Security Overview
Last updated: 13 June 2026
A practical overview of Lorikeet security, infrastructure, payment handling and responsible disclosure.
This page gives a practical overview for teachers and schools. Detailed procurement or security questionnaires can be sent to [email protected].
1. Hosting and infrastructure
Lorikeet uses modern hosted services for delivery, authentication, database, payments and AI generation. Current services may include Netlify, Supabase, Stripe and AI API providers such as OpenAI or OpenRouter.
2. Authentication and access
- Account authentication is handled through Supabase-backed auth flows.
- Billing and payment card handling is managed by Stripe.
- Administrative access should be limited to people who need it to support and operate the service.
3. Data protection practices
- HTTPS is used for traffic between browsers and Lorikeet.
- Payment card data is not stored by Lorikeet.
- Users are encouraged to minimise student personal information in prompts.
- Environment variables are used for service secrets rather than hardcoding keys in the frontend.
4. Incident response
If we identify a security incident affecting user information, we will investigate, take steps to contain it and notify affected users where required by law or appropriate in the circumstances.
5. Responsible disclosure
If you believe you have found a security issue, please email [email protected] with enough detail for us to investigate. Please do not access, modify, delete or disclose other users' data.