SOC 2 Type II certified. AES-256 encryption at rest. TLS 1.3 in transit. Quarterly penetration testing. Enterprise on-premise deployment for regulated industries.
Security at the Core
Codex was designed from the first commit with the assumption that the platform would handle some of the most sensitive intellectual property in the world — production source code. Every subsystem, from the context engine to the inference pipeline, incorporates security controls at the architectural level rather than as a bolt-on compliance checklist.
Codex encrypts all customer data with AES-256 at rest and TLS 1.3 in transit, with key material managed through hardware security modules.
The Codex platform operates on a zero-trust architecture model. Every service authenticates to every other service using short-lived X.509 certificates issued by an internal certificate authority. No service-to-service communication occurs without mutual TLS authentication. The inference engine, which processes code context and generates suggestions, runs in an isolated compute environment with no outbound internet access — it communicates exclusively through an internal API gateway that enforces rate limiting, input validation, and request authentication.
Customer code traverses three distinct security boundaries within the platform. First, the transport layer encrypts all data between the developer's environment and Codex edge servers using TLS 1.3 with a strict cipher suite (no legacy algorithms permitted). Second, the processing layer decrypts data within an ephemeral container that is destroyed after each session — no code or context persists beyond the processing window. Third, the storage layer encrypts configuration metadata, team settings, and authentication tokens at rest using AES-256-GCM, with keys stored in a FIPS 140-2 Level 3 hardware security module.
The platform's security posture is informed by the NIST Cybersecurity Framework, specifically the Identify, Protect, Detect, Respond, and Recover functions. Codex maintains a formal risk register reviewed quarterly by the security engineering team, with all risks assigned an owner, remediation timeline, and verification procedure.
Codex holds SOC 2 Type II certification with annual audits covering security, availability, and confidentiality trust service criteria.
The SOC 2 Type II audit evaluates not just the design of Codex's security controls but their operational effectiveness over a six-month observation period. An independent CPA firm tests a sample of control activities — access reviews, change management approvals, incident response drills, backup restoration procedures — and verifies that each control operated as designed throughout the audit window. The most recent audit report is available to enterprise customers under NDA through the security compliance center.
For organizations subject to GDPR, Codex provides a Data Processing Agreement (DPA) that outlines the platform's role as a data processor, the categories of personal data processed (limited to account metadata and usage telemetry), and the technical measures in place. Codex processes all EU customer data within EU-hosted infrastructure, with no cross-border transfers to regions without an adequacy decision. Standard Contractual Clauses are available for customers who require them.
Codex does not use customer code, prompts, or generated outputs for model training — your intellectual property remains yours, period.
The platform distinguishes between three categories of data: code content (source files, prompts, generated outputs), account metadata (email, team name, billing information), and usage telemetry (feature adoption, latency metrics, error rates). Code content is processed ephemerally — it exists in memory only for the duration of the inference request and is never written to persistent storage. Account metadata is stored in an isolated database with column-level encryption for personally identifiable fields. Usage telemetry is anonymized and aggregated before it enters the analytics pipeline.
Data retention policies follow a strict lifecycle. Code content is not retained beyond the processing window. Account metadata is retained for the life of the account plus 30 days after deletion, at which point all records are purged from both primary and backup storage. Usage telemetry is retained for 13 months in aggregate form to support year-over-year trend analysis. Customers can request a data export or deletion at any time through the account settings page or by contacting the support team.
Independent security firms conduct quarterly penetration tests against the Codex platform, with all critical vulnerabilities resolved within 72 hours of confirmation.
Codex engages two separate security firms on a rotating schedule — no single firm tests the platform two quarters in a row, ensuring fresh eyes on each assessment. Testing scope includes the web application, API endpoints, CLI client, IDE plugins, and the underlying infrastructure. Testers are provided with standard user accounts (not administrative access) and are instructed to attempt privilege escalation, data exfiltration, and lateral movement within the environment. All findings are triaged within 24 hours and assigned a severity rating based on CVSS 3.1 scoring.
The internal vulnerability management program operates continuously alongside the quarterly external tests. Codex runs automated dependency scanning on every build, container image scanning in the CI pipeline, and dynamic application security testing against staging environments. A responsible disclosure policy invites external researchers to report vulnerabilities through a dedicated security contact channel, with acknowledgment within 48 hours and a publicly maintained hall of fame for verified reports.
The following table summarizes Codex's security certifications, the standards each aligns with, and the verification cadence.
| Certification / Standard | Scope | Status | Verification Cadence |
|---|---|---|---|
| SOC 2 Type II | Security, Availability, Confidentiality | Certified | Annual audit by independent CPA firm |
| TLS 1.3 | All data in transit (web, API, CLI, IDE) | Enforced | Continuous monitoring; quarterly cipher review |
| AES-256-GCM | All data at rest (storage, backups, logs) | Enforced | Continuous; key rotation every 90 days |
| FIPS 140-2 Level 3 | Encryption key management (HSM) | Compliant | Annual HSM audit |
| GDPR | EU customer data processing | Compliant | Annual DPA review; EU-hosted infrastructure |
| NIST CSF | Overall security program framework | Aligned | Quarterly risk register review |
| Penetration Testing | Full platform (web, API, CLI, IDE, infra) | Active | Quarterly by rotating independent firms |
| SAML / OIDC / SCIM | Enterprise identity provider integration | Supported | Continuous; tested against major IdP versions |
We operate in healthcare AI, so data security is non-negotiable. Codex's on-premise deployment and SOC 2 certification were the two factors that got our compliance team to sign off. The platform passed our security review faster than any vendor we have evaluated in the past three years.— Amara O. Bello, CTO at Vertex Health AI, Chicago
Yes, Codex holds SOC 2 Type II certification. An independent auditor verifies our security, availability, and confidentiality controls annually.
