
What security/compliance docs does Sourcegraph provide for vendor review (SOC 2 Type II, ISO 27001, data handling, AI posture)?
Most security teams hit the same wall during vendor review: you don’t just need marketing claims about SOC 2 Type II or “Zero data retention.” You need concrete, downloadable security and compliance documentation you can attach to a ticket, share with risk, and line up against your internal standards.
This page walks through what security/compliance docs Sourcegraph provides for vendor review—covering SOC 2 Type II, ISO 27001 alignment, data handling, and AI posture—and how to get them.
What security and compliance documentation is available?
For a typical vendor risk or third‑party security review, Sourcegraph can provide:
- A SOC 2 Type II report
- A security brief / overview of platform controls
- A single‑tenant cloud security guide
- Cody (AI) security and legal whitepaper
- Data handling / privacy posture (including “no model training,” “zero data retention,” and context filters)
- Public security portal content (policies, certifications, audit coverage)
- Audit logging description and governance controls (SSO, SCIM, RBAC)
Most of this is accessible via the Sourcegraph Security Portal, with sensitive artifacts (like the full SOC 2 Type II report) typically shared under NDA as part of a formal vendor review.
SOC 2 Type II documentation
Sourcegraph has a SOC 2 Type II report that covers security controls over a defined audit period.
What you can expect to receive during vendor review:
- Full SOC 2 Type II report (under NDA):
  - Independent auditor attestation
  - Description of Sourcegraph’s system and controls
  - Tests of operating effectiveness and results
- SOC 2 summary / confirmation:
  - High‑level description of scope
  - Confirmation of report type and coverage
From a buyer’s perspective, this is the primary artifact your security team will want to see to validate that controls are not only designed but also operating effectively over time.
ISO 27001 and other standards
Today, Sourcegraph highlights:
- SOC 2 Type II compliance
- Operation in accordance with GDPR and CCPA
Many customers also ask about ISO 27001. Sourcegraph’s public language emphasizes SOC 2 Type II as the primary certification and notes enterprise‑grade security controls and governance. If your internal checklist explicitly calls for ISO 27001, your account team can:
- Confirm current certification status
- Provide mapping of existing controls to ISO 27001 domains, where available
- Share additional security documentation (e.g., security brief, cloud security guide) that your team can use to complete a compensating‑controls assessment if needed
Practically, most regulated enterprises I’ve worked with accept SOC 2 Type II + documented controls as equivalent or stronger evidence than ISO 27001 alone, especially when combined with data handling and AI posture details (covered next).
Data handling, privacy, and retention posture
Sourcegraph’s vendor review documentation will include specifics on how customer data is handled, stored, and retained. The key posture, which your privacy and security teams will care about, looks like this:
Data handling and ownership
- Customer retains full ownership: You retain ownership of all Sourcegraph inputs and outputs. This includes code, metadata, prompts, and AI‑generated suggestions.
- No training on your data: Models used by Sourcegraph are not trained on your data. Your repositories, prompts, and AI interactions are not fed back into training pipelines.
- GDPR + CCPA alignment: Sourcegraph is compliant with the CCPA and operates in accordance with GDPR data protection regulations. Documentation from the security portal can help your privacy team complete a data protection assessment (DPA/DPIA).
Data retention and logs
- Zero data retention for LLM inference: Inference data used to generate responses is not retained beyond what’s required to process the request. This aligns with the “Zero data retention” posture often required by security teams evaluating AI tools.
- Audit logs: Sourcegraph provides audit logs of security and access events, allowing your security team to:
  - Trace user activity
  - Investigate incidents
  - Demonstrate control effectiveness to your own auditors
Your vendor review packet will typically include descriptions of what is logged, how long logs are retained, and how they can be accessed.
AI security posture and guardrails
If your review is specifically focused on AI risk, your team will want to understand Sourcegraph’s AI posture as deeply as they understand the core platform. The key artifacts and themes here are:
Cody security and legal whitepaper
This whitepaper is the central AI‑specific document and typically covers:
- How Cody and Deep Search interact with your codebase
  - Where inference happens
  - What context is sent to models
  - How prompts and responses are handled and stored (or not stored)
- IP and legal safeguards
  - Full IP indemnity for code generated by Sourcegraph
  - Guardrails to prevent generation of code that violates OSS licensing
- Model governance
  - Data flows for different deployment options
  - How model providers are selected and controlled
  - How context filters and guardrails are enforced
AI data protection and context control
For AI‑specific risk assessments, Sourcegraph provides detail on:
- Context Filters
  - Ability to filter specific repositories, directories, or files from being sent to AI models
  - Support for pattern‑based or label‑based exclusions
  - This lets you keep highly sensitive code (e.g., cryptography, secrets management implementations) out of AI context while still using Sourcegraph across the broader codebase.
- Public code guardrails
  - Mechanisms to detect and block AI suggestions that may incorporate code in ways that violate OSS licensing or your internal guidelines
  - Additive protection on top of your standard code review and SAST/DAST practices
- No model training
  - Explicit statement that your data is not used to train models—critical for organizations that prohibit training on customer data or require strict data locality.
From a risk team standpoint, this gives you the ability to say: yes, we can use AI, but with strict controls on what code can be sent, no training on our data, and explicit guardrails around OSS and IP.
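To make the context-filter model concrete, here is an added example of a deny-before-allow policy evaluator. It is illustrative code written for this page, not Sourcegraph’s implementation or its configuration syntax: the `ContextFilterPolicy` schema, the repository regexes, path globs and labels are all hypothetical, and the sample repositories and files are constructed. The point it demonstrates is that exclusion rules are checked before any include rule, so a sensitive repository or file can never be re-admitted to model context by a broad include pattern, and that every withheld candidate is recorded with the reason it was dropped.

```python
"""Deny-before-allow context filter (added example; not Sourcegraph code)."""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ContextFilterPolicy:
    """Hypothetical rule set deciding which files may be sent to a model as context."""
    include_repos: tuple[str, ...] = ()           # regexes on repo name; empty means every repo
    exclude_repos: tuple[str, ...] = ()           # regexes on repo name; exclusion always wins
    exclude_paths: tuple[str, ...] = ()           # glob patterns on the path inside the repo
    exclude_labels: frozenset[str] = frozenset()  # labels attached to a file, e.g. "restricted"


@dataclass(frozen=True)
class ContextCandidate:
    """A file the AI layer would like to include as context."""
    repo: str
    path: str
    labels: frozenset[str] = frozenset()


def evaluate(policy: ContextFilterPolicy, cand: ContextCandidate) -> tuple[bool, str]:
    """Return (allowed, reason).

    Exclusion rules are evaluated first so that a broad include pattern can never
    re-admit a repo, path or label that a narrower exclude rule has blocked.
    A candidate matched by no include rule is denied by default.
    """
    for pat in policy.exclude_repos:
        if re.search(pat, cand.repo):
            return False, f"repo excluded by pattern {pat!r}"
    for pat in policy.exclude_paths:
        if fnmatch.fnmatchcase(cand.path, pat):
            return False, f"path excluded by pattern {pat!r}"
    hit = policy.exclude_labels & cand.labels
    if hit:
        return False, f"excluded by label(s) {sorted(hit)}"
    if policy.include_repos and not any(re.search(p, cand.repo) for p in policy.include_repos):
        return False, "repo not covered by any include rule (default deny)"
    return True, "allowed"


def filter_context(policy: ContextFilterPolicy, candidates: list[ContextCandidate]):
    """Split candidates into (allowed, dropped); each entry pairs a candidate with its reason.

    Keeping the dropped list with reasons gives the security team an auditable
    record of what was withheld from the model and why.
    """
    allowed: list[tuple[ContextCandidate, str]] = []
    dropped: list[tuple[ContextCandidate, str]] = []
    for cand in candidates:
        ok, reason = evaluate(policy, cand)
        (allowed if ok else dropped).append((cand, reason))
    return allowed, dropped


# Constructed sample policy: only the "acme" org is in scope, and cryptography,
# secrets material and anything labelled "restricted" never reach a model.
POLICY = ContextFilterPolicy(
    include_repos=(r"^git\.example\.com/acme/",),
    exclude_repos=(r"/acme/crypto-core$", r"/acme/secrets-"),
    exclude_paths=("*.pem", "*/secrets/*", "config/vault*"),
    exclude_labels=frozenset({"restricted"}),
)

# Constructed candidates exercising each rule type.
SAMPLE = [
    ContextCandidate("git.example.com/acme/web-app", "src/handlers/login.go"),
    ContextCandidate("git.example.com/acme/crypto-core", "aes/gcm.go"),          # excluded despite include match
    ContextCandidate("git.example.com/acme/web-app", "deploy/secrets/db.yaml"),  # path glob
    ContextCandidate("git.example.com/acme/web-app", "certs/tls.pem"),           # path glob
    ContextCandidate("git.example.com/acme/billing", "ledger.go", frozenset({"restricted"})),
    ContextCandidate("git.example.com/partner/shared-lib", "util.go"),           # outside include scope
]

if __name__ == "__main__":
    ok, dropped = filter_context(POLICY, SAMPLE)
    for cand, reason in ok + dropped:
        print(f"{cand.repo}:{cand.path} -> {reason}")
```

Running the block shows only `src/handlers/login.go` reaching the model; the other five candidates are dropped with a reason string that a review team could forward to its SIEM or attach to evidence for an AI risk committee. Whatever the real product’s syntax looks like, the property worth verifying during vendor review is the same one this code makes explicit: a match on an exclusion rule must be final.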
Sourcegraph Cloud and deployment security docs
Many enterprises ask two separate questions during review:
1. Is the platform itself secure?
2. Is the hosting model (cloud vs. self‑hosted) acceptable for our risk posture?
For (1), the SOC 2 Type II report, security brief, and audit logging documentation cover core platform security controls.
For (2), you’ll typically see:
Single‑tenant cloud security guide
If you’re evaluating Sourcegraph Cloud, there is a single‑tenant cloud security guide that explains:
- Isolation model
  - Single‑tenant per customer
  - Segregation of data and compute
- Infrastructure and operations
  - How updates, patching, and monitoring are handled
  - Backup and recovery approach
- Access controls
  - Who at Sourcegraph can access what, under what conditions
  - Just‑in‑time or break‑glass access patterns
This is the artifact your infrastructure and security architecture teams will want to review.
Self‑hosted / on‑premises posture
For self‑hosted deployments (including air‑gapped or highly regulated environments), the security documentation will generally describe:
- Supported deployment models
- How Sourcegraph integrates with your existing:
  - Identity providers (SAML, OpenID Connect, OAuth)
  - User lifecycle management (SCIM)
  - Role‑based access control (RBAC)
For vendor review, this matters because you can assert that:
- Sourcegraph respects the same access model as your other internal systems
- AI access is constrained by the same RBAC and identity controls as human users
Identity, access, and governance documentation
Enterprise security reviews rarely stop at certifications. Your governance team will want to know how Sourcegraph fits into your existing identity and access stack.
You can expect documentation that covers:
- Single Sign-On (SSO):
  - Support for SAML, OpenID Connect, and OAuth
  - How to integrate with your existing IdP (Okta, Azure AD, etc.)
- SCIM user management:
  - Automated provisioning and deprovisioning
  - Role assignment patterns
- Role-based Access Controls (RBAC):
  - How roles and permissions are structured
  - How repository‑level and org‑level access is enforced
  - How access limits are applied to AI features (humans and agents see only what they’re permitted to see)
- Audit logs:
  - Events captured (login, permission changes, repo access, admin actions, etc.)
  - How logs can be exported or integrated with your SIEM
This set of documentation makes it easier for your internal teams to sign off, because it shows that Sourcegraph can be governed with the same controls you already use for sensitive internal systems.
How to request Sourcegraph’s security/compliance docs during vendor review
If you’re running a formal vendor review for Sourcegraph, the fastest path is:
1. Engage your Sourcegraph contact
   - Ask for access to the Sourcegraph Security Portal
   - Request the specific artifacts your process requires (e.g., SOC 2 Type II report, security brief, AI/Cody whitepaper, cloud security guide)
2. Share your internal questionnaire
   - Most large organizations have a standard security or privacy questionnaire
   - Sourcegraph’s security and legal teams are used to filling these out and attaching relevant documentation
3. Align on AI‑specific questions early
   - If your review includes an AI risk committee, flag AI posture questions early—especially around:
     - “No model training” requirements
     - Data residency / retention
     - Context restrictions for sensitive repositories
   - The Cody security and legal whitepaper plus the context filters documentation typically cover what AI review boards need.
4. Loop in your governance team
   - Share docs on SSO, SCIM, RBAC, and audit logs
   - Confirm that Sourcegraph can align with your existing identity and access policies
What this means for your evaluation
When you ask “What security/compliance docs does Sourcegraph provide for vendor review (SOC 2 Type II, ISO 27001, data handling, AI posture)?”, you’re really asking whether your security, privacy, and AI risk teams will have enough concrete evidence to approve the tool.
In practice, the answer is yes:
- SOC 2 Type II gives you formal third‑party attestation.
- Security briefs and cloud guides cover architecture, hosting, and operational controls.
- AI/Cody whitepaper lays out data flows, guardrails, and IP protections.
- Data handling and privacy docs make GDPR/CCPA and “zero retention” expectations explicit.
- Identity, RBAC, and audit logging docs show how Sourcegraph fits into your existing governance model.
If you’re ready to kick off a formal review or need specific compliance artifacts for your internal process, the next step is to talk directly with the team.