Security Policy

Security at Vigile

How we protect your data and our infrastructure.

Responsible Disclosure

If you discover a security vulnerability in Vigile, we want to hear about it. Please report vulnerabilities responsibly so we can address them before they are publicly disclosed.

Email security@vigile.dev with a detailed description of the vulnerability, steps to reproduce, and any proof-of-concept code.

We respond within 48 hours and aim to resolve critical issues within 7 days.

Data Handling

Encrypted at rest

All stored data is encrypted using industry-standard AES-256 encryption.

API keys hashed

API keys are hashed before storage. Plaintext keys are never persisted.

No source code stored

Scans analyze code in memory. Source code is never stored on our servers.

Tier-based retention

Scan history retention scales with your plan. Data is purged automatically after the retention window.

Tamper-evident audit log

Every action is recorded in a hash-chained audit log. Any modification to historical entries is detectable.
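The detection property described above, shown as an added illustration (not Vigile's own code): each entry commits to the previous entry's hash, so editing an earlier record breaks the chain at or after that record. Field names and sample actions are constructed for the example.

```python
import hashlib
import json

# Added example of a hash-chained audit log; the entry layout is an assumption.
GENESIS = "0" * 64


def _canonical(record: dict) -> bytes:
    # Deterministic serialisation so the hash is stable across runs.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: list, action: str, actor: str) -> dict:
    prev_hash = log[-1]["hash"] if log else GENESIS
    body = {"seq": len(log), "actor": actor, "action": action, "prev_hash": prev_hash}
    entry = dict(body, hash=hashlib.sha256(_canonical(body)).hexdigest())
    log.append(entry)
    return entry


def verify_chain(log: list) -> tuple:
    """Return (ok, first_bad_index); first_bad_index is None when intact."""
    expected_prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev_hash"] != expected_prev or entry.get("seq") != i:
            return False, i
        if hashlib.sha256(_canonical(body)).hexdigest() != entry["hash"]:
            return False, i
        expected_prev = entry["hash"]
    return True, None


def demo() -> dict:
    # Constructed sample actions standing in for real audit events.
    log = []
    for action in ("scan.start", "scan.finish", "report.export"):
        append_entry(log, action, actor="alice")
    results = {"intact": verify_chain(log)}
    # Naive tamper: edit a historical field without touching its hash.
    log[1]["actor"] = "mallory"
    results["edited"] = verify_chain(log)
    # Tamper plus re-hash of that entry: the next entry's prev_hash no
    # longer matches, so the break is detected one link later.
    body = {k: v for k, v in log[1].items() if k != "hash"}
    log[1]["hash"] = hashlib.sha256(_canonical(body)).hexdigest()
    results["rehashed"] = verify_chain(log)
    return results


if __name__ == "__main__":
    print(demo())
```

The chain only detects changes below its head; the latest hash must be stored or published out of band (or signed) so that a rewrite of the whole tail cannot go unnoticed.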

Infrastructure

Vigile runs on modern, security-conscious infrastructure:

  • Frontend hosted on Vercel with automatic HTTPS and edge caching
  • API hosted on Railway with isolated containers and automatic TLS 1.3
  • No third-party analytics on paid tiers
  • Secrets managed via environment variables, never committed to source control
  • Rate limiting on all API endpoints with IP-based throttling for unauthenticated requests

Trust Score Methodology

Vigile trust scores are transparent and reproducible. The 5-factor model weights code analysis, dependency health, permission safety, behavioral stability, and transparency into a 0–100 composite score. Every factor is documented, and the CLI produces results identical to the API's.


Compliance

SOC 2 Status

Not yet certified

Our security controls are designed with SOC 2 readiness in mind, and we intend to pursue formal certification as the platform matures. We believe in honest communication about our security posture rather than overclaiming compliance status.

Found a vulnerability?

We appreciate responsible disclosure and will credit researchers who report valid findings.

Report to security@vigile.dev