Last updated: May 7, 2026
We take the security of customer data seriously. This page describes the technical and organisational controls Vibeless has in place today, as well as how to report a vulnerability. The page will evolve as we complete additional audits and expand our compliance posture.
All traffic between your browser, our edge, and our origin is served exclusively over HTTPS using TLS 1.2 or higher. HTTP requests are redirected to HTTPS at the edge, and HSTS is enabled so compliant browsers refuse to fall back to plaintext.
Customer data is stored in Neon (managed PostgreSQL). Neon encrypts all data on disk using AES-256, and snapshots and backups inherit the same encryption. Application-level secrets (such as third-party API keys) are stored as encrypted environment variables and are never exposed in the client bundle.
User authentication is handled by Clerk. Vibeless never stores user passwords directly. Clerk provides industry-standard credential hashing, brute-force protection, breach detection, and session management out of the box.
MFA is supported for all user accounts via Clerk, including TOTP authenticator apps and SMS. We strongly recommend customers enable MFA, and we plan to make it a requirement for Team and Enterprise tiers in a future release.
Sessions use short-lived, signed tokens issued by Clerk. Cookies are set with the HttpOnly, Secure, and SameSite attributes. Sessions can be revoked from the user's account settings, and stale sessions expire automatically.
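A small response-header audit, added here as an example and not Vibeless code, that checks a captured HTTP response against the transport, cookie-attribute, nosniff and referrer settings this page describes. The one-year HSTS minimum and the Strict/Lax SameSite expectation are assumptions, and the sample responses are constructed.

```python
# Added example: audit a response against the HSTS, header and cookie policy above.
MIN_HSTS_MAX_AGE = 31536000  # seconds; one-year minimum is an assumption, not page policy

def parse_directives(value):
    """Split a ';'-separated header value into {lowercased name: value or None}."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip() or None
    return out

def audit_headers(headers):
    """Return findings for a list of (name, value) pairs; empty means the policy is met."""
    findings = []
    single = {n.lower(): v for n, v in headers if n.lower() != "set-cookie"}
    cookies = [v for n, v in headers if n.lower() == "set-cookie"]  # may repeat
    hsts = single.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security missing")
    else:
        d = parse_directives(hsts)
        max_age = d.get("max-age")
        if not (max_age or "").isdigit() or int(max_age) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too low or missing: {max_age!r}")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
    if (single.get("x-content-type-options") or "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if (single.get("referrer-policy") or "").strip().lower() != "strict-origin-when-cross-origin":
        findings.append("Referrer-Policy is not strict-origin-when-cross-origin")
    for raw in cookies:  # every cookie must be HttpOnly, Secure and SameSite Strict/Lax (assumed)
        attrs = parse_directives(raw)
        name = raw.split("=", 1)[0].strip()
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie {name} lacks {flag}")
        samesite = (attrs.get("samesite") or "unset").lower()
        if samesite not in ("strict", "lax"):
            findings.append(f"cookie {name} SameSite is {samesite}, expected Strict or Lax")
    return findings

# Constructed sample responses, not captured from any real deployment.
COMPLIANT = [("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
             ("X-Content-Type-Options", "nosniff"), ("Referrer-Policy", "strict-origin-when-cross-origin"),
             ("Set-Cookie", "__session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax")]
WEAK = [("Strict-Transport-Security", "max-age=300"), ("X-Content-Type-Options", "nosniff"),
        ("Set-Cookie", "__session=abc123; Path=/")]
```

Running `audit_headers(WEAK)` yields six findings (short HSTS lifetime, no includeSubDomains, missing Referrer-Policy, and a cookie without HttpOnly, Secure or SameSite), while the compliant sample returns an empty list.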
Access to Vibeless admin tooling is gated behind a separate, allow-listed admin user table and requires a one-time password (OTP) delivered to a registered admin email on every sign-in. Admin actions are written to an immutable audit log that records actor, action, target, and source IP.
Admin one-time codes are emailed via SendGrid; we configure the lowest available retention on our email provider to limit exposure of expired codes.
We also send the following security headers on every response:

- Strict-Transport-Security with max-age and includeSubDomains, so browsers always upgrade to HTTPS.
- X-Content-Type-Options: nosniff, to prevent MIME confusion attacks.
- Referrer-Policy: strict-origin-when-cross-origin, to limit referrer leakage to third parties.

If you believe you have found a security vulnerability in any Vibeless product or service, please email security@vibeless.pro with a description of the issue, a clear reproduction, and any supporting material (screenshots, logs, proof-of-concept).
We aim to acknowledge new reports within 72 hours (aspirational SLA) and to keep you updated on remediation progress through resolution. We do not currently operate a paid bug-bounty program, but we are happy to publicly acknowledge researchers who responsibly disclose valid issues.
Please test only against accounts you own, do not access or modify other users' data, do not perform denial-of-service testing, and give us a reasonable opportunity to fix the issue before disclosing it publicly.
Vibeless engages the following sub-processors to operate the Service. Each is contractually bound to security and data-protection terms equivalent to those we provide our customers.
| Sub-processor | Purpose | Region |
|---|---|---|
| Clerk | Authentication & identity | United States |
| Stripe | Payment processing & subscriptions | United States |
| SendGrid | Transactional email delivery | United States |
| Vercel | Application hosting & edge | United States & global edge |
| Neon | PostgreSQL database hosting | United States |
| Cloudflare | DNS & DDoS mitigation | Global |
| Anthropic | LLM inference for agent workflows | United States |
We provide at least 30 days' advance notice of new sub-processors via this page and via email to account-administrator contacts on Team and Enterprise plans.
For security questions, vulnerability reports, or compliance documentation requests, email security@vibeless.pro.