Data Management
Logs and analysis data are retained for 90 days. All data is deleted within 30 days of contract termination. Shorter retention periods are available on request.
All data is securely deleted within 30 days of contract termination. A Data Deletion Certificate is available upon request.
Source code is used only in memory during AI processing and is never persisted to disk. Infrastructure runs on AWS (us-east-1 / ap-northeast-1).
No, customer data is not used to train AI models. Codens uses the Anthropic Claude API, and under Anthropic's API terms data submitted via the API is not used to train Anthropic's models.
Daily automated snapshots are retained for 35 days. AWS Aurora Point-in-Time Recovery (PITR) is enabled for fine-grained restore.
Security Technology
All traffic is encrypted with TLS 1.2 or higher. HTTP is automatically redirected to HTTPS. Certificates are managed via AWS Certificate Manager.
All databases (AWS Aurora) and object storage (S3) are encrypted with AES-256. Encryption keys are managed by AWS KMS.
Authentication uses OAuth 2.0 / OIDC, with GitHub and Google as SSO providers. TOTP-based MFA is available for all accounts.
RBAC with three roles: Owner, Admin, and Member. Tenants are fully isolated at the organization level — no cross-tenant data access is possible.
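As an added illustration of the permission model above (example code, not Codens' own): an org-scoped authorization check where the tenant comparison runs before, and independently of, the role check, so a role granted in one organization can never reach another organization's data. The role names come from the FAQ; the action names, the permission matrix and the in-memory store are assumptions made for this example.

```python
"""Org-scoped RBAC check with three roles (Owner / Admin / Member) and
tenant isolation at the organization level, as the FAQ describes.

Added example, not Codens code. Role names are from the FAQ; the action
names, the permission matrix and the in-memory store are assumptions
made for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Assumed permission matrix: the FAQ names the roles but not the actions.
ROLE_PERMISSIONS = {
    "owner": {"read", "write", "manage_members", "delete_org"},
    "admin": {"read", "write", "manage_members"},
    "member": {"read", "write"},
}


@dataclass(frozen=True)
class Principal:
    user_id: str
    org_id: str  # tenant the authenticated session is bound to
    role: str


@dataclass(frozen=True)
class Resource:
    resource_id: str
    org_id: str  # owning tenant


# Constructed sample data: two tenants, one analysis run each.
STORE = {
    "run-001": Resource("run-001", "org-a"),
    "run-002": Resource("run-002", "org-b"),
}


def find_resource(org_id: str, resource_id: str) -> Optional[Resource]:
    """Tenant-scoped lookup: the caller's org is part of the key, so a
    resource owned by another org is indistinguishable from one that does
    not exist. This is the data-layer half of tenant isolation."""
    res = STORE.get(resource_id)
    if res is None or res.org_id != org_id:
        return None
    return res


def is_allowed(principal: Principal, action: str, resource: Resource) -> bool:
    """Authorization half: deny unless the principal's org owns the resource
    AND its role grants the action. The tenant check runs before the role
    check and is independent of it, so an Owner of org A never gains access
    to org B's data through this path. Unknown roles fail closed."""
    if principal.org_id != resource.org_id:
        return False
    return action in ROLE_PERMISSIONS.get(principal.role, set())


def can(principal: Principal, action: str, resource_id: str) -> bool:
    """Full check as an API handler would run it: scoped lookup, then RBAC."""
    res = find_resource(principal.org_id, resource_id)
    return res is not None and is_allowed(principal, action, res)


if __name__ == "__main__":
    owner_a = Principal("alice", "org-a", "owner")
    member_a = Principal("bob", "org-a", "member")
    for p, action, rid in [
        (owner_a, "delete_org", "run-001"),
        (owner_a, "read", "run-002"),        # cross-tenant: denied despite Owner
        (member_a, "manage_members", "run-001"),
    ]:
        verdict = "allow" if can(p, action, rid) else "deny"
        print(p.user_id, action, rid, "->", verdict)
```

The point of the two-layer shape is that an endpoint which only checks the role, or which looks resources up by ID without the caller's org in the query, lets an Owner of one organization read another's data; putting the org in the lookup key makes that class of bug structurally impossible rather than a matter of remembering a check.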
Codens uses the GitHub App model — no Personal Access Tokens are stored. Only the minimum required scopes are requested. Secrets are stored in AWS Secrets Manager.
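A check a customer can run on their side to confirm the "minimum required scopes" claim, as an added example that is not Codens' code: compare the permissions actually granted to a GitHub App installation against a least-privilege baseline. The JSON shape used here (a `permissions` map of permission name to `read`/`write`/`admin`, plus `repository_selection`) follows what the GitHub REST API returns for an installation object (for example from `GET /orgs/{org}/installations`); the sample installation document and the expected permission set are constructed for this example.

```python
"""Least-privilege review of a GitHub App installation's granted permissions.

Added example, not Codens code. The installation JSON shape follows the
GitHub REST API's installation object; the sample document and the
expected permission set below are constructed for illustration.
"""
LEVEL_RANK = {"read": 1, "write": 2, "admin": 3}

# Constructed sample: only the fields of an installation object that matter here.
SAMPLE_INSTALLATION = {
    "id": 12345678,
    "app_slug": "example-code-review-app",
    "repository_selection": "selected",
    "permissions": {
        "metadata": "read",
        "contents": "read",
        "pull_requests": "write",
        "members": "read",   # not needed for code review; should be flagged
    },
}

# Assumed least-privilege baseline for an app that reads code and comments on PRs.
EXPECTED_PERMISSIONS = {
    "metadata": "read",
    "contents": "read",
    "pull_requests": "write",
}


def audit_installation(installation: dict, expected: dict) -> list:
    """Return findings where granted permissions exceed the expected set.

    A permission is flagged if it is not in the baseline at all, or if its
    level (read < write < admin) is higher than the baseline level. An
    unrecognised level is ranked highest so it is never silently accepted.
    An installation on all repositories is also flagged, since the FAQ's
    model is per-repository least privilege.
    """
    findings = []
    granted = installation.get("permissions", {})
    for name in sorted(granted):
        level = granted[name]
        want = expected.get(name)
        if want is None:
            findings.append(f"unexpected permission: {name}={level}")
        elif LEVEL_RANK.get(level, 99) > LEVEL_RANK[want]:
            findings.append(f"over-privileged: {name}={level} (expected {want})")
    if installation.get("repository_selection") == "all":
        findings.append("installed on all repositories; restrict to selected repositories")
    return findings


if __name__ == "__main__":
    for finding in audit_installation(SAMPLE_INSTALLATION, EXPECTED_PERMISSIONS):
        print("FINDING:", finding)
```

Run it against the installation JSON for your organization after approving the app, and again whenever the app requests a permission change; an empty findings list is the expected result.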
All API requests are logged to AWS CloudWatch for 90 days, enabling full audit trails of who accessed what and when.
Operations & Incidents
Affected customers are notified by email within 72 hours of a confirmed security incident, including scope, status, and remediation steps.
Admins can immediately revoke access from the dashboard. With SSO, disabling the user in your IdP automatically invalidates all active Codens sessions.
Target RTO: 4 hours, RPO: 1 hour. Multi-AZ AWS deployment provides automatic failover with minimal downtime.
AWS Shield Standard is always active. CloudFront and AWS WAF provide additional rate-limiting and layer-7 protection.
Vulnerabilities rated CVSS 9.0 or higher are patched within 24 hours; those rated CVSS 7.0 to 8.9 within 7 days. Dependencies are continuously monitored via Dependabot.
Compliance
Key sub-processors: AWS (infrastructure), Anthropic (AI processing), GitHub (code integration). A complete and up-to-date list is available upon request.
External penetration tests are conducted at least annually. Results can be shared under NDA.
SOC 2 Type II is targeted for completion by end of 2026. ISO 27001 certification is planned for 2027.
Yes, a GDPR- and APPI-compliant DPA is available. Contact security@codens.ai to request one.
Yes, we carry cyber liability insurance. Policy details are available under NDA upon request.
Plain Text Version (for email / RFP responses)
=== Codens Security FAQ (2026-04-20) ===
[Data Management]
Q1. How long is data retained?
A. Logs and analysis data retained for 90 days. Deleted within 30 days of contract end.
Q2. Is data deleted when a contract ends?
A. All data securely deleted within 30 days. Data Deletion Certificate available on request.
Q3. Where is source code stored?
A. Used in memory during AI processing only — never persisted. AWS (us-east-1 / ap-northeast-1).
Q4. Is customer data used to train AI models?
A. No. Anthropic API data is not used for model training (per Anthropic API terms).
Q5. How are backups handled?
A. Daily snapshots retained 35 days. AWS Aurora Point-in-Time Recovery enabled.
[Security Technology]
Q6. Is data encrypted in transit?
A. All traffic TLS 1.2+. HTTP auto-redirects to HTTPS. Certs via AWS Certificate Manager.
Q7. Is data encrypted at rest?
A. Aurora DB + S3 encrypted with AES-256. Keys managed by AWS KMS.
Q8. What authentication methods are supported?
A. OAuth 2.0 / OIDC. GitHub & Google SSO. TOTP MFA available for all accounts.
Q9. What is the permission model?
A. RBAC: Owner / Admin / Member. Full tenant isolation at org level.
Q10. How are GitHub tokens managed?
A. GitHub App model — no PATs stored. Minimum required scopes only. Secrets in AWS Secrets Manager.
Q11. Are access logs maintained?
A. All API requests logged to AWS CloudWatch for 90 days. Full audit trail available.
[Operations & Incidents]
Q12. How are security incidents communicated?
A. Email notification within 72 hours, including scope, status, and remediation.
Q13. Can access be revoked immediately for departed employees?
A. Admins can revoke instantly. SSO: disabling in IdP invalidates all Codens sessions.
Q14. What are the DR targets?
A. RTO: 4 hours, RPO: 1 hour. Multi-AZ auto-failover on AWS.
Q15. What DDoS protection is in place?
A. AWS Shield Standard always active. CloudFront + AWS WAF for additional protection.
Q16. How are vulnerabilities handled?
A. CVSS 9.0+: patched within 24 hours. CVSS 7.0 to 8.9: patched within 7 days. Dependabot for deps.
[Compliance]
Q17. Who are your sub-processors?
A. AWS (infrastructure), Anthropic (AI), GitHub (code integration). Full list available on request.
Q18. Do you conduct penetration testing?
A. External pentest at least annually. Results shareable under NDA.
Q19. Do you plan to obtain SOC 2 / ISO 27001?
A. SOC 2 Type II targeted by end of 2026. ISO 27001 planned for 2027.
Q20. Can you provide a DPA?
A. Yes. GDPR- and APPI-compliant DPA available. Contact security@codens.ai.
Q21. Do you carry cyber liability insurance?
A. Yes. Policy details available under NDA.
---
Full Security Whitepaper coming July 2026.
Questions: security@codens.ai