Manifest is operated by TribalHouse. We take the security of your design data seriously and welcome reports from security researchers. This page describes how to report a vulnerability, what to expect from us, and the infrastructure our service runs on.
We acknowledge your report within 3 business days.
We assess and prioritize the issue by severity and confirm the outcome with you.
We fix confirmed high-severity issues before public disclosure and keep you updated on progress.
We credit reporters who ask to be named once a fix ships.
Safe harbor
We will not pursue or support legal action against researchers who act in good faith and follow this policy. Good-faith research means you:
Do not access, modify, or delete data that does not belong to you.
Do not degrade or interrupt the service for other users.
Stop testing and report the issue as soon as you find it.
Give us a reasonable window to remediate before any public disclosure.
Scope
In scope:
The Manifest Figma plugin.
The Manifest backend API at yotfjwocaabhnqrlpugi.supabase.co.
This website and its Cloudflare Pages functions.
Out of scope:
Vulnerabilities in third-party providers (Supabase, Paddle, Sentry, Figma). Report those to the provider directly.
Denial-of-service and volumetric attacks.
Social engineering, phishing, or physical access attempts against TribalHouse staff or users.
Reports from automated scanners without a demonstrated, exploitable impact.
Infrastructure and subprocessors
Manifest is an independent product and is not itself certified against SOC 2, ISO 27001, PCI DSS, HITRUST, or SSAE 18. Our stack runs on accredited providers:
Supabase hosts our database and object storage in the EU region (Frankfurt, Germany). Supabase maintains SOC 2 Type II, ISO 27001, and HIPAA compliance. See supabase.com/security.
Paddle is our merchant of record and processes all payments. Paddle holds PCI DSS Level 1 and SOC 2 Type II. Manifest never receives or stores card data. See trust.paddle.com.
Sentry receives runtime error reports for monitoring. We do not send design content to Sentry.
How we protect your data
All traffic between the plugin, this site, and the backend uses HTTPS/TLS.
We store only the node structure (JSON) and PNG preview images that you explicitly commit. We do not scan or index your Figma file in the background.
Row-level security enforces data isolation at the database layer, so members of one workspace cannot reach another workspace's data.
Preview images and snapshot JSON sit behind signed URLs. Direct public access is not possible.
Authentication tokens are stored in Figma's clientStorage, local to your machine.
Our Privacy Policy describes what we collect, where it is stored, and your rights.