Enterprise Security & Compliance

Bank-grade security architecture for enterprises and regulated industries

Enterprise SaaS - Private Infrastructure Deployment

Code Comprehend is Enterprise SaaS software with flexible deployment options. This model ensures complete data sovereignty for organizations with strict security and compliance requirements.

Security Through Infrastructure Isolation

Unlike traditional cloud SaaS where data resides in vendor infrastructure, Code Comprehend operates entirely within private security perimeters. We provide the software; organizations provide the infrastructure. Source code, analysis results, and metadata remain under organizational control.

Deployment Options:

  • On-Premises: Physical datacenter installation with optional air-gapped configuration
  • Private Cloud: Dedicated deployment in private AWS/Azure/GCP VPC environments
  • Air-Gapped: Fully disconnected deployment for classified or highly sensitive environments

Result: Source code never traverses external networks. Code Comprehend has no access to protected data.

Data Protection & Encryption

Encryption in Transit

All data transmitted between your systems and Code Comprehend is encrypted using TLS 1.3, the latest industry standard for secure communication.

Encryption at Rest

All stored data, including source code and analysis results, is encrypted using AES-256 encryption. Customer-managed encryption keys (CMEK) available for Enterprise plans.

Data Isolation

Multi-tenant architecture with logical data separation. Enterprise customers can opt for dedicated single-tenant deployments with physical isolation.

Data Residency

Choose where your data is stored and processed. We support data residency requirements for US, EU, and other regions based on your compliance needs.

Access Control & Authentication

  • Multi-Factor Authentication (MFA): Required for all user accounts, supporting TOTP, SMS, and hardware tokens
  • Single Sign-On (SSO): SAML 2.0 and OAuth 2.0 support for enterprise identity providers (Okta, Azure AD, Google Workspace)
  • Role-Based Access Control (RBAC): Granular permissions to control who can view, analyze, or manage projects
  • API Key Management: Secure API authentication with key rotation, expiration policies, and IP whitelisting
  • Session Management: Automatic session timeout, secure cookie handling, and device tracking

Infrastructure Security

  • Cloud Infrastructure: Hosted on SOC 2 Type II certified cloud providers (AWS/Azure/GCP) with multi-region redundancy
  • Network Security: Firewalls, intrusion detection/prevention systems (IDS/IPS), and DDoS protection
  • Private Hosting: Enterprise customers can deploy Code Comprehend in their own private cloud or on-premises environment
  • Container Security: Isolated execution environments with automated vulnerability scanning of all container images
  • Backup & Recovery: Automated daily backups with 30-day retention, tested disaster recovery procedures

Application Security

Secure Development

  • Code reviews
  • Static analysis (SAST)
  • Dependency scanning
  • Security training

Vulnerability Management

  • Continuous scanning
  • Patch management
  • Penetration testing
  • Bug bounty program

Application Hardening

  • Input validation
  • SQL injection prevention
  • XSS protection
  • CSRF tokens

Audit & Monitoring

  • Comprehensive Audit Logs: All user actions, API calls, and system events are logged with timestamps, user IDs, and IP addresses
  • Real-Time Monitoring: 24/7 security operations center (SOC) monitoring for anomalous activity and security threats
  • Alerting: Automated alerts for suspicious activity, failed login attempts, and policy violations
  • Log Retention: Audit logs retained for 1 year (configurable for Enterprise customers)
  • Customer Access: Enterprise customers can export audit logs for their own compliance and forensic analysis

Compliance & Certifications

Current Compliance

  • SOC 2 Type II: Annual audits of security, availability, and confidentiality controls
  • GDPR: Full compliance with EU data protection regulations
  • CCPA: California Consumer Privacy Act compliance
  • ISO 27001: Information security management system (in progress)

Industry-Specific Support

  • HIPAA: Business Associate Agreements (BAA) available for healthcare customers
  • PCI DSS: Payment Card Industry compliance for financial institutions
  • FedRAMP: Roadmap for US federal government customers
  • SOX: Controls to support Sarbanes-Oxley compliance

Incident Response

We maintain a comprehensive incident response plan to quickly detect, contain, and remediate security incidents:

  1. Detection: Automated monitoring and alerting systems identify potential security incidents
  2. Response: Dedicated security team investigates and contains the incident within 1 hour of detection
  3. Notification: Affected customers notified within 24 hours of confirmed data breach
  4. Remediation: Root cause analysis, security patches, and preventive measures implemented
  5. Post-Mortem: Detailed incident report shared with affected customers

Employee Security

  • Background checks for all employees with access to customer data
  • Mandatory security awareness training and annual refresher courses
  • Confidentiality and non-disclosure agreements signed by all personnel
  • Principle of least privilege: employees only access data necessary for their role
  • Immediate access revocation upon termination

Third-Party Security

We carefully vet all third-party vendors and service providers:

  • Security assessments and compliance verification before engagement
  • Data processing agreements (DPA) with all vendors handling customer data
  • Annual security reviews of critical vendors
  • Vendor list available to Enterprise customers upon request

AI Models and Local Processing

AI Processing Within Private Infrastructure

AI models deploy and execute entirely within private infrastructure. All code analysis occurs locally without external dependencies:

  • Local AI Execution: Pre-trained models deploy with the software package and execute within private infrastructure
  • No External API Calls: Analysis completes without internet connectivity or cloud service dependencies
  • Bring Your Own Model (BYOM): Support for organization-provided or fine-tuned models operating locally
  • Air-Gapped Compatible: Full functionality in disconnected environments without internet access
  • No Model Training on Private Code: Source code is not used for model training by design—Code Comprehend has no access to private data

Reporting Security Issues

If you discover a security vulnerability in Code Comprehend, please report it responsibly:

Email: security@codecomprehend.ai

Response Time: We acknowledge reports within 24 hours and provide status updates every 72 hours

Bug Bounty: We operate a private bug bounty program. Contact us for details.

Please do not publicly disclose vulnerabilities until we have had a chance to address them.

Questions or Concerns?

Code Comprehend LLC

Security & Compliance Team

Email: security@codecomprehend.ai

General Inquiries: info@codecomprehend.ai

Phone: 770-380-7755

Atlanta, GA 30097, United States

This Security page was last updated on November 18, 2025. We continuously improve our security posture and update our practices to address emerging threats.