Trust

Security & compliance

Lymra exists to make a cleaning company’s service record defensible. That only works if our own handling of your data is itself defensible. This page documents how we operate, where data is processed, and how we comply with POPIA.

1. Trust principles

Lymra is built to be a trust system, not a scheduling tool. The guarantees that make a proof report defensible to a property manager have to also hold up in our own infrastructure:

  • Evidence is tamper-evident. Every uploaded image is hashed (SHA-256) at intake; the hash is stored alongside the object key, so any post-upload modification is detectable.
  • GPS and time are recorded server-side. Capture timestamps from the device are bounded against server time on upload. The server’s clock — not the device’s — leads on the proof report.
  • Encryption in transit is mandatory. All HTTP traffic is TLS-only via the hosting edge. Session cookies are issued with HttpOnly and Secure flags in production.
  • POPIA compliance is ongoing, not a checkbox. An Information Officer is named and reachable, retention windows are enforced by an automated daily job, and data subject rights can be exercised from inside the product.
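The first two principles above, sketched as an added example (this is not Lymra's code). The function names, the object keys, the sample bytes and the five-minute skew bound are assumptions made for illustration.

```javascript
// Added example, not Lymra's implementation: hash evidence at intake and
// bound the device's capture time against the server clock.
const { createHash, timingSafeEqual } = require("node:crypto");

// Assumption: largest tolerated gap between device capture time and server receipt.
const MAX_SKEW_MS = 5 * 60 * 1000;

function sha256Hex(bytes) {
  return createHash("sha256").update(bytes).digest("hex");
}

// Build the record written at intake: digest stored beside the object key,
// server time recorded as the authoritative timestamp.
function intakeEvidence(objectKey, bytes, deviceCapturedAt, serverNow = Date.now()) {
  const skewMs = Math.abs(serverNow - deviceCapturedAt);
  // NaN or missing device time fails the bound and is marked untrusted.
  const deviceTimeTrusted = Number.isFinite(deviceCapturedAt) && skewMs <= MAX_SKEW_MS;
  return {
    objectKey,
    sha256: sha256Hex(bytes),
    receivedAt: serverNow,   // the server clock leads on the report
    deviceCapturedAt,        // kept for reference only
    deviceTimeTrusted,
  };
}

// Re-hash the object as currently stored and compare with the intake digest.
function verifyEvidence(record, storedBytes) {
  const expected = Buffer.from(record.sha256, "hex");
  const actual = createHash("sha256").update(storedBytes).digest();
  return expected.length === actual.length && timingSafeEqual(expected, actual);
}

// Constructed sample data (not real evidence).
const SERVER_NOW = Date.UTC(2025, 0, 15, 9, 0, 0);
const photo = Buffer.from("constructed-jpeg-bytes");
const record = intakeEvidence("evidence/job-123/photo-1.jpg", photo, SERVER_NOW - 30000, SERVER_NOW);
const backdated = intakeEvidence("evidence/job-123/photo-2.jpg", photo, SERVER_NOW - 6 * 3600000, SERVER_NOW);
const tampered = Buffer.from(photo); // copy, then flip one bit
tampered[0] ^= 0x01;

console.log("device time trusted:", record.deviceTimeTrusted, backdated.deviceTimeTrusted);
console.log("integrity check:", verifyEvidence(record, photo), verifyEvidence(record, tampered));
```

The check only detects modification if the digest record cannot be rewritten by whoever can overwrite the stored object, so the two should sit behind separate write permissions.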

2. Where your data is processed

Lymra is a South African company serving South African cleaning operators. Our cloud infrastructure is hosted in the European Union and adjacent regions, where data-protection laws meet POPIA’s “adequate level of protection” standard for cross-border processing.

For procurement reviews, the full sub-processor list is in Section 8.

3. POPIA compliance

Lymra (Pty) Ltd processes personal information in accordance with the Protection of Personal Information Act, 2013 (POPIA) of the Republic of South Africa.

Owen Mostert — Information Officer, Lymra (Pty) Ltd

Email: privacy@lymra.co.za

Designated under POPIA s55–56. Statutory response window: 30 days. Urgent security notifications acknowledged within one business day.

Cross-border processing is conducted under POPIA Section 72 (transfer of personal information outside the Republic), where the receiving country has data-protection laws providing an adequate level of protection. Data subject rights — access, correction, deletion, objection, portability — can be exercised directly from account settings or by emailing the Information Officer.

If you remain unsatisfied after engaging our Information Officer, you may lodge a complaint directly with the Information Regulator of South Africa.

4. Encryption

  • In transit. TLS 1.2+ on every connection between client, edge, and origin. HTTP requests are upgraded; mixed content is blocked.
  • At rest. Storage is encrypted at the provider layer. Turso and Cloudflare R2 both encrypt object and database storage by default.
  • Sessions. Sealed by iron-session — signed and encrypted server-side cookie payloads. HttpOnly, Secure (in production), SameSite=Lax.
  • Secrets. Database credentials, R2 keys, email credentials, and session passwords are stored as Vercel environment variables, never in source. Rotation is tracked in an internal log.

5. Access controls & audit trail

  • Role-based access. Owner, Admin, Supervisor, and Cleaner roles inside a tenant; Property Manager users in a separate isolated realm; Internal Admin users for platform operations.
  • Tenant isolation. Every tenant query is scoped by company_id at the data-access layer. Cross-tenant reads by internal admins are recorded in a separate audit trail (see below).
  • Two-factor authentication. TOTP-based MFA is enforced for internal admin users. Tenant users can opt in.
  • Tenant audit log. All sensitive actions inside a tenant — invites, deactivations, payment-status changes, privilege grants, evidence access — are written to a tamper-evident audit log retained for 12 months.
  • Cross-tenant access trail. Whenever a Lymra internal admin reads a tenant’s data, the action is recorded in a cross-tenant access trail. The relevant tenant can request a copy of their slice at any time. Retained for 12 months.
  • Rate limiting. Login, contact, MFA, and other sensitive endpoints are rate-limited at the IP level via Upstash Redis.

6. Retention

A daily retention job hard-deletes records older than the windows below. The same windows are documented in our Privacy Policy and the two stay aligned by policy:

  • Active account data — retained while the account is active.
  • Evidence photos — 12 months as standard. Per-plan adjustments available.
  • Tenant audit log — 12 months.
  • Cross-tenant access trail — 12 months.
  • Outbound email log — 6 months. Provider message-id and delivery status only; bodies are not stored.
  • CSP violation reports, cron-run history — 90 days.
  • Marketing-funnel events — 12 months.
  • Soft-deleted records — 90 days, then hard-deleted.

7. Incident response

If a security incident affecting personal information is identified or reported, our response operates against these commitments:

  • Acknowledgement. Initial acknowledgement within one business day of report.
  • Containment. Immediate steps to limit ongoing exposure (revoking credentials, rotating secrets, isolating affected systems).
  • Notification to the Information Regulator. Where notification is required under POPIA s22, this is filed within statutory windows.
  • Notification to affected data subjects. Where reasonably required, affected users are notified directly by email with a description of the incident, the personal information involved, and recommended steps.
  • Post-incident review. Root-cause review feeds into corrective changes (code, configuration, process). Findings are summarised and shared with affected tenants.

To report a suspected security issue, email privacy@lymra.co.za with as much detail as you can share. We acknowledge urgent reports within one business day.

8. Sub-processors

The following cloud providers are engaged in the processing of personal information on Lymra’s behalf, under data processing agreements:

  • Vercel. Application hosting + edge delivery. Global edge; primary serverless region eu-central-1 (Frankfurt, Germany) per Lymra project config.
  • Turso. Primary database (libSQL / SQLite-compatible). AWS eu-west-1 (Ireland).
  • Cloudflare R2. Evidence images and proof-report storage. Eastern Europe (EEUR).
  • Resend. Transactional email (notifications, invitations, auto-replies). EU.
  • Upstash Redis. Rate limiting + session-adjacent counters. AWS eu-west-1 (Ireland).

Material changes to this list are announced to existing tenants by email at least 14 days in advance, except where a shorter window is required to address a security risk.

9. Reach the Information Officer

For privacy questions, data subject requests, security disclosures, or to inspect this site’s POPIA compliance posture in detail, the Information Officer is the named point of contact.

Lymra (Pty) Ltd

Johannesburg, South Africa

Email: privacy@lymra.co.za