ShipSafe is an AI-powered security scanner that finds vulnerabilities in code built with tools like Cursor, Lovable, Bolt, and v0. Paste a GitHub URL and get a plain-English security report in minutes.

How does ShipSafe work?

ShipSafe analyzes your GitHub repository using 30+ security checks including SQL injection, XSS, leaked API keys, and OWASP Top 10 vulnerabilities. It produces a plain-English report with fix recommendations.

Yes, ShipSafe offers a free plan that includes security scans with no credit card required. Paid plans start at $9/month for CLI access with unlimited scans.

What vulnerabilities does ShipSafe detect?

ShipSafe detects SQL injection, cross-site scripting (XSS), leaked secrets and API keys, insecure authentication, CSRF vulnerabilities, and more across the OWASP Top 10 categories.

Does ShipSafe work with vibe-coded apps?

Yes, ShipSafe is specifically designed for apps built with AI coding tools like Cursor, Lovable, Bolt, v0, and Replit. These tools can introduce security vulnerabilities that ShipSafe catches before deployment.

Legal

Data Processing Agreement

Last updated: March 2026

1. Definitions

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ShipSafe ("Processor," "we," "us") operating at ship-safe.co and the customer ("Controller," "you") who uses the ShipSafe service.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under GDPR Article 4(1).
"Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, erasure, or destruction.
"Controller" means the entity that determines the purposes and means of Processing Personal Data.
"Processor" means the entity that processes Personal Data on behalf of the Controller.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
"Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for the transfer of Personal Data to third countries.

2. Scope and Purpose of Processing

ShipSafe is a SaaS security scanner designed for applications built with AI-assisted coding tools. This DPA applies to all Personal Data that the Processor processes on behalf of the Controller in connection with providing the ShipSafe service.

Subject Matter

The Processor provides security scanning and analysis of source code repositories submitted by the Controller, generating security reports and vulnerability assessments.

Nature and Purpose

Personal Data is processed for the purpose of providing the ShipSafe service, including account management, authentication, security scanning, report generation, payment processing, and transactional communications.

Types of Personal Data

Account identifiers (name, email address, GitHub username)
Authentication data (OAuth tokens, session information)
Repository metadata (repository names, scan timestamps, scan results)
Payment and billing information (processed by third-party payment providers)
Usage data (pages visited, feature usage, device information)

Categories of Data Subjects

Customers and end users of the ShipSafe service
Developers whose repositories are submitted for scanning

Duration

Processing continues for the duration of the Controller's use of the ShipSafe service, plus any retention period required by law or described in Section 9 of this DPA.

3. Data Processor Obligations

The Processor shall:

Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, as described in Section 7 of this DPA.
Assist the Controller in fulfilling its obligation to respond to Data Subject requests, as described in Section 6 of this DPA.
Assist the Controller in ensuring compliance with its obligations regarding security of processing, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
At the choice of the Controller, delete or return all Personal Data upon termination of the service, unless retention is required by applicable law.
Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28, and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.
Immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other applicable data protection provisions.

4. Sub-processors

The Controller provides general written authorization for the Processor to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes within 30 days.

The Processor has engaged the following sub-processors:

Sub-processor	Purpose	Data Processed	Location
Convex	Database	Account data, scan reports, application state	United States
Clerk	Authentication	Email, name, GitHub profile, session tokens	United States
Anthropic	AI-powered code analysis	Code snippets (transient, not stored)	United States
Resend	Transactional email	Email addresses, notification content	United States
Polar	Payments & subscription management	Payment info, billing data, subscription state	United States
GitHub	Code access via OAuth	Repository contents, OAuth tokens	United States
Sentry	Error monitoring, performance tracking	Error logs, IP addresses, session replays	United States
Vercel	Hosting and edge compute	Request logs, IP addresses	United States

The Processor shall impose the same data protection obligations as set out in this DPA on each sub-processor by way of a contract, ensuring that each sub-processor provides sufficient guarantees to implement appropriate technical and organizational measures.

