Security Policy

Last updated: November 29, 2025

At Doddle Software Limited ("we", "us", "our"), we take your privacy and data security seriously. This Security Policy describes the technical and organisational measures we use to protect the confidentiality, integrity, and availability of your information when using the Manifest productivity application and related services (the "Service").


1. Overview

Our goal is to ensure that your data — including your workspaces, goals, milestones, tasks, focus sessions, and AI assistant conversations — is handled safely and securely at every stage.

We implement industry-standard security practices to protect against unauthorised access, alteration, disclosure, or destruction of your data.


2. Infrastructure & Hosting

  • Frontend Hosting: Manifest's web application is hosted on Vercel, a secure, globally-distributed platform with enterprise-grade security.

  • Database & Authentication: All persistent data (user accounts, workspaces, goals, tasks, subscriptions, etc.) is stored on Supabase-managed PostgreSQL databases.

  • Data Region: Primary data is stored in secure cloud infrastructure with appropriate data residency considerations.

  • Backups: Encrypted backups of the database are created automatically by Supabase and securely stored.

  • Encryption at Rest: All data in Supabase is encrypted at rest using AES-256 encryption.

  • Encryption in Transit: All communication between your device and our servers is encrypted using TLS 1.2+ (HTTPS).

  • Environment Isolation: Production, staging, and development environments are logically separated to prevent cross-access.


3. Authentication & Access Control

  • User Authentication: Manifest uses Supabase Auth to manage user accounts and sessions with secure JWT-based authentication.

  • OAuth Integration: Users can authenticate via Google OAuth 2.0 for convenient and secure sign-in.

  • Password Storage: Passwords are hashed using industry-standard algorithms (bcrypt) and never stored in plain text.

  • Session Management: User sessions are securely managed with automatic expiration and refresh token rotation.

  • Row Level Security (RLS): Supabase RLS policies ensure users can only access their own data at the database level. Every query is filtered by user_id to prevent unauthorised data access.

  • Access Limitation: Only authorised personnel of Doddle Software Limited have access to production systems, and such access is restricted to legitimate business needs.

  • Principle of Least Privilege: Permissions and credentials are granted at the minimal level required to perform a task.


4. Application Security

  • Secure Development Lifecycle: All code changes are reviewed via pull requests and tested before deployment.

  • Dependency Management: We monitor dependencies using automated tools (Dependabot, npm audit) to detect and patch vulnerabilities quickly.

  • Environment Variables: Secrets (API keys, database passwords, Stripe keys, AI provider keys) are stored securely using environment variables, never in source code.

  • API Security: All API endpoints are authenticated and protected. Sensitive operations require valid user sessions.

  • Rate Limiting: API endpoints are rate-limited to prevent abuse and denial-of-service attacks.

  • Input Validation: User input is validated and sanitised to prevent common web vulnerabilities (XSS, SQL injection, CSRF).

  • Content Security Policy (CSP): We apply CSP headers to reduce the risk of injection attacks.

  • Stripe Integration Security: All payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. We do not store credit card numbers on our servers.


5. AI Security & Privacy

  • AI Provider Security: AI features are powered by OpenAI and Google Gemini. Your conversations are transmitted securely via encrypted connections.

  • Data Minimisation: We send only the necessary context to AI providers to generate responses.

  • AI Session Tracking: AI usage is tracked per user for subscription limit enforcement, stored securely in our user_monthly_usage table.

  • No Training on Your Data: We do not use your personal data or conversations to train AI models. Refer to OpenAI and Google's enterprise data policies for their commitments.

  • Content Moderation: AI interactions are designed with safety guidelines to prevent harmful or inappropriate content generation.


6. Subscription & Payment Security

  • Payment Processing: All payments are processed through Stripe, which is PCI-DSS Level 1 compliant — the highest level of payment security certification.

  • No Card Storage: We never store your full credit card number. Stripe securely tokenises payment information.

  • Webhook Security: Stripe webhooks are verified using cryptographic signatures to prevent spoofing.

  • Subscription Data: Subscription status and usage limits are stored securely and enforced at both application and database levels.


7. Data Privacy & Compliance

  • We comply with UK GDPR and EU GDPR data-protection principles.

  • We process data only for legitimate purposes, as described in our Privacy Policy.

  • All subprocessors (Vercel, Supabase, Stripe, OpenAI, Google, PostHog, ImgBB) undergo due diligence review and maintain appropriate security certifications.

  • Data Processing Agreements (DPAs) are in place with key subprocessors.

  • If data is transferred outside the UK/EU, it is protected via approved Standard Contractual Clauses (SCCs) or equivalent mechanisms.


