VibingIQ

Security & Privacy

VibingIQ looks at your code and sometimes logs into your app. We take that responsibility seriously. Here is exactly how we protect you.

Read-only by default

The VibingIQ GitHub App requests read access to the repositories you grant. Write access is never enabled unless you explicitly opt in to auto-heal PRs, and even then every PR is draft-first and requires your review.

Encrypted credentials

Test logins, API keys, and database URLs you connect are encrypted at rest with AES-256-GCM envelope encryption: each stored credential is encrypted under its own data key, and that data key is in turn encrypted under a master key. The master key lives in our runtime secret store and is never shipped to the dashboard or exposed in logs.

Secrets never hit the LLM

When our AI agent needs to log in or enter a credential during a persona scan, it emits a placeholder (like {{login.email}}) instead of the value. The harness substitutes the real secret at send time, just before the action reaches the browser. The LLM never sees the real value, and we redact it from every persisted transcript.
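The placeholder flow described above, as an added example rather than VibingIQ's harness code. The action shape (`{ type, selector, value }`), the secret store layout and the minimum redaction length are assumptions. Two things a practitioner would want that the paragraph does not spell out: resolution fails closed on an unknown placeholder, so a typo in `{{login.emial}}` aborts the step instead of typing literal braces into a form, and the same redactor can be run over page observations handed back to the model, not only over persisted transcripts.

```javascript
// Added example (not VibingIQ's harness): resolve {{path}} placeholders at send
// time and scrub the real values from anything persisted. Names are assumptions.

const PLACEHOLDER = /\{\{([A-Za-z0-9_]+(?:\.[A-Za-z0-9_]+)*)\}\}/g;

// Look up "login.email" in { login: { email: ... } }; unknown paths -> undefined.
function lookup(store, path) {
  return path.split('.').reduce(
    (o, k) => (o != null && Object.prototype.hasOwnProperty.call(o, k) ? o[k] : undefined),
    store,
  );
}

// Resolve every placeholder in one agent action immediately before it is sent
// to the browser. Fails closed: an unknown placeholder throws rather than
// sending the literal "{{...}}" text (or an empty string) into a form field.
function resolveAction(action, secrets) {
  const out = { ...action };
  for (const field of ['value', 'url']) {
    if (typeof out[field] !== 'string') continue;
    out[field] = out[field].replace(PLACEHOLDER, (_m, path) => {
      const v = lookup(secrets, path);
      if (typeof v !== 'string') throw new Error(`unknown secret placeholder: ${path}`);
      return v;
    });
  }
  return out;
}

// Flatten the store into [path, value] pairs for redaction.
function flatten(store, prefix = '') {
  return Object.entries(store).flatMap(([k, v]) => {
    const path = prefix ? `${prefix}.${k}` : k;
    return typeof v === 'string' ? [[path, v]] : flatten(v, path);
  });
}

// Replace every secret value in a transcript line with its placeholder name.
// Longest values first, so a secret that contains another is not left half
// redacted. Very short values are skipped (assumed policy): replacing every
// "ab" in a transcript would shred it, and such values should not be secrets.
const MIN_REDACT_LEN = 4;
function redact(text, secrets) {
  const pairs = flatten(secrets)
    .filter(([, v]) => v.length >= MIN_REDACT_LEN)
    .sort((a, b) => b[1].length - a[1].length);
  let out = text;
  for (const [path, value] of pairs) out = out.split(value).join(`{{${path}}}`);
  return out;
}

// Constructed demo: what the model emits, what the browser receives, and what
// the persisted transcript keeps.
const demoSecrets = { login: { email: 'qa@example.com', password: 'Tr0ub4dor&3' } };
const fromModel = { type: 'fill', selector: '#email', value: '{{login.email}}' };
const toBrowser = resolveAction(fromModel, demoSecrets);
console.log(toBrowser.value);                                              // real value, in-harness only
console.log(redact(`filled #email with ${toBrowser.value}`, demoSecrets)); // placeholder in transcript
```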

Official GitHub App

We integrate via a proper GitHub App (not a PAT), scoped to the repositories you pick. You can revoke our access at any time from your GitHub settings, and that immediately cuts off all VibingIQ activity against your code.

Origin-locked persona scans

Our synthetic-user scanner runs in an isolated Playwright browser. Navigations to any origin other than the one you allowed are refused, so a scan cannot wander onto third-party sites. Form submissions and signup attempts are rate-limited so a scan loop cannot flood your app with test data.
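Here is an added example of the two controls above, an origin lock and a submission budget, written as a Playwright route handler. It is not VibingIQ's scanner code: the allowed origin, the budget size and window, and the decision to let same-page subresources through while refusing only cross-origin navigations are all assumptions. The handler shape follows Playwright's `page.route(pattern, handler)` API, but nothing here launches a browser; the functions are plain and can be unit-tested with a stub route.

```javascript
// Added example (not VibingIQ's scanner): origin allow-list plus a budget for
// state-changing requests, packaged as a Playwright route handler. Values and
// the "navigations only" policy are assumptions.

// Strict same-origin check: scheme, host and port must all match. Anything
// that does not parse as http(s) (javascript:, data:, blob:, file:) is refused,
// as is a lookalike host such as app.example.com.evil.net.
function isAllowedUrl(rawUrl, allowedOrigin) {
  let u;
  try { u = new URL(rawUrl); } catch (e) { return false; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return false;
  return u.origin === new URL(allowedOrigin).origin;
}

// Fixed-window budget for POST/PUT/PATCH/DELETE so a scan loop cannot hammer a
// signup or contact form. Limit and window are illustrative.
class SubmissionBudget {
  constructor({ limit = 10, windowMs = 60000 } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.windowStart = 0;
    this.count = 0;
  }
  allow(now = Date.now()) {
    if (now - this.windowStart >= this.windowMs) {
      this.windowStart = now;
      this.count = 0;
    }
    if (this.count >= this.limit) return false;
    this.count += 1;
    return true;
  }
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Handler for page.route('**/*', handler) or context.route('**/*', handler).
// Cross-origin *navigations* are aborted; subresources (the app's own CDN
// assets, for instance) are let through so the page still renders. Every
// state-changing request, same-origin or not, draws on the budget.
function makeRouteHandler(allowedOrigin, budget) {
  return (route) => {
    const req = route.request();
    if (req.isNavigationRequest() && !isAllowedUrl(req.url(), allowedOrigin)) {
      return route.abort('blockedbyclient');
    }
    if (!SAFE_METHODS.has(req.method()) && !budget.allow()) {
      return route.abort('blockedbyclient');
    }
    return route.continue();
  };
}

// Wiring (assumed usage, not executed here):
//   await context.route('**/*', makeRouteHandler('https://app.example.com', new SubmissionBudget()));
// Registering on the BrowserContext rather than one Page also covers tabs the
// app opens with window.open.

console.log(isAllowedUrl('https://app.example.com/login', 'https://app.example.com'));       // true
console.log(isAllowedUrl('https://app.example.com.evil.net/', 'https://app.example.com'));   // false
```

Refusing at the network layer rather than by inspecting the agent's proposed URL is deliberate: a redirect, a meta refresh or a script-driven `location` change can all send the browser off-origin without the agent ever emitting that URL.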

SOC 2 in progress

We are actively working toward SOC 2 Type II. Once complete, our auditor and report will be linked here. If you need a security review before that, email us and we will share our current controls.

Responsible disclosure

Found a vulnerability in VibingIQ itself? Please report it privately to security@vibingiq.com. We will acknowledge within 48 hours and keep you updated as we investigate and patch.