Features & Security Architecture

The Way Program Management Should Have Worked All Along.

The tools program managers have had for 20 years were built for task lists, not phase gates. Phase Gate Manager brings the visibility, structure, and discipline that real program work has always demanded — from the first gate to the day it ships.

Platform Capabilities

Every Feature Earned Its Place.

Each capability below exists because a real program needed it. No bloat, no filler, no features held back for a higher tier. Every license includes every feature.

Visual Gantt Timeline
Project-per-row architecture with live milestone tracking, auto-scrolling today line, and phase gate status across your entire portfolio in a single glance.
Phase Gate Enforcement
Structured gate approval workflow from concept through market launch. Configurable regulated mode requires evidence documents before gate approval unlocks.
Executive Dashboard
Portfolio health at a glance. Schedule status, open problems, dependency risks, and financial variance across every active project. One page, built for leadership reviews.
Baseline + Waterfall
Snapshot baseline dates at gate approval. Waterfall chart shows plan vs. actual vs. current for every gate — so schedule slippage is visible, not hidden.
Risk Register
Risks captured with owner, severity, probability, and mitigation plan. Tied to projects and gates. Visible at the executive level so nothing stays hidden.
Change Control
Strict change request workflow for regulated industries. Request → Review → Approve/Reject with full audit trail. Who changed what, when, and why — logged forever.
Financial Tracking
Budget, committed, actual, and EAC at gate and project level. Variance tracked automatically. Database-layer access control — financial data never leaks to unauthorized eyes.
Quality Toolkit
5-Why, Why Made/Why Shipped, Cause & Effect, 8D, PDCA, Problem Resolution Timeline — all built in. PDF export per tool with your branding.
Dependency Tracking
Lead-time-based dependencies between tasks and gates. The system flags when the math doesn't work — so you catch schedule problems before they surface in a status meeting.
Task Groups + Filtering
Free-text task groups match how your plant actually works — not hardcoded departments. Collapsible headers and a filter bar that handles 400+ task programs without breaking a sweat.
Project Templates
Save any project as a template. Start new projects from a template in seconds. Handles plant-to-plant variation where departments and processes differ.
Document Version Control
Upload a new version and the old one is superseded automatically. Version badges, history, and rollback — never wonder which PDF is current again.
Immutable Audit Trail
Every approval, change, and administrative action — including vendor access by PGM Master Admin — logged with timestamp, user identity, and reason. Database-enforced append-only. Ready for internal, customer, or regulatory audits.
Role-Based Access
Master Admin, Site Admin, Editor, Viewer. Confidential and financial data gated at the database layer — not hidden in the UI. Enforced, not suggested.
Your Own Instance
Your data, your Supabase account, your subdomain. Single-tenant by design — no shared database, no noisy neighbors, no blast radius from another customer's breach.

Programs Aren't Task Lists.
Why Use a Task List Tool?

A straight-talk comparison across the three approaches most teams are using today. Not every row favors Phase Gate Manager, but the rows that matter for program work do.

Capability | Spreadsheets + Email | Generic PM Tools | Enterprise Phase Gate | Phase Gate Manager
Pricing & Model
One-time perpetual license Yes
Typical 3-year total cost (25 users) Hidden labor cost $18K–$30K $150K–$900K+ $27,500 flat
Hard pricing cap N/A $50K cap
Feature gating by tier N/A Yes — common Yes — common None
Phase Gate Methodology
Native phase gate workflow
Gate approval with evidence requirement Varies
Industry gate templates included Paid add-on All included
Baseline + waterfall schedule view
Risk & Change Management
Risk register with severity + mitigation Manual Add-on
Change control workflow
Regulated mode (evidence-gated approvals)
Financial Tracking & Reporting
Budget / EAC / variance tracking Manual
Financial data gated at database layer UI only
Executive dashboard (portfolio view)
Print-ready PDF reports with branding
Quality Toolkit
5-Why, 8D, PDCA built in
Problem Resolution Timeline
Security & Data Ownership
Customer owns their data + infrastructure
Single-tenant deployment (isolated instance) N/A
Immutable audit trail
Database-layer row-level security
Setup & Ongoing
Time from purchase to live Days Hours – Weeks 3 – 6 months Under 20 min
Requires consultants to deploy Sometimes Yes — common Turnkey
Price increases at renewal N/A Frequent Frequent Never — perpetual

● Fully supported · ◐ Partial / varies by vendor or plan · — Not supported. Claims about competitor categories reflect general market characteristics, not specific vendor offerings.

Three Things That Matter Most

Your Data. Your Instance.
Your Audit Trail.

The single biggest difference between Phase Gate Manager and every multi-tenant SaaS tool on the market: you own the whole stack, you run it on your own infrastructure, and every administrative action — ours included — is logged in the same audit trail you already use for your own users.

You Own Your Data
Your Supabase account. Your Cloudflare account. Your database. Every record, every document, every audit log lives in infrastructure you control and can walk away with at any time.
Transparent By Design
A single Master Admin account is reserved for Phase Gate Manager LLC — used only for license verification, applying critical patches, and responding when you request support. The role is documented in your EULA, and every action it takes is captured in the same immutable audit trail your own users are subject to. You see exactly when we've accessed your deployment, why, and what we did.
Single-Tenant, Always
Your deployment is yours, not a shared database with other customers. If a competitor down the street has a security incident, it has zero blast radius to your instance. Single-tenant is the whole architecture — not a premium add-on.

Defense in Depth.
Three Layers. Zero Shortcuts.

Phase Gate Manager runs on top of two SOC 2 Type II certified platforms. Each layer handles what it does best — and together they provide the protection that regulated-industry work demands.

