LilliMad is committed to maintaining the security and integrity of your data. This policy describes the technical and organisational measures we take to protect the platform and the information entrusted to us by our customers.
To report a security concern, contact: [email protected]
All passwords are hashed using bcrypt before storage. Plain-text passwords are never written to disk or logs, and are never transmitted in responses. Password reset flows use short-lived, single-use tokens.
Sessions are maintained via HttpOnly, SameSite=Lax cookies (access_token for org sessions; platform_token for platform administration). Tokens are signed JWTs with configurable expiry. Tokens are validated server-side on every authenticated request.
Within each organisation, users are assigned roles (Owner, Admin, Member) that control which actions and data they can access. Platform administration is wholly separate from org access — a platform session cannot be used to enter the org application without explicit approval from an org owner.
Platform support staff can only enter an organisation's workspace after submitting a formal access request that is explicitly approved by an organisation owner. All such access is time-limited (maximum 24 hours), logged, and visible to org owners in the Settings page. Approved sessions use the same authentication mechanism as standard org users with no additional privileges.
All traffic between clients and LilliMad servers is encrypted using TLS 1.2 or higher. Plain HTTP connections are redirected to HTTPS. Internal service-to-service communication within the hosted infrastructure is also encrypted.
Database volumes and object storage (MinIO) are stored on encrypted block storage. File attachments and uploads are stored with server-side encryption enabled.
Each organisation's data is isolated at the application layer through mandatory organisation-scoped query filtering. API routes enforce organisation membership on every request; cross-organisation data access is not possible through the standard API.
The LilliMad platform runs on servers located within the United Kingdom or European Economic Area. Our infrastructure is deployed using container-based architecture with network-level isolation between services. Database and file storage services are not directly accessible from the public internet.
Regular automated backups are taken of all database and file storage. Backups are encrypted and stored in a separate location from primary data.
Server-side request logs (IP address, timestamp, HTTP method, endpoint, response status) are retained for security monitoring and incident investigation. Logs do not contain request bodies, passwords, or session token values. Logs are retained for a minimum of 90 days.
We monitor for anomalous access patterns including repeated authentication failures, unusual API usage volumes, and access from unexpected locations.
We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please contact us at [email protected] before publishing or sharing details publicly. We commit to:
Please include steps to reproduce, the potential impact, and any proof-of-concept where safe to do so.
In the event of a confirmed data breach or security incident affecting your organisation's data, we will notify affected organisation owners within 72 hours of becoming aware of the incident, in accordance with UK GDPR and EU GDPR obligations. Notifications will include the nature of the incident, the categories of data affected, and steps taken or planned to address it.
We may update this policy periodically. Material changes will be communicated to organisation owners by email or in-app notice at least 14 days before they take effect. The "Last updated" date at the top of this page reflects the most recent revision.
Michael Etherington
LilliMad
[email protected]