Security

Particles UI is a hosted design token platform (Studio, API, CLI, and Figma plugin). This page describes how we handle security, what data we process, and how to report vulnerabilities responsibly.

Report a vulnerability

If you believe you have found a security issue in Particles UI — including our API (api.particles-ui.com), Studio, CLI, or Figma plugin — please report it to security@particles-ui.com. Include a clear description, steps to reproduce, and the impact you believe it has.

We review reports as they arrive, prioritize fixes based on severity, and will work with you on coordinated disclosure when appropriate. Please do not publicly disclose unresolved critical issues before we have had a reasonable time to respond.

We do not currently offer a paid bug bounty program. We appreciate good-faith research and will acknowledge reporters when they wish to be credited.

Infrastructure & transport

All traffic between clients (Studio, Figma plugin, CLI) and our API uses HTTPS (TLS). Application data is stored in managed PostgreSQL databases. Session and cache data are held in server-side stores, with access limited to what operations require.

Secrets (OAuth client credentials, database URLs, signing keys, Stripe keys) are kept in environment configuration on our infrastructure and are not embedded in client bundles or the Figma plugin build.

Authentication & access control

Studio uses Better Auth with OAuth 2.0 (GitHub, Google) and email magic links. Sessions are issued by our hosted API with secure cookie settings in production.

The Figma plugin and CLI use the OAuth 2.0 Device Authorization Grant (RFC 8628). Users approve access in the browser; the plugin never collects passwords inside Figma. Access tokens are stored locally on the user's device (figma.clientStorage, localStorage) and sent only to our API in the Authorization header.

Organization members are assigned roles (Designer, Developer, Admin). API requests are authorized per organization and project; users cannot access projects they do not belong to.

Figma plugin data

The plugin connects only to the Particles API endpoints declared in its manifest. It does not send data to third-party analytics or advertising services.

Stored locally in Figma

The auth session (access token and basic profile) and, after a Pull, a tokenId → variableName map used so the Inspector and themes keep working after a reload. Signing out clears the local session data.

Stored on our servers

When a user confirms Push, Figma variable values read via the Variables API are sent to our API and stored with the project branch. Pull fetches tokens from our servers into Figma; no Figma file content is uploaded during Pull alone.

Webhooks & integrations

Project webhooks are signed with HMAC-SHA256 so receivers can verify that a payload is authentic and unmodified. Receivers should recompute the HMAC over the raw request body exactly as received (not over re-serialized JSON) and compare it to the signature in constant time. Stripe handles payment card data; we do not store raw card numbers on our servers.

Compliance & certifications

Particles UI is not currently certified under SOC 2, PCI DSS, HITRUST, ISO 27001, or SSAE 18. We follow common SaaS security practices and are working toward more formal policies and disclosures as the product matures.

Contact

Security reports: security@particles-ui.com

Product documentation: Getting started · Figma plugin