DesignCheck

Security

Your trust is our top priority. Learn how we protect your data and maintain the highest security standards.

Our Security Commitment

DesignCheck is built with security as a foundational principle. We implement industry-leading practices to protect your data, maintain system integrity, and ensure the confidentiality of your design reviews.

Data Protection

Encryption

  • In Transit: All data transmitted between your browser and our servers uses TLS 1.3 encryption.
  • At Rest: All stored data, including screenshots and user information, is encrypted using AES-256 encryption.
  • Database: We use Turso (LibSQL) with built-in encryption for all database operations.

Data Storage

  • Geographic Distribution: Data is stored in secure, geographically distributed data centers.
  • Backups: Automated daily backups with encryption and retention policies.
  • Redundancy: Multiple copies ensure data availability and disaster recovery.

Access Control

Authentication

  • GitHub OAuth: Secure authentication through GitHub's trusted OAuth platform.
  • Session Management: Secure session tokens with automatic expiration.
  • No Password Storage: We never store passwords - authentication is handled by GitHub.

Authorization

  • Role-Based Access: Granular permissions based on your role in the organization.
  • Repository Isolation: Screenshots and reviews are only accessible to authorized team members.
  • Least Privilege: Users and systems are granted minimum necessary permissions.

Infrastructure Security

Hosting & Network

  • Cloud Infrastructure: Hosted on enterprise-grade cloud platforms with 99.9% uptime SLA.
  • DDoS Protection: Cloudflare protection against distributed denial of service attacks.
  • Firewalls: Network-level firewalls and intrusion detection systems.
  • CDN: Global content delivery network for performance and security.

Application Security

  • Input Validation: All user inputs are validated and sanitized.
  • SQL Injection Protection: Parameterized queries prevent SQL injection attacks.
  • XSS Protection: Content Security Policy and output encoding prevent cross-site scripting.
  • CSRF Protection: Token-based protection against cross-site request forgery.

Security Practices

Development

  • Secure SDLC: Security is integrated into every phase of development.
  • Code Review: All code changes require peer review before deployment.
  • Dependency Scanning: Automated scanning for vulnerable dependencies.
  • Static Analysis: Automated code analysis to detect security issues.

Operations

  • Regular Updates: Timely security patches and system updates.
  • Monitoring: 24/7 security monitoring and alerting.
  • Incident Response: Documented procedures for security incident response.
  • Logging: Comprehensive audit logs for security analysis.

Compliance & Auditing

Standards

  • OWASP Top 10: Protection against the most critical web application security risks.
  • GDPR Compliance: Full compliance with EU data protection regulations.
  • Privacy by Design: Privacy considerations built into all features.

Third-Party Security

  • GitHub: Enterprise-grade security for authentication and repository access.
  • Stripe: PCI DSS Level 1 certified payment processing.
  • Cloudflare: Industry-leading DDoS protection and WAF.

Your Security

Best Practices for Users

  • Keep your GitHub account secure with a strong password and 2FA enabled
  • Review the permissions granted to the DesignCheck GitHub App
  • Regularly review team member access to your repositories
  • Report any suspicious activity immediately
  • Log out when using shared devices

Vulnerability Disclosure

We welcome responsible security research. If you discover a security vulnerability, please:

Reporting Process

  1. Email: [email protected] with details of the vulnerability
  2. Details: Include steps to reproduce, potential impact, and any relevant screenshots or logs
  3. Response: We will acknowledge your report within 24 hours
  4. Timeline: We aim to resolve critical issues within 72 hours

Our Commitment

  • We will not pursue legal action against researchers who follow responsible disclosure
  • We will credit researchers who discover significant vulnerabilities (with permission)
  • We will keep you informed of our progress in addressing the issue

Incident Response

In the event of a security incident:

  • Detection: Our monitoring systems detect unusual activity in real-time.
  • Containment: Immediate action to isolate affected systems.
  • Investigation: Thorough analysis to understand scope and impact.
  • Notification: Affected users are notified within 72 hours.
  • Remediation: Implementation of fixes and preventive measures.
  • Post-Mortem: Detailed review to prevent future incidents.

Security Updates

We continuously improve our security posture. Stay informed about security updates:

  • Subscribe to our security newsletter
  • Follow our status page for incident notifications
  • Review our changelog for security-related updates

Contact

For security concerns or questions:

Security First

Security is not a feature - it's our foundation. We are committed to maintaining the highest security standards to protect your data and earn your trust.