Your code queries are sent to third-party AI providers. If your administrator enables the embeddings feature, a full copy of your code repository is also sent to a third-party AI provider.
This analysis describes what Sourcegraph Cody's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision discloses that enabling the embeddings feature triggers transmission of full repository contents to a third-party provider, which is an operationally significant data sharing event that may not be apparent to individual users and is controlled at the administrator level.
Under this provision, both individual code queries and, if embeddings are enabled by an administrator, entire repository contents are transmitted to third-party LLM providers. The scope of this data sharing is stated to be limited to service provision, but the activation of embeddings represents a broader data transfer than routine query processing.
Cross-platform context
See how other platforms handle Third-Party Data Sharing and Embeddings and similar clauses.
Compare across platforms →Monitoring
Sourcegraph Cody has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 10 platforms.
"Yes. Cody sends LLM Prompts to a third-party LLM provider. In addition, when an administrator turns on the feature to generate embeddings for a repository, a copy of the repository contents will be shared with a third-party LLM provider for the sole purpose of providing you the service.— Excerpt from Sourcegraph Cody's Sourcegraph Cody Usage and Privacy
REGULATORY LANDSCAPE: Transmission of full repository contents to third-party providers engages GDPR data transfer requirements, including requirements for data processing agreements and, for cross-border transfers, appropriate transfer mechanisms. CCPA service provider rules require that shared data be used only for the specified purpose. The provision states the sole purpose is service provision, which should be reflected in applicable DPAs. If repositories contain personal data, data subject notification obligations may be relevant. GOVERNANCE EXPOSURE: High. The embeddings feature involves transmission of entire codebases to a third-party provider, which is a materially broader data sharing event than individual query processing. This may include proprietary algorithms, credentials, personal data of employees or customers embedded in code, or regulated information. Administrator-level control over this feature means individual users may not be aware of the extent of data sharing. JURISDICTION FLAGS: EU and EEA organizations must ensure that full repository transfers to third-party LLM providers are covered by valid data processing agreements and, where applicable, Standard Contractual Clauses or other GDPR transfer mechanisms. California organizations should assess whether repository contents include personal information subject to CCPA. Organizations in regulated industries such as financial services or healthcare should assess whether repository contents include regulated data before enabling embeddings. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should document which third-party LLM providers receive repository data when embeddings are enabled and ensure those providers are covered by appropriate DPAs. The document does not name the specific third-party LLM providers, which may require supplementary disclosure requests. Administrator training on the data sharing implications of enabling embeddings is advisable. COMPLIANCE CONSIDERATIONS: Organizations should classify repository contents before enabling embeddings and conduct a data protection impact assessment covering the full repository transfer. Access controls for the embeddings feature should be reviewed to ensure only appropriately authorized administrators can enable it. Data maps should be updated to reflect this third-party transfer pathway.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Watcher: 10 platforms + same-day alerts. No credit card required.
Professional Governance Intelligence
Need to monitor specific governance provisions?
Professional includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision discloses that enabling the embeddings feature triggers transmission of full repository contents to a third-party provider, which is an operationally significant data sharing event that may not be apparent to individual users and is controlled at the administrator level.
Under this provision, both individual code queries and, if embeddings are enabled by an administrator, entire repository contents are transmitted to third-party LLM providers. The scope of this data sharing is stated to be limited to service provision, but the activation of embeddings represents a broader data transfer than routine query processing.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Sourcegraph Cody.