Trendslop exists because vibe-coded apps ship insecure. Our own product is held to the same standard we audit our customers' apps against, and the same standard their customers deserve.
We never store your AWS root keys, your Stripe secret keys, or your Supabase service-role keys. We use scoped, short-lived IAM roles and OAuth tokens, refreshed per session.
Our deploy role can only touch the S3 bucket, Lambda functions and SES identities you explicitly authorise. CloudFormation diff shown before every deploy. Nothing else gets created.
AES-256 at rest. TLS 1.3 everywhere. Customer data lives in segregated tenant schemas on Supabase with row-level security policies enforced at the database layer.
Every Trendslop action (patch, deploy, key rotation) is logged immutably. Team and Enterprise plans get a real-time audit export for SOC 2 / ISO 27001 evidence.
Your code, your prompts, your dependency graphs: none of it is ever used to train any model, ours or anyone else's. Period.
Rewards are scaled to severity and impact. See our disclosure programme for scope and how we triage.
When you run a Ship audit, Trendslop checks the things every vibe-coded app fails on. The same controls our infrastructure obeys.
*Found a bug? Email security@trendslop.ai with full details. We aim to respond within 24 hours and reward valid reports based on severity and impact. Please don't open public issues.