The AI providers Sourcegraph works with are required not to store your prompts or the AI's responses after the response is generated.
This analysis describes what Sourcegraph Cody's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes that third-party LLM providers do not retain Customer Content, which is a material data protection commitment for enterprise users whose proprietary code is transmitted to those providers.
Interpretive note: Zero Retention is a contractual assertion by Sourcegraph on behalf of Partner LLMs; the document does not describe technical verification, auditing, or certification mechanisms supporting this claim.
User Prompts, LLM Prompts, and Responses transmitted to Sourcegraph Partner LLMs are stated to be deleted after each response is generated, meaning third-party providers do not accumulate a record of your code queries or outputs. This commitment does not apply if you use your own LLM relationship.
How other platforms handle this
We retain personal information for as long as necessary to provide our services, comply with legal obligations, resolve disputes, and enforce our agreements. The specific retention periods depend on the type of information and the purposes for which it is processed.
We keep information for as long as we need it to provide our products, comply with legal obligations, or for other legitimate purposes, such as to maintain safety, security, and integrity.
After your account is deleted, we keep data about interactions you've had on our service to prevent abuse, ban evaders and others in an effort to protect and ensure the safety and security of our service and our members.
Monitoring
Sourcegraph Cody has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Sourcegraph Partner LLMs will not retain any input or output from the model, including embeddings, beyond the time it takes to generate the output ("Zero Retention").— Excerpt from Sourcegraph Cody's Sourcegraph Cody Usage and Privacy
REGULATORY LANDSCAPE: Zero Retention commitments interact with GDPR data minimization and storage limitation principles, as well as CCPA restrictions on service provider data retention. The provision may also engage contractual data processing agreement requirements under GDPR Article 28, which require documented processor obligations including retention limitations. The EU AI Act's requirements for high-risk AI system documentation may also be relevant depending on deployment context. GOVERNANCE EXPOSURE: Medium. The Zero Retention claim is a contractual assertion by Sourcegraph on behalf of its Partner LLMs. The document does not provide technical verification mechanisms, audit rights, or references to independent certification of this practice. Organizations relying on Zero Retention as a key data protection control should assess whether it is verifiable. JURISDICTION FLAGS: EU and EEA organizations face heightened exposure if Zero Retention commitments are not backed by auditable GDPR-compliant data processing agreements with each Partner LLM. The provision explicitly carves out customers using their own LLM keys, creating a two-tier data protection posture that may require disclosure in DPIAs or data mapping exercises. CONTRACT AND VENDOR IMPLICATIONS: Procurement teams should request copies of Sourcegraph's data processing agreements with each named Partner LLM to verify that Zero Retention is contractually required and auditable. The embeddings carve-out in the FAQ confirms that repository contents shared for embeddings generation are also subject to Zero Retention, but this should be verified against Partner LLM DPAs. COMPLIANCE CONSIDERATIONS: Data protection officers should document Zero Retention as a stated control in DPIAs and data maps, while noting it is a contractual rather than technically verified control. Organizations should include audit rights for LLM data practices in enterprise contract negotiations with Sourcegraph.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Ad personalization controls removed. Contact scanning added. Advertiser data partnerships quietly dropped. A timeline of every change.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes that third-party LLM providers do not retain Customer Content, which is a material data protection commitment for enterprise users whose proprietary code is transmitted to those providers.
User Prompts, LLM Prompts, and Responses transmitted to Sourcegraph Partner LLMs are stated to be deleted after each response is generated, meaning third-party providers do not accumulate a record of your code queries or outputs. This commitment does not apply if you use your own LLM relationship.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Sourcegraph Cody.