Posture statement (always include this)
Pathfinder is a single-user macOS desktop application running entirely on customer-owned hardware. We do not host a Pathfinder SaaS. We do not have a multi-tenant backend. We do not have a copy of customer data. The trust boundary is the macOS user account.
Q&A
A. Company & product
| Q |
A |
| Vendor legal name |
Colby's Data Movers LLC |
| Product name |
Pathfinder |
| Deployment model |
Customer-installed desktop application (macOS) |
| Multi-tenant? |
No — single-user per workspace per device |
| Where is product hosted? |
On customer's hardware |
| Where is customer data stored? |
Per-workspace SQLite file on customer's hardware |
| Where do credentials live? |
macOS Keychain (encrypted at rest by macOS) |
| Is there a control plane we depend on? |
No |
| Do you have a SOC 2 report? |
Not currently — see compliance crosswalk for control mapping |
B. Data flows
| Q |
A |
| Does your product send our data to a third party? |
No. Pathfinder reaches customer-owned SaaS endpoints only, pinned by per-connector base-URL allow-list |
| Do you use AI/ML on our data? |
Only if the customer opts in to Fabric, supplies their own LLM API key, and explicitly invokes a pattern. Disabled by default |
| Do you log customer data? |
Diagnostic logs may contain object/field names and counts; never record values, never secrets |
| What outbound URLs does Pathfinder hit? |
Only the customer's configured SaaS APIs. See the HTTP threat model for the allow-list |
| Inbound network listeners? |
None |
C. Access controls
| Q |
A |
| How are vendor employees authenticated to the customer environment? |
They aren't. Pathfinder runs on customer hardware; we do not log in |
| How are credentials stored? |
macOS Keychain via security_framework. Not SQLite. Not env vars. Not logs |
| Encryption at rest? |
macOS FileVault (customer-managed) for the workspace; Keychain for credentials |
| Encryption in transit? |
TLS 1.2+ via rustls for every outbound HTTP call |
| Cert pinning? |
Per-connector base-URL allow-list pins the host; TLS chain validated by OS trust store |
| Privileged access management? |
Not applicable (no shared infrastructure) |
D. Software supply chain
| Q |
A |
| SBOM available? |
Yes — generated per release; see docs/RELEASE_ENGINEERING.md and the script scripts/sbom.sh |
| Dependency vulnerability scanning? |
GitHub Dependabot + cargo deny on every push; standing triage tracked in H6_DEPENDABOT_TRIAGE.md |
| Code signing? |
Apple notarisation per release |
| Reproducible builds? |
Tracked as E7.4 — not guaranteed today; release artefacts checksummed |
| Source code custody? |
Private GitHub repository under tbcolby/pathfinder; will transfer to acquirer at close |
E. SDLC
| Q |
A |
| Code review required? |
Yes — lifecycle/code-reviewer pathkeeper, plus reviewer approval on PR |
| Static analysis? |
cargo clippy, ESLint, cargo deny, secrets-lint CI gate |
| Dynamic / runtime analysis? |
Tests (~5,200+), property tests (~20), criterion benches. Fuzz harnesses for IPC/MCP tracked as E3.6/3.7 |
| Pen test cadence? |
Not currently. Decision documented in ENTERPRISE_HARDENING_PLAN.md §21 |
| Vulnerability disclosure? |
See the Vulnerability Disclosure policy |
F. Incident response
| Q |
A |
| Notification SLA on a confirmed vulnerability? |
72 hours from confirmation |
| Customer-side mitigation guidance? |
Provided as a runbook entry, e.g. docs/runbooks/SUPPORT.md |
| Audit log retention? |
The customer controls retention — the audit chain is per-workspace and append-only |
G. Data subject rights
| Q |
A |
| Data residency? |
Customer's hardware |
| Right to deletion? |
Customer deletes the workspace folder |
| Data portability? |
In-app workspace archive export produces a portable .zip |
| Cross-border transfers? |
Driven by customer's SaaS choices, not by us |
H. Continuity
| Q |
A |
| What happens if Colby's Data Movers shuts down? |
Customer's workspace remains usable indefinitely. Source code transfers per the Agreement |
| Escrow? |
Source escrow available on request |
| Disaster recovery? |
Per-workspace — customer's responsibility on their hardware. The workspace archive supports full restore |
How to use this document
- Copy this file to a customer-specific working copy.
- Walk row-by-row; customise the "A" column with specifics.
- Highlight any "TODO" left in the customer's working copy.
- Send the response.
Refresh this template on every release that materially changes the security posture (new connector type, new substrate, new third-party subprocessor).