Privacy & security
Kodik is a locally installed IDE that reaches out to cloud AI services only when you explicitly use those features. This page describes which data leaves your machine and which stays on it.
What is sent to the Kodik cloud
When you use managed models (Kodik’s cloud-hosted models), the following data is transmitted through the Kodik API:
- Chat request content — message text, code snippets, and files you explicitly add to context.
- Tool results — file contents, command output, search results, and MCP server responses the agent collects while working on a task.
- Indexing embeddings — text chunks from your workspace source code sent to the Kodik API to generate vectors (see the indexing section below for details).
- Authentication data — session tokens used to identify your account with each request.
All AI requests are handled in accordance with GDPR and Russian personal data law.
What stays local
- Source code itself never leaves your machine unless you add it to the chat context or the agent reads files as part of a task.
- The codebase index is stored in .kodik/index inside your workspace as a SQLite file. Source files are not uploaded — only numeric vectors are transmitted.
- Memories are stored locally and never sent anywhere.
- Settings are stored in standard VS Code directories on your machine.
- Ollama — when using local models via Ollama, all requests are processed on your device and the cloud is not involved.
Anonymizer
The Anonymizer (KodikShield) lets you mask sensitive content before it reaches the model. You can manually mark code regions as sensitive, and you can enable automatic detection of secrets in tool results. Instead of real values, the model receives placeholders of the form __KODIK_...__.
For full instructions, see Anonymizer.
.kodikignore
A .kodikignore file at the root of your workspace blocks the agent from accessing specific files and directories. The agent cannot read, modify, or run commands against those paths, even if you explicitly ask it to. The syntax follows .gitignore rules; an !include directive is supported for pulling in additional rule files.
For more detail, see Ignoring files.
Indexing: where data is stored
Codebase indexing allows the agent to perform semantic search over your project. The index is stored locally in .kodik/index (a SQLite file). Source files are never uploaded to the Kodik API.
To generate embeddings (numeric vectors), text chunks are sent to the Kodik API. If the API is unavailable, a local deterministic algorithm is used as a fallback — search quality is reduced, but the feature remains functional.
By default, indexing respects .gitignore rules. You can also exclude paths via .kodikignore — those paths will not be indexed. You can manage the index (rebuild, delete, pause) in the Indexing section of Kodik Settings.
For more detail, see Codebase indexing.
Secret redaction from memory
Before long-term memories are persisted, Kodik automatically scrubs secrets from the content. The following are redacted:
- PEM-format private keys;
- JWT tokens;
- API keys for popular providers (OpenAI, Anthropic, GitHub, AWS, Google, Slack, Stripe, and others) — matched by characteristic prefixes (sk-, sk-ant-, ghp_, AKIA, etc.);
- Bearer tokens in headers;
- Values in assignments where the variable name contains words like secret, token, password, api_key, private_key, and similar.
Detected secrets are replaced with the placeholder [REDACTED]. The algorithm is heuristic-based and is not guaranteed to catch every case — review important memories before sharing the contents of your Kodik home directory.
For more detail, see Memory.
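The categories listed above, sketched as an added Python example that is not Kodik's own code: the regular expressions, token lengths and the redact helper are assumptions chosen to match those categories, and the sample text is constructed. The last sample line shows a secret that this kind of heuristic misses.

```python
import re

PLACEHOLDER = "[REDACTED]"

# Assumed patterns, one per category listed above; Kodik's real rules are not shown on this page.
PATTERNS = [
    # PEM-format private keys (the whole armoured block)
    re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
    # JWTs: three base64url segments, the first two starting with "eyJ" ('{"' encoded)
    re.compile(r"\beyJ[\w-]{5,}\.eyJ[\w-]{5,}\.[\w-]{5,}"),
    # Provider API keys by the prefixes named above (lengths are assumptions)
    re.compile(r"\b(?:sk-(?:ant-)?[\w-]{16,}|ghp_[A-Za-z0-9]{36}|AKIA[A-Z0-9]{16})\b"),
]
# Bearer tokens in headers: keep the scheme, redact the credential
BEARER = re.compile(r"(?i)(\bBearer\s+)[\w.~+/=-]{8,}")
# Assignments whose variable name contains a sensitive word
ASSIGN = re.compile(
    r"(?i)(\b\w*(?:secret|token|password|api_key|private_key)\w*\s*[:=]\s*)"
    r"(\"[^\"\n]*\"|'[^'\n]*'|[^\s,;]+)"
)

def redact(text: str) -> str:
    """Replace every match of the heuristics above with the placeholder."""
    for pattern in PATTERNS:
        text = pattern.sub(PLACEHOLDER, text)
    text = BEARER.sub(lambda m: m.group(1) + PLACEHOLDER, text)
    return ASSIGN.sub(lambda m: m.group(1) + PLACEHOLDER, text)

# Constructed sample memory; every credential below is fake.
SAMPLE = """\
aws key AKIAABCDEFGHIJKLMNOP used for deploy
Authorization: Bearer abcdef1234567890
db_password = "hunter2hunter2"
jwt eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.c2lnbmF0dXJlX2hlcmU
conn = "postgres://app:s3cr3tpw@db.internal/prod"
"""

if __name__ == "__main__":
    # The conn line is printed unchanged: no prefix, no sensitive variable name.
    print(redact(SAMPLE))
```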
Recommendations
- Use the Anonymizer to protect secrets and sensitive code when sending context to a model.
- Add a .kodikignore for files the agent should not read or modify.
- For fully local operation, connect Ollama and select a local model — requests will not leave your machine.
- On an Enterprise plan, check with your administrator about on-premises deployment options.