ProvenanceOS is a provenance product — claim integrity is the point. Here is exactly how we protect your data and what we do (and don't) claim.
The short version: we never store your source code. ProvenanceOS scans metadata and signals only, so there is no copy of your repository for an attacker to take.
ProvenanceOS analyzes metadata and derived signals — not your code. Source content is processed transiently to compute provenance signals and is not retained. There is no repository mirror to breach.
All data is encrypted at rest with AES-256 and in transit with TLS 1.3. Secrets and credentials are stored in managed secret storage, never in source control.
The platform is engineered against SOC 2 Trust Services Criteria (security, availability, confidentiality). Independent SOC 2 certification is in progress; we describe our posture honestly rather than claiming a certificate we do not yet hold.
Every response ships HSTS (preload), a strict Content-Security-Policy, X-Frame-Options: DENY, X-Content-Type-Options: nosniff, and a strict Referrer-Policy. Authentication routes are marked noindex.
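As an added example (not ProvenanceOS's own code), the function below audits a response's headers against the set listed above. The HSTS preload-list requirements (max-age of at least one year, includeSubDomains, preload) and the set of Referrer-Policy values treated as strict are the checker's own assumptions, and the sample responses are constructed.

```python
"""Audit an HTTP response's security headers against the stated header set."""

ONE_YEAR = 31536000  # seconds; minimum HSTS max-age for preload-list eligibility
STRICT_REFERRER_POLICIES = {
    "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
}


def parse_hsts(value):
    """Parse Strict-Transport-Security into a lowercase directive dict, e.g.
    {'max-age': 63072000, 'includesubdomains': True, 'preload': True}."""
    out = {}
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        if name.strip():
            out[name.strip().lower()] = int(val) if val.strip().isdigit() else True
    return out


def parse_csp(value):
    """Parse Content-Security-Policy into {'default-src': ["'self'"], ...}."""
    out = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            out[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return out


def audit_headers(headers):
    """Return a list of findings; an empty list means the response matches the policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    if hsts.get("max-age", 0) < ONE_YEAR or not (hsts.get("includesubdomains") and hsts.get("preload")):
        findings.append("HSTS: preload needs max-age >= 1 year, includeSubDomains and preload")
    csp = parse_csp(h.get("content-security-policy", ""))
    scripts = csp.get("script-src", csp.get("default-src"))  # script-src falls back to default-src
    if scripts is None:
        findings.append("CSP: missing, or has neither default-src nor script-src")
    elif {"'unsafe-inline'", "'unsafe-eval'"} & set(scripts):
        findings.append("CSP: script sources permit unsafe-inline or unsafe-eval")
    if h.get("x-frame-options", "").strip().upper() != "DENY":
        findings.append("X-Frame-Options is not DENY")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if h.get("referrer-policy", "").strip().lower() not in STRICT_REFERRER_POLICIES:
        findings.append("Referrer-Policy is not a strict value")
    return findings


# Constructed sample responses, not captured from the live service.
GOOD = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK = dict(GOOD, **{"Strict-Transport-Security": "max-age=300",
                    "Content-Security-Policy": "default-src 'self' 'unsafe-inline'"})

if __name__ == "__main__":
    print(audit_headers(GOOD))  # []
    print(audit_headers(WEAK))  # two findings: HSTS and CSP
```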
We honor Global Privacy Control (GPC) signals and load analytics only after an explicit consent decision, with granular cookie preferences. We collect the minimum needed to operate the service.
Production access is scoped and audited. Database access is governed by row-level security so tenants can only reach their own records.
We welcome responsible disclosure. If you believe you have found a security issue, email hello@developer312.com with details and reproduction steps. Please give us a reasonable window to remediate before any public disclosure. Our machine-readable policy is published at /.well-known/security.txt.
ProvenanceOS is built by Developer312. You reach the founder directly — there is no support tier between you and the person who maintains the platform.
Questions about security or a compliance review?
Contact us