At Sonar, we are driven by our mission to empower all developers to write secure, high-quality code. With over seven million developers worldwide relying on our SonarQube offering, we are committed to providing not only innovative tools but also the highest levels of security and trust.
Today, we are thrilled to share that Sonar has achieved SOC 2 Type II compliance. This is a significant milestone that reflects our dedication to protecting customer data and ensuring the integrity of our operations now and in the future.
What Is SOC 2 Type II Compliance and Why Does it Matter?
SOC 2 (Service and Organization Controls 2) is a rigorous standard for managing customer data based on five key principles: security, availability, confidentiality, privacy, and processing integrity. To achieve SOC 2 Type II compliance, a third-party audit is required to validate that the controls supporting these principles operate consistently over an extended observation period (Type I, by contrast, assesses control design at a single point in time).
This certification provides our customers the assurance that Sonar implements and maintains industry-leading controls to safeguard sensitive code, metadata, and operational processes. The Trust Services Criteria (TSC) we pursued include:
- Security: Also known as the "Common Criteria," this criterion is the most critical and is required for all SOC 2 evaluations. It ensures that an organization’s systems are protected against unauthorized access, including both physical intrusions and cyber threats. Its objectives include the proper processing, transmission, and disposal of all data and information. The security criterion involves putting various controls and practices in place, such as firewalls and encryption, as well as routine security audits and vulnerability assessments.
- Confidentiality: This criterion is designed to ensure that sensitive information is properly protected from unauthorized access and disclosure. Focusing on the measures and controls implemented to safeguard confidential data, it requires organizations to define the access limitations that apply to team members and customers alike. Typical controls include access restrictions, secure data transmission methods, access monitoring, and regular employee training on data protection.
- Availability: This criterion ensures that our systems are accessible for operation and use as needed. It addresses whether systems include controls that support timely and uninterrupted service, and it reflects our capacity to meet service level agreements (SLAs).
While the Security criterion is the typical baseline, we chose to add Confidentiality and Availability because, as cloud adoption continues to grow, we want to assure customers (new and migrating) that the same protections they receive in SonarQube Server (self-hosted or Enterprise) can be expected in SonarQube Cloud. Instead of simply offloading availability to the cloud service provider, we share this responsibility with them and hold ourselves accountable for the availability and performance of the system in the cloud. This ensures that the system and service customers consume from Sonar have the requisite controls in place to deliver optimal availability, giving customers confidence in the cloud.
A Testament to Our Commitment to Security
We’ve always placed a high importance on security, and with data breaches continuing to increase, achieving SOC 2 Type II compliance was a clear next step in strengthening the trust that organizations and developers place in us and our solutions.
In addition to external auditing, our products are continuously pen-tested by independent testers, we partner with other organizations to perform red-team exercises, and we subject key systems to regular internal security tests by our security team and our researchers. You can find the pen-test attestations through our Trust Center.
Whether you're using SonarQube Server on-premise to analyze code, leveraging SonarQube Cloud for continuous code quality in the cloud, or relying on SonarQube for IDE to catch issues early on in development, you can be confident that your data is protected. Our SOC 2 Type II compliance ensures that:
- Your code and metadata are handled securely and confidentially
- Our solutions maintain high availability and reliability
- We adhere to best practices for risk management and operational oversight
Looking Ahead
As the software development ecosystem continues to evolve, so too will the security landscape. At Sonar, we are dedicated to continually enhancing our security and meeting top industry data protection standards in order to maintain the trust of our users. From encryption to regular penetration testing, we are constantly evolving our security measures to stay ahead of emerging threats.
To learn more about our commitment to security, visit our compliance page.