Security you can verify
How Fragmite protects customer data, where it lives, and what we're certifying next. Last reviewed June 2026.
Security posture
Encryption everywhere
TLS 1.2+ in transit. AES-256 at rest on managed cloud storage. Secrets sealed with workspace-scoped key management.
Auth & access
Email + Google SSO out of the box. Server-side role checks via SECURITY DEFINER functions. No client-side privilege checks, ever.
Row-level security
Every customer-data table is RLS-enabled. Policies scope to the authenticated user ID. Service-role usage is server-only and audited.
Code review & CI
Every change passes typecheck, lint, and security scan before deploy. Dependency audit blocks high/critical advisories.
Isolated environments
Separate dev and production projects. Production secrets never reach dev. Backups taken daily with 30-day retention.
Logging & alerts
Authentication, write, and admin events logged. Anomalies route to on-call within minutes.
Data residency
Customer data for Zambian deployments stays in-country wherever the project's data classification requires.
Encrypted backups and warm-standby compute in South Africa for resilience without leaving the continent.
Compliance roadmap
Subprocessors
Vendors that may process customer data on our behalf.
| Vendor | Purpose | Region |
|---|---|---|
| Lovable Cloud | Application platform, database, auth | EU / US |
| AWS | Backups, failover compute | af-south-1 (Cape Town) |
| Cloudflare | Edge delivery, DDoS protection | Global |
| Resend / Mailgun | Transactional email | EU / US |
Responsible disclosure
Found a security issue? Email security@fragmite.tech with a clear reproduction and impact assessment. We acknowledge within 24 hours, fix critical issues within 7 days, and credit researchers in our changelog. Please do not test against production data, exfiltrate records, or run denial-of-service attacks.