VectorGraph trust
Security
VectorGraph is designed around server-side workspace authorization, private-team filtering, scoped agent access, and durable audit trails. Clerk authentication is necessary, but VectorGraph-owned workspace authorization is still enforced by the product.
Tenant and permission model
- Workspace ID is the tenant boundary for workspace-owned data.
- Every object fetch and mutation must resolve the authenticated user or actor against active workspace membership on the server.
- Private-team data is excluded from direct object reads, search, exports, notifications, realtime streams, GitHub-linked activity, and agent access unless the actor is allowed to see it.
Programmatic access
- CLI tokens are scoped, revocable, and checked against workspace membership and permissions.
- Hosted MCP uses the same workspace and private-team rules as the UI and API.
- Agent identities are distinct from human users and should be auditable by actor, tool, source context, and requested action.
- NorthGraph indexes code locally by default and exposes local repository facts through the CLI or local MCP server.
Data protection
- Browser, CLI, MCP, webhook, and service traffic should use encryption in transit.
- Production product data, backups, and attachment storage should use provider-managed encryption at rest.
- CLI and MCP tokens are shown once, stored hashed, scoped, expirable, revocable, and checked on every request.
- Secrets should live in managed environment configuration, not source files, docs, issue comments, prompts, logs, or screenshots.
GitHub and webhook security
- GitHub is implemented as a first-party GitHub App with installation-level access.
- GitHub installations and selected repositories are scoped to one workspace.
- Webhook signatures are verified, delivery IDs are stored, and processing is idempotent.
- Private repository metadata must not be exposed to users who cannot access the linked workspace issue.
Operational security
- Sensitive workspace actions are designed to be written to an append-only audit trail.
- Production backups, restore drills, incident response, token rotation, provider incidents, and security reports should follow the published runbooks.
- Employee or admin access to customer data should be limited to support, security, abuse prevention, billing, legal, and operational needs.
Compliance status
- VectorGraph is not currently claiming SOC 2 certification.
- A public subprocessor list, vulnerability disclosure process, incident contact, and data deletion/export process are part of the commercial trust surface.
- Responsible disclosure reports should be sent to security@vectorgraph.app before public disclosure.
Responsible disclosure
Send security reports to security@vectorgraph.app. Include the affected URL, actor/workspace context if available, reproduction steps, impact, and whether any data may have been accessed.
Incident contact
Report suspected tenant data exposure, compromised tokens, account takeover, abusive activity, or production security incidents to security@vectorgraph.app. Include severity, affected workspace or route, observed time window, and any containment steps already taken.