DocumentationSecurity & PrivacyData Encryption at Rest

Data Encryption at Rest

How CodeDD protects your source code during audit processing

Data Encryption at Rest

Source code is intellectual property. CodeDD encrypts files at rest throughout audit processing and deletes them securely when the audit completes.

Protection layers

In transit — all client and API traffic over HTTPS with modern TLS.

At rest — files encrypted in the audit cache immediately after indexing using Fernet symmetric encryption (AES-128-CBC + HMAC-SHA256). Authenticated tokens prevent tampering.

In memory — plaintext exists only transiently during analysis and is cleared afterward.

Key management

Encryption uses an installation-wide key with rotation support:

ENCRYPTION_KEY           — active key (required)
PREVIOUS_ENCRYPTION_KEYS — prior keys for rotation (comma-separated)

During rotation, older files decrypt with previous keys and re-encrypt with the active key on next access.

Timeline

Clone / scope confirm
  → File discovered and metrics calculated
  → File encrypted in audit cache
  → Plaintext purged from memory
  → Decrypted in memory only during analysis
  → Securely wiped after audit completion

Credential storage

  • Git OAuth tokens and PATs — encrypted at rest
  • CLI tokens — OS credential manager (Windows Credential Locker, macOS Keychain, Linux Secret Service)
  • LLM API keys — keychain only (CLI); never in config files

Database and metadata

Findings, scores, file paths, and LOC metrics are stored in the database. No source file content is persisted.

Hosting

Primary processing infrastructure is hosted in IONOS data centers in Germany. See Compliance & Certifications.

Compliance alignment

Encryption controls align with GDPR, SOC 2, and ISO 27001 requirements. Certification attestations are in progress.

Next steps