Skip to main content
LLDPS Africa
Risk Register

Top risks and how we manage them.

Version 1.0 · Last reviewed July 2026 · Maintained by LDPS Africa

An abridged, customer-visible view of the risks that LDPS Africa tracks across the platform, our data operations and our commercial partners.

This document is app-owned editable content, not a third-party attestation or certification. It describes controls and practices as they exist at the review date.

How we manage risk

Risks are reviewed each quarter by the LDPS Africa engineering and operations leads. Each risk carries a category, a qualitative likelihood/impact assessment, and a documented mitigation. New risks surfaced by incidents, security scans, or customer feedback are added between reviews.

Current register

IDCategoryDescriptionLIMitigation
R-01PlatformUnauthorised access to customer records via a leaked credential.MediumHighHIBP password-leak protection, optional TOTP MFA, per-user RLS policies, audit-logged role changes.
R-02PlatformPrivilege escalation through a mis-scoped RLS policy on a new table.LowHighEvery migration lints RLS + GRANTs; SECURITY DEFINER helpers pin search_path; automated security scanner in release checklist.
R-03DataAccidental deletion or corruption of customer KPI data.LowMediumPoint-in-time recovery on the managed database and app-level snapshot exports with SHA-256 checksums (see /founder/backups).
R-04FinancialPayment webhook spoofing crediting a subscription without funds.LowHighPaddle and M-Pesa webhooks verify HMAC signatures against the raw body; failed verifications are logged and dropped.
R-05OperationalExtended outage of a third-party subprocessor (auth, email, payments).MediumMediumStatus page tracks provider health; degraded-mode paths for reads; incident response runbook (see BCP/DR).
R-06RegulatoryCross-border data-residency requirements evolve for African markets.MediumMediumCompliance roadmap tracks jurisdiction changes; contractual data-processing terms with customers reviewed annually.
R-07AIModel output leads a user to an unsafe operational decision.MediumMediumAI outputs are labelled as advisory; recommendations require human confirmation; source data links are preserved in the response.

Reporting a new risk

If you have identified a risk that is not on this list, email security@ldpsafrica.com. Acknowledged reports are triaged within one business week.

Questions or corrections?

Email security@ldpsafrica.com for the security team or info@ldpsafrica.com for general enquiries.