Last updated: 18 July 2026
Security & Trust
This page summarizes security and trust controls that external reviewers can cross-check against our published policies and product behavior. Claims below match what CodXER implements or publicly documents today. Where a detail depends on an Enterprise agreement, we say so.
Transport security (TLS)
Public web and API traffic to codxer.com and api.codxer.com is served over HTTPS (TLS). Clients should reject plaintext HTTP for credentials and API keys.
Passwords and API keys
- Passwords — stored with one-way hashing (bcrypt). Plaintext passwords are not stored.
- API keys — stored as SHA-256 hashes of the secret. The full key is shown once at creation and cannot be retrieved later from the account UI.
See also Privacy Policy §2.1 and API docs — Authentication.
Two-factor authentication (2FA)
Signed-in users can enroll TOTP authenticator-app 2FA from Account → Security. Enrollment and verification are enforced by the API for accounts that enable it. 2FA is optional for Free-tier accounts; Enterprise may require it by policy.
Retention and no-training
- Default content retention — prompts/completions are retained for 90 days by default, then deleted or anonymized on a rolling basis (Enterprise may negotiate custom retention in a DPA).
- No training on customer data — CodXER does not use customer prompts, completions, or API content to train our own or third-party public foundation models.
Source: Privacy Policy §8.
Processing location
Primary processing infrastructure is in the Federal Republic of Germany (European Union). Cross-border transfers use appropriate safeguards as described in the Privacy Policy.
Subprocessors
Infrastructure and AI model providers process request data under contractual confidentiality and security requirements. The current subprocessor list is available to Enterprise customers under DPA/NDA (not published publicly because routing may change). Request via [email protected]. Pro/Enterprise DPA: see Terms — Enterprise.
Availability
Live component status: https://codxer.com/status/ (same data as /legal/status.html). Paid tiers publish a 99.9% monthly uptime target for API and authenticated chat; Free is best-effort.
Responsible disclosure
Report vulnerabilities or account compromise to [email protected] with subject line Security. Do not include live secrets in email; we will provide a secure channel if needed. We aim to acknowledge active-threat reports within one business day when possible.
How to verify (external reviewers)
- Confirm TLS on
https://codxer.comandhttps://api.codxer.com. - Create a Free account, enable 2FA in Account → Security, create an API key (shown once).
- Call
POST https://api.codxer.com/v1/chat/completionsand inspect response metadata for Evolution models (see API docs — verify metadata). - Read Evolution rotation specification and machine-readable evolution-rotation-spec.json.
- Check /status/ against live public status API.
Prepared public example sources (pending GitHub org publish): /public-artifacts/codxer-examples/.