Security

How we protect customer data and the process for reporting security issues to us.

Last updated: 6/9/2026

Reporting a Vulnerability

  • If you believe you've found a security issue in ValidateThat — the web app, our API, or the Figma plugin — please email security@validatethat.io (if the security alias doesn't work for you, support@validatethat.io reaches the same person).
  • We aim to acknowledge reports within 24–48 hours. Critical issues are triaged and patched ahead of any public disclosure; lower-severity issues are scheduled into the normal release cycle.
  • We follow coordinated-disclosure norms: reporters are credited (with permission), fixes ship first, public write-ups happen after users have had time to update.
  • We do not currently run a paid bug bounty program. We do recognize researchers publicly and have a small thank-you for valid reports.

Scope

  • In scope: validatethat.io and all subdomains, our API at validatethat.io/api/*, the ValidateThat Figma plugin (id: 1646135071566424895), and the embedded participant-study runner.
  • Out of scope: third-party services we use (Stripe, Resend, Vercel, Upstash) — report those directly to the relevant vendor. Social engineering, physical attacks, and DDoS testing are also out of scope.
  • Please do not test against participant accounts you do not own, or run automated scanning that creates load on production. We're a small operation and aggressive scans get noticed.

Infrastructure

  • Application hosting: Vercel (SOC 2 Type 2, ISO 27001).
  • Database / cache: Upstash Redis (SOC 2 Type 2). Data at rest is encrypted by Upstash; we do not store unencrypted exports outside the database.
  • Email: Resend, used for transactional sends and broadcasts.
  • Payments: Stripe (PCI DSS Level 1). ValidateThat does not store card or banking data; all payment data flows directly between the user and Stripe.
  • All traffic to validatethat.io is served over TLS 1.2 or newer; plain HTTP requests are redirected to HTTPS automatically.

Account Authentication

  • User sessions: HTTP-only secure cookies, scoped to validatethat.io and subdomains.
  • Passwords: stored as bcrypt hashes. Plain-text passwords are never written to logs, the database, or any persistent store.
  • Password reset: time-limited single-use tokens delivered via email.
  • API tokens (used by the Figma plugin and any future integrations): generated server-side from 32 bytes of CSPRNG entropy, shown to the user exactly once at creation, and stored server-side only as a SHA-256 hash. The raw token is never persisted on our servers and is only ever transmitted over HTTPS as a Bearer header.

Figma Plugin Data Handling

  • The plugin reads text from the frame you explicitly select in Figma, only when you run the plugin. It does not access other frames, pages, or files in your design.
  • Card labels, the study title, and any categories you choose to send are transmitted over HTTPS to validatethat.io to create a card-sort study in your account. No Figma file content is stored beyond what you submit.
  • Authentication uses a per-user API token, stored locally in Figma's clientStorage (scoped to this plugin only) and on our servers as a SHA-256 hash. You can revoke any token instantly from Settings → Integrations.
  • The plugin transmits no data to Figma, Anthropic, analytics services, or any third party other than ValidateThat. No tracking is added by the plugin.

Accreditations

  • ValidateThat is operated by a solo developer and is not separately accredited to SOC 2, ISO 27001, or HITRUST.
  • Where we depend on certified infrastructure, those certifications are listed above (Vercel: SOC 2 Type 2 + ISO 27001; Upstash: SOC 2 Type 2; Stripe: PCI DSS Level 1).
  • If you're conducting enterprise due-diligence and need additional documentation beyond what's on this page, contact security@validatethat.io and we'll do our best to provide what we can.

Reporting a security issue?

Email security@validatethat.io. Acknowledged within 24–48 hours. PGP not required.