Security
Your data never leaves your servers.
Primer runs entirely in your environment. We have no access to your data because no mechanism exists for us to have it.
You own the source code.
Every security question has the same answer. You can audit every line. You can change anything. Nothing phones home. Nothing is hidden.
Diagram: your infrastructure on one side, DavidPM, LLC* on the other, with no connection, no access, and no data flowing between them.
*DavidPM, LLC is the company that builds and sells Primer. Once you own the source code, there is no technical channel back to us.
Self-hosted
Runs entirely in your environment. Your servers, your containers, your infrastructure.
Air-gapped
No telemetry, no analytics beacons, no license validation pings. Zero external dependencies on DavidPM infrastructure.
Full source code
Not compiled binaries. Your security team can audit every function, every database query, every authentication flow.
Application-layer auth
No vendor-controlled access. No support backdoors. No API keys that grant us access. You control authentication completely.
Database-agnostic
Your data, your provider, your rules. PostgreSQL, SQLite, or any provider you choose. We have no involvement.
Update on your terms
Patches and upgrades roll out when your team approves them. No forced auto-updates, no surprise changes to your environment.
What vendors typically access vs. what we access
Typical SaaS vendor:
- Your data
- User credentials
- Usage analytics
- API keys
- Billing info
- Support access
Primer:
- Nothing. The relationship ends at purchase.
DavidPM has no database containing your information.
DavidPM has no API endpoint that receives data from your deployment.
A breach of DavidPM's systems would expose nothing about your organization.
What this means for your compliance team
For regulated industries:
The perpetual source code model eliminates the third-party data processor relationship. There is no BAA to negotiate, no data processing agreement to manage, and no vendor security questionnaire to complete, because we never touch your data.
For enterprise security reviews:
The risk profile is identical to internally developed software. Your team controls the deployment, the infrastructure, and the data. DavidPM's involvement ends at the point of purchase.
For data residency requirements:
Your data lives where you put it. You choose the jurisdiction. You choose the hosting provider. You choose the database location. We have no say in the matter because we have no involvement in the matter.
For government contractors:
Primer does not require FedRAMP authorization because there is no cloud service to authorize. The source code runs inside your infrastructure. If your environment is already authorized, Primer runs inside it without adding a vendor dependency.
We do not have a SOC 2 report. We do not need one. SOC 2 audits the controls around data a vendor holds. We hold none of yours.
What we do have is source code you can read, a deployment model you control, and an architecture that makes the question of vendor data security irrelevant by design.