Security & trust
How we protect the data you trust us with.
Your data lives in encrypted, modern infrastructure. We follow industry-standard practices for a small SaaS, run regular security checks, and are transparent when something needs your attention.
Infrastructure
TranscendByDesign runs on Cloudflare and Supabase — both certified, enterprise-grade providers used by tens of thousands of companies of all sizes.
- Hosting: Cloudflare Pages (static sites) and Cloudflare Workers (API). Cloudflare maintains SOC 2 Type II, ISO 27001, ISO 27018, and PCI DSS certifications.
- Database: Supabase (managed PostgreSQL). Supabase is SOC 2 Type II certified and HIPAA-ready on Pro plans.
- Payments: Stripe (PCI DSS Level 1 certified). We never see or store payment card numbers.
- Email: Resend (SOC 2 Type II compliant transactional email).
Encryption
- In transit: All traffic between your browser and our infrastructure is encrypted with TLS 1.3.
- At rest: Data stored in Supabase is encrypted using AES-256.
- Secrets: API keys, database credentials, and webhook secrets are stored in Cloudflare Worker secrets (encrypted, not visible in logs).
Access controls
- Authentication: Supabase Auth with email/password and email verification. Optional MFA available.
- Row-level security: All customer data is isolated by organization ID via PostgreSQL row-level security policies. You can never see another customer's data.
- Founder access: The founder retains administrative access for support purposes. Access is logged and audited.
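As an added example (not TranscendByDesign's own schema or code), this is how organization-ID isolation is expressed with PostgreSQL row-level security; the table, column names, and the session setting that carries the caller's organization ID are assumptions.

```sql
-- Added example, not the production schema. Tenant isolation keyed on an
-- organization ID using PostgreSQL row-level security (RLS).
-- Assumed: a "documents" table with an org_id column, and an API layer that
-- sets the session setting app.current_org_id after authenticating the caller.

CREATE TABLE documents (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    body    text NOT NULL
);

-- RLS is off by default: until it is enabled, any role with SELECT on the
-- table sees every row. FORCE applies the policy to the table owner as well,
-- so an application role that owns its tables cannot silently bypass it.
ALTER TABLE documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE documents FORCE ROW LEVEL SECURITY;

-- One policy for all commands. USING filters rows on read/update/delete;
-- WITH CHECK rejects inserted or updated rows that belong to another org.
-- The second argument to current_setting() makes a missing setting return
-- NULL instead of raising; NULL compares equal to nothing, so a request
-- with no organization context sees (and can write) no rows at all.
CREATE POLICY org_isolation ON documents
    FOR ALL
    USING      (org_id = current_setting('app.current_org_id', true)::uuid)
    WITH CHECK (org_id = current_setting('app.current_org_id', true)::uuid);

-- Per request: set the context inside the transaction (SET LOCAL, so it is
-- discarded at COMMIT and cannot leak to the next request on a pooled
-- connection), then query without any org filter in application code.
BEGIN;
SET LOCAL app.current_org_id = '11111111-1111-1111-1111-111111111111';
SELECT id, body FROM documents;   -- returns only rows whose org_id is 1111...
COMMIT;

-- A write for a different organization fails the WITH CHECK clause with
-- "new row violates row-level security policy" and the transaction aborts.
BEGIN;
SET LOCAL app.current_org_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO documents (org_id, body)
    VALUES ('22222222-2222-2222-2222-222222222222', 'not mine');
ROLLBACK;

-- Caveat: superusers and roles with the BYPASSRLS attribute skip every
-- policy, so those roles belong only in backend code, never in a client.
```

On Supabase the organization ID is usually taken from the authenticated user's JWT claims rather than a session setting, and the service_role key bypasses RLS entirely, so it must stay server-side.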
AI & your data
When you use AI features in TranscendByDesign products, your prompts are sent to Anthropic (Claude API) for processing. Anthropic's data handling policy applies.
- Anthropic does not use API customer data to train their models.
- We do not log full prompt content beyond what is needed for usage tracking and abuse prevention (token counts, cost estimates).
- Sensitive data (PII, regulated information) should not be put into AI prompts unless your industry's compliance posture explicitly allows it.
Compliance posture
TranscendByDesign is currently a small, founder-led SaaS. We have not yet pursued formal SOC 2 or ISO 27001 certification — those certifications make sense at a different stage of growth and customer mix.
What we do today:
- Use SOC 2-certified underlying infrastructure (Cloudflare, Supabase, Stripe, Resend).
- Maintain a security incident response plan and notify affected customers of any breach within 72 hours.
- Document security decisions and architecture publicly (this page).
Reporting a vulnerability
If you discover a security issue, please email security@transcendbydesign.io directly. We will acknowledge within 48 hours and work with you on responsible disclosure.
We do not currently run a paid bug bounty program, but we will publicly thank credible researchers in this section.
Backups & data portability
- Database backed up daily by Supabase with 7-day point-in-time recovery.
- Full data export available on request to any customer at any time, in standard CSV/JSON formats.
- Account deletion removes all customer data within 30 days; any remaining copies are cryptographically erased or expire within Supabase's retention windows.
Last updated
This page is a living document. We update it as our security posture evolves.