LEGAL_SPEC_v1.2

Privacy & Security

Last Updated: Sunday, March 8, 2026

Privacy Policy

Data Transparency

Tabletop Designer is designed with a "Privacy First" architecture. We only transmit data to our Cloud API when it is strictly necessary to perform heavy processing tasks that exceed Figma's sandbox limitations (such as CMYK conversion and high-resolution PDF generation).

Note: Standard exports (PNG/JPEG) in sRGB for users are processed entirely locally on your machine and are never sent to our servers.

What Data We Collect

  • Asset Metadata: Temporary identifiers for your export session to track progress and session IDs.
  • Image Data: When you export to CMYK, PDF, or TIFF, the raw image bytes from Figma are sent to our secure Cloud API for processing.
  • Data Source URLs: If you use Google Sheets integration, the published CSV URL is sent to our server to bypass CORS (Cross-Origin Resource Sharing) restrictions.

How Data is Handled

  • In-Memory Processing: All image conversion happens in high-performance system memory.
  • No Permanent Storage: We do NOT store your design assets, image data, or Google Sheet contents on our servers permanently. Once your export session is closed and the ZIP/PDF is returned to you, all associated data is purged from our system memory.
  • Encryption: All data is transmitted over standard SSL/TLS (HTTPS) encryption to ensure it remains private during transit.

Third-Party Services

We do not sell, trade, or otherwise transfer your data to outside parties. We only interact with the following services:

  • Google Sheets: To fetch the data you explicitly provide via a published link.
  • Figma: To manage your subscription via the official Figma Payments API.
REF_002: VULNERABILITY_MANAGEMENT

Security Vulnerabilities Protocol

In alignment with industry standards and Figma’s security guidelines, we maintain a proactive protocol for identifying and resolving security vulnerabilities within the Tabletop Designer ecosystem.

Reporting Channel

If you discover a potential vulnerability, please report it immediately via the Feedback Loop or directly to support@tabletop-designer.cc.

Triage Timeline

All security reports are triaged within 24 hours. We acknowledge all legitimate reports and provide regular status updates during the resolution process.

Internal Monitoring & Prevention

1. Automated Dependency Auditing

We use automated tools to monitor our npm dependencies for known vulnerabilities (CVEs). Audits are performed during every build cycle, and high-severity patches are applied immediately to both the plugin and the Cloud API.

2. Dynamic Authentication & Token Rotation

The connection between the Figma Plugin and our Cloud API is protected by a Dynamic HMAC-SHA256 Authentication protocol. Security tokens are regenerated every 60 seconds based on a rolling timestamp, preventing static secret leakage and replay attacks.

3. Environment Isolation

The Cloud API operates within an isolated Docker Container environment. This ensures that processing tasks (like Sharp image conversion) are sandboxed from the host system, providing an additional layer of defense-in-depth.

4. Processing-Only Architecture

By design, we minimize our "attack surface" by maintaining a zero-storage policy. We do not use databases to store user design data. All processing happens in ephemeral system memory and is purged the moment the file is delivered.

Incident Response & Patching

  • Server-Side Patches: Security fixes for the Cloud API are prioritized and typically deployed within 48 hours of verification.
  • Client-Side Updates: Vulnerabilities requiring plugin-level changes are submitted to Figma for review immediately upon resolution.
  • Responsible Disclosure: We ask that you provide us with a reasonable amount of time to resolve the issue before making any information public.

Commitment

We are committed to providing a secure and professional environment for board game designers. Your trust and the integrity of your design data are our highest priorities.