April 28, 2026

Security at CodeSync: How We Protect Your Code

We take security seriously. Here's what we actually do (not just what we write in marketing sheets).

End-to-End Encryption (For Enterprise)

If you're on the Enterprise plan, you can turn on E2EE. When it's on, your code gets encrypted in your browser before it leaves your computer. We literally can't see it — not even metadata about which files are in your project.

The encryption key is derived from your password using Argon2id (a slow, memory-hard function that makes brute-forcing painful). We never store your unencrypted password or the derived key. If you forget your password, we can't decrypt your data — that's the trade-off of E2EE.

The Basic Stuff (Which Still Matters)

Even without E2EE: data in transit is TLS 1.3, data at rest is AES-256. Our TLS config uses only modern ciphers (no RC4, no SHA-1). We require perfect forward secrecy (ECDHE) so even if someone records your traffic and later steals our private key, they can't decrypt the past.
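One way to check a TLS setup against the policy in the paragraph above (TLS 1.3, no RC4, no SHA-1, ECDHE), using Python's standard `ssl` module. This is an added example, not CodeSync's own code; the function names and the sample cipher descriptions are constructed for illustration.

```python
import ssl

# Key-exchange labels that give forward secrecy. OpenSSL reports every
# TLS 1.3 suite as "kx-any"; TLS 1.3 certificate handshakes always use (EC)DHE.
FORWARD_SECRET_KX = {"kx-ecdhe", "kx-any"}


def suite_violations(suite):
    """Check one cipher description (SSLContext.get_ciphers() format)."""
    found = []
    if "rc4" in (suite.get("symmetric") or "").lower():
        found.append("RC4")
    if (suite.get("digest") or "").lower() == "sha1":
        found.append("SHA-1")
    if suite.get("kea") not in FORWARD_SECRET_KX:
        found.append("no ECDHE")
    return found


def audit_context(ctx):
    """Report whether ctx is TLS 1.3-only and which negotiable suites break policy."""
    tls13_only = ctx.minimum_version == ssl.TLSVersion.TLSv1_3
    bad = {}
    for suite in ctx.get_ciphers():
        # With a TLS 1.3 floor, older suites stay listed but cannot be negotiated.
        if tls13_only and suite["protocol"] != "TLSv1.3":
            continue
        problems = suite_violations(suite)
        if problems:
            bad[suite["name"]] = problems
    return {"tls13_only": tls13_only, "bad_suites": bad}


def hardened_server_context():
    """Server context matching the stated policy (certificate loading omitted)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


# Constructed sample descriptions, not captured from any real server.
SAMPLE_LEGACY = {"name": "RC4-SHA", "protocol": "SSLv3", "symmetric": "rc4",
                 "digest": "sha1", "kea": "kx-rsa"}
SAMPLE_TLS13 = {"name": "TLS_AES_256_GCM_SHA384", "protocol": "TLSv1.3",
                "symmetric": "aes-256-gcm", "digest": None, "kea": "kx-any"}

if __name__ == "__main__":
    print(suite_violations(SAMPLE_LEGACY))
    print(audit_context(hardened_server_context()))
```

Running `audit_context` on a context without the TLS 1.3 floor lists every enabled legacy suite that would break the policy, which is the useful view when reviewing an existing configuration.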

At rest, each customer gets a unique encryption key (not a global key — that would be dumb). Keys are rotated every 90 days and stored in an HSM (hardware security module). If the HSM gets compromised, we rotate keys. It's layered defense.

SOC 2 (The Thing Enterprise Customers Ask About)

We're SOC 2 Type II certified. What that actually means: an independent auditor spent a week with us, reviewed our security controls, interviewed our engineers, and verified that we're actually doing what we say we're doing. It's not just a PDF we bought — it's an actual audit.

Enterprise customers can request our SOC 2 report under NDA. Email security@codesync.dev and we'll send it. Fair warning: it's dry reading.

Internal Access (Who Can See What)

We use RBAC (role-based access control) internally. No single employee has "god mode" access to production. Developers can deploy code, but can't access user data without a specific reason (and that access is logged). We follow the OWASP guidelines for secure coding, though "secure" is a process, not a checklist.

All internal access requires 2FA (we use YubiKeys, not just TOTP). If you're an employee and you don't have 2FA, you can't access anything in production. That's non-negotiable.

Reporting Bugs (We Won't Sue You)

If you find a security vulnerability, email security@codesync.dev. We respond within 48 hours. We have a private bug bounty program (not public yet, but we pay researchers who find real bugs).

What we won't do: sue you for responsibly disclosing a vulnerability. What we ask: don't publicly disclose until we've had a chance to fix it (30 days max).


Questions about security? Email security@codesync.dev. We actually answer (not an auto-reply).