Cloudflare Pro: SOC 2 Type II Certified
Supabase Pro: SOC 2 Type II Certified
Phase Gate Manager: Pen-Tested at Launch · Scanned per Deploy
| Security Layer | Cloudflare Pro (Network Edge) | Supabase Pro (Database Layer) | Phase Gate Manager (Application Layer) |
|---|---|---|---|
| Managed WAF (Web Application Firewall) | Managed rulesets, continuous updates | Handled upstream | Handled upstream |
| Advanced DDoS Mitigation | Continuous, auto-scaling protection | Handled upstream | Handled upstream |
| Bot Management | Automated bot detection & blocking | Handled upstream | Handled upstream |
| TLS 1.3 Encryption in Transit | Enforced at edge | Enforced to DB | Inherited |
| AES-256 Encryption at Rest | Not applicable | All data encrypted at rest | Inherited |
| Row-Level Security (RLS) | Not applicable | Enforced at DB query level | Policies defined in app |
| Authentication & Session Management | Not applicable | JWT, bcrypt, MFA support | Role enforcement & session policies |
| Leaked Password Detection | Not applicable | Checked on set/change | Inherited |
| Brute-Force Protection | Edge rate limiting | Auth lockout policies | Inherited |
| Financial & Confidential Data Gating | Not applicable | Enforced at DB, not UI | Policy definition & enforcement |
| Immutable Audit Trail | Not applicable | Append-only log table | Every action logged w/ user + time |
| Backup & Point-in-Time Recovery | Not applicable | Automated daily backups | Inherited |
| DNS & SSL Certificate Management | Fully managed | Handled upstream | Handled upstream |
| Zero-Day Threat Protection | Managed ruleset updates | Platform-level patches | Critical patches — always included |
| Data Residency — US Region | Global network with US POPs | AWS US-East default | Inherited |

How We Test Our Security

Testing is Proof.
Not a Checkbox.

Security posture is only as good as the evidence backing it. Phase Gate Manager commits to two independent verifications of the code base and deployment — one at launch, and one before every single customer goes live.

At Launch
Full Penetration Test
Independent penetration testing firm engaged before the first commercial client goes live. Full-scope web application assessment, findings remediated, and completion documented on the security page.
  • Full-scope web application security assessment
  • All findings remediated before any client deployment
  • Completion date and scope published publicly
  • Repeat assessment at revenue milestones
Per Deployment
Pre-Deployment Security Scan
Every customer deployment is scanned by an independent security tool before it goes live. No deployment ships without passing the scan — and the findings are documented in your deployment record.
  • Independent security scan before every customer deployment
  • Known vulnerability detection across all dependencies
  • Configuration audit against secure defaults
  • Scan record delivered with your deployment documentation

Straight Answers.
No Hand-Waving.

Is Phase Gate Manager SOC 2 compliant?
The two infrastructure platforms Phase Gate Manager runs on — Cloudflare Pro and Supabase Pro — are both SOC 2 Type II certified. PGM LLC's own SOC 2 Type I audit is scheduled at a specific revenue milestone on the published compliance roadmap. Until then, we operate to SOC 2 control principles but do not make our own SOC 2 certification claim. We believe that's the honest answer.
Who has access to my data?
Your deployment runs in your own Supabase and Cloudflare accounts under your credentials. A single Master Admin account is reserved for Phase Gate Manager LLC — disclosed in your EULA — and is used only for license verification, applying critical patches, and responding to support requests you initiate. Every action taken by that account is captured in the same immutable audit trail your own users see, with a required reason logged for each access session. You can verify exactly when we've accessed your deployment, why, and what we did. If PGM LLC disappeared tomorrow, your deployment would keep running, your data stays with you, and you can revoke the Master Admin account entirely if you choose (with the understanding that doing so ends your ability to receive maintenance).
What if Supabase or Cloudflare goes down?
Outages at either provider would affect Phase Gate Manager, like any software running on those platforms. That's a trade-off we accept in exchange for the top-tier security posture both platforms provide. Both companies publish status pages and have documented SLAs — and both have dramatically higher uptime than any small-vendor-built infrastructure could match.
Can we use this in a regulated industry?
Yes. Phase Gate Manager was designed with regulated industries (pharmaceutical, defense, aerospace, medical device) in mind. Regulated mode enforces evidence-gated approvals, change control workflow is strict by default, the audit trail is immutable, and role-based access is enforced at the database layer. For deployments with specific frameworks (FDA 21 CFR Part 11, CMMC), contact us before purchase so we can confirm fit.
How do I get audit evidence for compliance reviews?
The immutable audit trail captures every approval, every change, and every access event with timestamp and user identity. Reports are exportable as PDF with your branding. For deployments on Tier 2 or Tier 3 maintenance, the annual third-party security scan produces a written findings report you can include in your compliance documentation.
What's the data residency?
Your data lives in your Supabase account, which defaults to AWS US-East. If you need a different region (EU, APAC), you can configure your Supabase project accordingly before running the Setup Wizard. Cloudflare's network is global, but customer data flows only through their US points of presence when your Supabase project is US-hosted.
What happens in a security incident?
Infrastructure-layer incidents (Cloudflare, Supabase) are handled by those providers under their documented incident response processes. Application-layer incidents are addressed by PGM LLC via critical patch delivery — which is always included regardless of maintenance status. Because each customer runs a single-tenant deployment, an incident affecting one customer has zero blast radius to other customers.
Are features ever removed or moved to a higher tier?
No. Every feature is included with every license. The pricing scales with seats, not features. Once you own a version of Phase Gate Manager, every feature in that version is yours — and we don't have a mechanism to take features away from a license we already sold.

See It in Action.

The fastest way to evaluate Phase Gate Manager is to start a 30-day trial and run a real program through it.
