Data security

Client confidentiality, defended in depth

Matter privilege is the foundation of practice. We treat your firm's data the way you treat a client file — locked, isolated, and access-traced. Below is every layer between an attacker and your case notes.

Two-factor authentication

Mandatory for every firm administrator. Six-digit code from your phone in addition to the password. Eight one-time recovery codes for lost-phone recovery. Sign-in on a known browser remembered for 30 days, revocable per device. Stolen passwords alone get attackers nowhere.

Per-firm data isolation

Row-level security in the database — every query is automatically scoped to your firm. A query for cases, clients, invoices, or any other firm record physically cannot return another firm's rows even if the application code contains a bug, because the database enforces the scope, not the code. 240+ automated tests run on every deploy to lock this down.

Bot + brute-force defence

Cloudflare Managed Challenge filters automated traffic at the edge before any request reaches our servers. Per-account failed-login tracking layers on top — after a handful of wrong passwords on a single account, you get an immediate security alert and the attacker doesn't. Credential-stuffing attacks bounce.
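The per-account tracking described above, as an added example in Node.js that is not the product's own code. The threshold of 5 failures inside a 15-minute window is an assumed value (the page only says "a handful"); the alert callback, the `handleLogin` wrapper and the `verifyPassword` hook are illustrative names. The point it shows is that the alert goes to the account owner while every failed request receives the same generic error.

```javascript
// Added example (not the product's own code): per-account failed-login tracking.
// The threshold (5) and the window (15 min) are assumed values.
const FAILED_LOGIN_THRESHOLD = 5;
const FAILURE_WINDOW_MS = 15 * 60 * 1000;

class FailedLoginTracker {
  // alertFn(account, count) notifies the account owner; now() is injectable for testing.
  constructor(alertFn, now = () => Date.now()) {
    this.failures = new Map(); // account -> timestamps of recent failures
    this.alertFn = alertFn;
    this.now = now;
  }

  // Record one failed attempt. Returns true exactly once, when the threshold is reached
  // and the owner is alerted; later failures in the same window return false.
  recordFailure(account) {
    const t = this.now();
    const recent = (this.failures.get(account) || []).filter(ts => t - ts < FAILURE_WINDOW_MS);
    recent.push(t);
    this.failures.set(account, recent);
    if (recent.length === FAILED_LOGIN_THRESHOLD) {
      this.alertFn(account, recent.length);
      return true;
    }
    return false;
  }

  // A successful login clears the counter for that account.
  recordSuccess(account) {
    this.failures.delete(account);
  }

  // Number of failures still inside the window (older ones have aged out).
  recentFailures(account) {
    const t = this.now();
    return (this.failures.get(account) || []).filter(ts => t - ts < FAILURE_WINDOW_MS).length;
  }
}

// Login handler: the error message is identical for an unknown account, a wrong
// password and a threshold crossing, so the caller learns nothing from it.
function handleLogin(tracker, account, password, verifyPassword) {
  if (verifyPassword(account, password)) {
    tracker.recordSuccess(account);
    return { ok: true };
  }
  tracker.recordFailure(account);
  return { ok: false, error: 'invalid credentials' };
}

module.exports = { FailedLoginTracker, handleLogin, FAILED_LOGIN_THRESHOLD, FAILURE_WINDOW_MS };
```

The tracker counts per account rather than per source address, so a credential-stuffing run that rotates through many IPs against one account still trips the alert; the edge challenge in front of it handles the volume side.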

Encrypted, end-to-end

Every byte encrypted in transit (TLS 1.3) and at rest (AES-256 on Supabase storage). File uploads sniffed for actual file type — a .exe renamed to .pdf is rejected before it touches your firm's storage. Daily backups retained on the host platform.
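The "sniffed for actual file type" check above, as an added Node.js example that is not the product's own code. The allowed-extension list (`pdf`, `png`, `jpg`/`jpeg`, `docx`) is an assumption; the leading-byte signatures are the well-known ones for those formats and for Windows PE executables (`MZ`). The function names `sniffType`, `declaredType` and `validateUpload` are illustrative.

```javascript
// Added example (not the product's own code): accept an upload only when the
// declared extension and the file's leading bytes agree. The allowed list is assumed.
const TYPES = {
  pdf:  { exts: ['pdf'],         magic: [Buffer.from('%PDF-', 'latin1')] },
  png:  { exts: ['png'],         magic: [Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a])] },
  jpeg: { exts: ['jpg', 'jpeg'], magic: [Buffer.from([0xff, 0xd8, 0xff])] },
  // A .docx is a ZIP container, so any ZIP passes this check; a stricter check
  // would open the archive and look for [Content_Types].xml.
  docx: { exts: ['docx'],        magic: [Buffer.from([0x50, 0x4b, 0x03, 0x04])] },
};
// Never accepted, but recognised so the rejection reason says what was really sent.
const EXECUTABLE_MAGIC = Buffer.from('MZ', 'latin1');

function startsWith(bytes, sig) {
  return bytes.length >= sig.length && bytes.subarray(0, sig.length).equals(sig);
}

// Detected type name, 'executable', or null when nothing matches.
function sniffType(bytes) {
  for (const [name, t] of Object.entries(TYPES)) {
    if (t.magic.some(sig => startsWith(bytes, sig))) return name;
  }
  return startsWith(bytes, EXECUTABLE_MAGIC) ? 'executable' : null;
}

// Type implied by the filename's extension, or null when the extension is not allowed.
function declaredType(filename) {
  const ext = filename.toLowerCase().split('.').pop();
  for (const [name, t] of Object.entries(TYPES)) {
    if (t.exts.includes(ext)) return name;
  }
  return null;
}

// Accept only when the extension is allowed AND the content says the same thing.
function validateUpload(filename, bytes) {
  const declared = declaredType(filename);
  if (!declared) return { ok: false, reason: 'extension not allowed' };
  const actual = sniffType(bytes);
  if (actual === declared) return { ok: true, type: actual };
  return { ok: false, reason: `declared ${declared} but content is ${actual || 'unrecognised'}` };
}

module.exports = { sniffType, declaredType, validateUpload };
```

Run the check on the first bytes of the stream before writing anything to storage; an unrecognised prefix is rejected as well, since an allow-list of formats the application can actually serve is the safer default.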

Additional defensive layers

Audit trail with PII masked

Every create / update / delete is logged with PII redacted — emails, IC numbers and phone numbers are masked automatically before the row is written. If the audit table itself is breached, it does not hand an attacker the personal data it would otherwise contain.
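Masking at write time, as an added Node.js example that is not the product's own code. The patterns are assumptions about record formats: email addresses, Malaysian NRIC ("IC") numbers in YYMMDD-PB-NNNN form, and Malaysian mobile numbers. Masking keeps the last four digits of a number and the first character plus top-level domain of an email so a reviewer can still correlate entries; `redact` walks an arbitrary payload and `auditEntry` builds the row.

```javascript
// Added example (not the product's own code): mask PII before an audit row is written.
// The three patterns are assumptions about the record formats, not the product's rules.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const IC_RE = /\b\d{6}-?\d{2}-?\d{4}\b/g;                 // NRIC: YYMMDD-PB-NNNN
const PHONE_RE = /(?:\+?60|0)1\d[ -]?\d{3,4}[ -]?\d{4}\b/g; // MY mobile, local or +60 form

// j***@***.com : first character of the local part and the top-level domain survive.
function maskEmail(addr) {
  return addr[0] + '***@***' + addr.slice(addr.lastIndexOf('.'));
}

// Star out every digit except the last four; separators are preserved.
function maskDigits(s) {
  let remaining = s.replace(/\D/g, '').length - 4;
  return s.replace(/\d/g, d => (remaining-- > 0 ? '*' : d));
}

// Emails first (they may contain digit runs), then IC numbers, then phones.
function maskString(s) {
  return s.replace(EMAIL_RE, maskEmail).replace(IC_RE, maskDigits).replace(PHONE_RE, maskDigits);
}

// Apply maskString to every string anywhere inside a payload; non-strings pass through.
function redact(value) {
  if (typeof value === 'string') return maskString(value);
  if (Array.isArray(value)) return value.map(redact);
  if (value !== null && typeof value === 'object') {
    return Object.fromEntries(Object.entries(value).map(([k, v]) => [k, redact(v)]));
  }
  return value;
}

// The audit row: who/what/when stay queryable, the payload is masked before storage.
function auditEntry({ actorId, firmId, action, table, recordId, payload }, now = () => new Date()) {
  return { at: now().toISOString(), actorId, firmId, action, table, recordId, payload: redact(payload) };
}

module.exports = { maskString, redact, auditEntry };
```

Because masking happens in the function that builds the row, there is no code path that writes an unmasked payload; the alternative of masking on read leaves the raw values in the table for exactly the breach scenario the paragraph describes.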

Session lockdown

Single-session-per-user — signing in elsewhere invalidates the first device. Idle timeout after 30 minutes; absolute cap of 12 hours per session (7 days / 30 days with Remember me). No long-lived tokens to steal.

Hardened browser headers

Content Security Policy + five defense-in-depth HTTP headers (X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Strict-Transport-Security) on every response. Browsers refuse to render the app inside an iframe — clickjacking attempts collapse.

Security is a posture, not a guarantee. We rotate platform credentials annually, document an incident response procedure, and will commission a third-party penetration test before onboarding our first commercial customers. If you have specific security requirements from your firm's IT policy, send them to support@lfms.my and we'll respond with how each one maps to our current controls.