Security is Core to Everything We Do

We know that your source code is one of your most valuable and sensitive assets. For most development teams, it's a literal representation of your most important work product.

Access to your Source Tree

CodeStream servers do not require access to your source code. To establish links between discussion threads and blocks of code, we use commit IDs and line number offsets, which are captured by the IDE when the thread is created. This approach allows us to build the service without our servers requiring access to the source tree itself.

Data Storage

• CodeStream offers both a cloud solution, and for those customers whose code discussions cannot leave their network, and on-premises installation option.
• For customers who use the Slack or Microsoft Teams back-end, CodeStream stores the meta-data needed to display codemarks in the IDE.  This is limited to line number offsets, commit IDs and the selected code block.
  
• For customers using CodeStream messaging, we additionally store the conversations, user profile and team information.
  

Access Controls

• Access to all internal systems is protected by a VPN, and is regularly reviewed and revoked upon termination or when no longer needed.
  
• Within the network, access is further restricted by employee responsibility or roles using ssh and IP range based network packet filters.
  
• Application and server logs are maintained on Loggly, a log aggregation and querying solution.
  
• Company policy prevents customer data from being downloaded to portable devices, such as laptops.
  
• Servers are monitored using New Relic.
  

Network Security

• The cloud version of CodeStream is hosted on AWS (https://aws.amazon.com/security/), where all storage volumes are encrypted at rest. CodeStream on-prem runs in a docker container in your company's infrastructure.
  
• All external network communication between production services occur over HTTPS / TLS.
  
• Systems are protected using network and server packet filters which limit all outside access to only those public services we provide.
  
• Our dedicated security team at CodeStream handles all security escalations, and is available 24/7.
  
• Customer data can be deleted from all primary and backup systems within 7 days of request.
  

Site Security

• All data from codestream.com is transmitted over HTTPS.
  
• Monitoring services alert our 24/7 support team of potential attacks.
  

General Data Protection Regulation (GDPR)

CodeStream is committed to helping our users understand the rights and obligations under the General Data Protection Regulation (GDPR), which took effect on May 25, 2018. We have introduced tools and processes to ensure our compliance with requirements imposed by the GDPR and to help our customers comply as well.

Bug Reports

If you think you have found a security issue, please email us at security@codestream.com. Please do not publicly disclose the issue or any related information until we have had a chance to review it and respond to you.

CodeStream provides monetary rewards, up to $5000, for properly reported security issues. The reward is determined by the severity of the issue, the percentage of users impacted, and the likelihood of encountering the vulnerability under normal use of our service.