
Pixel Tinkers — Security Policy

Last updated: May 2026

Applies to: Pixel Tinkers hosted services, including the Pixel Mirror plugin backend and related Canva companion app infrastructure.

Overview

Pixel Tinkers ("we," "us") builds creative tools for designers. Some of our products—including Pixel Mirror—use a hosted backend to transfer export data between Figma and Canva. We take the security of that infrastructure and of user data seriously.

This page describes how to report security vulnerabilities, what is in scope, and how we handle reports. For general privacy practices, see our Privacy Policy.

Reporting a Security Vulnerability

If you believe you have found a security issue affecting Pixel Tinkers services, please report it to us as soon as possible.

Contact: products@pixeltinkers.io
Subject line (recommended): Security report — Pixel Mirror (or the affected product name)

Please include as much detail as you can:

  • A clear description of the issue and its potential impact
  • Steps to reproduce the vulnerability
  • Affected URLs, API endpoints, or product names (e.g. Figma plugin, Canva app, backend hostname)
  • Proof-of-concept code, screenshots, or logs (if available)
  • Your name and contact information (optional, but helps us follow up)

If your report contains sensitive details (working exploit code, credentials, or another user's data), we prefer that you send it encrypted. If you want to use PGP, say so in your initial email and we will reply with a public key.

Please do not:

  • Publicly disclose the issue before we have had a reasonable opportunity to investigate and remediate
  • Access, modify, or delete data that does not belong to you
  • Perform denial-of-service attacks, or run automated scanning against production systems beyond what is strictly necessary to demonstrate the issue
  • Test against accounts or exports you do not own or have explicit permission to use

What We Will Do

When we receive a valid security report, we aim to:

  • Acknowledge receipt: within 5 business days
  • Initial triage and severity assessment: within 10 business days
  • Status updates on confirmed issues: as the investigation progresses
  • Fixes for confirmed high-severity issues: deployed as soon as reasonably possible after validation

Timelines may vary for complex issues. If you provide contact details, we will keep you informed of progress.

We do not currently operate a paid bug bounty program. We are grateful for responsible reports and will acknowledge researchers who wish to be credited (with your permission) after a fix is deployed.

Scope

In scope

Security issues in Pixel Tinkers hosted services and official client applications that we maintain, including:

  • Pixel Mirror Figma plugin (UI and plugin sandbox logic we ship)
  • Pixel Mirror Canva companion app
  • Backend API at figma-canva-backend.pixeltinkers.workers.dev and related Cloudflare infrastructure (Workers, D1, R2, Durable Objects)
  • Authentication and session handling for Pixel Mirror (Google Sign-In integration, device pairing, export access controls)
  • Export storage, presigned upload URLs, and data lifecycle (creation, access, expiration, deletion)
  • Our public website properties under pixeltinkers.com that we operate directly

Examples of issues we want to hear about:

  • Unauthorized access to another user's export or account data
  • Authentication or authorization bypass
  • Injection vulnerabilities in our APIs
  • Insecure direct object references on export or asset endpoints
  • Leakage of secrets, tokens, or presigned URLs in ways that grant unintended access
  • Server-side flaws that expose stored export metadata or assets

Out of scope

The following are generally out of scope for this program (though we may still forward feedback where appropriate):

  • Vulnerabilities in third-party platforms (Figma, Canva, Google, Cloudflare) — please report those to the respective vendors
  • Social engineering, phishing, or physical attacks
  • Issues requiring unlikely user interaction or compromised end-user devices
  • Missing security headers or best-practice hardening without demonstrated exploitability
  • Rate limiting or denial-of-service unless you can show meaningful impact on service availability or user data
  • Bugs in Figma or Canva product behavior unrelated to our plugin/app code
  • Automated scanner output without a working proof of concept

Pixel Mirror — Security Architecture Summary

This section helps researchers and reviewers understand what our backend does and how data is protected.

Purpose

The Pixel Mirror plugin reads design information from the Figma Plugin API, converts it into an intermediate format, and uploads export assets and metadata to our backend. The Canva companion app retrieves that data so the user can import the design into Canva.

Data handled

  • Account information: email, display name, profile photo, and technical user ID from Google Sign-In. Retained while the account is active; deleted on request.
  • Export metadata: design structure derived from Figma (layout, text, styles, element references). Deleted 24 hours after export creation.
  • Export assets: PNG, JPEG, or SVG files derived from Figma layers. Deleted 24 hours after export creation.
  • Session / auth tokens: used to authenticate API requests. Retained per session policy; we do not store Google passwords.

We do not sell user data. See our Privacy Policy for full details.

Infrastructure

  • Hosting: Cloudflare Workers (API), Cloudflare D1 (relational data), Cloudflare R2 (object storage), Cloudflare Durable Objects (real-time export status)
  • Transport: HTTPS for all API traffic
  • Authentication: Bearer tokens on protected routes; Google OAuth handled by our auth provider; passwords are never stored by Pixel Tinkers
  • Asset uploads: Direct-to-storage via time-limited presigned URLs; exports are scoped to the authenticated user
  • Monitoring: Error and usage telemetry via Sentry. Error reports are not intended to capture export design content; where some context is needed for debugging, it is limited to what is required.

Compliance

Pixel Tinkers is not independently certified under SOC 2, ISO 27001, PCI DSS, HITRUST, or SSAE 18. Our infrastructure provider, Cloudflare, maintains platform-level compliance certifications documented on Cloudflare's trust and compliance pages.

Safe Harbor

We support responsible security research. If you act in good faith, follow this policy, avoid privacy violations and service disruption, and give us reasonable time to remediate before public disclosure, we will not pursue legal action against you for your research activities related to in-scope systems.

This safe harbor applies only to Pixel Tinkers systems and only when our policy is followed. It does not authorize testing of third-party services (Figma, Canva, Google, etc.).

Security Updates and Contact

We may update this policy as our products and infrastructure evolve. Material changes will be reflected on this page with an updated "Last updated" date.

© Pixel Tinkers. All rights reserved.