Security
Compliance
We’re in the process of getting our SOC 2 Type II certification. The observation period should be completed by the end of October 2025.
If you need more information, please contact us at support@codspeed.io.
What we’re already doing
While our SOC 2 Type II audit is in progress, we already follow security best practices to keep your data safe:
- All data is encrypted at rest and in transit using industry-standard protocols
- Encrypted backups with restricted access and automated rotation
- Minimal data collection: we only store what’s strictly necessary to generate reports
- CI-only data processing: we don’t store source code or large benchmark inputs
- Mandatory 2FA for all CodSpeed team members
- Least privilege access across services and cloud resources
- Role-based access control (RBAC) for teams and organizations
- Scoped API tokens with fine-grained access controls
- Audit logs for key actions and permission changes
- Infrastructure as code with peer-reviewed changes via pull requests
- Dependency and container scanning built into our CI