Security & data
How your data is isolated, encrypted, and what we collect.
Multi-tenant isolation (RLS)
Every table carries an organization_id column. Access is governed by Postgres Row Level Security: user queries automatically see only the rows of their own organization, scoped by auth.uid() at the DB level. No manual per-org_id filtering is applied in application code — security rests on the DB engine, not the code.
Authentication
- Email + password via Supabase Auth (bcrypt hashing)
- Email confirmation required at signup
- Password reset via a 1-hour magic link
- Session cookies HttpOnly, SameSite=Lax, Secure in production
- Leaked-password protection via HaveIBeenPwned on signup and password change
Encryption
- In transit — TLS 1.2+ everywhere (2-year HSTS, preload eligible)
- At rest — AES-256 disk encryption (managed by Supabase / AWS)
- Figma tokens — application-level AES-256-GCM with a server key (`ENCRYPTION_KEY`)
- API keys — SHA-256 hashed in the DB; the plaintext is shown only once at creation
Security headers
- Content-Security-Policy — default-src 'self' with explicit allowlists (Supabase, Stripe, OpenAI, Sentry)
- HSTS — max-age 2 years, includeSubDomains, preload
- X-Frame-Options: DENY + frame-ancestors 'none' — anti-clickjacking
- Permissions-Policy — camera, mic, geolocation denied by default
- Referrer-Policy — strict-origin-when-cross-origin
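An added example, not part of this page or DesignVault's code, that turns the header policy above into a deploy-time check: it parses the CSP and HSTS values of a response and reports every deviation from the listed policy (missing `frame-ancestors 'none'`, `'unsafe-inline'`, an HSTS max-age below two years, and so on). The sample header set is constructed, and the allowlisted hosts for Supabase, Stripe, OpenAI and Sentry are assumed; the page names the providers but not the hostnames.

```javascript
// Added example (not DesignVault's code): audit response headers against the policy above.
const TWO_YEARS = 2 * 365 * 24 * 60 * 60; // 63072000 s, the required HSTS max-age

// Parse "default-src 'self'; img-src 'self' https://x" into { directive: [sources] }.
function parseCsp(value) {
  const out = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) out[name.toLowerCase()] = sources;
  }
  return out;
}

// Parse "max-age=N; includeSubDomains; preload" (directives are case-insensitive).
function parseHsts(value) {
  const tokens = value.split(';').map((t) => t.trim().toLowerCase());
  const maxAge = tokens.find((t) => t.startsWith('max-age='));
  return {
    maxAge: maxAge ? Number(maxAge.slice('max-age='.length)) : 0,
    includeSubDomains: tokens.includes('includesubdomains'),
    preload: tokens.includes('preload'),
  };
}

// Returns a list of findings; an empty list means the headers match the policy.
function auditHeaders(headers) {
  // Header names are case-insensitive; normalise like Fetch's Headers does.
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];

  const cspRaw = h['content-security-policy'];
  if (!cspRaw) findings.push('CSP missing');
  else {
    const csp = parseCsp(cspRaw);
    const def = csp['default-src'] || [];
    if (!def.includes("'self'") || def.includes('*')) findings.push("CSP default-src must be 'self' with no wildcard");
    for (const [name, sources] of Object.entries(csp)) {
      if (sources.includes("'unsafe-inline'") || sources.includes("'unsafe-eval'")) {
        findings.push(`CSP ${name} allows unsafe-inline/unsafe-eval`);
      }
    }
    if (!(csp['frame-ancestors'] || []).includes("'none'")) findings.push("CSP frame-ancestors 'none' missing");
  }

  const hstsRaw = h['strict-transport-security'];
  if (!hstsRaw) findings.push('HSTS missing');
  else {
    const hsts = parseHsts(hstsRaw);
    if (hsts.maxAge < TWO_YEARS) findings.push(`HSTS max-age ${hsts.maxAge} < ${TWO_YEARS}`);
    if (!hsts.includeSubDomains) findings.push('HSTS includeSubDomains missing');
    if (!hsts.preload) findings.push('HSTS preload missing');
  }

  if ((h['x-frame-options'] || '').toUpperCase() !== 'DENY') findings.push('X-Frame-Options must be DENY');
  const pp = h['permissions-policy'] || '';
  for (const feature of ['camera', 'microphone', 'geolocation']) {
    // "feature=()" is the Permissions-Policy syntax for "denied to everyone".
    if (!new RegExp(`${feature}=\\(\\)`).test(pp)) findings.push(`Permissions-Policy does not deny ${feature}`);
  }
  if (h['referrer-policy'] !== 'strict-origin-when-cross-origin') {
    findings.push('Referrer-Policy must be strict-origin-when-cross-origin');
  }
  return findings;
}

// Constructed sample that satisfies the policy; the third-party hosts are assumed.
const HARDENED_HEADERS = {
  'Content-Security-Policy':
    "default-src 'self'; connect-src 'self' https://*.supabase.co https://api.stripe.com " +
    "https://api.openai.com https://*.sentry.io; frame-ancestors 'none'",
  'Strict-Transport-Security': `max-age=${TWO_YEARS}; includeSubDomains; preload`,
  'X-Frame-Options': 'DENY',
  'Permissions-Policy': 'camera=(), microphone=(), geolocation=()',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

module.exports = { TWO_YEARS, parseCsp, parseHsts, auditHeaders, HARDENED_HEADERS };
```

Running `auditHeaders` against a live response (for example the headers returned by `fetch` of the production origin) in CI catches the usual regressions: a framework upgrade that re-adds `'unsafe-inline'`, or a CDN that rewrites HSTS to a one-year max-age, which would silently break preload eligibility.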
Data collected
| Data | Purpose | Retention |
|---|---|---|
| Email + password | Auth | While the account exists |
| Locale (fr/en) | UI + emails | Same |
| IP address at login | Audit / security | 90 days |
| User agent | Audit | 90 days |
| Stripe customer ID | Billing | Same |
| Uploaded assets | Service | As long as you keep them |
Loi 25 (Québec) & GDPR compliance
DesignVault is hosted in Canada (Vercel + Supabase ca-central-1). Data does not leave Canadian territory, except:
- Stripe (US) — billing only
- Resend (US) — transactional email only
- OpenAI (US) — opt-in AI features only (Spec_v0)
Your rights:
- Access / portability — Settings → Privacy → Export my data generates a complete JSON
- Rectification — editable from Settings, or by emailing support
- Erasure — Settings → Privacy → Delete my account, irreversible, full cascade
- Restriction — by email to support@designvault.net
Timelines: 30 days to respond, extendable once with notice. Recourse with the Commission d'accès à l'information du Québec.
Image storage
Thumbnails live in Supabase Storage (private bucket). No direct public link — we generate signed URLs valid for 24h on demand. If you delete an asset, its thumbnail is purged from the bucket immediately.
Backup & disaster recovery
- Supabase Pro keeps daily backups (7-day retention)
- Point-in-Time Recovery (PITR) is available as a Pro add-on and will be enabled before onboarding production customers
- No DesignVault-side backup — we rely on the Supabase infrastructure
Incident response
Sentry captures all server + client errors (without PII: no IP, no body, no cookies). Browser replays mask text, inputs, and media.
In the event of an incident affecting personal data, we notify the affected users and the CAI within the legal Loi 25 timelines. See our Privacy Policy.