Security Policy

Security is at the core of everything we build. Learn how we protect your code and data.

Last Updated: December 27, 2025

  • 256-bit Encryption: TLS 1.3
  • EU Data Centers: GDPR Compliant
  • 2FA Support: TOTP & WebAuthn
  • Regular Audits: Quarterly Reviews

Security Overview

QODRYX is built with security-first principles. As a platform that handles source code and sensitive development data, we understand the critical importance of protecting your intellectual property and maintaining the confidentiality of your projects.

Infrastructure Security

Hosting & Data Centers

  • Hosted on Vercel's enterprise infrastructure with SOC 2 Type II certification
  • Data stored in EU data centers (GDPR compliant)
  • Automatic failover and redundancy across multiple availability zones
  • DDoS protection and Web Application Firewall (WAF)

Network Security

  • All traffic encrypted with TLS 1.3
  • HSTS (HTTP Strict Transport Security) enforced
  • Regular audits of security headers (CSP, X-Frame-Options, etc.)

Data Security

Encryption

  • In Transit: TLS 1.3 for all data transmission
  • At Rest: AES-256 encryption for stored data
  • Passwords: bcrypt with cost factor 12
  • API Keys: Encrypted with unique per-key secrets

Code Handling

  • Your code is processed in memory - not stored permanently on our servers
  • Only analysis results and metadata are stored
  • GitHub OAuth tokens are encrypted and scoped to minimum required permissions
  • Repository access can be revoked at any time

Access Control

  • Two-Factor Authentication: TOTP and WebAuthn/passkeys supported
  • Role-Based Access Control: Granular permissions for team members
  • Session Management: Secure, HttpOnly, SameSite cookies
  • Audit Logging: All access and changes are logged
  • API Key Scoping: Keys can be limited to specific operations

Application Security

Security Testing

  • Continuous SAST scanning on our own codebase
  • Regular dependency vulnerability scanning
  • Automated security testing in CI/CD pipeline
  • Quarterly third-party security assessments

OWASP Top 10 Protection

We protect against all OWASP Top 10 vulnerabilities:

  ✓ Injection attacks (SQL, NoSQL, Command)
  ✓ Broken Authentication
  ✓ Sensitive Data Exposure
  ✓ XML External Entities (XXE)
  ✓ Broken Access Control
  ✓ Security Misconfiguration
  ✓ Cross-Site Scripting (XSS)
  ✓ Insecure Deserialization
  ✓ Using Components with Known Vulnerabilities
  ✓ Insufficient Logging & Monitoring

Vulnerability Disclosure

Responsible Disclosure Program

We welcome security researchers to report vulnerabilities responsibly. If you discover a security issue:

  1. Email us at security@qodryx.com
  2. Include detailed steps to reproduce the vulnerability
  3. Allow us reasonable time (90 days) to fix the issue
  4. Do not access or modify user data during testing

We will acknowledge your report within 48 hours and keep you informed of our progress.

Incident Response

In the event of a security incident, we follow a structured response plan:

  1. Detection & Assessment (0-1 hour): Identify scope and severity of the incident
  2. Containment (1-4 hours): Stop the incident and prevent further damage
  3. Notification (Within 72 hours): Notify affected users and authorities (GDPR requirement)
  4. Recovery & Review: Restore services and implement preventive measures

Compliance

GDPR

Full compliance with EU General Data Protection Regulation including data minimization, purpose limitation, and user rights.

EU AI Act

Transparent AI usage documentation and risk assessments for AI-powered features.

SOC 2 (Planned)

Working towards SOC 2 Type II certification for enterprise customers.

ISO 27001 (Planned)

Information security management system certification planned for 2026.

Security Contact

For security-related inquiries or to report vulnerabilities:

Security Team: security@qodryx.com

General: hello@qodryx.com