The SOC 2 Type II audit evaluates operational effectiveness over a sustained period — it is not a point-in-time snapshot. The auditor examines evidence including access logs, change management tickets, incident response records, and backup restoration test results across a six-month observation window. The most recent report covers the security, availability, and confidentiality trust service criteria. Enterprise customers may request the full audit report through their account representative, subject to a standard non-disclosure agreement. Codex has maintained continuous SOC 2 Type II certification since January 2025.
No. Codex never uses customer code for model training. Your source code, prompts, and generated outputs remain your intellectual property and are not retained for training purposes.
This prohibition is contractual and technical. The terms of service explicitly state that Codex will not use customer content to develop or improve its models. Technically, the inference pipeline is architected so that code content exists only in ephemeral memory — it is never written to a training corpus, never stored in a data lake, and never accessible to model fine-tuning infrastructure. This architecture is validated during the annual SOC 2 audit and during each quarterly penetration test. For enterprise customers requiring additional contractual safeguards, a custom data processing addendum is available.
All data in transit is encrypted with TLS 1.3. Data at rest is encrypted using AES-256. Encryption keys are managed via a hardware security module (HSM).
The TLS configuration enforces a strict cipher suite that excludes all algorithms with known weaknesses — only forward-secret ciphers with authenticated encryption are permitted. The AES-256-GCM implementation uses randomly generated initialization vectors for each encryption operation, with ciphertext authentication to detect tampering. The HSM is a FIPS 140-2 Level 3 certified device that performs all cryptographic operations (key generation, encryption, signing) within its tamper-resistant boundary; key material never leaves the HSM in plaintext form. Encryption keys are rotated every 90 days automatically, with the previous key version retained for a 30-day overlap period to support seamless rotation.
Yes. Independent security firms conduct penetration tests on the Codex platform quarterly. All critical findings are resolved before the next testing cycle.
Codex engages two separate security assessment firms that alternate quarters — this rotation ensures each test brings a fresh perspective rather than re-evaluating known surfaces. The scope of each test includes the web application, REST API, GraphQL endpoints, CLI client, VS Code and JetBrains IDE plugins, container images, and the cloud infrastructure configuration. Testers operate with standard user credentials and are challenged to escalate privileges, exfiltrate data, move laterally between services, and bypass authentication controls. Findings are triaged within 24 hours using CVSS 3.1 scoring. Critical findings (CVSS ≥9.0) trigger an immediate remediation sprint with a 72-hour resolution target. A summary of each test, including the number and severity distribution of findings, is published in the security compliance center.
Yes, Codex Enterprise supports on-premise deployment within your VPC or data center, with full data residency controls and air-gapped operation if required.
The Enterprise on-premise deployment packages the full Codex platform — inference engine, context analyzer, review engine, CLI gateway, and administration dashboard — as a set of container images that run entirely within the customer's infrastructure. No data leaves the customer's network boundary: code content, account metadata, and usage telemetry all remain within the designated environment. The deployment supports air-gapped operation (no outbound internet connectivity required after initial image pull) and integrates with the customer's existing identity provider, logging infrastructure, and monitoring systems. Deployment is managed through a Helm chart with configuration templates for common regulatory environments. Codex provides a dedicated deployment engineer for the initial installation and a 72-hour stabilization period with on-call support.
Enterprise-grade security, SOC 2 certification, and on-premise deployment options. Start free and see the platform in action.
Download Codex FreeLearn about our founding story, mission, and engineering philosophy.
Meet Dr. Marcus Chen and the technical vision behind our security-first architecture.
Compare tiers — on-premise deployment is available on Enterprise plans.
Access security-focused documentation and API references.
Request a security review or schedule a compliance walkthrough.
Organizations evaluating Codex security should understand that every component — from the AI code generation engine to the automated review pipeline — operates within a zero-trust architecture with mutual TLS authentication between all services. The Codex CLI and IDE plugins encrypt all communication with the platform using TLS 1.3, while the REST API enforces token-based authentication with configurable expiry policies. Enterprise customers using CI/CD automation can configure service accounts with narrowly scoped permissions that limit access to specific repositories and workflows.
Security documentation is maintained alongside the developer resource hub, with dedicated sections covering encryption specifications, identity provider integration (SSO and 2FA setup), and the on-premise deployment architecture. For a deeper understanding of the platform's design principles, review the Codex platform overview and the lead engineering team's approach to building security into the product from day one. Questions about specific compliance requirements can be directed to the team through the contact page. Pricing information, including Enterprise tier features, is available on the pricing plans page.