How LDPS Africa protects your data.
This whitepaper summarises the architecture, controls and operational practices used to protect livestock producer, cooperative and investor data on the LDPS Africa Intelligence Platform.
This document is app-owned editable content, not a third-party attestation or certification. It describes controls and practices as they exist at the review date.
Platform architecture
The LDPS Africa Intelligence Platform is a single-tenant-per-organisation application hosted on Lovable Cloud. The client is a React application served over a global edge network. App-internal logic runs as authenticated server functions; webhooks and public read endpoints are isolated under /api/public/* with per-endpoint signature verification.
All customer data is stored in a managed Postgres database with encryption at rest handled by the underlying cloud provider. Traffic between clients, the edge, and the database is served over TLS 1.2+.
Identity and access
Authentication is provided by Supabase Auth. Email/password and Google sign-in are enabled by default. Passwords are checked against the Have-I-Been-Pwned password-leak list on set/reset. TOTP-based multi-factor authentication is available under Settings → Security.
Roles are stored in a dedicated user_roles table, never on the user profile. Privileged role grants require an explicit super_admin check enforced by a SECURITY DEFINER function with a pinned search_path.
Data protection
Every customer-facing table has Row Level Security enabled and policies scoped to the authenticated user, the organisation membership, or a narrow service role for verified background jobs. GRANTs are applied per table and reviewed alongside each migration.
Service-role credentials are never bundled into the client. They are used only inside verified server-only modules for tasks such as webhook processing, backups, and administrative maintenance.
Application security
The server sends a strict Content-Security-Policy, HSTS, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy on every response. State-changing requests go through typed server functions or signature-verified webhooks — there is no bearer-tokenless mutation path.
Every migration is passed through the Supabase linter and remaining findings are triaged. Dependency updates go through the standard build and typecheck pipeline before release.
Monitoring and observability
Server errors and unhandled client exceptions are captured with request IDs into a persistent error_log table accessible only to super-admins. Sensitive lifecycle events — role changes, audit runs, payment outcomes, KPI snapshot writes — are recorded in append-only audit and operational logs.
Shared responsibility
LDPS Africa is responsible for platform security, the database tier, the API surface, and the managed identity provider. Customers are responsible for their own account credentials, the environments from which they upload data, and any integrations they enable against the LDPS Africa API.
Email security@ldpsafrica.com for the security team or info@ldpsafrica.com for general enquiries.