Last updated: May 7, 2026
This page summarises, in plain language, the Data Processing Agreement (“DPA”) that governs Vibeless's processing of personal data on behalf of customers. It is a customer-friendly overview, not the controlling legal text — for a signed DPA covering Team and Enterprise tiers, email legal@vibeless.pro.
For personal data submitted to Vibeless by or on behalf of a customer in connection with the Service:
We process personal data for the sole purpose of providing, securing, and improving the Service in line with the customer's instructions: account management, authentication, hosting of customer-supplied content (specs, context, architecture documents), agent integrations, billing, and support.
Vibeless engages a limited set of vetted sub-processors to operate the Service. The current list is published and kept up to date on our security page. Each sub-processor is bound by a written agreement that imposes data-protection obligations no less protective than those in this DPA.
We will provide at least 30 days' advance notice before adding or replacing a sub-processor. Team and Enterprise customers may object on reasonable grounds, and we will work in good faith to resolve the objection.
Categories of data subjects: customer end-users, authorised account administrators, and any individuals identifiable in customer-supplied content.
Categories of personal data: identifiers (name, email, IP address, device identifiers); account data (profile preferences, role, plan); commercial data (subscription history, payment metadata processed by Stripe); technical data (usage events, log data); and any personal data the customer chooses to include in user-generated content.
We retain personal data only for as long as needed to deliver the Service or meet a legal obligation. On termination of the customer's subscription, or upon written request, we will delete or return all personal data within 30 days, except where applicable law requires further retention (for example, financial records).
Backups and snapshots that include deleted data are aged out according to our backup retention schedule, after which they are cryptographically erased.
Vibeless implements appropriate technical and organisational measures to protect personal data — including TLS 1.2+ in transit, AES-256 encryption at rest, role-based access control, audit logging of administrative actions, and incident response procedures. Full details are listed on the security page.
Vibeless and its sub-processors operate primarily in the United States. Where personal data is transferred from the EEA, United Kingdom, or Switzerland to a country that has not been deemed adequate, the transfer relies on the European Commission's Standard Contractual Clauses (SCCs), supplemented as needed by additional safeguards. The UK addendum to the SCCs applies for transfers from the United Kingdom.
On reasonable prior notice and no more than once per year (or as required by a competent supervisory authority), Vibeless will make available information necessary to demonstrate compliance with this DPA. For Enterprise customers we will also reasonably cooperate with on-site or remote audits, subject to a mutually agreed confidentiality framework.
We will notify the customer without undue delay — and in any event within applicable statutory time-frames — after becoming aware of a personal-data breach affecting customer data. The notice will include a description of the nature of the breach, the categories and approximate volume of data subjects and records affected, and the measures taken or proposed to address it.
We publish our current list of sub-processors on the security page and update it before any change takes effect. Customers may subscribe to be notified of changes via the email address on file for the account administrator.
This DPA is governed by the laws of the State of Delaware, United States, except where mandatory data-protection law in another jurisdiction requires otherwise. The SCCs themselves remain governed by the law specified in their applicable module.
For a signed DPA covering Team and Enterprise tiers, email legal@vibeless.pro. Include your account email, plan tier, and the legal entity name to be named as the controller.