Frequently Asked Questions
Everything you need to know about ProvenanceOS.
How do I get access to ProvenanceOS?
Scan intake is live now for early-access teams. For the full platform — AI-origin scoring, dependency lineage, policy evaluation, and compliance reports — join the launch waitlist and we will reach out as each phase ships.
When does self-serve signup open?
Self-serve signup opens as each capability reaches general availability. Pricing is published on the Pricing page now so you can plan ahead.
Do you offer discounts for startups or nonprofits?
Yes. Contact us at hello@developer312.com for startup and nonprofit pricing.
Is my code data secure?
Source content may be processed transiently to compute provenance signals and is never retained — there is no stored repository mirror. All data is encrypted at rest (AES-256) and in transit (TLS 1.3), and the platform is built to SOC 2 controls.
What repositories do you support?
GitHub, GitLab, and Bitbucket.
What compliance standards are supported?
SOC 2 compliance reports are rolling out now. EU AI Act, GDPR, HIPAA, and SLSA Level 3 reporting is planned for later phases. The platform is built to SOC 2 controls today.
How does scanning work today?
Authenticated scan intake is live now: connect a repository or upload a small archive from the app and ProvenanceOS creates a durable, queued scan job. Worker-backed AI-origin scoring, dependency lineage, policy evaluation, and report generation are rolling out in phases.
How ProvenanceOS processes your data
ProvenanceOS may process source content transiently to calculate provenance signals. Source files are not retained after processing, are not used to train models, and are not stored as a repository mirror. We retain only the account, job, repository metadata, derived signals, policy outcomes, and reports needed to provide the service.
| Data type | Processed | Retained | Retention | Third-party access |
|---|---|---|---|---|
| Source files[data-handling:Source files] | Yes, transiently. Archive uploads are SHA-256 hashed for integrity; source content is not stored as a repository mirror. | No | Deleted after job completion/failure window. Archive bytes are never persisted; only the hash is stored on the scan job. | No third-party access to source content. Processing runs in ProvenanceOS infrastructure. (Subprocessor list: see /security.) |
| Repository metadata[data-handling:Repository metadata] | Yes. Repository URL, provider, default branch, and commit reference are read to create a durable scan job. | Yes | Retained for the life of the account so job history is queryable. Deleted on account deletion. Edward to confirm exact retention window. | Hosted on InsForge (managed Postgres). No source content is sent to third parties. |
| Derived signals[data-handling:Derived signals] | Yes. Provenance signals (AI-origin indicators, confidence scores, policy outcomes) are computed as each enabled capability completes. | Yes | Retained with the scan job so results remain queryable and exportable. Deleted with the job or on account deletion. Edward to confirm exact window. | Stored in ProvenanceOS infrastructure (InsForge managed Postgres). Not shared with third parties. |
| Reports[data-handling:Reports] | Yes. Audit-ready compliance and provenance reports are generated from derived signals as report generation rolls out. | Yes | Customer-controlled. You can delete a report at any time; export retains your copy. Deleted on account deletion. | Only when you explicitly export or share a report. No automatic third-party access. |
| Credentials/tokens[data-handling:Credentials/tokens] | Yes. OAuth tokens for repository providers are stored to read repository metadata on your behalf. | Yes, encrypted | Retained until you revoke the connection or delete your account. Revocation removes the token immediately. | Stored in managed secret storage (InsForge). Provider tokens are used only to read repository metadata you have authorized. |
Still have questions?
Contact our team