Data Processing Agreement
Last updated: March 1, 2025
Plain-English summary
- This DPA applies automatically when you use VybeSec under our Terms of Service.
- You are the data controller. VybeSec is your data processor.
- We only process your users' data on your documented instructions.
- We use sub-processors (Anthropic, Cloudflare, Resend) — all listed below.
- Need a signed copy? Email legal@vybesec.com and we'll turn it around in one business day.
This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the VybeSec Terms of Service between VybeSec, Inc. (“VybeSec”, “Processor”) and you, the customer (“Controller”). It applies wherever VybeSec processes Personal Data on your behalf.
By using the VybeSec service, you agree to the terms of this DPA. If your organization requires a countersigned copy, email legal@vybesec.com.
1. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person transmitted to VybeSec through your use of the Service, including browser identifiers and anonymous session IDs associated with error events.
“Processing” means any operation performed on Personal Data, including collection, recording, storage, analysis, and deletion.
“Applicable Data Protection Law” means the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and any other applicable data protection legislation.
“Sub-processor” means any third party engaged by VybeSec to process Personal Data on your behalf.
2. Roles and scope
You are the Controller of Personal Data processed through the Service. VybeSec is the Processor, acting only on your documented instructions — including those set out in the Terms of Service, this DPA, and the configuration of the Service.
VybeSec processes Personal Data solely to provide the Service: capturing, grouping, and analyzing error events from your application, and delivering the results to you via the dashboard, API, and alerts.
3. Controller obligations
You represent and warrant that:
- You have a lawful basis under Applicable Data Protection Law to transfer Personal Data to VybeSec for processing.
- You have provided all required notices to, and obtained any necessary consents from, your end users.
- Your instructions to VybeSec comply with Applicable Data Protection Law.
- You will not instruct VybeSec to process sensitive categories of Personal Data (e.g., health data, financial account numbers) unless you have configured the SDK to scrub such data before transmission.
4. VybeSec's obligations as Processor
VybeSec agrees to:
- Process Personal Data only on your documented instructions and for no other purpose.
- Ensure personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implement and maintain the technical and organizational measures described in Section 6.
- Assist you in fulfilling your obligations to respond to data subject requests (see Section 7).
- Delete or return Personal Data upon termination of the Service, as described in Section 8.
- Provide all information reasonably necessary to demonstrate compliance with this DPA.
5. Sub-processors
You authorize VybeSec to engage the following sub-processors. VybeSec will notify you at least 14 days before adding or replacing a sub-processor by posting an update to this page and emailing customers who have opted into DPA change notifications.
If you object to a new sub-processor, you may terminate your subscription within 30 days of the notice without penalty by emailing legal@vybesec.com.
6. Security measures
VybeSec maintains the following technical and organizational measures to protect Personal Data:
- Encryption in transit: All data is transmitted over TLS 1.2 or higher.
- Encryption at rest: Stored data is encrypted with AES-256.
- On-device scrubbing: The SDK scans for and redacts secrets (API keys, tokens, passwords) before transmission.
- Access controls: Production data access is restricted to authorized VybeSec personnel on a need-to-know basis, with audit logging.
- IP address handling: Raw IP addresses are used only to derive country/region and are never stored.
- Incident response: VybeSec maintains a written incident response plan and will notify you within 72 hours of becoming aware of a Personal Data breach.
Full details are available on our security page.
7. Data subject rights
VybeSec will, to the extent technically feasible, assist you in fulfilling requests from data subjects exercising their rights under Applicable Data Protection Law (access, rectification, erasure, restriction, portability, and objection). To submit a request, email privacy@vybesec.com. We will respond within 5 business days.
Note: because VybeSec does not store raw IP addresses or link error events to individual user identities, the scope of data subject requests is limited to session-level identifiers. We will work with you to identify and delete relevant records where possible.
8. Retention and deletion
Personal Data is retained for the duration specified by your plan (7 days on Free, 30 days on Starter, 90 days on Pro, 1 year on Business) and is automatically and permanently deleted after that period.
Upon termination of your account, all remaining Personal Data will be deleted within 30 days. You may request immediate deletion at any time by emailing privacy@vybesec.com.
9. International data transfers
VybeSec is based in Nigeria. If you are located in the European Economic Area, UK, or Switzerland, Personal Data is transferred to the US under the EU Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914), which are incorporated into this DPA by reference.
A copy of the applicable SCCs is available on request by emailing legal@vybesec.com.
10. Audits
VybeSec will provide information reasonably necessary to demonstrate compliance with this DPA. Upon your written request (no more than once per year), VybeSec will make its relevant policies and security documentation available for review. Physical audits may be arranged at your cost and subject to reasonable notice and confidentiality obligations.
11. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the VybeSec Terms of Service. Nothing in this DPA limits either party's liability for fraud, death, personal injury, or any other liability that cannot be excluded by law.
12. Governing law
This DPA is governed by the laws of the State of California, USA, unless Applicable Data Protection Law requires otherwise (for example, GDPR requirements take precedence for EU data subjects).
13. Contact and signed copies
For questions about this DPA, email legal@vybesec.com. If your organization requires a countersigned DPA — for vendor reviews, enterprise procurement, or compliance records — email us and we will provide a signed PDF within one business day.
VybeSec, Inc.
548 Market St PMB 72879
San Francisco, CA 94104