
Security Overview

Last Updated: June 24, 2026 (Draft for lawyer review)

A transparent overview of Vibeler's current security posture without unsupported certification or uptime claims.

Draft for lawyer review: This page is a practical Vibeler policy draft, localized for Canadian requirements where relevant. It is not legal advice and should be reviewed by counsel before launch or enforcement.


1. Draft status and no certification claim

This Security Overview is a practical operating draft and must be reviewed by a qualified lawyer and a named security owner before launch. Vibeler does not currently claim SOC 2 or ISO 27001 certification, PCI DSS certification of Vibeler itself (card data is handled by Stripe), guaranteed uptime, or a formally appointed DPO, and will not make any of these claims unless and until they are verified and approved.

2. Account security

  • Sessions are authenticated with HTTP cookies sent through Vibeler's same-origin Next.js API proxy.
  • Password sign-in remains available, with email verification and password recovery flows.
  • Passkeys (WebAuthn) are available as optional credentials where configured.
  • Sensitive creator actions may require step-up authentication: a recent strong session established by passkey login or an email one-time passcode (OTP).
  • Users are responsible for protecting their credentials and for reporting unauthorized access promptly.
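The step-up rule above, as an added illustration that is not Vibeler's code: a session remembers when the viewer last completed a strong authentication (passkey or email OTP), and a sensitive action is allowed only if that moment is recent. The ten-minute window, the `Session` layout and the function names are assumptions made for this example; a password login on its own never satisfies the check.

```python
"""Step-up authentication gate for sensitive creator actions (illustration only)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple

# Assumed: only these methods count as "strong" for step-up purposes.
STRONG_METHODS = frozenset({"passkey", "email_otp"})
# Assumed freshness window for a strong session.
STEP_UP_MAX_AGE = timedelta(minutes=10)


@dataclass
class Session:
    user_id: str
    login_method: str                       # method used when the session was created
    created_at: datetime
    last_strong_auth_at: Optional[datetime] = None


def new_session(user_id: str, method: str, now: datetime) -> Session:
    """Create a session; a strong login also counts as a fresh step-up."""
    s = Session(user_id, method, now)
    if method in STRONG_METHODS:
        s.last_strong_auth_at = now
    return s


def record_strong_auth(session: Session, method: str, now: datetime) -> None:
    """Record a completed step-up. Weak methods (e.g. password) are rejected."""
    if method not in STRONG_METHODS:
        raise ValueError(f"{method!r} is not a strong authentication method")
    session.last_strong_auth_at = now


def needs_step_up(session: Session, now: datetime,
                  max_age: timedelta = STEP_UP_MAX_AGE) -> bool:
    """True when the viewer must re-authenticate before a sensitive action."""
    last = session.last_strong_auth_at
    if last is None:
        return True
    # A timestamp in the future means a tampered record or a skewed clock:
    # treat it as stale rather than trusting it.
    if last > now:
        return True
    return now - last > max_age


def authorize_sensitive_action(session: Session, action: str,
                               now: datetime) -> Tuple[str, str]:
    """Return ("ok", action) or ("step_up_required", action)."""
    if needs_step_up(session, now):
        return ("step_up_required", action)
    return ("ok", action)


def run_scenario() -> dict:
    """Constructed walk-through used by the demo below; returns the decisions."""
    t0 = datetime(2026, 6, 24, 12, 0, tzinfo=timezone.utc)
    pw = new_session("creator_1", "password", t0)          # password only
    pk = new_session("creator_2", "passkey", t0)           # passkey login
    results = {
        "password_only": authorize_sensitive_action(pw, "change_payout", t0)[0],
        "fresh_passkey": authorize_sensitive_action(pk, "change_payout", t0 + timedelta(minutes=5))[0],
        "stale_passkey": authorize_sensitive_action(pk, "change_payout", t0 + timedelta(minutes=11))[0],
    }
    record_strong_auth(pw, "email_otp", t0 + timedelta(minutes=30))  # OTP step-up
    results["after_otp"] = authorize_sensitive_action(pw, "change_payout", t0 + timedelta(minutes=31))[0]
    return results


if __name__ == "__main__":
    for name, decision in run_scenario().items():
        print(f"{name}: {decision}")
```

The freshness check is evaluated on the server for each sensitive request; the client is never asked whether it considers itself recently authenticated.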

3. Access control and protected media

Vibeler enforces stage-admin, content-manager, channel visibility, entitlement, subscription, ban, and media-readiness checks on backend endpoints, not in the browser. Public, private, hidden, draft, scheduled, processing, failed, and paid content are all handled through server-side visibility and entitlement services.

Protected media delivery goes through Vibeler's media gateway. Requests for HLS video, playable audio, product files, and course resources are authorized server-side before short-lived access credentials are issued, so a credential is never minted for content the viewer is not entitled to, and it expires rather than granting standing access.
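The authorize-then-issue pattern described above, as an added example that is not Vibeler's gateway code. It assumes an HMAC key held by the gateway, a small media catalogue whose status values mirror the readiness states on this page, and a constructed entitlement table; the credential binds the viewer, the object and an expiry so it cannot be replayed against another object or after it lapses. Key, catalogue, TTL and function names are all assumptions for the example.

```python
"""Short-lived signed credential for protected media (illustration only)."""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from typing import Optional

GATEWAY_KEY = secrets.token_bytes(32)   # constructed; a real key lives in a secret store
TOKEN_TTL_SECONDS = 300                 # assumed credential lifetime

# Constructed catalogue; status follows the readiness states used on this page.
MEDIA = {
    "vid_1": {"owner": "creator_a", "status": "ready", "access": "paid"},
    "vid_2": {"owner": "creator_a", "status": "processing", "access": "paid"},
    "aud_1": {"owner": "creator_b", "status": "ready", "access": "public"},
}
# Constructed entitlements: viewer -> media ids they have purchased or subscribed to.
ENTITLEMENTS = {"viewer_x": {"vid_1"}}
BANNED = {"viewer_banned"}


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def is_authorized(viewer: str, media_id: str) -> bool:
    """Server-side decision; nothing is issued until this returns True."""
    item = MEDIA.get(media_id)
    if item is None or viewer in BANNED:
        return False
    if item["status"] != "ready":          # processing/failed objects are never served
        return False
    if item["access"] == "public":
        return True
    return viewer == item["owner"] or media_id in ENTITLEMENTS.get(viewer, set())


def issue_credential(viewer: str, media_id: str, now: int,
                     ttl: int = TOKEN_TTL_SECONDS, key: bytes = GATEWAY_KEY) -> Optional[str]:
    """Return a signed credential, or None if the viewer is not entitled."""
    if not is_authorized(viewer, media_id):
        return None
    claims = {"v": viewer, "m": media_id, "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(sig)}"


def verify_credential(token: str, media_id: str, now: int,
                      key: bytes = GATEWAY_KEY) -> Optional[str]:
    """Return the viewer id if the credential is valid for this object now, else None."""
    try:
        p, s = token.split(".")
        payload, sig = _unb64(p), _unb64(s)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):   # constant-time comparison
        return None
    claims = json.loads(payload)
    if claims.get("m") != media_id:               # bound to one object only
        return None
    if now >= claims.get("exp", 0):               # expired credentials are refused
        return None
    return claims["v"]


if __name__ == "__main__":
    now = 1_750_000_000
    tok = issue_credential("viewer_x", "vid_1", now)
    print("issued:", tok is not None)
    print("valid now:", verify_credential(tok, "vid_1", now + 60))
    print("after expiry:", verify_credential(tok, "vid_1", now + TOKEN_TTL_SECONDS))
    print("processing object:", issue_credential("viewer_x", "vid_2", now))
```

The entitlement check runs once, at issuance; the media edge only needs the key to verify the signature, the object id and the clock, which keeps the hot path free of database lookups while still refusing expired or retargeted credentials.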

4. Infrastructure and subprocessors

  • Frontend and backend deploy as separate DigitalOcean apps from GitHub-built container images.
  • Cloudflare R2/S3-compatible storage is used for media objects and generated variants.
  • Stripe handles card/payment infrastructure and Connect onboarding.
  • SendGrid handles email delivery and delivery events.
  • OpenAI handles AI text generation when users choose AI tools.
  • Valkey/Redis-style caching and Celery/outbox workers support rate limiting, async jobs, and durable workflow processing.

5. Operational safeguards

  • Backend exception handlers sanitize unexpected errors so that stack traces and internal details are not returned to clients.
  • Rate limiting is enforced in the backend.
  • Async outbox jobs preserve durable intent for media processing, emails, Stripe webhook retries, event reminders, notifications, and related workflows, so a crash mid-job does not silently drop the work.
  • Sensitive browser reads use Cache-Control: no-store and viewer-scoped client query keys wherever the response can differ by user, so one viewer's data is not served from a cache to another.
  • Custom domains serve public audience pages only; studio and admin surfaces remain on the platform host.

6. Security reporting

Report suspected vulnerabilities to [email protected]. Please include the affected URL, steps to reproduce, impact, screenshots or logs where safe, and your contact information. Do not access, modify, destroy, exfiltrate, or disclose other users' data while testing.


Structural reference: Bento Security Overview. Vibeler policy text is original and adapted to Vibeler's product surface.