Security at Vyrable

How we protect your data.

Plainly worded security posture. We list what we actually do, not aspirational claims. If something below is wrong or out of date, email us and we'll fix it.

Last reviewed: 13 May 2026

Encryption in transit

All traffic to vyrable.ai is served over modern TLS with HTTP Strict Transport Security enforced. Plain-HTTP requests are rejected at the edge.

Encryption at rest

Customer data is encrypted at rest. Sensitive secrets — such as third-party API keys customers store in the platform — are independently encrypted using authenticated symmetric encryption with a master key that never appears in the database. Tampering is detected on decrypt.

Authentication

Passwords are stored only as salted, slow one-way hashes — never as plaintext or in reversible forms. Two-factor authentication (TOTP) is available on every account from Settings → Security, and we recommend enabling it on every owner account. Single sign-on via standard OAuth providers is also supported. Sessions expire on a regular cadence and rotate their tokens automatically.

Organisation isolation

Every authenticated request is scoped to the customer's organisation in every layer that touches the database — web, background workers, public REST API, MCP server. There is no application-layer switch that can grant a user access to another organisation's data. Public lead-magnet endpoints (e.g. the AI visibility check) operate without an account context and never touch org-scoped tables.

Access control

Production access is restricted to a small number of named platform staff using strong authentication. Elevated operations are logged. Staff-only admin pages within the application are gated server-side, audit-logged on use, and write a notification visible to the affected customer when any change is made on their behalf.

Hosting & infrastructure

The platform is hosted in the European Union with daily encrypted backups and documented restore procedures. Internal services are not directly reachable from the public internet; access between application components is authenticated. The complete list of sub-processors and their locations is in the Privacy Policy.

Sub-processors & vendor management

We engage third-party sub-processors only where needed to deliver the Service. The full list is on /privacy §7 and is the authoritative source — it's updated when sub-processors are added, replaced, or removed. We commit to 14 days' advance notice by email before any change to the list, giving customers a window to object on reasonable data-protection grounds.

Incident response & breach notification

We will notify customers without undue delay — and in any event within 72 hours — after becoming aware of a personal data breach affecting their data. The notification will describe the nature of the breach, the categories and approximate number of records concerned, the likely consequences, and the measures taken or proposed. See /dpa §8 for the full clause.

Application security

Public-facing endpoints are rate-limited. Inbound webhooks from third-party services are signature-verified and de-duplicated by source event ID so retries can't double-fire side effects. Browser sessions use HttpOnly, Secure cookies with the SameSite attribute set. CSRF protection is enforced on state-changing requests. User-provided text inputs are length-bounded server-side.

Payment security

We do not directly handle card numbers. All payment processing is delegated to Stripe (PCI DSS Level 1 certified) via Stripe Checkout and the Stripe Customer Portal — the card is entered into a Stripe-hosted form and the token returned to us is the only payment artefact stored on our side. Webhook signatures are verified on every event.

Responsible disclosure

If you discover a security vulnerability, please report it privately rather than publishing it. We commit to:

  • Acknowledge your report within 3 business days.
  • Provide an initial severity assessment within 10 business days.
  • Offer credit in the public changelog for legitimate findings (unless you prefer to remain anonymous).
  • Take no legal action against good-faith researchers acting within scope.

In scope: the production application at vyrable.ai, the public REST API at /api/v1, the MCP server at /api/mcp, and any subdomain we operate.

Out of scope: denial-of-service, social engineering, physical attacks, vulnerabilities in third-party services we depend on (those should be reported to the vendor), and unsubstantiated scanner output.

Reports go to security@vyrable.ai. Please include reproduction steps, the affected URL or endpoint, and (where applicable) any relevant request / response headers. PGP-encrypted reports are accepted via the public key at /.well-known/security.txt.