Security · Vigilo

What we collect

Email address — only when you sign up or subscribe to alerts.
Watched countries — the list of regions you choose to follow, so we can send relevant alerts.
API usage logs — for paid API customers: request count, timestamps, endpoint paths (no payload contents stored).
Anonymous web analytics — via Plausible (no cookies, no cross-site tracking, no IP storage).

We do not collect: your name, location, phone number, payment card details, IDs, or any sensitive personal information. We do not profile users across other sites.

Encryption

In transit: TLS 1.2+ enforced for all traffic (Netlify managed certificates). HTTP redirects to HTTPS.
At rest: Data stored in Netlify Blobs is encrypted at rest by the underlying AWS infrastructure (AES-256). Email-delivery records held by Resend are encrypted at rest per their security posture.
Secrets: API keys, JWT signing secrets, and Bearer tokens are stored as Netlify environment variables — never in code, never in logs.

Authentication

Magic-link sign-in for end users — no passwords stored, no password reuse risk.
HMAC-SHA256 signed webhooks for B2B outbound — every event you receive can be verified against a shared secret.
Bearer-token authentication for admin endpoints — constant-time comparison (no timing leaks).
API keys: per-customer, revocable from your account dashboard.

Data retention & deletion

Alert subscribers: Email retained while subscription is active. Unsubscribe is one-click; address removed from active lists immediately and deleted within 30 days.
Account data: Retained while the account is active. Delete request fully removes account, watched countries, reports, and associated logs within 30 days.
API logs: 30 days rolling window. Retained longer only if required for an active security investigation.
Backups: Encrypted, retained 30 days, then automatically purged.

To request deletion or export of your data, email alex@vigilo.cc with the address on file. We confirm within 7 days; complete within 30.

Subprocessors

The third-party services that process customer data on our behalf, what they do, and where they're based:

Subprocessor	Purpose	Region
Netlify (Inc.)	Hosting, CDN, edge functions, blob storage	US
Resend	Transactional email delivery (alerts, sign-in)	US / EU
Stripe	Payment processing (when paid plan active)	US / EU / IE
Mapbox	Map tiles & geocoding (no PII transmitted)	US
Plausible	Cookie-less, anonymous web analytics	EU (Germany)
GitHub	Source code & scheduled data pipeline	US

We do not use any AI provider on customer personal data. The pipeline's optional AI extraction (Gemini / Groq / Anthropic) operates on public news article text only, never on subscriber emails or account data.

Access control

Production secrets accessible only via Netlify dashboard (MFA required) and CLI with personal access token.
Single founder operation today — the founder is the only person with production access. This is a transparency point, not a marketing claim.
No third-party support staff have access to customer data.
Audit log of admin actions is being added in Q3 2026.

Incident & breach response

If a personal-data breach is detected, affected customers and the relevant supervisory authority are notified within 72 hours, per GDPR Article 33.
Initial notification includes: nature of the breach, categories and approximate number of data subjects affected, likely consequences, mitigation in progress.
Security report contact: security@vigilo.cc (responsibly disclosed vulnerabilities acknowledged within 48 hours).

What we don't have yet — honest roadmap

Where we are today

Vigilo is currently a single-founder operation in early commercial stage. We compensate for the absence of large-org credentials with:

Source-traceable scoring — every risk flag links back to its raw source, with ingestion batch IDs. Nothing is a black box.
Minimal data collection — we hold only email + your watched countries, nothing else.
Open methodology — see /methodology.

What's coming

SOC 2 Type I — planned 2027
ISO 27001 — under evaluation
Admin action audit log — Q3 2026
Customer-managed API key rotation UI — Q3 2026
Public status page — Q3 2026

If your procurement requires any of the above today, please write — we'll explain candidly whether we can serve you yet.

Contact & documents

Privacy policy: /privacy
Data Processing Agreement (DPA): on request — email alex@vigilo.cc
Subprocessor changes are announced 30 days in advance to customers on Team plan and above
Security questions: security@vigilo.cc