Features · DepositClear · Updated March 12, 2026

How We Hardened the Danger Zone: Preventing Accidental Irreversible Data Loss

Release: v0.1.187
Area: Settings → Danger Zone

Destructive actions — deleting an account, purging tenancy data, removing an organisation — are by definition irreversible. A single misclick shouldn't be enough to trigger them. In v0.1.187 we audited every destructive control in the Settings page and introduced a layered system of friction designed to make accidental data loss practically impossible.


The Problem with Single-Step Confirmation

The Danger Zone tab in Settings already existed behind a tab boundary, which provided some passive friction. But once a user landed on that tab, destructive actions were only one confirmation step away. This is a well-documented failure mode across SaaS products:

  • A single ConfirmPopover can be dismissed or accepted reflexively.
  • Keyboard navigation and misclicks can trigger confirmations without intent.
  • High-pressure or fatigued users are more likely to confirm without reading.

The result is irreversible data loss that no server-side action can undo.


The Two-Stage Deletion Flow

Destructive actions now require two distinct, deliberate steps:

Step 1: Confirm Popover

The first interaction with any destructive action button opens a ConfirmPopover. This surfaces a plain-language warning explaining what will happen and that the action cannot be undone. The user must explicitly click to proceed — they cannot continue by pressing Enter or dismissing the popover.

Step 2: Type-to-Confirm Modal

After the popover, a modal appears requiring the user to type their organisation name exactly into a text field before the confirm button becomes active.

This step:

  • Requires deliberate, unambiguous user intent
  • Cannot be triggered by a misclick or keyboard shortcut
  • Introduces enough cognitive pause to interrupt an accidental flow
  • Mirrors the pattern used by GitHub, Heroku, Vercel, and other platforms for irreversible operations

┌─────────────────────────────────────────────┐
│  Are you absolutely sure?                   │
│                                             │
│  This will permanently delete your          │
│  organisation and all associated data.      │
│  This action cannot be undone.              │
│                                             │
│  Please type  [organisation name]  below:   │
│  ┌─────────────────────────────────────┐   │
│  │                                     │   │
│  └─────────────────────────────────────┘   │
│                                             │
│            [ Cancel ]  [ Delete ]           │
└─────────────────────────────────────────────┘

The Delete button remains disabled until the typed value matches the organisation name exactly (case-sensitive).


30-Second Undo Grace Period

Even after both confirmation steps, the action is not immediately executed server-side. Where supported, a 30-second countdown begins, during which:

  • The user sees a visible timer and an Undo button.
  • Clicking Undo cancels the operation entirely — no data is changed.
  • If the timer expires without cancellation, the server-side deletion proceeds.

This soft-delete pattern provides a last line of defence while keeping the overall flow non-blocking for users who genuinely intend to proceed.
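As an added illustration (not code from the product described on this page), the following models the server side of the two controls above: the exact, case-sensitive match from Step 2, re-checked on the server because a disabled button is only a client-side guard, and the grace period, driven by an explicit worker tick rather than a live timer so the behaviour is deterministic. The class, method and event names and the sample organisation data are assumptions.

```typescript
// Added example, not the product's own code; names and sample data are assumed.
// Server-side model of the type-to-confirm check and the undo grace period.
interface AuditEvent { at: number; orgId: string; actor: string; event: string }
interface PendingJob { executeAt: number; requestedBy: string }
class DangerZoneService {
  private pending = new Map<string, PendingJob>();
  private audit: AuditEvent[] = [];
  constructor(
    private orgNames: Map<string, string>,   // orgId -> organisation name
    private purge: (orgId: string) => void,  // the irreversible operation
    private graceMs: number = 30000,         // 30-second grace period
  ) {}

  // Step 2 re-validated on the server: the disabled Delete button is only a
  // client-side guard, so the exact, case-sensitive match is checked again here.
  // Returns null on success, otherwise the reason the request was rejected.
  requestDeletion(orgId: string, typedName: string, actor: string, now: number): string | null {
    const expected = this.orgNames.get(orgId);
    if (expected === undefined) return "unknown organisation";
    if (typedName !== expected) return "confirmation text does not match";
    if (this.pending.has(orgId)) return "deletion already pending";
    this.pending.set(orgId, { executeAt: now + this.graceMs, requestedBy: actor });
    this.audit.push({ at: now, orgId, actor, event: "deletion-scheduled" });
    return null;
  }

  // Undo inside the grace period drops the job; no data has been changed yet.
  undo(orgId: string, actor: string, now: number): boolean {
    if (!this.pending.delete(orgId)) return false;
    this.audit.push({ at: now, orgId, actor, event: "deletion-cancelled" });
    return true;
  }

  // Called by a worker tick; runs only jobs whose grace period has elapsed.
  processDue(now: number): string[] {
    const executed: string[] = [];
    this.pending.forEach((job, orgId) => {
      if (job.executeAt > now) return;
      this.pending.delete(orgId);
      this.purge(orgId);
      this.orgNames.delete(orgId);
      this.audit.push({ at: now, orgId, actor: job.requestedBy, event: "deletion-executed" });
      executed.push(orgId);
    });
    return executed;
  }

  isPending(orgId: string): boolean { return this.pending.has(orgId); }
  auditTrail(): readonly AuditEvent[] { return this.audit; }
}
```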


Danger Zone Tab Visibility Changes

Beyond the action flows themselves, the tab entry point has also been hardened:

Change                 | Before                             | After
-----------------------|------------------------------------|--------------------------------------------------
Tab label colour       | Standard (same as all other tabs)  | Muted/destructive colour to signal severity
Tab position in strip  | Unaudited / arbitrary              | Last in the tabs array, away from accidental hover

Positioning the Danger Zone tab last means it is never adjacent to the most-used settings tabs. The distinctive label colour ensures users do not stumble onto it while scanning.


Summary

These changes collectively make it practically impossible to accidentally delete an account or purge data through the Settings page:

  1. The Danger Zone tab is visually distinct and positioned last.
  2. Destructive actions require a two-step confirmation: popover → type-to-confirm.
  3. A 30-second soft-delete grace period allows reversal even after confirmation.

This brings the platform in line with established industry best practices for destructive operations and directly supports our commitment to fair, auditable, and recoverable tenancy management.