Effective 1 May 2026

Security Overview

The Design Phase is built on enterprise-grade infrastructure. This page outlines the security controls and practices we maintain to protect your data.

1. Overview

Security is fundamental to what The Design Phase does. Our platform stores governance-critical data — design decisions, audit trails, sign-offs, and evidence packages — that customers rely on for accountability and legal defensibility. We take the security of that data seriously.

This document provides a summary of our security controls. It is a living document updated as our security posture evolves. Enterprise customers may request additional security documentation by contacting support@thedesignphase.app.

Nothing in this security overview constitutes a warranty or guarantee of security. DDI - TheDesignPhase LLC's liability in connection with any security incident is limited as set out in the Terms of Service.

2. Infrastructure

The Design Phase is hosted on Vercel's global edge network, ensuring low-latency access and high availability. Our database runs on Supabase (managed PostgreSQL), which is hosted on AWS infrastructure in dedicated regions.

All traffic to and from the platform is served exclusively over HTTPS. We enforce TLS 1.2 as the minimum protocol version. HTTP requests are automatically redirected to HTTPS.

We do not operate our own physical data centres. All infrastructure is managed through Vercel and Supabase, both of which maintain SOC 2 Type II certifications and comprehensive independent security audit programmes.

3. Data Encryption

Data at rest: All data stored in our Supabase database is encrypted at rest using AES-256. This includes all project data, session records, RAID entries, and audit logs.

Data in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We do not transmit sensitive data over unencrypted connections.

File storage: File objects stored on the platform (such as design documents or attachments) are accessed via signed URLs with time-limited expiry. Files are not accessible via permanent public URLs.

4. Authentication & Access Control

Row-Level Security (RLS): Every database table is protected by Row-Level Security policies enforced at the database engine level. This ensures that queries made in the context of one workspace can never return data belonging to another workspace.

Role-based access: The platform enforces five distinct roles — Program Administrator, Co-Admin, Project Manager, Workstream Lead, and User — each with granular permissions controlling what data can be read, written, or approved.

Multi-factor authentication: MFA/TOTP is available for all users. Workspace administrators can enforce MFA for all members of their workspace. Users without a verified TOTP factor are redirected to enrol before accessing any MFA-enforced workspace.

Session tokens: Authentication is managed via Supabase Auth using short-lived JWTs with automatic refresh. Sessions are tied to secure, httpOnly cookies. There are no shared or long-lived credentials.

5. Payments

All payment processing is handled exclusively by Stripe, Inc., which is certified as a PCI DSS Level 1 Service Provider — the highest level of payment security certification available.

DDI - TheDesignPhase LLC never stores, transmits, or has access to your full card number, CVV, or other sensitive payment instrument data. All card data is tokenised by Stripe before reaching our systems.

Our checkout flow uses Stripe-hosted pages for payment entry, ensuring that raw card data never touches DDI's servers.

6. Vulnerability Management

DDI monitors the platform for known vulnerabilities through automated dependency scanning. Critical vulnerabilities in application dependencies are assessed and remediated as a priority, targeting resolution within 14 days of confirmed impact.

Infrastructure security patches are managed by our underlying providers (Supabase, Vercel) in accordance with their published security programmes and SLAs.

To report a suspected security vulnerability, contact support@thedesignphase.app with a description of the issue and steps to reproduce. We will acknowledge receipt within 2 business days. We ask that you follow responsible disclosure practices and do not publicly disclose findings until we have had a reasonable opportunity to investigate and remediate.

We do not currently operate a bug bounty programme, but we are grateful to security researchers who help protect our users.

7. Incident Response

In the event of a confirmed security incident affecting the platform or customer data, DDI - TheDesignPhase LLC will: (a) contain and investigate the incident as rapidly as practicable; (b) notify affected customers without undue delay and within 72 hours of confirmation where personal data is involved, in accordance with our DPA obligations; (c) provide a written summary of the incident, its scope, and the remediation steps taken.

Customers are responsible for maintaining the security of their own account credentials and for notifying DDI promptly at support@thedesignphase.app upon becoming aware of any suspected unauthorised access to their accounts.

DDI's incident response notification obligations are set out in full in the Data Processing Agreement at /dpa. DDI's liability in connection with any security incident is limited as set out in the Terms of Service at /terms.

8. Compliance

SOC 2 Type II readiness: DDI - TheDesignPhase LLC is actively progressing toward SOC 2 Type II certification. Our infrastructure providers (Supabase, Vercel) both hold SOC 2 Type II certifications, providing assurance at the infrastructure layer.

GDPR & UK GDPR: DDI processes personal data in accordance with applicable data protection law. Our Data Processing Agreement is available at /dpa.

PCI DSS: DDI does not store card data and delegates all payment processing to Stripe (PCI DSS Level 1). DDI itself is not in scope for PCI DSS certification.

9. Responsible Disclosure

If you discover a security vulnerability in The Design Phase platform, please report it responsibly. Email support@thedesignphase.app with a description of the vulnerability, steps to reproduce, and any supporting evidence.

We will acknowledge your report within 2 business days and will keep you informed as we investigate and remediate the issue. We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.