Security & trust
How we protect the data you trust us with.
Your data lives in encrypted, modern infrastructure. We follow industry-standard practices for a small SaaS, run regular security checks, and are transparent when something needs your attention.
Infrastructure
TranscendByDesign runs on Cloudflare and Supabase — both certified, enterprise-grade providers used by tens of thousands of companies of all sizes.
- Hosting: Cloudflare Pages (static sites) and Cloudflare Workers (API). Cloudflare maintains SOC 2 Type II, ISO 27001, ISO 27018, and PCI DSS certifications.
- Database: Supabase (managed PostgreSQL). Supabase is SOC 2 Type II certified and HIPAA-ready on Pro plans.
- Payments: Stripe (PCI DSS Level 1 certified). We never see or store payment card numbers.
- Email: Resend (SOC 2 Type II compliant transactional email).
Encryption
- In transit: All traffic between your browser and our infrastructure is encrypted with TLS 1.3.
- At rest: Data stored in Supabase is encrypted using AES-256.
- Secrets: API keys, database credentials, and webhook secrets are stored in Cloudflare Worker secrets (encrypted, not visible in logs).
Access controls
- Authentication: Supabase Auth with email/password and email verification. Optional MFA available.
- Row-level security: All customer data is isolated by organization ID via PostgreSQL row-level security policies. You can never see another customer's data.
- Founder access: The founder retains administrative access for support purposes. Access is logged and audited.
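The organization-ID isolation described above, as an added illustration that is not TranscendByDesign's own schema or policy code. It assumes a Supabase/PostgreSQL project where each authenticated user's JWT carries a hypothetical org_id claim, and a hypothetical customer_records table with an org_id column; auth.jwt() and auth.uid() are Supabase's built-in helpers.

```sql
-- Added example (hypothetical table and claim name), showing deny-by-default
-- row-level security keyed on the caller's organization.
create table if not exists customer_records (
  id          bigint generated always as identity primary key,
  org_id      uuid not null,
  created_by  uuid not null default auth.uid(),
  body        text not null
);

-- Once RLS is enabled, no row is visible or writable unless a policy allows it.
alter table customer_records enable row level security;
-- Apply policies to the table owner too, not only to other roles.
alter table customer_records force row level security;

-- Reads the caller's organization from the JWT; NULL for anonymous callers,
-- so every comparison below fails closed.
create or replace function current_org_id() returns uuid
language sql stable as $$
  select nullif(auth.jwt() ->> 'org_id', '')::uuid
$$;

-- Read: only rows belonging to the caller's organization.
create policy "org members read own org" on customer_records
  for select to authenticated
  using (org_id = current_org_id());

-- Write: WITH CHECK stops a client from inserting or moving a row into
-- another organization by supplying a different org_id.
create policy "org members insert into own org" on customer_records
  for insert to authenticated
  with check (org_id = current_org_id());

create policy "org members update own org" on customer_records
  for update to authenticated
  using (org_id = current_org_id())
  with check (org_id = current_org_id());

-- Check: simulate an authenticated caller from one organization and confirm
-- that only that organization's rows come back (constructed UUID).
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"role":"authenticated","org_id":"00000000-0000-0000-0000-000000000001"}',
    true);
  select org_id, count(*) from customer_records group by org_id;
rollback;
```

Keys carrying the service role bypass RLS entirely, which is why such credentials belong only in server-side secrets and never in a browser client.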
AI & your data
When you use AI features in TranscendByDesign products, your prompts are sent to Anthropic (Claude API) for processing. Anthropic's data handling policy applies.
- Anthropic does not use API customer data to train their models.
- We do not log full prompt content; we retain only what is needed for usage tracking and abuse prevention (token counts, cost estimates).
- Sensitive data (PII, regulated information) should not be put into AI prompts unless your industry's compliance posture explicitly allows it.
Industries we do not currently serve
TranscendByDesign is built for small businesses and lean teams in industries where standard SaaS is a clean fit. We are not currently certified or appropriate for the following:
- Healthcare and HIPAA-covered entities — medical practices, dental, behavioral health, and any business that creates, receives, maintains, or transmits Protected Health Information (PHI).
- Health insurance, life insurance, property & casualty insurance, and brokers — subject to state insurance regulations and (for health) HIPAA, neither of which we are certified for.
- Banks, credit unions, lenders, and mortgage originators — subject to GLBA, BSA, and state lending regulations we have not pursued.
- Investment advisors and broker-dealers — subject to SEC and FINRA recordkeeping requirements we are not certified for.
- Cannabis, CBD, and dispensary operations — the federal/state regulatory mismatch creates banking and payment processing complications we are not equipped to navigate.
Visitors who select one of these industries during signup are politely declined and offered a notification list in case our compliance posture changes.
For accounts in legal, accounting, government contracting, K-12 education, and FDA-regulated retail, we accept signups with a written attestation that the customer takes responsibility for their own compliance posture and will not store regulated data in TBD products.
This restriction is also in our Terms of Service. Accounts found to be in violation are terminated for cause with a refund of any unused pre-paid time.
Compliance posture
TranscendByDesign is currently a small, founder-led SaaS. We have not yet pursued formal SOC 2 or ISO 27001 certification — those certifications make sense at a different stage of growth and customer mix.
What we do today:
- Use SOC 2-certified underlying infrastructure (Cloudflare, Supabase, Stripe, Resend).
- Maintain a security incident response plan and notify affected customers of any breach within 72 hours.
- Document security decisions and architecture publicly (this page).
Reporting a vulnerability
If you discover a security issue, please email security@transcendbydesign.io directly. We will acknowledge within 48 hours and work with you on responsible disclosure.
We do not currently run a paid bug bounty program, but we will publicly thank credible researchers in this section.
Backups & data portability
- Database backed up daily by Supabase with 7-day point-in-time recovery.
- Full data export available on request to any customer at any time, in standard CSV/JSON formats.
- Account deletion removes all customer data within 30 days; remaining copies are cryptographically erased or expire within Supabase's retention windows.
Last updated
This page is a living document. We update it as our security posture evolves.