Security You Can Trust
Vibgrate is built with security at its core. We protect your code intelligence, dependency data, and organisational information with enterprise-grade controls designed for the most demanding environments.
Security Principles
Our security architecture is built on defence-in-depth principles, ensuring multiple layers of protection for your data.
Encryption Everywhere
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Database fields containing sensitive information use application-level encryption with rotating keys.
- AES-256 encryption at rest
- TLS 1.3 for all connections
- Automatic key rotation
- Certificate pinning for API calls
Identity & Access Management
Enterprise SSO via SAML 2.0 and OIDC. Fine-grained role-based access control at organisation, team, and repository levels with mandatory MFA for all accounts.
- SAML 2.0 & OIDC SSO
- Role-based access control (RBAC)
- Mandatory multi-factor authentication
- Session management & token rotation
Network Security
Infrastructure runs in isolated VPCs with strict network segmentation. All external traffic passes through WAF and DDoS protection layers.
- VPC isolation & network segmentation
- Web Application Firewall (WAF)
- DDoS mitigation
- IP allowlisting for enterprise
Audit Logging
Comprehensive, immutable audit trail of every action across the platform. Logs are retained, searchable, and exportable for compliance and forensic analysis.
- Immutable audit logs
- Full API request logging
- User activity tracking
- Exportable compliance reports
Data Isolation & Residency
Strict tenant isolation ensures your data is never co-mingled. Choose your data residency region to meet jurisdictional requirements.
- Logical tenant isolation
- Configurable data residency
- No cross-tenant data access
- Regional data processing
Vulnerability Management
Continuous automated scanning of our infrastructure and application code. Regular third-party penetration testing with findings remediated on strict SLAs.
- Continuous vulnerability scanning
- Annual third-party penetration testing
- Responsible disclosure programme
- Strict remediation SLAs
Operational Security
Security isn't just about technology — it's about people, processes, and continuous improvement.
Business Continuity
Automated backups, multi-region failover, and disaster recovery procedures tested quarterly.
Incident Response
Defined incident response plan with 24/7 on-call engineering. Post-incident reviews published for transparency.
Personnel Security
Background checks for all employees. Security awareness training on hire and annually thereafter.
Secure Development Lifecycle
Code review, static analysis, dependency scanning, and automated testing in every deployment pipeline.
Infrastructure Security
Vibgrate runs on hardened cloud infrastructure with automated provisioning via infrastructure-as-code. Every deployment is immutable, versioned, and reproducible.
Our CI/CD pipeline enforces security gates at every stage — from static analysis and dependency scanning to container image signing and runtime policy enforcement.
Platform Architecture
CDN, WAF, DDoS protection, rate limiting
Containerised microservices, API gateway, auth middleware
Encrypted databases, isolated tenants, automated backups
Hardened VMs, network policies, secrets vault
Compliance & Certifications
We invest continuously in meeting and exceeding industry compliance standards.
GDPR
CompliantFull compliance with EU General Data Protection Regulation
HIPAA
ReadyArchitecture supports HIPAA-regulated workloads
ISO 27001
In ProgressInformation security management system certification
CCPA
CompliantCalifornia Consumer Privacy Act compliance
How We Handle Your Data
Transparency about what data we collect, how we use it, and how we protect it.
What We Analyse
- Dependency manifests (package.json, requirements.txt, etc.)
- Framework and language versions
- Configuration patterns (anonymised)
- Git metadata (commit hashes, timestamps)
What We Never Access
- Your application source code
- Environment variables or secrets
- Customer or user data in your apps
- Private repository contents beyond manifests
Data Retention
- Scan results retained per your plan tier
- Deleted data purged within 30 days
- Full data export available on request
- Right to erasure honoured within 72 hours
Responsible Disclosure
We value the work of security researchers. If you believe you've found a vulnerability in Vibgrate, we encourage you to report it responsibly.
security@vibgrate.com
Acknowledgement within 24 hours
We will not pursue legal action against good-faith reporters
Contributors credited in our security hall of fame
Have Security Questions?
Our security team is available to discuss your requirements, answer security questionnaires, and provide additional documentation for your procurement process.