Devin Security

Last updated: June 11, 2026

Licensor maintains a comprehensive documented security program that is based on industry standard security frameworks such as SOC 2 Type II and ISO 27001 (the "Security Program"). Pursuant to the Security Program, Licensor implements and maintains administrative, physical, and technical security measures to protect the software and services provided by Licensor to Customer (the "Software Services"), to provide support for the Software Services, and to maintain the security and confidentiality of Customer Data under Licensor's control as part of providing the Software Services (the "Security Measures"). Licensor's compliance with this Security Exhibit shall be deemed to satisfy any security measures included within the Agreement.

Licensor regularly tests and evaluates its Security Program, and may review and update this Security Exhibit at any time without notice, provided that such updates either make equivalent or enhance Security Measures and do not materially diminish the level of protection afforded to Customer Data by these Security Measures.

1. Deployment Model.

1.1. Architecture. Licensor is a software-as-a-service offering. The components primarily responsible for managing and controlling the services are referred to as the "Licensor Control Plane". The compute resources that perform data processing operations are referred to as the "Data Plane". For certain services, the Data Plane may be deployed either in Customer's own cloud service provider account (known as the "Customer Data Plane") or in a Licensor-controlled account (known as the "Licensor Data Plane"). "Data Plane" shall refer to either the Customer Data Plane or the Licensor Data Plane, as applicable, unless otherwise specified.

1.2. Data Storage. Depending on Customer's configuration and which Software Services features Customer accesses, Licensor may process Customer Data stored within Licensor infrastructure or the Licensor Data Plane. For clarity, Licensor cannot access Customer Data stored on the Customer Data Plane.

2. Licensor's Audits & Certifications.

Licensor uses independent third-party auditors to assess the Licensor Security Program at least annually, as described in frameworks such as the SOC 2 Type II and ISO 27001 standards. To the extent that Licensor chooses not to continue maintaining its certification or these standards are replaced, Licensor will adopt or maintain an equivalent, industry-standard framework.

3. Administrative Controls.

3.1. Governance. Licensor's Head of Security leads the Licensor Security Program and develops, reviews, and approves (together with other relevant internal stakeholders) Licensor's Security Measures.

3.2. Change Management. Licensor maintains a documented change management policy, reviewed at least annually.

3.3. ISMS; Policies and Procedures. Licensor has implemented a formal Information Security Management System ("ISMS") in order to protect the confidentiality, integrity, authenticity, and availability of Licensor's data and information systems, and to ensure the effectiveness of security controls over data and information systems that support operations.

3.4. Monitoring & Logging. Licensor employs monitoring and logging technology to help detect and prevent unauthorized access attempts to its network and equipment.

3.5. Access Review. Active personnel with privileged access to the Software Services are reviewed at least quarterly and are promptly removed upon termination of employment. As part of the personnel offboarding process, all accesses are revoked and data assets are securely wiped.

3.6. Third Party Risk Management. Licensor maintains a comprehensive Third Party Risk Management program that assesses the security compliance of applicable third parties, including vendors, contractors and subprocessors, in order to appropriately measure and manage risk.

3.7. Personnel Training. Personnel receive comprehensive training on the Security Measures upon hire and refresher training annually. Personnel are required to certify and agree to the Security Measures and personnel who violate the Security Measures are subject to disciplinary action, including warnings, suspension and up to (and including) termination.

3.8. Personnel Screening and Evaluation. All personnel undergo background checks prior to onboarding (as permitted by local law), which may include, but are not limited to, criminal record checks, employment history verification, education verification, and global sanctions and enforcement checks. Licensor uses a third-party provider to conduct screenings, which vary by jurisdiction and comply with applicable local law. Personnel are required to sign confidentiality agreements.

3.9. Code of Conduct. All personnel are required to review Licensor's Code of Conduct and related training modules upon hiring and on an annual basis thereafter. These cover policies such as acceptable use, network access and security restrictions, anti-bribery, conflicts of interest, professional behavior, and anti-discrimination and harassment. Personnel are advised that violations of these policies may result in disciplinary action, including termination.

