Compliance
Effective 2026-06-12
Our current compliance posture — what we do today, what has not started, and what we will scope with Enterprise customers.
- GDPR: EU residents have the right to access, correct, export, and delete their data via email. We rely on the GDPR-compliance posture of our sub-processors (Vercel, Supabase, Stripe, Resend, PostHog, Sentry) — we do not yet maintain our own master DPA.
- CCPA: California residents have the right to know what data we collect, request deletion, and opt out of any data sales (we don't sell data).
- SOC 2 Type II: Not yet started. We will begin a SOC 2 Type II observation when a design partner has it as a procurement requirement. Until then, we will not present SOC 2 controls as if certified, and bridge letters are not available.
- HIPAA: Not yet offered. We can discuss BAA paths with healthcare teams once we have design partners in regulated environments. The analysis engine itself can be configured to flag PII/PHI patterns.
GDPR
CodeTitan is designed to comply with GDPR from the ground up. The analysis engine runs on your own machine or CI runner — your source code is not transmitted to our servers. If you opt into a cloud feature we receive only a findings report, never your repository. Personal data in account records is processed lawfully under contract (Article 6(1)(b)) or legitimate interest.
- Data Subject Rights: Email privacy@codetitan.dev to access, correct, export, or delete your data. Self-service from Settings is on the roadmap.
- Data Processing Addendum: We do not yet publish a standard DPA. We will produce one when a design partner needs it for procurement.
- Sub-processors: Listed below.
Sub-processors
We use a small number of third-party providers to operate the service:
- Vercel — Web hosting and edge runtime
- Supabase — Database and authentication
- Stripe — Payment processing
- Resend — Transactional email
- PostHog — Product analytics (EU region; cookieless configuration, IP collection disabled)
- Sentry — Error monitoring
Each sub-processor publishes its own DPA and GDPR-compliance posture. We rely on their published terms; we do not yet maintain our own master DPA.
SOC 2 Type II
We have not yet begun a SOC 2 Type II observation period. We will start one when a design partner has it as a procurement requirement and we can pair with a real auditor. Until then, we will not present SOC 2 controls as if certified, and bridge letters are not available.
If SOC 2 is a procurement requirement for your organization, contact enterprise@codetitan.dev and we will be honest about the timeline.
HIPAA
We do not yet offer Business Associate Agreements. The analysis engine itself can be configured to flag potential PII/PHI patterns, but offering a BAA requires controls we have not yet implemented or audited. Healthcare teams should treat CodeTitan as not-yet-HIPAA-eligible.
CCPA
We do not sell California residents' personal information. California residents can request a summary of the personal data we hold and request deletion at any time by contacting privacy@codetitan.dev.
Questions or requests
For compliance documentation, DPA requests, or enterprise security reviews, email enterprise@codetitan.dev.