Security
Last updated: May 11, 2026
1. Security Overview
Punisher is designed to protect customer data and credentials. We implement the highest security security controls, including encryption, protected credentials, and least-privilege access.
2. Encryption
- In transit: data is protected using TLS where applicable.
- At rest: stored data is encrypted where supported by underlying infrastructure.
3. Credentials & Secrets
We use protected authentication flows and do not expose access tokens.
- Microsoft Azure AD: authentication uses OAuth 2.0 / OIDC flows. Tokens are handled server-side and are not exposed to the browser beyond session cookies secured with HttpOnly and Secure flags.
- Atlassian OAuth 2.0: the Jira integration uses Atlassian's OAuth 2.0 (3-LO) flow. Access tokens are stored server-side with encryption at rest and are scoped to the minimum required permissions (read:jira-work, write:jira-work). Refresh tokens, if issued, follow the same security controls. Users can revoke access at any time from id.atlassian.com/manage-profile/apps.
- Figma API: tokens are held ephemerally for the duration of a comparison job and are not persisted beyond session requirements.
4. Minimal Data & Retention
We aim to store the minimum amount of data necessary to provide the Service. Retention and deletion practices are described in the Privacy Policy and (where applicable) the Data Processing Addendum.
5. Responsible Disclosure
If you believe you have found a security vulnerability, please report it responsibly to: [email protected]. Please include steps to reproduce, impact, and any relevant logs.
6. Status & Incident Communication
If a material security incident occurs, we will communicate in accordance with applicable law and contractual obligations.
7. Operator & Contact
Operator: PunisherLabsES (V. B. Badiuc). Address: Spain, Málaga, San Andrés 5.
For any questions (support, legal, privacy, security, billing): [email protected]