Security & Compliance

Enterprise-grade security built into every layer

At Advine.ai, security isn't an afterthought—it's foundational to everything we build. We implement industry-leading security practices to protect your data and advertising accounts.

Data Encryption

All data encrypted in transit (TLS 1.3) and at rest (AES-256). Your API tokens are encrypted using industry-standard algorithms.

OAuth Security

We use OAuth 2.0 for all platform connections. We never see or store your advertising platform passwords.

Access Controls

Role-based access control (RBAC) with 6 permission levels. Row-level security on all database tables.

Infrastructure

Hosted on SOC 2 compliant infrastructure (Supabase + Vercel). Regular security audits and penetration testing.

Data Protection

What We Access

When you connect an advertising platform, we request read-only access to:

  • Campaign performance metrics (impressions, clicks, conversions, spend)
  • Campaign names and settings
  • Ad group and keyword data
  • Account structure information

We do NOT access or store:

  • Payment information or credit card details
  • Personal data of your customers
  • Billing addresses or financial records
  • Any data not essential for monitoring

How We Store Data

  • Campaign Metrics: Stored for 90 days by default (configurable)
  • OAuth Tokens: Encrypted with AES-256-GCM before storage
  • User Data: Hashed passwords, encrypted sensitive fields
  • Logs: Retained for 30 days for debugging and security

Data Deletion

You can delete your account and all associated data at any time. Upon deletion:

  • All personal data is permanently removed within 30 days
  • OAuth tokens are immediately revoked
  • Campaign data is anonymized or deleted per your preference
  • Backups are purged according to our retention schedule

Compliance

GDPR Compliance

We are fully compliant with the General Data Protection Regulation (GDPR):

  • Data Processing Agreements (DPA) available on request
  • Right to access, correct, and delete your data
  • Data portability - export your data anytime
  • Explicit consent for data processing
  • Appointed Data Protection Officer (DPO)
  • Regular privacy impact assessments

Google API Services Compliance

Our use of Google APIs complies with Google API Services User Data Policy, including Limited Use requirements:

  • Data used only for providing monitoring services
  • No data sharing with third parties for advertising
  • No human access to your Google data without explicit permission
  • Transparent disclosure of scopes requested

SOC 2 Type II

Our infrastructure provider (Supabase) is SOC 2 Type II certified, ensuring:

  • Security controls are in place and operating effectively
  • Regular independent audits
  • Continuous monitoring and improvement
  • Incident response procedures

Application Security

Authentication

  • Secure password hashing (bcrypt with salt)
  • Optional two-factor authentication (2FA)
  • Session management with secure cookies
  • Automatic session expiration
  • Protection against brute force attacks

API Security

  • Rate limiting on all endpoints
  • API key authentication for programmatic access
  • Request signing and validation
  • CORS configuration for web security
  • Input validation and sanitization

Monitoring & Logging

  • Real-time error tracking with Sentry
  • Comprehensive audit logs for security events
  • Automated anomaly detection
  • 24/7 uptime monitoring
  • Regular security scanning

Vulnerability Reporting

We take security vulnerabilities seriously. If you discover a security issue, please report it responsibly:

  1. Email us at security@advine.ai
  2. Include detailed steps to reproduce the issue
  3. Allow us 90 days to investigate and fix before public disclosure
  4. We'll acknowledge your report within 24 hours

We do not currently offer a bug bounty program but deeply appreciate responsible disclosure.

Third-Party Services

We carefully vet all third-party services we use:

  • Supabase - Database and authentication (SOC 2 certified)
  • Vercel - Hosting and edge functions (SOC 2 certified)
  • Sentry - Error tracking (GDPR compliant)
  • PostHog - Privacy-first analytics (GDPR compliant)

Data Residency

Your data is stored in secure data centers:

  • Primary region: EU (Frankfurt) for European customers
  • Backups: Encrypted and replicated across multiple regions
  • No data transferred outside EU without explicit consent

Incident Response

In the unlikely event of a security incident, we will:

  • Notify affected users within 72 hours
  • Provide detailed information about the incident
  • Outline steps taken to prevent recurrence
  • Offer support and remediation assistance

Contact

For security-related questions or concerns:

Last updated: February 3, 2026

We continuously update our security practices. Check back regularly for updates.