Lejar

Security & Trust

Facts on this page checked against our production deployment and each vendor's own page on 7 July 2026.

1. How your data is protected today

Lejar holds your business's financial records, so we would rather describe exactly what protects them than speak in generalities. This is what is running in production right now, not something planned:

  • Encrypted in transit and at rest. Every connection to Lejar uses TLS. Supabase, our database provider, encrypts all data at rest with AES-256.
  • An append-only ledger. Once a journal entry posts, it cannot be edited or deleted. Corrections happen through new entries, and every posting is captured in an audit log that even our own service accounts cannot alter or erase.
  • Access control enforced by the database, not just the app. Row-level security in Postgres keeps every organisation's records isolated: a member of one organisation cannot read another organisation's data, even if the application code above it had a bug.
  • The AI only drafts. It never posts on its own. Every AI-generated entry, whether from a scanned receipt, a bank statement, or a request in Ask lejar, waits in a review queue. Nothing reaches your ledger until you approve it.
  • Field-level encryption of your most sensitive details. Bank account numbers and DuitNow IDs carry an additional layer of application-level encryption, on top of the at-rest encryption above, scoped to each organisation.
  • A record of security events. Sign-ins and account changes are written to an append-only security-events log that your organisation's owners and admins can review.
  • Optional two-factor sign-in. Any member can turn on TOTP two-factor authentication for their account.

2. Where your data lives

Your organisation's database, file storage, and authentication run on Supabase infrastructure in the ap-southeast-1 (Singapore) AWS region. Under Malaysia's PDPA, storing and processing data outside Malaysia is permitted with your consent, which you give by using the service. See the Privacy Policy for the full list of where each subprocessor below runs.

3. Subprocessors

We use a small, disclosed set of infrastructure providers to run Lejar. This is the same list named in the Privacy Policy, gathered here with each vendor's compliance posture.

VendorRoleData it receivesCompliance postureTerms
SupabaseDatabase, authentication, and file storageYour organisation's ledger, contacts, invoices, uploaded documents, and account credentialsSOC 2 Type II; ISO/IEC 27001:2022Data Processing Addendum
VercelApplication hostingApplication code execution, environment secrets, and request logsSOC 2 Type 2; ISO 27001:2022; PCI DSS v4.0 (SAQ-D)Data Processing Addendum
AnthropicAI document processing (receipt and statement extraction, Ask lejar chat)Document content and chat prompts you submit to an AI featureSOC 2 Type I and II; ISO 27001:2022; ISO/IEC 42001:2023. Does not train on your content.Data Processing Addendum
CloudflareAI gateway routing and Workers AI embeddingsLLM request and response payloads passing through the gateway, and embedding input textISO 27001:2022; ISO 27701:2019; SOC 2 Type II. Does not train on your content.Data Processing Addendum
ResendTransactional email delivery (invoices and statements)Recipient name and email, and the invoice or statement PDF's contentSOC 2 Type IIData Processing Addendum
AirwallexBilling and payment processingBilling email and your organisation's legal name. Card details go directly to Airwallex and never touch our servers.PCI DSS Service Provider Level 1; SOC 1 Type 2; SOC 2 Type 1 and 2; ISO/IEC 27001Security & compliance
GoogleWebsite analytics and "Sign in with Google"Site usage and analytics events; OAuth sign-in identity (name, email, profile)ISO/IEC 27001 (Google Analytics product family)Data Processing Terms

Airwallex does not publish one canonical Data Processing Agreement URL, so the link above is their security and compliance hub instead. We are requesting a signed DPA copy directly from their account team.

4. Your rights under the PDPA

  • Access and export. Export your organisation's accounting data yourself at any time from Settings. No request or wait required.
  • Correction. Email us to correct inaccurate personal data we hold about you.
  • Erasure. Delete your organisation directly from Settings. This removes its records from our live systems immediately; copies in infrastructure backups fade out on their own rolling schedule.
  • AI-memory transparency. See exactly what Lejar's AI has learned about your organisation, and delete any of it, in Settings. It is private to your organisation and included in your data export.
  • Breach notification. If we become aware of a personal data breach affecting you, we are committed to notifying Malaysia's Personal Data Protection Commissioner within 72 hours of becoming aware, consistent with the Data Breach Notification Guideline, and to notifying you directly where the breach is likely to cause you significant harm.

Full detail on what we collect and why is in the Privacy Policy.

5. Report a vulnerability

Found a security issue? Email security@lejar.ai. Security researchers and automated scanners can also read our machine-readable disclosure policy at /.well-known/security.txt (RFC 9116).

6. What we don't do yet

We would rather tell you what is still in progress than let this page imply we have covered everything. This is what is not true yet:

  • We have not undergone an independent security certification (SOC 2, ISO 27001) or a third-party penetration test. Our subprocessors above are certified; we have not certified our own controls.
  • Two-factor authentication (TOTP) is available today, but it is optional: we do not yet require it to sign in.
  • A strict, nonce-based Content-Security-Policy actively blocks unauthorised scripts across the signed-in app (login, your dashboard, and every organisation's workspace). Two areas stay in report-only mode a little longer: the billing and checkout pages, while we validate our payment provider's script and connection origins against a real transaction, and our public marketing pages, while we gather more real-world signal before enforcing there too.

See also the Privacy Policy and the Terms of Service.