Top risks and how we manage them.
An abridged, customer-visible view of the risks that LDPS Africa tracks across the platform, our data operations and our commercial partners.
This document is app-owned editable content, not a third-party attestation or certification. It describes controls and practices as they exist at the review date.
How we manage risk
Risks are reviewed each quarter by the LDPS Africa engineering and operations leads. Each risk carries a category, a qualitative likelihood/impact assessment, and a documented mitigation. New risks surfaced by incidents, security scans, or customer feedback are added between reviews.
Current register
| ID | Category | Description | L | I | Mitigation |
|---|---|---|---|---|---|
| R-01 | Platform | Unauthorised access to customer records via a leaked credential. | Medium | High | HIBP password-leak protection, optional TOTP MFA, per-user RLS policies, audit-logged role changes. |
| R-02 | Platform | Privilege escalation through a mis-scoped RLS policy on a new table. | Low | High | Every migration lints RLS + GRANTs; SECURITY DEFINER helpers pin search_path; automated security scanner in release checklist. |
| R-03 | Data | Accidental deletion or corruption of customer KPI data. | Low | Medium | Point-in-time recovery on the managed database and app-level snapshot exports with SHA-256 checksums (see /founder/backups). |
| R-04 | Financial | Payment webhook spoofing crediting a subscription without funds. | Low | High | Paddle and M-Pesa webhooks verify HMAC signatures against the raw body; failed verifications are logged and dropped. |
| R-05 | Operational | Extended outage of a third-party subprocessor (auth, email, payments). | Medium | Medium | Status page tracks provider health; degraded-mode paths for reads; incident response runbook (see BCP/DR). |
| R-06 | Regulatory | Cross-border data-residency requirements evolve for African markets. | Medium | Medium | Compliance roadmap tracks jurisdiction changes; contractual data-processing terms with customers reviewed annually. |
| R-07 | AI | Model output leads a user to an unsafe operational decision. | Medium | Medium | AI outputs are labelled as advisory; recommendations require human confirmation; source data links are preserved in the response. |
Reporting a new risk
If you have identified a risk that is not on this list, email security@ldpsafrica.com. Acknowledged reports are triaged within one business week.
Email security@ldpsafrica.com for the security team or info@ldpsafrica.com for general enquiries.