Privacy Policy

Last updated: January 16, 2026

This Privacy Policy covers both Boundera's public marketing website and the Boundera KSI Checker product.

The marketing website may use analytics and advertising tools with visitor consent. The product is designed to help cloud service providers evaluate FedRAMP 20x Key Security Indicators (KSIs) using automated, machine-based analysis of infrastructure-as-code and related artifacts.

Website Analytics and Advertising

Boundera's public marketing website may use analytics tools and advertising platform tags to understand site usage, measure campaign performance, and build remarketing audiences.

  • Analytics events such as page views, CTA clicks, and demo requests
  • Attribution data such as UTM parameters and referring campaign metadata
  • Advertising tags from platforms such as Meta and Google, when enabled

These technologies are used only on the marketing site and are not required to browse the site. They can be accepted or declined through the site's cookie banner.

Product Data We Access

The Boundera KSI Checker app accesses only the minimum data required to perform its intended functionality, which may include:

  • Repository metadata (repository name, owner, commit SHA)
  • GitHub Actions workflow metadata (run ID, trigger type, timestamps)
  • Machine-generated evidence artifacts produced by GitHub Actions workflows
  • Infrastructure-as-code files (such as Terraform) when evaluated within a GitHub Actions run

The App does not access:

  • Source code outside of the enabled repository
  • Secrets, credentials, or environment variables
  • Issue comments, pull request comments, or user messages
  • Personal data beyond what is provided by GitHub as part of repository metadata

How Product Data Is Used

Data accessed by the product is used solely to:

  • Evaluate FedRAMP 20x Key Security Indicators
  • Generate PASS / FAIL / ERROR results
  • Produce machine-readable evidence artifacts
  • Display evaluation results as GitHub Check Runs

The product does not use customer repository data for advertising, retargeting, or unrelated marketing analytics.

Data Storage and Retention

  • Evidence artifacts are stored in the customer's GitHub repository as GitHub Actions artifacts.
  • The App does not permanently store customer source code or artifacts outside of GitHub.
  • Any transient data processed by the App service is used only for evaluation and check rendering and is not retained beyond operational needs.

Data Sharing

The App does not sell, rent, or share data with third parties. Data is only accessed within GitHub and processed for the purpose of generating evaluation results for the installing organization.

Security

The App follows the principle of least privilege and uses GitHub's short-lived installation tokens. No long-lived credentials are stored.

Changes to This Policy

This Privacy Policy may be updated from time to time. Updates will be reflected on this page with a revised "Last updated" date.

Contact

If you have questions about this Privacy Policy, please contact the maintainer through the project's GitHub repository.