The Processor remains fully liable to the Controller for the performance of each sub-processor's obligations.

5. Controller Obligations

The Controller shall:

Ensure that it has a lawful basis for the processing of Personal Data and that all necessary consents have been obtained from Data Subjects where required.
Provide documented processing instructions to the Processor.
Ensure that repositories submitted for scanning do not contain Personal Data beyond what is necessary, or that appropriate safeguards are in place where they do.
Comply with its obligations under applicable data protection laws, including GDPR.

6. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under GDPR, including:

Right of access — obtaining confirmation and a copy of Personal Data being processed.
Right to rectification — correcting inaccurate or incomplete Personal Data.
Right to erasure — deleting Personal Data ("right to be forgotten").
Right to restriction of processing — limiting the processing of Personal Data in certain circumstances.
Right to data portability — receiving Personal Data in a structured, commonly-used, machine-readable format.
Right to object — objecting to processing based on legitimate interests or for direct marketing.

The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject and shall not respond to the request without the Controller's prior written authorization, unless required by applicable law.

Data Subject requests can be submitted to support@ship-safe.co and will be addressed within 30 days.

7. Data Security Measures

The Processor implements the following technical and organizational measures to protect Personal Data, in accordance with GDPR Article 32:

Technical Measures

Encryption of data in transit using TLS 1.2 or higher.
Encryption of data at rest in all databases and storage systems.
Source code submitted for scanning is processed in memory and is not stored permanently. Code is discarded once the security report is generated.
Role-based access controls limiting access to production systems and Personal Data.
Regular security assessments and vulnerability scanning of our own infrastructure.
Automated monitoring and alerting for anomalous access patterns.

Organizational Measures

Principle of least privilege for all personnel with access to Personal Data.
Confidentiality obligations for all personnel who process Personal Data.
Regular review of third-party service configurations and access permissions.
Data minimization — we collect and process only the Personal Data necessary to provide the service.
Documented incident response procedures for handling data breaches.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach, in accordance with GDPR Article 33.

The notification shall include:

A description of the nature of the Personal Data breach, including the categories and approximate number of Data Subjects and records concerned.
The name and contact details of the Processor's point of contact for further information.
A description of the likely consequences of the breach.
A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects.

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of each Personal Data breach.

9. International Data Transfers

Personal Data is processed primarily in the United States. For Controllers and Data Subjects located in the European Economic Area (EEA), United Kingdom, or Switzerland, the Processor ensures that appropriate safeguards are in place for international transfers of Personal Data.

Transfer Mechanisms

Standard Contractual Clauses (SCCs) — the Processor uses the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor) for transfers of Personal Data to third countries that do not have an adequate level of data protection, as approved by Commission Implementing Decision (EU) 2021/914.
Sub-processor agreements — the Processor ensures that all sub-processors listed in Section 4 maintain equivalent data transfer safeguards, including SCCs where applicable.
Supplementary measures — the Processor implements additional technical and organizational measures (such as encryption and access controls) to supplement transfer mechanisms where necessary.

The Processor shall promptly inform the Controller if it becomes aware of any changes in applicable law that may affect the validity of the transfer mechanisms in place.

10. Duration and Termination

This DPA shall remain in effect for the duration of the Controller's use of the ShipSafe service. Upon termination of the service:

The Processor shall, at the Controller's choice, delete or return all Personal Data processed on behalf of the Controller within 30 days of receiving a written request, unless applicable law requires further retention.
The Processor shall delete existing copies of Personal Data unless applicable law requires storage of the Personal Data.
Upon request, the Processor shall provide written certification of deletion to the Controller.

Obligations relating to confidentiality, data security, and cooperation with supervisory authorities shall survive the termination of this DPA.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for obligations that cannot be limited under applicable data protection law.

12. Contact Information

For questions or requests related to this Data Processing Agreement, contact us at:

support@ship-safe.co

You may also review our Privacy Policy and Terms of Service for additional information about our data practices.