositories

    data: Full repository/codebase access via a GitHub App installation; deployment documented in the open-source github.com/sweepai/sweep repo (Dockerfile/docker-compose present) with an enterprise license key obtained by contacting team@sweep.dev.

    Legacy of Sweep's original open-source "AI junior developer" GitHub-issue-to-PR product; enterprise support (fine-tuning, index caching, usage dashboards) is sold separately and not detailed in public security terms.

    // What to watch

    • Identity conflation risk: multiple unrelated companies use the "Sweep" name. sweep.dev (JetBrains/VS Code/Zed AI coding assistant, evaluated here) is a DIFFERENT company from "Sweep" at sweep.io / trust.sweep.net / security.sweep.io (an unrelated enterprise-systems/RevOps metadata platform, "the agentic layer for your enterprise systems"). General web search summaries blend the two and may attribute trust.sweep.net's SOC 2/ISO 27001 trust-center content to sweep.dev -- that content was excluded from this assessment after direct verification on sweep.io showed it is a distinct entity.
    • SOC 2 Type 2 claim is a vendor self-attestation on sweep.dev's own marketing and docs pages; no auditor name, audit report link, or third-party trust-center/compliance-automation portal (e.g. Vanta, Drata) was found on the vendor domain to independently corroborate it.
    • No ISO 27001, HIPAA, PCI DSS, ISO/IEC 42001, CSA STAR, or FedRAMP evidence found anywhere on sweep.dev's own domain.
    • The published Privacy Policy PDF (sweep.dev/privacy.pdf, last updated March 15, 2024) still uses language from Sweep's earlier open-source GitHub-bot product ("issues", "repositories", "commits", "project contributions") rather than the current JetBrains/VS Code/Zed IDE-plugin product -- a minor drift between legacy policy language and the current product surface, not a contradiction that changes the compliance facts but worth noting for procurement diligence.
    • AI-training posture is conditional on a user-toggled "Privacy Mode": zero retention / no training when enabled, but data may be used to improve the product when disabled. The default state of this toggle for free vs. paid/enterprise tiers was not confirmed on any public page.
    • No standalone, publicly linked Data Processing Agreement (DPA) was found; the privacy policy only references a DPA in the context of a company's own commercial agreement with Sweep, implying DPAs are available on request for enterprise customers but are not self-serve/public.

    // At a glance

    Pricing model

    Freemium: free plugin download plus paid subscription tiers; separate enterprise licensing/self-hosted deployment available on request (contact team@sweep.dev).

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Sweep AI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    sweep.dev

    > Browse all vendor trust reports