CodeRadar's threat model assumes the system is processing the most sensitive operational data the portfolio's products produce. Architecture is shaped accordingly: project-scoped row isolation, KMS-protected secrets, OpenTelemetry-native auditability, no third-party trackers.
Subprocessors, security questionnaire responses, SOC 2 evidence (when attested), and the SOC 3 public PDF are available through our trust portal. NDA-gated documents auto-issue once you sign in with a corporate email.
The full list is also mirrored in the trust portal so that anyone who has subscribed is notified of changes.

| Subprocessor | Service | Data type | Region |
|---|---|---|---|
| Google Cloud Platform | Compute (Cloud Run), storage (GCS, Cloud SQL Postgres), Secret Manager | error events, replays, project config, secrets ciphertext | us-central1 (US); EU region planned 2026-Q3 |
| ClickHouse Inc. | self-hosted on GCP VM (operated by us), event analytics columnar store | error_events rows | us-central1 (US) |
| Memorystore (GCP) | Redis for dashboard sessions and rate-limit buckets | session JWTs, ephemeral rate-limit counters | us-central1 (US) |
| Stripe | billing PII for hosted-tier customers | customer email, billing address, last-4 card | US / EU per Stripe data residency |
| OpenRouter | LLM relay for the AI fix pipeline (varies by model) | error message + diff context (PII-scrubbed) only when AI fix opted in | varies by model — see openrouter.ai/docs/policies |
| Drata | SOC 2 / compliance evidence collection | read-only Postgres connection to admin metadata; no customer event data | US |

Last updated 2026-05-05. Customers on contracts that require advance notice of subprocessor changes will be notified per their MSA.
Every event, trace, and span row is keyed by project_id. The query layer enforces project access with row-level checks against Postgres-backed access tables. There is no cross-project data flow at the application layer — a member of project A simply cannot query project B unless explicitly added.
The dashboard's project picker is the only way to switch context. Internally that switches the JWT scope and re-queries. Server-side queries always include the project_id filter; this is enforced at the routing layer, not just the UI.
Public DSN keys are write-only and project-scoped. Personal access tokens are scoped to a list of projects and can be revoked per-token. Slack webhooks, email keys, and webhook secrets are stored as ciphertext in Google Secret Manager; the managed plane reads them via a service-account binding and never sees plaintext outside the in-memory request scope.
Self-hosted deployments use the same architecture; the Helm chart binds to AWS KMS, GCP KMS, or HashiCorp Vault for the encryption-at-rest envelope.
Three public endpoints: ingest.coderadar.app, api.coderadar.app, cdn.coderadar.app. All TLS 1.3, all behind Google Cloud Armor (managed plane). The dashboard at app.coderadar.app requires an authenticated session (email/password today; Clerk SSO + RelayOne MSP federation planned).
Outbound traffic from CodeRadar is restricted to your configured channels (Slack, email, webhook) and the model-backend endpoints used by the AI fix pipeline (when opted in). There is no telemetry phone-home.
Within the admin org, CodeRadar is multi-tenant on project boundaries. Cross-tenant data flow at the application layer is prevented by the same row-level checks. The same approach applies to the managed-external tier when it lands.
The audit_log table records every state-changing action: alert rule changes, project member changes, DSN rotation, retention overrides. Audit-log exports are per-project and personal-access-token authenticated. SOC 2 Type I evidence pack is in progress; report expected by end of 2026.
SDKs ship with a default scrub list (auth headers, password fields, common PII patterns). Override per project via beforeSend in the SDK init. Server-side, ingest applies a second-layer scrub for known credential patterns (Slack tokens, OpenAI keys, Stripe live keys) so leaked secrets never land in the events table.
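An added sketch of what a second-layer credential scrub of this kind can look like; it is not CodeRadar's ingest code. The regexes are approximations of the three token shapes named above, and the function names, the event layout and the `[REDACTED:...]` marker are assumptions.

```python
import re
from collections import Counter

# Approximate token shapes (assumptions); tune them against real key formats.
CREDENTIAL_PATTERNS = {
    "slack_token": re.compile(r"\bxox[abprs]-[0-9A-Za-z-]{10,}"),
    "openai_key": re.compile(r"\bsk-(?:proj-)?[A-Za-z0-9_-]{20,}"),
    "stripe_live_key": re.compile(r"\b(?:sk|rk)_live_[0-9A-Za-z]{16,}"),
}


def scrub_string(text, hits):
    """Replace every credential match with a typed marker and count it."""
    for name, pattern in CREDENTIAL_PATTERNS.items():
        def redact(_match, name=name):
            hits[name] += 1
            return f"[REDACTED:{name}]"
        text = pattern.sub(redact, text)
    return text


def scrub_event(value, hits=None):
    """Return (scrubbed copy, Counter of hits); the input is not mutated."""
    hits = Counter() if hits is None else hits
    if isinstance(value, str):
        return scrub_string(value, hits), hits
    if isinstance(value, dict):
        return {k: scrub_event(v, hits)[0] for k, v in value.items()}, hits
    if isinstance(value, (list, tuple)):
        return [scrub_event(v, hits)[0] for v in value], hits
    return value, hits  # numbers, booleans, None pass through untouched


# Constructed sample event; token bodies are filler characters, not real keys.
SAMPLE_EVENT = {
    "project_id": "proj_demo",
    "message": "POST failed with Authorization: Bearer sk_live_" + "0" * 24,
    "breadcrumbs": [
        {"category": "http",
         "data": {"url": "https://hooks.example/?t=xoxb-" + "1" * 12 + "-EXAMPLE"}},
        # Looks like "sk-..." mid-word; the \b anchor keeps it from matching.
        {"category": "console", "message": "task-" + "a" * 24 + " finished"},
    ],
    "extra": {"env": {"OPENAI_API_KEY": "sk-proj-" + "A" * 32}, "retries": 3},
}

if __name__ == "__main__":
    scrubbed, hits = scrub_event(SAMPLE_EVENT)
    print(scrubbed, dict(hits))
```

The per-pattern hit counts are worth emitting as a metric: a non-zero count means a secret got past the SDK-side scrub and should be rotated even though it never reached storage.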
The Apache 2.0 CodeWatch core can be run entirely on your own infrastructure with no outbound dependency on us. Run it air-gapped, run it in a sovereign cloud, run it in a customer's VPC. The protocol does not require the managed plane.
Reports go to [email protected]. The PGP key fingerprint and a coordinated-disclosure policy are available on request. Critical reports get acknowledged within one business day, triaged within three.
In-scope: CodeRadar managed-plane vulnerabilities, SDK vulnerabilities, ingest/query auth bypass, project-isolation breaks, source-map fetch flaws. Out-of-scope: denial-of-service against the marketing site; social engineering of staff; physical attacks. Eligible reports receive a bounty under our coordinated-disclosure program.