8. Data Retention & Deletion

  • Retention: User data is retained for as long as your account remains active. See our Privacy Policy for specific retention periods.

  • User-Initiated Deletion: You can permanently delete your account and associated data by contacting us at contact@doddle.software or through account settings.

  • Cascade Deletion: When you delete a workspace, all associated goals, milestones, tasks, and related data are automatically deleted.

  • Backups: Deleted data may persist in encrypted backups for up to 30 days before being automatically purged.

  • Usage Data: Monthly usage records are retained for 12 months for billing and analytics purposes, then deleted or anonymised.


9. Monitoring, Logging & Incident Response

  • Monitoring: We use automated monitoring and alerting systems to detect performance anomalies or potential security threats.

  • Analytics: We use PostHog for product analytics to understand usage patterns. Analytics data is handled in accordance with our Privacy Policy.

  • Error Logging: Application errors are logged for debugging purposes. Logs do not contain sensitive user data such as passwords.

  • Access Logging: Database access and key administrative events are recorded and periodically reviewed.

  • Incident Response: In the event of a security incident or data breach, we will:

    1. Investigate and contain the issue immediately.
    2. Notify affected users and relevant supervisory authorities (if required by law) within 72 hours of discovery.
    3. Provide updates and remediation steps as the incident evolves.

  • Post-Incident Review: Every security event is followed by a root-cause analysis and process improvement.


10. Employee Security & Training

  • All employees and contractors of Doddle Software Limited sign confidentiality agreements.

  • Access to production user data is restricted and logged.

  • Team members receive ongoing security awareness training covering data-protection best practices, phishing prevention, and incident reporting.

  • Production access requires authentication and is reviewed regularly.


11. Responsible Disclosure & Vulnerability Reporting

We welcome responsible security research.

If you believe you've found a security vulnerability in Manifest or our infrastructure, please report it immediately to:

📧 security@doddle.software

Responsible Disclosure Guidelines:

  1. Do not publicly disclose the issue until we have resolved it.
  2. Avoid accessing or modifying user data that isn't your own.
  3. Provide a detailed description, steps to reproduce, and any relevant technical information.
  4. Do not perform denial-of-service attacks or social engineering.

We will acknowledge valid reports within 48 hours and aim to resolve confirmed issues promptly. We appreciate your help in keeping Manifest secure.


12. Availability & Business Continuity

  • We target 99.9% uptime for Manifest under normal operating conditions.

  • Our infrastructure (Vercel, Supabase) includes redundancy and failover mechanisms to maintain service continuity.

  • Supabase provides automatic database backups with point-in-time recovery capabilities.

  • Disaster-recovery procedures ensure we can restore core functionality within 24 hours of a major outage.

  • Regular backups are tested for integrity.


13. Third-Party Security

We carefully vet all third-party services integrated with Manifest:

  • Supabase (Database, Auth, Storage) — SOC 2 Type II, GDPR compliant

  • Vercel (Frontend Hosting) — SOC 2 Type II, ISO 27001

  • Stripe (Payments) — PCI-DSS Level 1

  • OpenAI (AI Assistant) — Enterprise security, SOC 2

  • Google Gemini (AI Features) — ISO 27001, SOC 2

  • PostHog (Analytics) — SOC 2 Type II, GDPR compliant

  • ImgBB (Image Hosting) — HTTPS encrypted


14. Compliance & Future Certifications

  • Currently, Doddle Software Limited adheres to best-practice standards aligned with ISO 27001 and SOC 2 Type II principles.

  • We use security-certified infrastructure providers (Supabase, Vercel, Stripe) that maintain formal certifications.

  • As Manifest grows, we plan to pursue formal certifications and third-party security audits.

  • We continually review and improve our security measures to stay ahead of evolving threats.


15. Your Security Responsibilities

While we implement robust security measures, you also play a role in keeping your account secure:

  • Strong Passwords: Use a unique, strong password for your Manifest account.

  • Secure Access: Do not share your login credentials with others.

  • Device Security: Keep your devices secure with up-to-date software and malware protection.

  • Suspicious Activity: Report any suspicious account activity to us immediately.

  • Logout: Log out of Manifest when using shared or public devices.


16. Contact Information

For any questions about this Security Policy or data protection at Manifest, please contact:

Doddle Software Limited
📍 127 Foundry Lane, Fareham, SO15 3LD, United Kingdom
📧 security@doddle.software (security issues)
📧 contact@doddle.software (general enquiries)


At Doddle Software Limited, we believe that productivity tools should be both empowering and secure. We are committed to continuously improving our defences to keep your data safe and your focus protected.