LEGAL / DPA /EFFECTIVE MAY 11, 2026

DATA PROCESSING AGREEMENT

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (“Controller”) and VibeEval (“Processor”) and governs the processing of Personal Data on your behalf when you use the VibeEval security scanning service.

1. Roles and Scope

You act as the Controller of any Personal Data submitted to the Service. VibeEval acts as the Processor and will process Personal Data only on your documented instructions and as necessary to deliver the Service described in our Terms of Service and Privacy Policy.

2. Subject Matter and Duration

VibeEval processes Personal Data for the duration of your subscription and for the limited retention periods described below. The subject matter is automated security scanning of web applications you own or are authorized to test.

3. Nature and Purpose of Processing

  • Receiving scan target URLs and authorization metadata
  • Generating, storing, and presenting vulnerability findings
  • Account administration, billing, and support communications

4. Categories of Data and Data Subjects

Personal Data categories: account contact details (name, email, company), IP address, technical telemetry, and any Personal Data incidentally captured in scan output that you authorize the Service to fetch.

Data subjects: your authorized users, and any individuals whose data may be incidentally returned by a scanned endpoint.

5. Sub-processors

VibeEval uses the following sub-processors to deliver the Service:

  • Vercel — hosting and request delivery
  • Modal — scan execution infrastructure
  • Beehiiv — newsletter and update communications
  • Microsoft Clarity — usage analytics

We will notify customers of changes to this list. Customers may object to a new sub-processor by emailing support@vibe-eval.com.

6. Security Measures

VibeEval implements technical and organizational measures appropriate to the risk, including encryption in transit, access controls, least-privilege production access, and logging. See our Trust page for the current posture.

7. International Transfers

Where Personal Data is transferred outside the EEA, UK, or Switzerland, transfers are governed by the European Commission’s Standard Contractual Clauses (2021/914) and the UK International Data Transfer Addendum, as applicable.

8. Data Subject Requests

VibeEval will assist the Controller, taking into account the nature of processing, in responding to requests from data subjects to exercise rights under applicable law.

9. Breach Notification

VibeEval will notify the Controller without undue delay after becoming aware of a Personal Data breach affecting Controller data.

10. Audit Rights

Upon reasonable request and subject to confidentiality, VibeEval will make available information necessary to demonstrate compliance with this DPA.

11. Return or Deletion

Upon termination, VibeEval will delete or return Controller Personal Data within 30 days, except where retention is required by law.

12. Executing this DPA

This DPA is automatically incorporated into your Terms of Service. Customers requiring a signed counterpart should contact support@vibe-eval.com.