WakaTime never has access to your source code. WakaTime plugins only send limited metadata about your IDE usage to populate your personal metrics dashboard. For the full list of data sent to our servers, see this FAQ answer and the WakaTime Privacy Policy.
Your data is stored securely in DigitalOcean, Amazon AWS, and Cloudflare data centers. Your personal information is only retained for as long as necessary to provide the requested service features, and is immediately deleted from our servers when no longer needed to provide the requested service. WakaTime provides a way for account owners to delete their own account and all associated data using this form. Within 24 hours of account deletion, WakaTime hard deletes all information from running production systems. WakaTime service backups are destroyed within 27 days, excluding security and access logs. *
All WakaTime user data is ingested, processed, and maintained in SOC 2 and ISO/IEC 27001:2013 compliant facilities/data centers:
https://aws.amazon.com/compliance/soc-faqs/
https://aws.amazon.com/compliance/iso-27001-faqs/
https://www.digitalocean.com/trust/certification-reports/
https://www.cloudflare.com/trust-hub/compliance-resources/
WakaTime’s Security team utilizes monitoring and analytics capabilities to identify potentially malicious activity within our infrastructure. User and system behaviors are monitored for suspicious activity, and investigations are performed following our incident reporting and response procedures.
We place strict controls over our employees’ access to the data you and your users make available via the WakaTime services. The operation of the WakaTime services requires that some employees have access to the systems which store and process customer data. For example, in order to diagnose a problem you are having with the WakaTime services, we may need to access your customer data. These employees are prohibited from using these permissions to view customer data unless it is necessary to do so. We have technical controls and audit policies in place to ensure that any access to customer data is logged.
New features, functionality, and design changes go through a security review process facilitated by the security team. In addition, our code is tested and manually peer-reviewed prior to being deployed to production. The security team works closely with development teams to resolve any additional security concerns that may arise during development.
WakaTime also operates a public security bug bounty program. Security researchers around the world continuously test the security of the WakaTime services, and report issues via the program. More details of this program are available at the bounty site.
*WakaTime backups are destroyed within 27 days, except that during an ongoing investigation of an incident this period may be temporarily extended.