fastpace trust portal
Trust portal

Self-serve security posture for fastpace

Everything a CISO, security architect, or procurement lead needs to evaluate fastpace — attestations, sub-processors, security questionnaires, threat model, and a self-serve evidence-package request flow. Updated continuously; this is the canonical source.

fastpace is the vendor-neutral governance & compliance layer: one signed evidence chain, one policy, and one context source across Claude Code, Codex, and Gemini CLI. The same guardrails and signed capture deploy to each (one hook codebase, generated per vendor), so the evidence you hand an auditor doesn't move when your team swaps models.

Why a separate portal?

The marketing site explains what fastpace does. This portal proves it. Everything here is artifact-driven — sub-processors, attestation statuses, and questionnaires are stored as JSON in version control, so changes have a git history a procurement reviewer can audit.

Updated for v0.45.0 (May 2026)

fastpace shipped 30+ new commands and a new Platform tier between Team and Enterprise across waves 1 through 5d.B. The threat-model below covers the new attack surfaces — extended audit-chain event types (deploy.recorded, deploy.verified, metrics-source.queried, auditor.invited, review.meta.completed), platform-team metrics rollup, BYOK key vault, opt-in burnout signal, and the metrics-source connector trust boundary (Datadog / Prometheus / Sentry adapters landed in v0.41.0). See threat model →

Recent sub-waves: 5c.B (v0.41.0 — deploy verify, release-window, rollback assess, audience-projected changelog, MetricsSource adapters) · 5d.A (v0.42.0 — per-control evidence generator, continuous control monitor, auditor-portable evidence packs, gap-analysis) · 5a (v0.43.0 — plan-execution drift reconciliation with the Spike-001 hybrid matcher) · 5b (v0.44.0 — multi-pass PR review with a second-layer meta-reviewer persona) · 5d.B (v0.45.0 — Ed25519-signed auditor invites, sub-processor flow-down attestation, custom-framework registration, evidence-request inbox).

For the latest outcome guarantees (audit-chain coverage, framework readiness, plus four new candidates landing in v0.37 contract revision) see fastpace.net/outcomes. The full ELI5'd catalog of every metric fastpace produces is at fastpace.net/metrics.

Quick access

Section What's there Link
Attestations SOC 2, ISO 27001, ISO 42001 — current status + targets View →
Sub-processors Every third party that touches fastpace data (short list) View →
Questionnaires CAIQ, SIG Core, SIG Lite, VSA — answered under NDA View →
Threat model STRIDE walk against every shipped fastpace primitive View →
Evidence request Self-serve flow for attestation reports, audit packages, more Request →
Maturity score AI-Native Maturity (F4.12) — 9 competencies, auto-updated daily from the install. Consent-gated. View →
Outcome metrics The 6 customer-visible numbers that back fastpace's outcome-based pricing: audit-chain coverage, framework readiness, maturity climb, reliability score, evidence SLO, chain-integrity uptime. View →
Public commitments Founder's signed, unilateral, refundable commitments — the buyer-asymmetry resolver. Hit/miss outcomes tracked over time. View →

AI-Native Maturity (consent-gated)

Customers running fastpace ≥ 0.28 publish a signed Maturity Scorecard — a 0–100 number across nine industry-standard AI-native engineering competencies (Project Setup, Spec-Driven Development, Context Management, Testing, Harness Engineering, Architectural Guardrails, Review Maturity, AI SDLC Metrics, Prompt Engineering). Updates auto-flow from each developer's machine via F3.11 audit replication; the trust portal averages across the org. Per-customer scores are only published with explicit consent — most prospects use this internally first.

Architecture in two sentences

Local by construction. The core fastpace runtime — skills, agents, hooks, local UI — runs on the developer's machine and never transmits source code or prompts to a fastpace-operated service. The optional org dashboard is self-hosted and only ingests signed audit summaries (counts, hashes, trends) — never code, never prompts, never responses.

No telemetry. fastpace ships zero telemetry. Updates are explicit (npm update -g @fastpace-ai/fp then fastpace update). The runtime that touches your code is open source and auditable.

Verify it from the terminal

Three commands prove what's installed and what each install has done.

fastpace verify — walks the F0.2 hash-chained audit log and reports any tampering since install.

fastpace inventory — lists every agent, runtime, MCP server, and identity active on this machine.

fastpace snapshot --since YYYY-MM-DD — packages ADRs, the audit log, run manifests, and AI-BOMs into one auditor-ready tarball. The evidence-request flow is the portal-side wrapper around this.