4. Physical and Environmental Controls.

4.1. Licensor Corporate Offices. Licensor has implemented administrative, physical, and technical safeguards for its corporate offices. These include, but are not limited to, the below:

  • Visitors are required to sign in and be escorted by Licensor personnel while on premises
  • Licensor personnel badge into the offices
  • Badges are not shared or loaned to others without authorization
  • Physical entry points to office premises are recorded by CCTV and have an access verification system at every door, allowing only authorized employees to enter the office premises
  • Equipment and other Licensor-issued assets are inventoried, tracked, and managed remotely via mobile device management (MDM)
  • Office Wi-Fi networks are protected with WPA2 encryption

4.2. Licensor Data Centers. Licensor regularly reviews its cloud service datacenters and on-premise datacenters to ensure compliance with ISO 27001 and SOC 2, as applicable. Security controls include, but are not limited to, the list below:

  • Biometric facility access controls
  • Visitor facility access policies and procedures
  • 24-hour armed physical security
  • CCTV at ingress and egress
  • Intrusion detection
  • Business continuity and disaster recovery plans
  • Smoke detection sensors and fire suppression equipment
  • Mechanisms to control temperature, humidity and water leaks
  • Power redundancy with backup power supply

5. Systems & Network Security.

5.1. Software Controls.

5.1.1. Isolation. Licensor leverages multiple layers of network security controls, including network-level isolation, to separate Licensor's development and production environments.

5.1.2. Firewalls & Security Groups. Firewalls are implemented as network access control lists or security groups within Licensor's production environment. These controls are configured to deny all network traffic by default and permit only explicitly authorized traffic in accordance with Licensor's security policies and least-privilege principles.

5.1.3. Hardening. Licensor employs industry standards to harden images and operating systems under its control that are deployed within the Software Services, including deploying baseline images with a hardened security configuration (such as disabled remote root login and isolation of user code) and regularly updating and refreshing those images.

5.1.4. Encryption.

5.1.4.1. Encryption of data-in-transit. Customer Data is encrypted using cryptographically secure protocols (TLS v.1.2 or higher) in transit between (1) Customer and the Licensor Control Plane and (2) the Licensor Control Plane and the Data Plane.

5.1.4.2. Encryption of data-at-rest. Customer Data within Licensor's control is encrypted using cryptographically secure algorithms (AES-256, or equivalent or better) while at rest.

5.1.4.3. Review. Cryptographic standards are periodically reviewed and selected technologies and ciphers are updated in accordance with assessed risk and market acceptance of new standards.

5.1.5. Monitoring & Logging.

5.1.5.1. Intrusion Detection Systems. Licensor leverages several tools for security detection of threats and intrusions to Licensor's network.

5.1.5.2. Audit Logs. Licensor generates audit logs from Customer's use of the Software Services. The logs are designed to store information about material events within the Software Services. Licensor stores audit logs for at least one year.

5.1.6. Penetration Testing. Licensor conducts third-party penetration tests at least annually and maintains a bug bounty program.

5.1.7. Vulnerability Management & Remediation. Licensor regularly runs authenticated scans against representative hosts in the SDLC pipeline to identify vulnerabilities and emerging security threats that may impact the Software Services. Licensor will use commercially reasonable efforts to address the following vulnerabilities, with each measured from (a) the date of availability of a compatible, vendor-supplied patch (with respect to publicly declared third party vulnerabilities); or (b) the date such vulnerability is confirmed (with respect to internal vulnerabilities).

5.1.8. Patching.

5.1.8.1. Control Plane. Licensor deploys new code to the Control Plane on an ongoing basis.

5.1.8.2. Data Plane. New Data Plane deployments use the latest applicable source code and system images upon launch.

5.2. Corporate Controls.

5.2.1. Access Controls.

5.2.1.1. Authentication. Licensor personnel are authenticated through single sign-on (SSO) where applicable, and use a unique user ID and password combination together with multi-factor authentication. Privileges are consistent with least privilege principles. The Security Measures prohibit personnel from sharing or reusing credentials, passwords, IDs, or other authentication information. If Customer's identity provider supports the SAML 2.0 protocol, Customer can use Licensor's SSO to integrate with that identity provider.

