You built your company on someone else's server. Their API. Their patch schedule. Their definition of “private.”
When the platform changes architecture, suffers a breach, or sunsets a feature — you don't get a vote. You get a notification.
60-minute diagnostic • Written custody matrix • Fix roadmap included
In April 2026, 8M users learned that “private” was a UI label, not a permissions layer.
This wasn't a Lovable problem. It was a custody problem. When your infrastructure is controlled by a platform, you inherit their risk model — whether you agreed to it or not. Three incidents in 12 months is not bad luck. It is the cost of renting your foundation.
The Risk Category (Not the Body Count)
Source code exposure via misconfigured API. Free-tier access to paid projects.
Database credentials cached in client bundles. Visible in browser dev tools.
5 API calls from a free account accessed source code, DB credentials, and customer data.
You exported the components. Not the build.
Your React files are in GitHub. But the build pipeline, deployment logic, environment injection, and platform-specific wrappers are generated by Lovable on every deploy. Change the platform, break the build.
Your schema is portable. Your data is not.
You can export table definitions. But row-level security policies, edge functions, connection pooling, and backup configs are tied to the platform-managed Supabase instance. You do not control the backup schedule.
Secrets injected at build time are not in your repo.
Stripe keys, webhook endpoints, and OAuth credentials are frequently injected during the platform build — not stored in code you control. If the platform rotates or leaks them, you find out when payments break.
Usually yours. But check the fine print.
You bought the domain. But SSL certificates, CDN routing, and edge caching rules may be platform-managed. Move hosts and your cert chain breaks.
Vercel is not independence.
You deploy to Vercel and feel free. But the build config, environment variables, preview branches, and edge routing are generated by the platform. Replicate that setup manually and you will miss 6 things.
Your users trust you. The platform controls the vault.
Customer data lives in a Supabase instance the platform provisioned. You may not have direct backup access, export rights, or the ability to enforce geographic data residency. That is a liability, not a feature.
The assessment that tells you exactly what you own, what you don't, and what it costs to fix it.
You have customers, no technical co-founder, and just realized your stack is a liability in the data room. You need a third-party architecture report before the first investor call.
You rotated credentials after the April exposure but have no idea what else is exposed. You need a complete inventory before you touch anything else.
The buyer's technical audit is coming. You need to know what custody gaps exist before they do — and a fix plan with real numbers.
Everything you need to know about migrating from Lovable to Next.js
A 60-minute diagnostic where we map every piece of your technical infrastructure — code, data, auth, APIs, hosting, secrets — and classify each as Owned, Trapped, or At Risk. You get a written report with a fix roadmap and cost estimate for full custody.
Yes. 80% of DIY migrations leak credentials in environment files, break auth flows, or lose SEO equity. We audit what they missed. Migration is not the same as custody.
A security audit looks for vulnerabilities in code you already own. Infrastructure Custody looks at whether you actually own the code in the first place. Most founders are shocked to discover their "exported" app still relies on 8-12 external services they cannot control.
Currently we focus on Lovable, Bolt, v0, and Supabase-native stacks. The custody framework works for any no-code/low-code platform where you are not sure who owns what.
A custody matrix (what you own vs. what the platform controls), a risk heat map, a prioritized fix list, and a quote for full infrastructure extraction if you want it. Most assessments pay for themselves by surfacing hidden vendor lock-in before it becomes a crisis.
Then you sleep better. The $299 fee is an insurance policy against a $50,000 surprise. If we cannot identify at least one critical custody gap, we refund the full fee.
Book a technical assessment to discuss your specific needs
Due to inbound volume after the April exposure, assessment slots are limited to 5 founders this week.
Full refund if we cannot identify at least one critical custody gap. No questions asked.