Security & Data Handling
VibeOps is built with security at its core. We follow industry best practices for data handling, implement robust access controls, and provide full audit trails for compliance.
What VibeOps Accesses (GitHub Scopes)
VibeOps requests the minimum permissions necessary to analyze and deploy your code:
- repo:read — Read repository contents for analysis
- repo:status — Update deployment status checks
- admin:repo_hook — Create webhooks for automatic deployments
- read:org — Read organization membership for team features
We never access private repositories without explicit authorization. You can revoke access at any time from your GitHub settings.
Where Builds Run
All builds run in secure, isolated environments:
- AWS Fargate — Serverless containers with strict network isolation
- Ephemeral environments — Each build gets a fresh container, destroyed after completion
- No persistent storage — Build artifacts are not retained between runs
- VPC isolation — Build environments have no access to other customer workloads
- Egress controls — Outbound network access is restricted and monitored
Enterprise customers can opt for dedicated build infrastructure or BYOC deployments.
Secrets Handling
We take secrets security seriously at every layer:
Encryption
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- AWS KMS for key management
Access Controls
- Role-based access with least privilege
- Secrets never appear in logs
- Automatic secret rotation supported
Detection
- Pre-commit scanning for leaked secrets
- CI/CD checks for exposed credentials
- Alerts for sensitive data in code
Audit Logs
Every action in VibeOps is logged with full attribution:
- Who — User identity and authentication method
- What — The action performed and affected resources
- When — Timestamp with timezone
- Where — IP address and client information
- Result — Success/failure status and any errors
Logs are retained for 90 days on standard plans, with extended retention and SIEM export available on Enterprise plans.
SOC-2 Style Checks (What It Means Today)
VibeOps implements security controls aligned with SOC-2 Trust Service Criteria:
- Security — Access controls, encryption, vulnerability management
- Availability — Uptime monitoring, incident response, disaster recovery
- Processing Integrity — Data validation, error handling, audit trails
- Confidentiality — Data classification, access restrictions, secure disposal
- Privacy — Consent management, data minimization, retention policies
⚠️ Important Disclaimer
"SOC-2 style checks" does not mean VibeOps certifies SOC-2. We use SOC-2 Trust Service Criteria as a framework for our security controls.
Questions about security?
Contact our security team at hi@vibeops.tech or request a security review call for Enterprise evaluations.
Common Questions
VibeOps requires read access to repository contents and metadata for analysis, and write access to create webhooks and deployment status updates. We follow the principle of least privilege and request only the permissions necessary for functionality.
Your code runs in isolated, ephemeral containers in AWS. Each build gets a fresh environment that is destroyed after completion. We use AWS Fargate with strict network isolation and no persistent storage between builds.
Secrets are encrypted at rest using AES-256 and in transit using TLS 1.3. We use AWS Secrets Manager for storage. Secrets are never logged, and access is audited. We also scan your code to prevent accidental secret commits.
We store source code only during active analysis and deployment. Code is cached in encrypted storage for performance but can be purged on demand. We do not retain code after you disconnect a repository.
Yes, all actions in VibeOps are logged with timestamps, user attribution, and resource details. Enterprise plans include extended log retention and SIEM integration capabilities.
Yes, we have a responsible disclosure program. Please report security vulnerabilities to security@vibeops.tech. We appreciate researchers helping us keep VibeOps secure.
Yes, Enterprise customers can use our Bring Your Own Cloud (BYOC) option to deploy resources in their own AWS account while still benefiting from VibeOps automation and security checks.