Last updated: May 17, 2026 (v1.0)
This Data Processing Addendum (“DPA”) forms part of the agreement between CheckVibe (“Processor”) and the customer entity that subscribes to the Service (“Controller”) under our Terms of Service (the “Agreement”). It applies where, and to the extent that, CheckVibe processes Personal Data on behalf of the Controller in the course of providing the Service. Capitalized terms used but not defined here have the meaning given in the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, or the Swiss Federal Act on Data Protection (“FADP”), as applicable.
By accepting the Agreement, the Controller accepts this DPA. Where a separate, negotiated data-processing agreement has been signed between the parties, that agreement controls in the event of conflict.
In respect of Personal Data submitted to the Service by or on behalf of the Controller (the “Customer Personal Data”), the Controller is the data controller and CheckVibe is the data processor. CheckVibe processes Customer Personal Data only on the documented instructions of the Controller, which are: (a) to provide, secure, and support the Service as described in the Agreement and the Documentation; and (b) any further instructions the Controller communicates to CheckVibe in writing that are compatible with the functionality of the Service.
The duration of processing is the term of the Agreement plus any post-termination period required to return or delete Customer Personal Data. The nature of processing is the operation of an automated security-scanning service. The purpose is to deliver the functionalities of the Service that the Controller configures.
Depending on the Controller's use of the Service, the categories of data subjects may include: Controller's personnel and authorized users; Controller's end-customers and website visitors (where the threat-detection feature is deployed); and individuals referenced in scanned content.
Categories of Personal Data may include: identifiers (name, email, account ID); technical and connection data (IP address, user agent, device fingerprint); scan-result content (which may incidentally contain Personal Data); integration tokens (held encrypted); and support-correspondence content. The Service is not intended to process special categories of data under Art. 9 GDPR; the Controller agrees not to use the Service to deliberately submit such data without prior written agreement and additional safeguards.
CheckVibe ensures that persons authorized to process Customer Personal Data are bound by confidentiality obligations (whether contractual or statutory) and process the data only on the Controller's instructions and as required by law.
CheckVibe implements and maintains appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, including: TLS encryption in transit; encryption of sensitive credentials at rest; secure password hashing; role-based access controls and least-privilege provisioning; row-level security on the database; multi-factor authentication for administrative accounts; centralized authentication; logging and monitoring; periodic vulnerability assessment; vendor risk management; secure development lifecycle practices; and security training for personnel. A summary of measures is available on request.
The Controller authorizes CheckVibe to engage the subprocessors listed at checkvibe.dev/subprocessors and to add or replace subprocessors as needed for the Service, subject to reasonable prior notice (generally at least thirty (30) days for material additions, unless urgent for security or legal reasons). CheckVibe will impose data-protection obligations on each subprocessor consistent with this DPA and remains liable to the Controller for the acts and omissions of its subprocessors.
The Controller may object in writing, on reasonable data-protection grounds, to a new subprocessor within fifteen (15) days of notice. If the parties cannot resolve the objection by appropriate measures, the Controller may terminate the affected portion of the Service for convenience.
Where the processing of Customer Personal Data involves a transfer of data to a country outside the European Economic Area, the United Kingdom, or Switzerland that has not been the subject of an adequacy decision, the parties enter into the European Commission's Standard Contractual Clauses (Module 2: Controller-to-Processor) and, where applicable, the UK International Data Transfer Addendum and the Swiss Annex, each of which is incorporated by reference into this DPA and completed with the information set out in the Annexes below. Where a recipient is certified under the EU-U.S. Data Privacy Framework (or its UK or Swiss extensions), reliance on the framework may apply in addition to or instead of the SCCs.
Taking into account the nature of the processing, CheckVibe will assist the Controller, by appropriate technical and organizational measures, in fulfilling its obligations to respond to requests from data subjects exercising their rights under Chapter III GDPR. To the extent legally permissible, CheckVibe will promptly notify the Controller of any data-subject request it receives directly that relates to the Controller's data and will not respond except on the Controller's documented instructions or as required by law.
CheckVibe will notify the Controller without undue delay (and in any event within seventy-two (72) hours where feasible) after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include the information reasonably available to CheckVibe to allow the Controller to meet its obligations under Arts. 33 and 34 GDPR (or analogous obligations).
Where required by Art. 35 or 36 GDPR (or analogous law), CheckVibe will provide reasonable assistance to the Controller in carrying out Data Protection Impact Assessments and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to CheckVibe.
On termination or expiry of the Agreement, CheckVibe will, at the Controller's choice and within a reasonable period (generally not more than thirty (30) days), delete or return Customer Personal Data to the Controller, and delete existing copies, except to the extent that retention is required by law, audit, dispute, or for security purposes. Back-up copies will be overwritten in the ordinary course of operations.
CheckVibe will make available to the Controller, on reasonable written request and no more than once per year (or more frequently in case of a documented Personal Data Breach involving the Controller's data, or where required by a supervisory authority), information reasonably necessary to demonstrate compliance with this DPA, including summary reports of CheckVibe's security and privacy program. To the extent an on-site audit is required by mandatory law, the parties will agree on the scope, timing, and conduct in advance; the audit will be conducted by an independent auditor bound by confidentiality, will not unreasonably interfere with operations, and will be at the Controller's expense unless material non-compliance is found.
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Liability under this DPA does not increase the aggregate cap in the Agreement.
In the event of conflict between this DPA and the Agreement on data-protection matters, this DPA controls. In the event of conflict between this DPA and the SCCs incorporated by reference, the SCCs control. This DPA is governed by the law set out in the Agreement except where mandatory data-protection law requires otherwise.
A. Parties. Controller: the customer entity that subscribes to the Service. Processor: CheckVibe (Switzerland).
B. Description of transfer. Categories of data subjects and Personal Data, sensitive data (if any), frequency, nature, purpose, and retention are as set out in Sections 2 and 3 of this DPA. Transfers occur on a continuous basis for the duration of the Agreement. Onward transfers to subprocessors are made on the same basis.
C. Competent supervisory authority. The Swiss FDPIC; or, where the Controller has a Lead Supervisory Authority under the GDPR, that authority.
The measures set out in Section 5 of this DPA constitute Annex II to the SCCs. Additional detail is available on request to support@checkvibe.dev.
The list at checkvibe.dev/subprocessors constitutes Annex III to the SCCs.
Requests under this DPA may be sent to support@checkvibe.dev with the subject “DPA Request.”