Security
How GetCode protects your account, your code, and your data.
Authentication
Email/password with bcrypt hashing (12 rounds). Optional TOTP 2FA on all accounts. OAuth via Google and GitHub. Sessions expire after 8 hours of inactivity. All sessions invalidated on password change.
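The bcrypt claim above is the part of this page a reviewer can actually check against a schema, so here is an added example (not GetCode's own code) of what "bcrypt with 12 rounds" looks like when done inside PostgreSQL with the pgcrypto extension. The table name app_users and the sample credentials are constructed for illustration; pgcrypto's crypt() and gen_salt() are real functions.

```sql
-- Added example, not GetCode's code: bcrypt hashing at cost 12 with
-- PostgreSQL's pgcrypto extension. The app_users table is hypothetical.
create extension if not exists pgcrypto;

create table if not exists app_users (
  email         text primary key,
  password_hash text not null
);

-- Store: gen_salt('bf', 12) yields a bcrypt salt with cost factor 12
-- (2^12 key-setup iterations). The cost is embedded in the hash itself
-- ("$2a$12$..."), so it can be raised later without a schema change.
insert into app_users (email, password_hash)
values ('alice@example.com',
        crypt('correct horse battery staple', gen_salt('bf', 12)));

-- Verify: re-run crypt() with the stored hash as the salt argument; it reuses
-- the embedded salt and cost, so the result equals the stored hash only when
-- the candidate password is correct.
select email,
       crypt('correct horse battery staple', password_hash) = password_hash as good_password,
       crypt('wrong password', password_hash) = password_hash              as bad_password
from app_users
where email = 'alice@example.com';

-- Operational check: find rows still hashed at a lower cost so they can be
-- re-hashed on the user's next successful login.
select email
from app_users
where password_hash not like '$2a$12$%';
```

The first select returns true for good_password and false for bad_password. Keep the verification query parameterised in application code rather than interpolating the candidate password into SQL text, and never log the password_hash column.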
Data in transit
All connections use TLS 1.3. HTTP Strict Transport Security (HSTS) enabled. Certificate transparency monitoring. All API endpoints served over HTTPS only.
Data at rest
Database hosted on Supabase with AES-256 encryption at rest. Hosted in AWS EU-West-1 (Ireland). Row-Level Security (RLS) policies ensure users can only access their own data. Automated daily backups with 30-day retention.
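Because the page relies on Row-Level Security for tenant isolation, here is an added example (not GetCode's schema) of the policy set that makes "users can only access their own data" true on a Supabase/PostgreSQL table. The table generations and its columns are hypothetical; auth.uid() is Supabase's helper that returns the calling user's id from the request JWT.

```sql
-- Added example, not GetCode's schema: a table protected by Row-Level Security
-- so each authenticated user can read and modify only rows they own.
create table if not exists public.generations (
  id         bigint generated always as identity primary key,
  owner_id   uuid not null references auth.users(id) on delete cascade,
  prompt     text not null,
  created_at timestamptz not null default now()
);

-- RLS is off by default. Enabling it with no policies denies every row to
-- ordinary roles, so the baseline is "deny" and each policy grants access.
alter table public.generations enable row level security;
-- Apply RLS to the table owner as well; owners bypass it otherwise.
alter table public.generations force row level security;

-- Read: only rows whose owner_id matches the caller.
create policy "generations: select own"
  on public.generations for select
  to authenticated
  using (auth.uid() = owner_id);

-- Insert: a caller may only create rows owned by themselves.
create policy "generations: insert own"
  on public.generations for insert
  to authenticated
  with check (auth.uid() = owner_id);

-- Update: ownership is checked on the existing row (using) and on the
-- proposed new row (with check), so a row cannot be handed to another user.
create policy "generations: update own"
  on public.generations for update
  to authenticated
  using (auth.uid() = owner_id)
  with check (auth.uid() = owner_id);

create policy "generations: delete own"
  on public.generations for delete
  to authenticated
  using (auth.uid() = owner_id);

-- Check: confirm RLS is both enabled and forced on the table.
select relname, relrowsecurity, relforcerowsecurity
from pg_class
where oid = 'public.generations'::regclass;
```

Two caveats worth knowing when auditing this pattern: the policies are granted to the authenticated role only, so the anon role sees nothing, and Supabase's service-role key bypasses RLS entirely, so it must stay server-side and never reach the browser.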
Rate limiting
IP-based rate limiting on all API endpoints. Generation limits enforced per plan per day and per month. Temporary email addresses blocked at signup. Automated abuse detection and account suspension.
Infrastructure
Hosted on Vercel (edge network) + Supabase (PostgreSQL). No self-managed servers — infrastructure security handled by AWS and Vercel. Automated security patches via Dependabot. Build integrity verified on every deploy.
Compliance
UK GDPR and EU GDPR compliant. ICO registered. Data Processing Agreements available for business customers. Subprocessors list published and updated at getcode.one/subprocessors. SOC 2 audit planned for 2026.
Report a vulnerability
If you discover a security vulnerability in GetCode, please disclose it responsibly. Do not create public GitHub issues or social media posts for security bugs.
Email: security@getcode.one
PGP key available on request. We aim to respond within 24 hours and resolve critical issues within 72 hours.