Compliance

ROPA

Record of Processing Activities for Codity.ai, including data categories, storage systems, retention windows, and transfer safeguards.

Last updated: March 10, 2026.

Controller / processor role

  • Customer workspace data — Codity generally acts as a processor on behalf of the customer.
  • Marketing and website interactions — Codity acts as a controller for demo requests, cookie preferences, and account inquiries.

Data categories and processing purpose

  • Identity and contact data (email, billing/admin contacts) for account setup, support, and service communications.
  • Repository and review metadata (PR diffs, comments, file metadata) for automated code review and analysis features.
  • Security and audit telemetry (access logs, auth events, review audit trails) for platform security, abuse prevention, and compliance evidence.
  • Billing records (plan, invoices, payment references) for subscription lifecycle and financial reporting obligations.

Data storage systems and locations

  • Primary application data store — Hosted on AWS-managed infrastructure with encryption at rest (AES-256).
  • Primary processing regions — US-East (N. Virginia), EU-West (Frankfurt), AP-Southeast (Singapore), depending on customer deployment and contractual selection.
  • Backups — Encrypted backups retained for 30 days and then automatically purged.
  • Secrets and credentials — Managed with least-privilege controls and routine rotation.

Retention schedule

  • Account and billing records — Retained for the subscription term and legal/finance retention requirements.
  • Security and audit logs — Retained for at least 12 months.
  • Demo request consent evidence — Retained with contact audit context for compliance verification.
  • Repository processing outputs — Retained per workspace settings and deleted on request or at contract termination, except where legal hold applies.

Recipients and subprocessors

  • Access is limited to authorized Codity personnel on a least-privilege basis with MFA and audit logging.
  • Approved subprocessors are contractually bound by data protection terms and assessed through vendor risk review.
  • Customers may request the current subprocessor list and transfer mechanisms through privacy@codity.ai.

International data transfers

Cross-border transfers are protected by contractual and technical safeguards, including Standard Contractual Clauses (SCCs), DPA commitments, encryption in transit (TLS 1.2+), and role-based access restrictions.

Data subject rights workflow

  • Requests are handled through privacy@codity.ai with identity verification and a ticketed audit trail.
  • GDPR rights requests are tracked against statutory response windows.
  • Deletion and correction actions are propagated to relevant systems and subprocessors where legally required.

This ROPA is reviewed at least annually and after material product, infrastructure, or regulatory changes.