Security & trust

How we handle your code.

The pipeline reads your code, writes patches against it, and opens pull requests in your repos. The details below are how we keep that arrangement defensible — for you, for your customers, and for an auditor asking pointed questions.

At a glance

Five things to know.

1. Single-tenant by default.

Colony Cloud is single-tenant per customer. Your code, your ledger, your audit trail — isolated, not co-mingled.

2. We don’t train on your code.

Your code is not used to train any model. We do not retain prompts or completions for model improvement. Period.

3. Scoped GitHub permissions.

The GitHub App requests minimum required scopes for the repositories you grant. We never request organization-wide admin.

4. Branch protection is honored.

The Marshal agent never elevates its own permissions. Required reviews, status checks, code-owner approvals are all enforced.

5. Hybrid tenancy ships Q3 2026.

Control plane managed by us, worker pools and code in your VPC. Currently in private preview.

Data residency

Colony Cloud runs in US-East and EU-West today. Tenants choose at provisioning time. We do not move tenant data across regions. The audit trail and cost ledger are stored in the same region as the worker pool.

Hybrid tenancy — control plane managed by us, worker pools in your VPC — is currently in private preview for teams with stricter residency requirements, and enters public preview Q3 2026. The control plane never touches code; only metadata and orchestration events flow back.

Code handling

The Builder agent checks code out into ephemeral workers. Workers are torn down after the issue completes. We do not persist working copies beyond the issue’s lifetime; only the diff, the prompts, and the responses are retained in the audit trail.

The retained prompts and responses are scoped per tenant, encrypted at rest, and accessible only to the tenant’s authorized users. We do not look at tenant prompts except when explicitly invited to (e.g. for debugging a pipeline issue you raised).

Model providers

Colony talks to model providers (Anthropic, OpenAI) through their enterprise APIs. We use the enterprise endpoints that contractually exclude prompt and completion data from training. Token pass-through pricing is what your tenant pays, plus a small markup — visible in the same ledger your team sees.

If you have a procurement preference for a specific provider, we can pin agents to it on Cloud, or you can configure your own keys on OSS.

GitHub integration

Colony installs as a GitHub App with the minimum permissions required for the repositories you grant access to. We request read on issues and code, and write on pull requests, branches, and statuses. We never request organization-wide admin scope.

The Marshal agent uses the same merge surface a human would. Required reviews, required status checks, code-owner approvals, signed-commit requirements — all honored. The agent cannot bypass them.

Audit record

Your engineering standards survive autonomy. Colony maintains a signed, timestamped audit record for every issue: who authored it, which agent did which work, when each transition happened, what human reviewer approved the PR, and the full cost attribution. Available as CSV export. For most enterprise frameworks this is more traceability than human-only review delivers.

For compliance-sensitive paths, set the automerge threshold to zero on that repository — every PR requires explicit human approval. The pipeline runs; the gate stays human.

Compliance posture

Colony Cloud has not yet completed a SOC 2 Type II audit. This page describes the controls themselves rather than a third-party attestation; we’ll publish the audit timeline once it’s scheduled. Bring procurement questions to the pilot call and we’ll answer specifically.

The controls in practice: single-tenant by default, scoped GitHub permissions, enterprise model endpoints that exclude prompts from training, encryption at rest, deletion-on-request with a signed certificate, and the full audit trail described above. Penetration testing is on the roadmap; we’ll name the firm and the date once the first engagement is scheduled.

For HIPAA and FedRAMP-adjacent contexts, hybrid tenancy is the right shape — talk to us on the pilot call.

Termination

You can revoke the GitHub App at any time; the pipeline immediately stops. On request, we will delete all retained prompts, completions, and audit data within thirty days, with a deletion certificate signed by an officer.

The cost ledger is retained separately for finance and tax purposes for the period required by jurisdiction.

Reporting

Security disclosures and questions: [email protected]. We respond within two business days. PGP key on the pilot call.

Questions an auditor would ask?

Bring them to the pilot call. We answer specifically; we don’t hand-wave.