Vibranium Audits handles your code, your repositories, your unreleased product, and (sometimes) personally identifiable user data. Here is exactly how we treat all of it, where we are in our compliance roadmap, and how to reach our security team.
We will not claim a standard we have not been audited against. This is exactly where we are.
- Live: SSO/2FA on all internal systems, role-based access, full disk encryption, secrets in a managed vault, signed commits, branch protection on every audit repo, mandatory peer review.
- Live: Our bug bounty programme is live and pays out within 14 days of fix verification. See the dedicated page for scope and severity payouts.
- In progress: Currently working with a compliance partner to formalise our control set, evidence collection, and internal audit cycle in preparation for SOC 2 Type I attestation.
- Planned: Following Type I, we will run a 12-month observation window and complete a Type II report. Targeted for late 2026.
- Planned: Information security management system aligned to ISO 27001 controls, formal external audit, and certification. Targeted for 2027.

Every Vibranium engagement involves access to private code and sometimes sensitive operational data. Here is what we do, and what we explicitly don't do, with all of it.
TLS 1.3 everywhere on the public surface. Repositories cloned to encrypted volumes (LUKS / FileVault). Reports stored encrypted at rest on cloud storage with provider-side encryption + our own key wrapping.
Per-engagement access. Only the named senior auditors on a project see the repo. No company-wide read access. Access revoked within 24h of engagement close.
Every engagement starts with a mutual NDA. We will sign yours, or you can sign our standard one below. We never share your code, your findings, or the existence of the engagement with third parties without your written consent.
Audit artefacts are retained for 24 months for re-audit and dispute resolution, then deleted. You can request earlier deletion in writing at any time — we will comply within 30 days for everything except items we are legally required to retain.
Your code is never fed into a third-party LLM training pipeline. Our internal AI triage uses self-hosted models with no telemetry to model providers. Period.
Primary infrastructure is hosted in the UK. We are a UK-registered company subject to UK GDPR. EU mirrors available for clients with EU data residency requirements.
The vendors we use to operate the business. Where data lives is not a secret — it should be public.
| Sub-processor | Purpose | Data class | Region |
|---|---|---|---|
| Webflow | Public marketing site & CMS | Public-by-design content only | US (CDN: global) |
| Cloudflare | DNS, CDN, WAF | HTTP request metadata | Global edge |
| Google Workspace | Email, docs, calendar | Client correspondence | EU/US |
| GitHub | Source repos for audit work | Client source code (under NDA) | US |
| Crisp | Website live chat | Chat messages, contact details | EU (France) |
| Calendly | Audit-call scheduling | Name, email, calendar slot | US |
| Stripe | Payment processing | Billing details (PCI scope on Stripe) | US/EU |
| Brandfetch | Public logo CDN for press strip | None (public images only) | EU |
This list is updated when we onboard or offboard a sub-processor. Material changes will be communicated to enterprise clients 30 days in advance.
Downloadable documents. Reach out if you need a custom NDA, DPA, or vendor security questionnaire response.
If you believe you have found a security issue in any Vibranium-operated system, email our security team. We acknowledge within 24 hours.
security@vibraniumaudits.com
PGP key available on request. See our Bug Bounty Programme for scope and payouts.
Custom NDA terms, vendor security questionnaire, or a sit-down with our security lead before signing? We do all of that.