QODRYX is an AI-powered DevOps platform that provides comprehensive security scanning, automated testing, one-click deployment, and real-time performance monitoring. It's designed to help development teams ship secure, tested code faster.

How does QODRYX secure AI-generated code?

QODRYX uses multiple security scanning tools including SAST (Static Application Security Testing), secret detection, dependency scanning, and AI-specific vulnerability patterns to identify security issues in AI-generated code before it reaches production.

What deployment platforms does QODRYX support?

QODRYX supports deployment to Vercel, Railway, Docker containers, and any VPS via SSH. It provides one-click deployment with automatic rollback capabilities.

Does QODRYX offer a free plan?

Yes, QODRYX offers a free plan that includes 50 security scans per month, 1 AI provider integration, and 3 deployments per month. Perfect for individual developers and small projects.

How does QODRYX compare to other DevOps tools?

Unlike single-purpose tools, QODRYX provides an all-in-one solution covering security, testing, deployment, and monitoring. It's specifically designed for AI-assisted development workflows and includes features like AI code review, cost tracking, and compliance automation.

Security Policy

How we protect your code and data

Our Security Commitment

At QODRYX, security is not an afterthought—it's foundational to everything we build. As a DevOps security platform, we hold ourselves to the highest security standards. This document outlines our security practices, compliance certifications, and how we protect your data.

Security-First Architecture

QODRYX is built with security-first principles. We practice what we preach—all 8 of our security features are implemented in our own platform.

Infrastructure Security

Cloud Infrastructure

Multi-Cloud Architecture: Distributed across AWS, GCP, and Azure
Data Centers: SOC 2 Type II certified facilities
Geographic Distribution: EU, US, and Asia-Pacific regions
Network Isolation: VPC isolation with strict firewall rules
DDoS Protection: Enterprise-grade protection at all layers

Server Security

Hardened OS images with minimal attack surface
Automated security patching within 24 hours of critical CVEs
Host-based intrusion detection (HIDS)
No public SSH access—all management via secure bastion
Immutable infrastructure with automated rebuilds

Data Protection

Encryption

Encryption at Rest

AES-256 encryption for all stored data, including databases, backups, and logs

Encryption in Transit

TLS 1.3 for all connections, with HSTS and certificate pinning

Key Management

AWS KMS / GCP Cloud KMS with automatic key rotation

Secrets Management

HashiCorp Vault for secrets with zero plaintext storage

Data Isolation

Tenant Isolation: Complete logical separation between customers
Database Segregation: Separate schemas per organization
Code Processing: Ephemeral containers destroyed after each scan
No Code Storage: Your code is never permanently stored on our servers

Data Retention

Data Type	Retention Period	Notes
Source Code	Not retained	Processed in memory, never stored
Scan Results	1 year	Configurable per plan
Workflow Logs	90 days - 1 year	Varies by plan
Audit Logs	1-7 years	Per compliance requirements
Account Data	Until deletion	14-day grace period after deletion

Application Security

Secure Development

Code Review: All changes require peer review
SAST/DAST: Automated security scanning on every commit
Dependency Scanning: Continuous monitoring for vulnerable packages
Secret Scanning: Pre-commit hooks prevent secret exposure
Penetration Testing: Annual third-party assessments

Authentication & Authorization

Password Requirements: Minimum 12 characters, complexity enforced
2FA/MFA: Available for all accounts, required for Enterprise
SSO/SAML: Enterprise SSO with major providers
Session Management: Configurable timeouts, secure tokens
RBAC: Fine-grained role-based access control

API Security

OAuth 2.0 and API key authentication
Rate limiting to prevent abuse
Request signing and validation
Audit logging of all API calls
IP whitelisting (Enterprise)

Compliance & Certifications

SOC 2 Type II

Certified

GDPR

Compliant

ISO 27001

In Progress

HIPAA

Available

PCI DSS

Compliant

CCPA

Compliant

GDPR Compliance

EU data residency option (Frankfurt, Ireland)
Data Processing Agreement (DPA) available
Right to access, rectify, and delete your data
Data portability in standard formats
Privacy by design principles

Incident Response

Our Process

Detection: 24/7 monitoring with automated alerting
Triage: Security team assesses severity within 15 minutes
Containment: Immediate action to limit impact
Investigation: Root cause analysis and forensics
Recovery: Restore services and implement fixes
Communication: Notify affected customers per SLA
Post-Mortem: Document lessons learned and improvements

Notification Timeline

Severity	Initial Notification	Updates
Critical	Within 1 hour	Every 2 hours
High	Within 4 hours	Every 6 hours
Medium	Within 24 hours	Daily

Vulnerability Disclosure

We maintain a responsible disclosure program for security researchers:

Reporting a Vulnerability

Email security@qodryx.com with details
Include steps to reproduce the issue
Do not publicly disclose until we've addressed it
We'll acknowledge within 24 hours
We target fixes within 90 days for critical issues

Bug Bounty Program

We offer rewards for responsibly disclosed vulnerabilities:

Critical: $1,000 - $5,000
High: $500 - $1,000
Medium: $100 - $500
Low: Recognition and swag

Employee Security

Background Checks: All employees undergo thorough screening
Security Training: Mandatory annual security awareness training
Access Control: Least-privilege access with regular reviews
Device Security: Encrypted laptops, MDM, endpoint protection
Clean Desk Policy: No sensitive data on physical media

Physical Security

We don't operate our own data centers
Cloud providers handle physical security
AWS, GCP, and Azure facilities are SOC 2 certified
24/7 security, biometric access, video surveillance

Business Continuity

Availability

SLA: 99.9% uptime guarantee (Enterprise: 99.99%)
Redundancy: Multi-region deployment with automatic failover
Backups: Continuous with point-in-time recovery
DR Testing: Quarterly disaster recovery drills

Status & Communication

Monitor service status at status.qodryx.com. Subscribe for real-time incident notifications.

Security Best Practices for Users

Recommendations

Enable two-factor authentication on your account
Use unique, strong passwords or a password manager
Review connected applications regularly
Rotate API keys periodically (every 90 days)
Use scoped API keys with minimum required permissions
Monitor your audit logs for suspicious activity

Contact Security Team

For security questions, concerns, or to report vulnerabilities:

Email: security@qodryx.com
PGP Key: Available at /security.txt
Response Time: Within 24 hours for security inquiries

Next Steps

← Account Settings

Manage your account security

Troubleshooting →

Common issues and solutions