Security and vulnerability disclosure
Effective date: May 15, 2026
We take the security of Parity and the data you trust us with seriously. If you believe you have found a security vulnerability in the Parity Figma plugin, our backend services, or parityplugin.design, we want to hear from you.
Certifications and shared responsibility
Parity (the Figma plugin, our API services, and this website) is not independently certified to SOC 2, PCI DSS, HITRUST, ISO 27001, SSAE 18, or similar frameworks. We are a small product and rely on vendors that maintain their own security and compliance programs.
Subprocessors we depend on include Google Cloud (Cloud Run for the audit service and related APIs; Google Secret Manager for production secrets), Anthropic (Claude API — audit payloads are sent from our backend to Anthropic over HTTPS to generate reviews), Supabase (Postgres for metering and billing associations), Stripe (payments and customer portal), Vercel (hosting for parityplugin.design), PostHog (product analytics), and Sentry (server-side error monitoring). For current certifications and data-handling terms, read each vendor's official trust, security, and legal pages directly — they change over time.
Payment card data is collected and processed only by Stripe; Parity's servers do not receive or store full card numbers. How audit content reaches Anthropic, and how long we retain inputs on our side, is described in our privacy policy.
The version of Parity published on Figma Community routes cloud audits through Parity's hosted backend only; it does not include optional user-configured ("bring your own") AI endpoints.
How to report a vulnerability
Please email a description of the issue to support@parityplugin.design with the subject line "Security report". Include enough detail for us to reproduce the issue: the affected component (plugin, backend API, marketing site), reproduction steps, and any proof-of-concept material.
You can expect an initial acknowledgement within 72 hours. We will keep you informed as we investigate, develop a fix, and ship the remediation.
Scope
The following are in scope for security reports:
- The Parity Figma plugin (the bundle published on Figma Community).
- Parity's backend services hosted on Google Cloud Run, including the audit pipeline, URL capture, billing endpoints, and the server-side integration that calls Anthropic's Claude API on behalf of users.
- The parityplugin.design marketing and account site.
The following are out of scope:
- Findings against third-party providers we depend on (Google Cloud, Anthropic, Supabase, Stripe, PostHog, Sentry, Vercel). Please report those directly to the providers.
- Reports that require physical access to a user's device, social engineering, or unprivileged use of features working as documented.
- Automated scanner output without a working proof of concept, and theoretical issues with no demonstrated impact.
Safe harbor
We will not pursue legal action against researchers who report vulnerabilities to us in good faith and who:
- Make a reasonable effort to avoid privacy violations, destruction of data, and degradation of service to other users.
- Do not exploit a vulnerability beyond what is necessary to confirm it.
- Do not disclose the vulnerability publicly before we have had a reasonable opportunity to remediate it.
- Comply with all applicable laws.
What to expect after reporting
- Within 72 hours: an acknowledgement that your report has been received.
- Triage: we will validate the report, determine severity, and share our assessment with you.
- Remediation: we will work on a fix and keep you posted on progress. Critical issues are prioritised ahead of feature work.
- Disclosure: once the fix has shipped, we are happy to publicly acknowledge your contribution if you want credit, or keep your report private if you prefer.
Acknowledgements
We do not currently run a paid bug bounty program. Parity is a small, solo-developer plugin, and we rely on the goodwill of the security community. We appreciate every well-formed report and will list reporters who would like credit on this page once their finding is fixed.
Contact
Security reports: support@parityplugin.design. Please use the subject line "Security report" so we can route it to the top of our inbox.
