Security
Last updated: May 1, 2024
1. Our Commitment
At Codmir, security is foundational. We are committed to protecting your data, your code, and the integrity of your development workflows. This page outlines our security practices and how to report vulnerabilities.
2. Infrastructure Security
Our infrastructure is built with defense in depth:
- All data in transit is encrypted via TLS 1.2+
- Data at rest is encrypted using AES-256
- Services are deployed on isolated, managed infrastructure with automatic patching
- Network access is restricted via firewalls and private networking
- All deployments go through automated CI/CD with security checks
3. Authentication & Access Control
- Authentication is handled via secure session tokens — API keys and secrets are never exposed to the client
- OAuth 2.0 integration for third-party sign-in (GitHub, Google)
- Role-based access control (RBAC) for organization and project permissions
- CLI authentication uses opaque tokens with server-side validation
- All WebSocket connections are authenticated on handshake
4. AI & Agent Security
Codmir's AI workstation is designed with strict security boundaries:
- AI provider API keys are stored server-side only — never on the client or desktop app
- Agent tool calls classified as dangerous require explicit user approval before execution
- Agent execution is bounded (iteration limits, rate limits, cost caps)
- All AI interactions are metered and auditable
- MCP server processes run in isolated contexts with health monitoring
5. Data Privacy
- We do not sell or share your data with third parties for advertising
- Code and project data are scoped to your organization — no cross-tenant access
- AI providers receive only the data necessary for the requested operation
- You can delete your data at any time via account settings
- See our Privacy Policy for full details
6. Webhook & Integration Security
- GitHub webhooks are verified via HMAC signature (
x-hub-signature-256) - Integration tokens are encrypted at rest and scoped to minimal required permissions
- Third-party integration data flows are validated against typed schemas
7. Vulnerability Disclosure
If you discover a security vulnerability in Codmir, we appreciate your help in disclosing it responsibly.
Please report vulnerabilities to: [email protected]
We ask that you:
- Provide enough detail for us to reproduce the issue
- Give us reasonable time to respond before public disclosure
- Do not access or modify other users' data during testing
- Do not perform denial-of-service testing
We will acknowledge receipt within 48 hours and aim to resolve confirmed vulnerabilities promptly.
8. Compliance
We follow industry-standard security practices and are working toward formal compliance certifications. Our platform is designed to support teams with data residency and regulatory requirements.
9. Contact
For security concerns, contact us at [email protected].
For general inquiries, visit our Support page.
By using Codmir, you acknowledge that you have read and understood our security practices. For terms governing your use of the platform, see our Terms of Use and EULA.