Trust & transparency
How Lettr handles your data.
One page covering where your data lives, who processes it, how to reach our security team, and how to check whether the service is healthy right now.
Australian data residency
Your data is stored in Supabase's Sydney region (ap-southeast-2). Hosting, database, file storage — all Australia.
Encrypted in transit + at rest
TLS 1.3 in transit. Postgres-level AES-256 at rest. Documents in Supabase Storage with short-lived signed URLs only.
Verifiable health
Our health endpoint is public: /api/health. If we're running, you can see it.
Sub-processors
Who processes your data
We list every third party that touches user data, what they do, and where they sit. This list updates whenever a processor is added, removed, or replaced.
Supabase
Australia · Sydney (ap-southeast-2)Database (PostgreSQL), auth, file storage
Stripe
AU entity (Stripe Payments Australia Pty Ltd)Payment processing (first-week rent only)
Anthropic
United States · processed under DPAAI applicant screening (advisory only)
Cloudinary
United States · processed under DPAProperty image hosting + transformation
Upstash
United States · regional RedisRate-limit token store (no personal data)
Cross-border processors (Anthropic, Resend, Cloudinary, Upstash) operate under data processing agreements that meet Australian Privacy Principle 8 obligations. The full terms are linked from our Privacy Policy.
Security contact
Found a vulnerability?
Email security@lettr.com.au with a description, reproduction steps, and your assessment of impact. We aim to acknowledge within two business days and ship a fix within seven days for high-severity issues. Our disclosure norms and full scope are documented in the repository.
Last updated 19 May 2026 (post cycle-3 audit · live commit 850202d). If this page is out of date relative to the codebase, email security@lettr.com.au.