Trust & safety

Safe by construction.

You’re pointing a security scanner at your own app — so it has to be impossible to misuse. The free Vibe Check only reads what your site already shows the public, and anything deeper runs only on targets you’ve proven you own. These guarantees are structural — enforced in architecture, not promised in a policy doc.

  • No override path in code
  • Re-verified every run
  • Tamper-proof audit
Scope guard — allow and deny paths
The four pillars

Why it’s safe to run on your app

Each pillar is a property of the system — not a setting a human could turn off.

Authorization-first

Ownership is re-verified before every scan. There is no override flag anywhere in the code.

Tenant isolation

Row-level security at the database means cross-tenant access is impossible, not just disallowed.

Immutable audit

Every action is written to an append-only, tamper-proof log, scoped per tenant.

Human accountability

Findings are confirmed by a person. Nothing is ever auto-exploited.

Ownership verification

Prove it’s yours, then we go deeper

The free Vibe Check is passive — it only reads what’s already public. For any deeper scan you can’t reach a target until you’ve proven you control it. Three steps, re-checked live before every run.

01 Add the asset

Enter a domain or URL. It’s added unverified — not yet scannable.

02 Publish a one-time token

Prove control with a DNS TXT record or a /.well-known file containing the token. Only someone who controls the domain can.

03 Verified — re-checked live

We confirm the token, then re-verify on every run. Lose control of the asset and scanning stops automatically.

The scope guard

One chokepoint. Seven checks. No bypass.

Every scan request passes through a single guard before anything runs. It executes seven ordered checks and records the decision — allow or deny — to an immutable log. There is no field, flag or admin path that skips it.

assertScanAllowed() → ALLOW · queued

unverified target → DENY · blocked · audited

  1. Platform kill switch
     Global and per-tenant halt — checked first, every run.
  2. Allowlist
     Target must be on the tenant’s verified asset allowlist.
  3. Live ownership
     Ownership re-verified live (DNS TXT / file challenge) on every run.
  4. Authorization
     A signed authorization agreement must be on file.
  5. Mode gate
     Production-safe by default; intrusive checks gated to staging.
  6. Rate limit
     Per-target rate limiting keeps testing non-disruptive.
  7. Audit record
     Every decision — allow or deny — is recorded immutably.

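
The seven ordered checks above, including the live DNS TXT ownership re-check from the verification steps, as an added TypeScript example that is not the vendor's code. The platform state shape, the `scanner-verify=<token>` TXT record format and the in-memory DNS view are assumptions standing in for the real services.

```typescript
type Req = { tenant: string; target: string; intrusive: boolean; env: "production" | "staging" };
type Decision = { allowed: boolean; reason: string };
type AuditEntry = Readonly<{ tenant: string; target: string; decision: "ALLOW" | "DENY"; reason: string }>;
// Platform state. Field names and the TXT record format are assumptions for this example.
interface Platform {
  haltedGlobally: boolean; haltedTenants: Set<string>;
  allowlist: Map<string, Set<string>>;  // tenant -> verified assets
  tokens: Map<string, string>;          // "tenant:target" -> one-time ownership token
  dnsTxt: Map<string, string[]>;        // constructed stand-in for a live DNS TXT lookup
  agreements: Set<string>;              // tenants with a signed authorization on file
  budget: Map<string, number>;          // target -> scans still permitted in this window
  audit: AuditEntry[];                  // append-only: entries are frozen and only ever pushed
}
function assertScanAllowed(p: Platform, r: Req): Decision {
  const decide = (allowed: boolean, reason: string): Decision => {
    // 7. Audit record: written for every outcome, so a denial is as visible as an allow.
    const entry: AuditEntry = { tenant: r.tenant, target: r.target, decision: allowed ? "ALLOW" : "DENY", reason };
    p.audit.push(Object.freeze(entry));
    return { allowed, reason };
  };
  // 1. Kill switch, global or per-tenant, checked before anything else.
  if (p.haltedGlobally || p.haltedTenants.has(r.tenant)) return decide(false, "kill switch engaged");
  // 2. Target must be on this tenant's own verified allowlist (no cross-tenant reach).
  if (!p.allowlist.get(r.tenant)?.has(r.target)) return decide(false, "target not on allowlist");
  // 3. Live ownership: the token must still be published in DNS TXT at scan time.
  const token = p.tokens.get(`${r.tenant}:${r.target}`);
  const live = token !== undefined && p.dnsTxt.get(r.target)?.includes(`scanner-verify=${token}`) === true;
  if (!live) return decide(false, "ownership not verifiable live");
  // 4. A signed authorization agreement must be on file for the tenant.
  if (!p.agreements.has(r.tenant)) return decide(false, "no authorization agreement");
  // 5. Mode gate: intrusive checks are only permitted against staging.
  if (r.intrusive && r.env !== "staging") return decide(false, "intrusive scan outside staging");
  // 6. Per-target rate limit; a slot is consumed only once every earlier check has passed.
  const left = p.budget.get(r.target) ?? 0;
  if (left <= 0) return decide(false, "rate limit exceeded");
  p.budget.set(r.target, left - 1);
  return decide(true, "all checks passed");
}
// Constructed sample state: tenant "acme" has verified app.example; nothing else is scannable.
function samplePlatform(): Platform {
  return {
    haltedGlobally: false, haltedTenants: new Set<string>(),
    allowlist: new Map([["acme", new Set(["app.example"])]]),
    tokens: new Map([["acme:app.example", "tok-8f3a"]]),
    dnsTxt: new Map([["app.example", ["v=spf1 -all", "scanner-verify=tok-8f3a"]]]),
    agreements: new Set(["acme"]), budget: new Map([["app.example", 2]]), audit: [],
  };
}
```

Removing the TXT record from `dnsTxt` between two calls shows the "lose control and scanning stops" behaviour: the second call is denied at check 3 and still lands in the audit log.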
Platform practices

Security hygiene, end to end

Data residency

EU-hosted by default, with data residency options for enterprise.

Encryption

Encrypted in transit and at rest across the platform.

Least privilege

Privileged operations run behind a narrow, audited service boundary.

Non-destructive

Scans are non-destructive by default and production-safe.

Isolated runners

Scanners execute in ephemeral, sandboxed environments — your code is cloned in, then deleted.

Exportable evidence

Every action is recorded in an immutable, per-tenant log you can export when a customer or auditor asks.

Compliance evidence
Evidence, when you need it

There when an auditor asks

Most AI builders never think about SOC 2 or ISO 27001 — until a bigger customer asks. When that day comes, the immutable audit trail and posture history export as evidence that’s current at any moment, not an annual PDF that’s stale on arrival. It’s there when you need it, invisible until then.

  • SOC 2 / ISO 27001 evidence export
  • GDPR-aligned data handling
  • Per-tenant immutable audit trail
  • On-demand posture reports

Point it at your app — safely.

The free Vibe Check only reads what’s already public. Run one now, or try to scan a target you can’t prove you own and watch it get blocked and audited.