Back to Legal

Data Processing Agreement

Last updated: February 2025

For Enterprise Customers

This DPA supplements our Terms of Service for customers who need GDPR-compliant data processing commitments. If you need a signed copy or have specific requirements, contact us.

Request custom DPA →

1. Definitions

  • "Controller" means you, the customer
  • "Processor" means VibeGuard
  • "Personal Data" has the meaning given in GDPR Article 4
  • "Processing" has the meaning given in GDPR Article 4
  • "Services" means VibeGuard's products as described in our Terms of Service

2. Scope and Context

VibeGuard is a local-first CLI tool. This DPA applies to the limited personal data we process:

  • Account information (email, name) for Pro customers
  • Payment data (processed by Stripe as a sub-processor)
  • Usage telemetry (anonymized, opt-out available)

Important: Code scans run locally on your infrastructure. Source code is not transmitted to VibeGuard servers. This DPA does not cover code you scan - that never leaves your machine.

3. Processing Details

Subject Matter

Provision of the VibeGuard security scanning service, including account management, licensing, and customer support.

Duration

For the duration of the agreement plus any legally required retention period.

Nature and Purpose

Account authentication, license validation, billing, and product improvement.

Types of Personal Data

  • Email address
  • Name (if provided)
  • Payment information (card last 4 digits, billing address)
  • IP address (for security and fraud prevention)

Categories of Data Subjects

Employees and contractors of Customer who are authorized users of the Service.

4. Processor Obligations

VibeGuard agrees to:

  • Process personal data only on documented instructions from Controller
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist Controller in fulfilling data subject rights requests
  • Delete or return personal data upon termination (at Controller's choice)
  • Make available information necessary to demonstrate compliance
  • Allow and contribute to audits conducted by Controller or an authorized auditor

5. Sub-processors

We use the following sub-processors:

Sub-processorPurposeLocation
StripePayment processingUSA (EU SCCs)
AWSCloud infrastructureUSA/EU (EU SCCs)
ResendTransactional emailUSA (EU SCCs)

We will notify you of any new sub-processors at least 30 days before engagement. You may object to new sub-processors within 14 days of notification.

6. Security Measures

We implement security measures including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication
  • Regular security assessments
  • Incident response procedures
  • Employee security training

See our Trust page for more details.

7. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify you without undue delay (within 72 hours where feasible)
  • Provide details of the breach, affected data, and remediation steps
  • Assist you in meeting your notification obligations to supervisory authorities and data subjects

8. International Transfers

For transfers outside the EEA, we rely on:

  • EU Standard Contractual Clauses (SCCs)
  • Adequacy decisions where applicable

9. Data Subject Rights

We will assist you in responding to data subject requests for:

  • Access to personal data
  • Rectification
  • Erasure
  • Data portability
  • Restriction of processing
  • Objection to processing

10. Term and Termination

This DPA is effective for the duration of your use of VibeGuard Services. Upon termination, we will delete or return your personal data within 90 days, except as required by law.

Contact

For DPA-related inquiries: dpa@vibeguard.co