Privacy Policy

Last updated: January 16, 2026

FedrampGPT KSI Checker ("the App") is a GitHub App designed to help cloud service providers evaluate FedRAMP 20x Key Security Indicators (KSIs) using automated, machine-based analysis of infrastructure-as-code and related artifacts.

This Privacy Policy describes how the App accesses, uses, and handles data.

Data We Access

The App accesses only the minimum data required to perform its intended functionality, which may include:

  • Repository metadata (repository name, owner, commit SHA)
  • GitHub Actions workflow metadata (run ID, trigger type, timestamps)
  • Machine-generated evidence artifacts produced by GitHub Actions workflows
  • Infrastructure-as-code files (such as Terraform) when evaluated within a GitHub Actions run

The App does not access:

  • Source code outside of the enabled repository
  • Secrets, credentials, or environment variables
  • Issue comments, pull request comments, or user messages
  • Personal data beyond what is provided by GitHub as part of repository metadata

How Data Is Used

Data accessed by the App is used solely to:

  • Evaluate FedRAMP 20x Key Security Indicators
  • Generate PASS / FAIL / ERROR results
  • Produce machine-readable evidence artifacts
  • Display evaluation results as GitHub Check Runs

The App does not use data for advertising, tracking, or analytics purposes unrelated to FedRAMP KSI evaluation.

Data Storage and Retention

  • Evidence artifacts are stored in the customer's GitHub repository as GitHub Actions artifacts.
  • The App does not permanently store customer source code or artifacts outside of GitHub.
  • Any transient data processed by the App service is used only for evaluation and check rendering and is not retained beyond operational needs.

Data Sharing

The App does not sell, rent, or share data with third parties. Data is only accessed within GitHub and processed for the purpose of generating evaluation results for the installing organization.

Security

The App follows the principle of least privilege and uses GitHub's short-lived installation tokens. No long-lived credentials are stored.

Changes to This Policy

This Privacy Policy may be updated from time to time. Updates will be reflected on this page with a revised "Last updated" date.

Contact

If you have questions about this Privacy Policy, please contact the maintainer through the project's GitHub repository.