# Faultline DPA Readiness Overview

Last updated: 2026-05-14

This public overview describes the default Faultline data boundary so that enterprise reviewers can evaluate it before a formal procurement process. It is not a signed data processing addendum and does not replace a negotiated agreement.

## Default processing model

Faultline is designed around source-free scanner snapshots: the open-source scanner runs where customer source code already lives, and Enterprise ingestion receives repository and governance metadata by default, not source code.

## Data categories

- Repository metadata and service identifiers
- Ownership and CODEOWNERS-derived signals
- Policy findings and suppression metadata
- Audit export metadata and accountability events
- Integration delivery status for configured tools
- Account, organization, role, and authentication metadata

## Data not required by default

- Source code
- Full ASTs or compiled artifacts
- Production runtime traces
- Customer application secrets
- Developer workstation contents
- Private incident notes unless explicitly supplied by the customer

## Publicly stated security controls

- OIDC and role-based access control for Enterprise deployments
- Organization-scoped PostgreSQL row-level security
- Redis-backed API rate limiting
- Encrypted integration secrets
- Signed audit exports
- Customer-managed cloud deployment support for Enterprise requirements

## Subprocessor review

Faultline may use infrastructure, analytics, billing, scheduling, source hosting, and email services including AWS, Google Analytics, Stripe, Calendly, GitHub, and AWS SES. Enterprise procurement can request the current subprocessor list and deployment model during DPA review.

## Requesting the enterprise packet

For a formal DPA review, security questionnaire, or procurement packet, contact security@gofaultline.dev.
