TRUST
VibeEval is a security testing tool, so we hold ourselves to the standard our customers expect of any vendor handling scan data, credentials, and findings.
Reporting a vulnerability
Email security@vibe-eval.com. Machine-readable disclosure metadata is published at /.well-known/security.txt.
We respond within two business days. Please give us a reasonable window to remediate before public disclosure.
Data handling
- Scan targets — only URLs you submit and authorize. We do not scan endpoints you have not explicitly entered.
- Findings storage — vulnerability findings are stored against your account and retained for the life of your subscription plus 30 days after cancellation.
- Credentials — when you provide authentication material for authenticated scans, it is encrypted at rest and scoped to that scan job.
- Transit — all traffic to and from the Service is encrypted with TLS 1.2 or later.
- Access — production data access is restricted to a small number of engineers under least-privilege controls and is logged.
Sub-processors
| Sub-processor | Purpose | Region |
|---|---|---|
| Vercel | Hosting, edge delivery | Global |
| Modal | Scan execution infrastructure | US |
| Beehiiv | Newsletter and product updates | US |
| Microsoft Clarity | Usage analytics | Global |
Changes to this list are announced via our updates feed. Customers on enterprise terms can subscribe to direct notification by contacting support@vibe-eval.com.
Compliance
VibeEval is committed to handling Personal Data in accordance with GDPR, UK GDPR, and CCPA. Our Data Processing Agreement is incorporated into the Terms of Service and applies to customers subject to those regimes.
Formal third-party certifications (SOC 2, ISO 27001) are not currently in place. Enterprise customers requiring attestation should contact support@vibe-eval.com to discuss timeline and scope.
Service responsibility
VibeEval performs non-invasive, read-only scans on targets you own or are authorized to test. The Terms of Service describe authorization requirements and acceptable use. Customers remain responsible for ensuring scans comply with applicable law and any third-party terms.
Contact
- Security: security@vibe-eval.com
- Support and DPA requests: support@vibe-eval.com