Security

How we protect your code and data

Overview

At Capy, security isn't an afterthought — it's foundational to how we build. We understand that you're trusting us with your most valuable asset: your code. Here's how we protect it.

SOC 2 Compliance

Capy is SOC 2 Type II compliant. Our security controls are independently audited to ensure we meet the highest standards for data security, availability, and confidentiality.

Zero Data Retention

Your code is never stored on our servers beyond the duration of an active session. We maintain a strict zero data retention policy:

  • Code is processed in isolated, ephemeral environments
  • No code is used for model training or improvement
  • Sessions are fully purged upon completion
  • We contractually guarantee zero retention with our AI providers

Infrastructure Security

  • Encryption: All data is encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Isolation: Each workspace runs in an isolated container with no shared state
  • Access Control: Role-based access with SSO/SAML support for enterprise
  • Network: VPC-isolated infrastructure hosted on AWS in SOC 2-certified data centers

AI Provider Security

We partner with leading AI providers who share our commitment to security:

  • Zero retention agreements with all model providers (Anthropic, OpenAI, Google)
  • No customer code is used for training by any provider
  • Enterprise customers can use their own API keys (BYOK) for additional control

Data Handling

  • Storage: Minimal metadata stored for billing and analytics only
  • Retention: Code and session data are purged immediately after the session ends
  • Location: All data processed in US-based data centers
  • Backups: Account metadata backed up with encryption; no code in backups

Vulnerability Reporting

If you discover a security vulnerability, please report it to security@capy.ai. We take all reports seriously and will respond within 24 hours.

Enterprise Security

For organizations with additional security requirements, our Enterprise plan includes:

  • Dedicated infrastructure options
  • Custom data residency
  • Advanced audit logging
  • SSO with SAML/OIDC
  • Dedicated security review and BAA if needed

Contact our sales team to discuss your security requirements.