Trust
Security at LendScope.
Brokers handle sensitive financial data. We take that responsibility seriously — here's how we protect your workspace.
Infrastructure
- Hosted in Sydney (ap-southeast-2). Database, file storage, and backups all stay in Australia.
- Managed Postgres via Supabase, with row-level security policies isolating every user's data.
- TLS 1.2+ everywhere. HSTS enabled. No insecure HTTP endpoints exposed.
- Encrypted at rest via AES-256 on the database and backup volumes.
Authentication
- Supabase Auth with PKCE flow — no plaintext password exchange.
- Social sign-in via Google and Microsoft (OAuth 2.0).
- Password reset links are single-use, time-bound, and PKCE-bound.
- Multi-factor authentication is on the roadmap for Team and Enterprise tiers.
Application security
- Content Security Policy in place; no inline-script execution from untrusted origins.
- All user input is escaped before being rendered into the DOM (
escHtml/escHhelpers). - Quarterly dependency audit — we keep critical-CVE patch latency under 14 days.
Operational security
- Production access is restricted to a small named team, audited monthly.
- Backup integrity is tested quarterly via point-in-time recovery drills.
- Incident response runbook tested annually.
Responsible disclosure
If you find a vulnerability, please email security@lendscope.com.au with reproduction steps. We acknowledge within 24 hours and aim to patch critical issues within 7 days. We don't pursue legal action against good-faith researchers who follow responsible disclosure.
For data-handling specifics, see our Privacy Policy.