Purpose of this DPIA
This page is a summary Data Protection Impact Assessment (DPIA) for Vibe.WithGov.io. It records the personal data the service processes, the lawful basis for processing, the risks involved, and the mitigations applied. It is published so that government service teams can complete their own DPIA for procurement or service-assessment purposes.
Vibe.WithGov.io is a rapid-prototyping tool. It is not intended to process the personal data of citizens or service users. The DPIA below covers the personal data of the people who use Vibe.WithGov.io (service designers, researchers, developers, etc.).
Description of processing
What we process
- Account data — email address, display name and avatar URL provided by the OAuth identity provider (Google) or SAML SSO at sign-in
- Workspace content — service specifications, AI prompts and generated prototype code that users create inside Vibe.WithGov.io
- Audit metadata — workspace membership changes, role changes, sign-in events, IP address at sign-in
- Operational telemetry — request logs, error traces, AI prompt/response observability (Langfuse)
- Analytics — aggregated usage statistics collected by Google Analytics 4, only after explicit consent (see Cookies)
What we do NOT process
- Any data a research participant or end user enters into a running prototype. Prototype submissions stay in the sandbox session only and are wiped when the sandbox hibernates. Vibe.WithGov.io does not persist them to its database.
- Special-category data (health, biometric, etc.). Users are instructed not to put real personal data into prototypes; prototype forms exist purely for user-research flow testing.
Lawful basis
Vibe.WithGov.io processes account, workspace and audit data on the basis of the contract between Vibe.WithGov.io and the workspace owner (UK GDPR Article 6(1)(b)). Operational telemetry is processed under the legitimate interest of operating and securing the service (Article 6(1)(f)). Analytics is processed on the basis of consent (Article 6(1)(a)) collected via the cookie banner.
Necessity and proportionality
Account data is the minimum required to authenticate users and scope a workspace. Workspace content is the product itself — it is the prototype the user is building. Audit and telemetry are retained only as long as is needed to meet security, billing and support obligations. Analytics is off by default and only runs after the user accepts analytics cookies via the cookie banner.
Data flows and processors
The following sub-processors hold personal data on Vibe.WithGov.io's behalf. Default data residency is the UK; an EU region is available on request for procurement scenarios that require it.
- Supabase — Postgres database, authentication, file storage. Hosted in the UK (London) by default.
- E2B — disposable per-project sandbox runtime for live prototype previews. UK region by default; sandboxes auto-hibernate when idle and are torn down with the project.
- Redis (managed) — queue and short-lived cache. UK region.
- Anthropic, Google (Gemini) — AI model providers used for code generation. API-only access under data processing agreements; prompts and responses are not retained by the provider beyond the duration of the request and are not used to train models.
- Stripe — billing and subscription management. Card data never touches Vibe.WithGov.io's servers.
- Langfuse — LLM observability. UK / EU region. Disabled in development environments.
- Google Analytics 4 — aggregated usage analytics, only after consent.
Risks and mitigations
| Risk | Likelihood | Mitigation |
|---|---|---|
| Unauthorised cross-workspace data access | Low | Postgres Row Level Security policies enforce workspace-scoped reads/writes; reviewed in CI. |
| Real personal data placed inside a prototype form | Medium | Prototype submissions are not persisted by Vibe.WithGov.io; the sandbox is wiped on hibernation. Documentation and FAQ instruct users to use synthetic data. |
| Sub-processor training on Vibe.WithGov.io data | Low | AI providers used under enterprise/API agreements that prohibit training; reviewed annually. |
| Account takeover via leaked credentials | Low | Auth via Google OAuth or SAML SSO (no Vibe-held passwords); workspace-level SSO enforcement; audit log for sign-in events. |
| Long-term retention of unused data | Low | Account deletion removes prototype data within 30 days; idle sandboxes hibernate and are reclaimed. |
Retention
- Account and workspace data: for the lifetime of the account. On account deletion, removed within 30 days.
- Sandbox session state (including any data entered into a running prototype): held in memory in the sandbox only; wiped on hibernation.
- Audit logs: retained for 12 months.
- Operational telemetry: retained for 30 days unless tied to a specific incident investigation.
- Backups: full-database snapshots retained for 7 days; point-in-time recovery for 14 days.
Data subject rights
Users may at any time request access to, correction of, or deletion of their personal data, or export of their workspace content. Requests are handled within 30 days. To exercise a right, contact hello@vibe.withgov.io.
Review cycle
This DPIA is reviewed annually, and whenever there is a material change to the processing — for example, adding a new sub-processor, expanding the categories of data collected, or rolling out to a new jurisdiction. The current version is published at /dpia.
Contact
For DPIA queries, security questions or to ask for a copy of the full assessment, contact us at hello@vibe.withgov.io. Related pages: Privacy, Confidentiality, Cookies.