URLs, Not Content

We store task links to your Google Docs, Figma, and repos. Never the actual files.

We Sign Your NDA

Pre-activation call to discuss confidentiality. We'll sign your one-way NDA.

Human Review

AI drafts, humans review. Nothing reaches your team without human oversight.

What Stays Where

Stays in Your Tools
  • Google Docs content
  • Source code
  • Figma/design files
  • Slack messages
  • Meeting recordings

DavidPM Stores
  • URLs to your docs
  • Task titles & status
  • Stakeholder names/emails
  • Check-in responses
  • Progress metrics

Your access controls on external tools remain unchanged. We never see content behind the URLs.

How We Protect Your Data

Encryption

  • HTTPS/TLS in transit
  • AES-256 at rest
  • OAuth tokens encrypted separately

Access Control

  • Row-level security on all tables
  • Per-project admin assignment
  • Users see only their projects

Infrastructure

  • Supabase (SOC 2 compliant)
  • Stripe (PCI-DSS compliant)
  • Postmark (DKIM/SPF auth)

Operations

  • PM confidentiality training
  • Limited data access by role
  • Audit logging enabled

NDA Process

1. Pre-Activation Call

One week before activation, we schedule a call to discuss your confidentiality requirements.

2. Review & Sign

Share your NDA or security docs. We'll sign your one-way NDA if that's what you need.

3. Scope Confirmation

We confirm exactly what we'll access and manage. No surprises.

Our Commitments

  • Your project info is confidential
  • We share it only with your designated stakeholders
  • We never share your info with other customers
  • Team members are bound by confidentiality agreements

What We Don't Have (Yet)

We believe in being upfront. Here's what we're building toward:

SOC 2 Certification (Not Yet)

Building toward this. Today, we rely on Supabase and Stripe's SOC 2 compliance.

ISO 27001 (Not Yet)

Not currently certified.

HIPAA (N/A)

DavidPM is not suitable for protected health information.

Pen Testing (Not Yet)

Internal security reviews only. No third-party pen test reports yet.

Need specific certifications? Let's talk. We're happy to discuss what we can accommodate.

Data Lifecycle

Active Subscription

Full dashboard access. Your work stays in your PM tools.

After Cancellation

Access through billing period. Export activity log if needed.

90 Days Post-Cancel

DavidPM data deleted. Your work remains in your tools.

Since your actual work stays in your PM tools, there's little to "export" — your tasks, docs, and files never left your systems.

Integration Security

When you connect external PM tools:

  • OAuth 2.0 — We never see your password
  • Minimal permissions — Only what's needed for task sync
  • Instant revoke — Disconnect anytime from settings
  • One-way sync — We import from your tools, not write back

Trello, Asana, Monday.com, ClickUp

Questions?

Security questions or need documentation for procurement?

support@davidpm.pro