Data Encryption at Rest
How CodeDD protects your source code during audit processing
Data Encryption at Rest
Source code is intellectual property. CodeDD encrypts files at rest throughout audit processing and deletes them securely when the audit completes.
Protection layers
In transit — all client and API traffic over HTTPS with modern TLS.
At rest — files encrypted in the audit cache immediately after indexing using Fernet symmetric encryption (AES-128-CBC + HMAC-SHA256). Authenticated tokens prevent tampering.
In memory — plaintext exists only transiently during analysis and is cleared afterward.
Key management
Encryption uses an installation-wide key with rotation support:
ENCRYPTION_KEY — active key (required)
PREVIOUS_ENCRYPTION_KEYS — prior keys for rotation (comma-separated)
During rotation, older files decrypt with previous keys and re-encrypt with the active key on next access.
Timeline
Clone / scope confirm
→ File discovered and metrics calculated
→ File encrypted in audit cache
→ Plaintext purged from memory
→ Decrypted in memory only during analysis
→ Securely wiped after audit completion
Credential storage
- Git OAuth tokens and PATs — encrypted at rest
- CLI tokens — OS credential manager (Windows Credential Locker, macOS Keychain, Linux Secret Service)
- LLM API keys — keychain only (CLI); never in config files
Database and metadata
Findings, scores, file paths, and LOC metrics are stored in the database. No source file content is persisted.
Hosting
Primary processing infrastructure is hosted in IONOS data centers in Germany. See Compliance & Certifications.
Compliance alignment
Encryption controls align with GDPR, SOC 2, and ISO 27001 requirements. Certification attestations are in progress.