5.2.1.2. Role-Based Access Control (RBAC). Licensor enforces RBAC (based on security groups and access control lists). Only authorized roles, which are defined based on the principles of least privilege and segregation of duties, are allowed to access production systems.

5.2.2. Workstation Controls. Licensor enforces certain security controls on its workstations used by personnel, including:

  • Full-disk encryption
  • Anti-malware software
  • Automatic screen lock after 15 minutes of inactivity
  • Secure VPN

6. Breach Detection & Response.

6.1. Detection & Investigation. Licensor's dedicated security and infrastructure team deploys and develops intrusion detection monitoring across its computing resources, with alert notifications sent to the Security Incident Response Team (SIRT) for triage and response. The SIRT employs an incident response framework to manage and minimize the effects of unplanned security events.

6.2. Security Breaches. "Security Breach" means a breach of security leading to any confirmed accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data under Licensor's control. A Security Breach shall not include an unsuccessful attempt or activity that does not compromise the security of Customer Data, including (without limitation) pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers), or similar incidents. Licensor maintains a record of Security Breaches that includes a description, the dates and times of relevant activities, and the disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel, and appropriate resolution steps are identified and documented. For any confirmed Security Breach, Licensor will take appropriate, reasonable steps to minimize product and Customer damage or unauthorized disclosure.

6.3. Communications & Cooperation. Where required under applicable data protection laws, Licensor will notify Customer of any Security Breach for which that Customer is impacted and take appropriate measures to address the Security Breach, including measures to mitigate any adverse effects resulting from the Security Breach.

7. Customer Audit Rights.

7.1. Upon written request and at no additional cost to Customer, Licensor shall provide Customer, and/or its appropriately qualified third-party representative (subject to the confidentiality terms provided in the Agreement), access to reasonably requested documentation evidencing Licensor's compliance with its obligations under this Exhibit in the form of the relevant audits or certifications listed in Section 2 (Licensor's Audits & Certifications) above. Such audits are performed (a) at least once annually; and (b) by independent third-party security professionals selected by Licensor. Such audits result in the generation of a confidential audit report (collectively, "Audit Reports").

7.2. Only to the extent that Customer is not reasonably satisfied with Licensor's compliance with this Exhibit through the Audit Reports, Customer may send a written request to conduct an audit of Licensor's applicable controls during the term of the Agreement, no more than once per year. Following receipt by Licensor of such a request, Licensor and Customer shall mutually agree in advance on the details of the audit, including the reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any such audit. Customer acknowledges that any audit may not occur at the same time as another audit and that Licensor has the right to choose the auditor, subject to Customer's approval. The Audit Report, the audit, and any information arising therefrom shall be considered Licensor Confidential Information and may only be shared with a third party (including a third-party controller) with Licensor's prior written agreement.

7.3. Notwithstanding any other audit provisions in the Agreement, Customer requests for audits are limited to once per year and shall be subject to Licensor's reasonably requested security policies and procedures.

8. Backups, Business Continuity, and Disaster Recovery.

8.1. Business Continuity and Disaster Recovery. Licensor Business Continuity (BC) and Disaster Recovery (DR) plans are reviewed and drills are conducted annually.

8.2. Data Resiliency. Licensor performs backups of the Licensor Control Plane, generally managed through the Cloud Service Provider's capabilities, for data resiliency purposes in the case of a critical systems failure. While Licensor backs up certain service elements that persist in the Licensor Control Plane as part of its systems resiliency, those backups are maintained only for emergency recovery purposes and are not available to Customer.

9. Data Deletion.

9.1. Upon Customer Request or Contract Termination. Customer Data under Licensor's control is permanently deleted within ninety (90) days: (a) upon Customer's request at any time; and (b) following any termination or expiration of the Agreement.