Security
Your data never leaves your servers.
Primer runs entirely in your environment. We have no access to your data because no mechanism exists for us to have it.
You have the source code.
Every security question has the same answer. You can audit every line. You can change anything. Nothing phones home. Nothing is hidden.
Your infrastructure | DavidPM, LLC*: no connection, no access, no data.
*DavidPM, LLC is the company that builds and sells Primer. Once you have the source code, there is no technical channel back to us.
Self-hosted
Runs entirely in your environment. Your servers, your containers, your infrastructure.
Air-gapped
No telemetry, no analytics beacons, no license validation pings. Zero external dependencies on DavidPM infrastructure.
Full source code
Not compiled binaries. Your security team can audit every function, every database query, every authentication flow.
Application-layer auth
No vendor-controlled access. No support backdoors. No API keys that grant us access. You control authentication completely.
Database-agnostic
Your data, your provider, your rules. PostgreSQL on any infrastructure you choose. We have no involvement.
Update on your terms
Patches and upgrades roll out when your team approves them. No forced auto-updates, no surprise changes to your environment.
What vendors typically access vs. what we access
Typical SaaS vendor
- Your data
- User credentials
- Usage analytics
- API keys
- Billing info
- Support access
Primer
Nothing. The relationship ends at purchase.
DavidPM has no database containing your information.
DavidPM has no API endpoint that receives data from your deployment.
A breach of DavidPM's systems would expose nothing about your organization.
What this means for your compliance team
For regulated industries:
The perpetual source code model eliminates the third-party data processor relationship. There is no BAA to negotiate, no data processing agreement to manage, and no vendor security questionnaire to complete, because we never touch your data.
For enterprise security reviews:
The risk profile is identical to internally developed software. Your team controls the deployment, the infrastructure, and the data. DavidPM's involvement ends at the point of purchase.
For data residency requirements:
Your data lives where you put it. You choose the jurisdiction. You choose the hosting provider. You choose the database location. We have no say in the matter because we have no involvement in the matter.
For government contractors:
Primer does not require FedRAMP authorization because there is no cloud service to authorize. The source code runs inside your infrastructure. If your environment is already authorized, Primer runs inside it without adding a vendor dependency.
Compliance framework mapping
Compliance teams will ask how Primer fits specific frameworks. Here is our defensible position on each of the major ones. The short version: Primer runs inside your compliance perimeter, not outside it.
Our stance
DavidPM does not hold certifications under any of these frameworks, and we believe those certifications would be the wrong tool for a self-hosted source-code product. A certification would cover our office; it would not cover your deployment. Instead, we deliver source code and an architecture that lets your existing compliance program cover Primer directly, the same way it already covers any internal application your team runs.
HIPAA
Healthcare
Is Primer HIPAA-compliant?
HIPAA compliance attaches to the deployment, not to the software. Primer runs on your infrastructure, and DavidPM never receives, stores, or transmits PHI. There is no data flow between your deployment and DavidPM, so no Business Associate Agreement with DavidPM is required or possible: we are not a Business Associate under the HIPAA Privacy Rule. You deploy Primer inside your existing HIPAA-covered environment the same way you deploy any internally hosted application.
Your responsibility: Access controls, audit logging, encryption at rest and in transit, BAAs with your own hosting and infrastructure providers, workforce training, and breach notification procedures.
GDPR / DSGVO
EU data protection
How does Primer handle GDPR?
Under GDPR and the German DSGVO, your organization is the data controller for the employee data in Primer, and your organization is also the processor because Primer runs on infrastructure you operate. DavidPM is neither a controller nor a processor of that data; we never receive it. No cross-border transfer to DavidPM occurs, so Standard Contractual Clauses for DavidPM are not applicable. Data residency is whatever you choose when you deploy. EU-only or Germany-only deployment is straightforward: install on infrastructure inside the jurisdiction.
Your responsibility: Your Article 30 records of processing, DPIA if required, lawful basis for processing employee data, data subject request handling, and works council consultation where applicable.
SOC 2
Service trust
What is Primer's SOC 2 scope?
Primer is not a service you consume from DavidPM, so it does not fall inside a DavidPM SOC 2 report, and a DavidPM SOC 2 report would not cover your deployment even if one existed. Your Primer deployment is inside your SOC 2 scope, not ours. If your organization already holds SOC 2 Type II, Primer becomes another internally managed application under your existing Trust Services Criteria. Auditors who understand self-hosted software accept this model.
Your responsibility: Change management, access reviews, incident response, backup and recovery, and the rest of your existing SOC 2 controls applied to Primer as an in-scope system.
FedRAMP / NIST 800-53
US federal
Can Primer be used in FedRAMP-authorized environments?
Primer itself is not FedRAMP-authorized; DavidPM is not a cloud service provider, so there is no service to authorize. Primer can be deployed inside a FedRAMP Moderate or High environment (for example, a GovCloud tenancy or an on-premise ATO boundary) as a customer-developed application. Because the source code is delivered directly, your security team can perform the same SA-11 developmental security testing and SA-15 development process review they would perform on any internally developed application. The NIST 800-53 control families that apply to Primer are the ones that apply to any application running inside your authorization boundary.
Your responsibility: ATO for the deployment environment, control inheritance decisions, continuous monitoring, POA&M management, and integration with your agency's existing authorization boundary.
Air-gap deployment
Isolated networks
Does Primer run on an air-gapped network?
Yes. Primer has no phone-home behavior, no external API calls, no license check against a DavidPM server, and no required outbound network access of any kind once installed. The application does not fetch fonts, scripts, analytics, or dependencies from the internet at runtime. All assets ship inside the source code package. Once installed on an isolated network, Primer operates without any connection to the outside world, permanently. Updates are distributed as downloadable source packages that you transfer across the air gap using whatever procedures your environment requires.
Your responsibility: Transfer procedures for source code updates across the air gap, offline dependency mirroring if you rebuild from source, and verification of package integrity against published checksums.
SBOM / supply chain
Supply chain
Is a Software Bill of Materials available?
Yes. A CycloneDX-format SBOM is included in every release and lists every direct and transitive dependency, its version, and its license. Because you receive the complete source code, you can also generate your own SBOM at any time using standard tooling (syft, cdxgen, npm sbom) and verify it against ours. You are not dependent on DavidPM for supply-chain visibility; the package.json, the lockfile, and every line of code are in your hands from the moment of purchase. This aligns with the US Executive Order 14028 expectations for SBOM delivery in procured software.
Your responsibility: Regular SBOM regeneration after any dependency updates you apply, vulnerability monitoring against your SBOM using your preferred tooling, and integration with your existing supply-chain security program.
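The "verify it against ours" step above can be scripted: parse the shipped CycloneDX SBOM and the one you regenerate from the source tree, then report components that only one side lists or that carry different versions. This is an added example, not DavidPM's tooling; the two SBOM documents are constructed inline so it runs offline, and the regenerated one deliberately reflects a dependency update the operating team applied after install.

```python
import json

# Constructed sample SBOMs in CycloneDX JSON form (not Primer's real release data).
VENDOR_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "pg", "version": "8.11.3", "purl": "pkg:npm/pg@8.11.3"},
        {"type": "library", "name": "lodash", "version": "4.17.21", "purl": "pkg:npm/lodash@4.17.21"},
    ],
})
# SBOM regenerated locally (e.g. with syft or npm sbom) after the team applied updates.
REGENERATED_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "express", "version": "4.18.2", "purl": "pkg:npm/express@4.18.2"},
        {"type": "library", "name": "pg", "version": "8.12.0", "purl": "pkg:npm/pg@8.12.0"},
        {"type": "library", "name": "minimist", "version": "1.2.8", "purl": "pkg:npm/minimist@1.2.8"},
    ],
})


def component_versions(sbom_json: str) -> dict:
    """Map each CycloneDX component to its version, keyed by group/name."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    versions = {}
    for comp in doc.get("components", []):
        key = f"{comp['group']}/{comp['name']}" if comp.get("group") else comp["name"]
        versions[key] = comp.get("version")
    return versions


def diff_sboms(vendor_json: str, regenerated_json: str) -> dict:
    """Report components only the vendor lists, only the rebuild lists, or with differing versions."""
    vendor = component_versions(vendor_json)
    local = component_versions(regenerated_json)
    return {
        "only_in_vendor": sorted(set(vendor) - set(local)),
        "only_in_regenerated": sorted(set(local) - set(vendor)),
        "version_mismatch": {
            name: (vendor[name], local[name])
            for name in sorted(set(vendor) & set(local))
            if vendor[name] != local[name]
        },
    }


if __name__ == "__main__":
    print(json.dumps(diff_sboms(VENDOR_SBOM, REGENERATED_SBOM), indent=2))
```

On a fresh install the diff against the shipped SBOM should be empty; anything else means the shipped SBOM and the delivered tree disagree and deserves a look before the package is accepted. After your own dependency updates, the reported drift is expected and is what your vulnerability monitoring should be fed.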
What we do not claim
Primer is not certified under any compliance framework. DavidPM does not hold SOC 2 Type II, FedRAMP authorization, ISO 27001, HITRUST, or HIPAA attestations, and we do not offer a DavidPM-signed Business Associate Agreement, Data Processing Addendum, or security questionnaire response as a standard artifact. If a vendor-held certification is a hard requirement for your procurement process, Primer may not be the right product for your organization. If instead your compliance program is built to cover internally deployed software, which is how every HIPAA-covered hospital, every FedRAMP-authorized agency, and every SOC 2 organization already runs most of its internal tools, Primer fits that model cleanly.
What we do have is source code you can read, a deployment model you control, and an architecture that makes the question of vendor data security irrelevant by design.