// Trust & Security Report
Sweep AI, Inc.
AI coding assistant plugin (agent + "Tab" next-edit autocomplete + AI code review) for JetBrains IDEs, with additional VS Code and Zed editor support per vendor docs; originated as an open-source GitHub-issue-to-PR bot (github.com/sweepai/sweep) which still exists as a self-hostable/enterprise deployment path alongside the current hosted JetBrains-focused product.
Certifications held
2
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on docs.sweep.dev“"Sweep is SOC 2 Type 2 compliant. We encrypt all data at rest and in transit." (docs.sweep.dev/privacy). Corroborated on the marketing home page: "SOC 2 Compliant / Privacy-first — Enterprise-ready with SOC 2 compliance and zero data retention."”
Verify on sweep.dev“"When our processing is subject to international laws, including but not limited to the General Data Protection Regulation ('GDPR') that governs individuals located in the European Economic Area ('EEA'), we collect and process your Personal Data using one or more of the following legal bases..." plus explicit EEA/UK/Switzerland transfer safeguards: "we will use available safeguards and legal mechanisms to help ensure your rights and protections, including using Standard Contractual Clauses."”
> Show 6 unconfirmed / not-held certifications
source: docs.sweep.devNo public evidence on sweep.dev or docs.sweep.dev. Note: some third-party aggregator/search summaries mention ISO/IEC 27001 in connection with the name "Sweep," but that traces to a DIFFERENT company (trust.sweep.net / security.sweep.io, an unrelated enterprise-systems/RevOps metadata platform) and does not apply to sweep.dev.
source: sweep.devNo public evidence. No mention of HIPAA, BAAs, or healthcare-data handling anywhere on sweep.dev, docs.sweep.dev, or the privacy/terms PDFs checked.
source: sweep.devNo PCI DSS statement published. Privacy policy indicates card data is handled by a third-party payment processor rather than Sweep itself: "Sweep does not directly process or store your entire credit card number, but we do direct that information to our third-party payment processors for processing." PCI scope, if any, sits with that processor, not confirmed as Sweep's own certification.
source: sweep.devNo public evidence. Not referenced anywhere on the vendor domain.
source: sweep.devNo public evidence. Not referenced anywhere on the vendor domain.
source: sweep.devNo public evidence. Not referenced anywhere on the vendor domain.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not offered
Data region
United States: "Our Services are hosted in the United States and information we collect will be stored and processed on our servers in the United States." For EEA/UK/Switzerland users, Sweep states it uses Standard Contractual Clauses or consent as transfer safeguards.
Training posture is conditional on a user-toggled "Privacy Mode" documented at docs.sweep.dev/privacy: with Privacy Mode enabled, "Zero data retention will be enabled for our model providers and none of your code will ever be trained on by us or any third-party" (user inputs, codebase contents, and AI outputs all show "Zero data retention" / "No training"). With Privacy Mode disabled, Sweep states it "may use and store data to improve Sweep including codebase data, prompts, and code snippets." The default state of this toggle for free vs. paid/enterprise tiers was not confirmed on any vendor page checked, hence trains_on_customer_data is recorded as null (conditional, not a fixed answer).
// Security controls
Data retention (toggleable Privacy Mode)
Zero data retention and no model training on code when Privacy Mode is enabled; data may be stored/used to improve the product when Privacy Mode is disabled.
docs.sweep.devSOC 2 auditor / trust-center portal
Not published. The SOC 2 Type 2 claim is a self-attestation on sweep.dev/docs.sweep.dev; no linked auditor report, audit firm name, or third-party trust-center portal (e.g. Vanta/Drata/Secureframe) was found to independently corroborate it.
docs.sweep.devPayment data handling
Card/bank details are routed to a third-party payment processor; Sweep does not directly store full card numbers.
sweep.devData subject rights
Right to access, correct, restrict, delete, and port Personal Data, offered globally regardless of jurisdiction, free of charge (absent manifestly unfounded/excessive requests).
sweep.dev// Products & data scope
data: Indexes the user's codebase for context-aware agent/autocomplete suggestions; code and prompts sent to Sweep's own or configured model providers, subject to the Privacy Mode toggle.
Primary/flagship product per the current sweep.dev marketing site; 4.9 stars, 40k+ installs claimed; free download plus paid tiers.
data: Same data handling as the JetBrains version per docs.sweep.dev editor list.
Listed in Sweep's own documentation navigation alongside JetBrains support; not featured on the current sweep.dev home page, which markets JetBrains specifically.
data: Full repository/codebase access via a GitHub App installation; deployment documented in the open-source github.com/sweepai/sweep repo (Dockerfile/docker-compose present) with an enterprise license key obtained by contacting team@sweep.dev.
Legacy of Sweep's original open-source "AI junior developer" GitHub-issue-to-PR product; enterprise support (fine-tuning, index caching, usage dashboards) is sold separately and not detailed in public security terms.
// What to watch
- Identity conflation risk: multiple unrelated companies use the "Sweep" name. sweep.dev (JetBrains/VS Code/Zed AI coding assistant, evaluated here) is a DIFFERENT company from "Sweep" at sweep.io / trust.sweep.net / security.sweep.io (an unrelated enterprise-systems/RevOps metadata platform, "the agentic layer for your enterprise systems"). General web search summaries blend the two and may attribute trust.sweep.net's SOC 2/ISO 27001 trust-center content to sweep.dev -- that content was excluded from this assessment after direct verification on sweep.io showed it is a distinct entity.
- SOC 2 Type 2 claim is a vendor self-attestation on sweep.dev's own marketing and docs pages; no auditor name, audit report link, or third-party trust-center/compliance-automation portal (e.g. Vanta, Drata) was found on the vendor domain to independently corroborate it.
- No ISO 27001, HIPAA, PCI DSS, ISO/IEC 42001, CSA STAR, or FedRAMP evidence found anywhere on sweep.dev's own domain.
- The published Privacy Policy PDF (sweep.dev/privacy.pdf, last updated March 15, 2024) still uses language from Sweep's earlier open-source GitHub-bot product ("issues", "repositories", "commits", "project contributions") rather than the current JetBrains/VS Code/Zed IDE-plugin product -- a minor drift between legacy policy language and the current product surface, not a contradiction that changes the compliance facts but worth noting for procurement diligence.
- AI-training posture is conditional on a user-toggled "Privacy Mode": zero retention / no training when enabled, but data may be used to improve the product when disabled. The default state of this toggle for free vs. paid/enterprise tiers was not confirmed on any public page.
- No standalone, publicly linked Data Processing Agreement (DPA) was found; the privacy policy only references a DPA in the context of a company's own commercial agreement with Sweep, implying DPAs are available on request for enterprise customers but are not self-serve/public.
// At a glance
Pricing model
Freemium: free plugin download plus paid subscription tiers; separate enterprise licensing/self-hosted deployment available on request (contact team@sweep.dev).
Self-hostable
Yes
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Sweep AI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-09. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
sweep.dev