Your data, protected at every layer
Security is built into our platform from the ground up — not bolted on as an afterthought. Here's how we keep your campaigns, creatives, and data safe.
Built on three pillars
Our security program is structured around three core areas, each with dedicated processes, tooling, and oversight.
Encryption in transit and at rest, strict retention policies, and privacy controls that give you ownership of your data throughout its lifecycle.
Hardened servers, network segmentation, DDoS mitigation, and geographically distributed infrastructure with redundancy at every layer.
Role-based access controls, audit logging, incident response procedures, and regular penetration testing by independent security firms.
Standards we uphold
We maintain compliance with the frameworks and industry standards that matter to advertisers, publishers, and their legal teams.
- Lawful basis for all data processing
- Data subject access and deletion requests honored
- Data processing agreements available for all clients
- EU-based data processing when required
- Privacy-by-design in product development
- Consumer data opt-out mechanisms
- Do-not-sell signal handling
- Transparent data collection disclosures
- Adapted for evolving US state privacy laws
- Independent audit of security controls
- Covers availability, confidentiality, and processing integrity
- Continuous monitoring against control criteria
- Audit reports available under NDA
- Registered Consent Management Platform support
- Transparency & Consent string processing
- Vendor-level consent enforcement
- Publisher consent signal passthrough
- Certified Against Fraud (CAF) program participant
- Brand Safety Certified
- Inventory Quality Guidelines (IQG) compliant
- ads.txt and sellers.json fully supported
- Pre-bid and post-bid traffic analysis
- Bot and non-human traffic filtering
- Domain spoofing prevention
- Continuous monitoring of impression quality
How we handle your data
From the moment data enters our platform to the point it's purged, every step is governed by strict policies and technical controls.
Encryption everywhere
All data is encrypted both in transit and at rest. External connections require TLS, and internal service-to-service communication uses mutual authentication. Stored data — including creatives, campaign configurations, and reporting records — is encrypted using industry-standard algorithms with keys managed through a dedicated key management service.
- TLS enforced on all public endpoints — no plaintext fallback
- Mutual TLS for internal service mesh communication
- Encryption at rest for all databases and object storage
- Automated key rotation on a regular schedule
- Separate encryption keys per tenant for isolated data boundaries
Data retention & minimization
We only collect what's needed for campaign delivery and reporting, and we don't keep it longer than necessary. Retention periods are defined by data type, and expired records are automatically purged. You can request early deletion of your account data at any time.
- Defined retention schedules per data category
- Automated purge jobs enforce retention limits
- Impression-level logs aggregated and anonymized after the retention window
- Account deletion removes all associated creatives, campaigns, and reports
- No secondary use of data beyond the stated purpose
User consent & privacy controls
We integrate with industry consent frameworks so that ad serving respects the choices users have made through publisher consent interfaces. When a consent signal indicates restrictions, the platform adjusts targeting, tracking, and data collection accordingly — in real time, at the impression level.
- IAB TCF consent string processing for every bid request
- Global Privacy Control and Do-Not-Sell signal handling
- Consent-aware targeting — restricted signals are dropped before auction
- Publisher-configurable consent passthrough
- No fingerprinting or covert identification techniques
Hardened from edge to origin
Our platform runs on infrastructure designed for high availability and defense in depth, with strict access controls at every layer.
- Geographically distributed edge nodes across multiple regions
- DDoS mitigation at the network edge with automatic traffic scrubbing
- Network segmentation between ad serving, data processing, and storage layers
- Immutable infrastructure — servers are replaced, not patched in place
- Automated vulnerability scanning on every deployment
- Regular third-party penetration testing with remediation tracking
- Redundant systems with automated failover for all critical services
- Role-based access control (RBAC) with least-privilege defaults
- Multi-factor authentication required for all platform accounts
- SSO integration via SAML and OIDC for enterprise clients
- Session management with configurable timeout and device binding
- Comprehensive audit logs for all administrative actions
- IP allowlisting available for enterprise accounts
- API tokens scoped to specific permissions with expiration dates
Continuous visibility
We monitor every layer of the platform in real time, with centralized logging and alerting that keeps our operations team informed before issues escalate.
- Application performance monitoring across all services
- Infrastructure health checks with sub-minute polling intervals
- Uptime monitoring for public endpoints and internal dependencies
- Traffic anomaly detection based on baseline deviation
- Automated alert escalation with severity-based routing
- CDN edge health monitoring across all geographic regions
- Real-time dashboards for ad serving latency and error rates
- Centralized log aggregation across all services and infrastructure
- Structured logging with correlation IDs for request tracing
- Tamper-resistant audit logs stored independently of application data
- Automated log analysis for security event detection
- Configurable retention periods per log category
- Access logs for all API calls, dashboard logins, and configuration changes
- Log exports available for enterprise clients on request
Vendor & third-party security
Our security posture extends beyond our own systems. We evaluate, monitor, and hold accountable every vendor and sub-processor that handles data on our behalf.
Every vendor undergoes a security review before onboarding. We assess their data handling practices, certifications, incident history, and contractual obligations. Vendors that handle sensitive data must meet the same standards we apply internally.
We maintain a current list of sub-processors and notify clients of changes. Each sub-processor is bound by data processing agreements that mirror our own commitments, including breach notification requirements and data minimization obligations.
Open-source dependencies are scanned for known vulnerabilities on every build. Critical patches are applied promptly, and we maintain a software bill of materials for auditing purposes. Dependency updates are tested before promotion to production.
When something goes wrong
We maintain a documented incident response plan with defined roles, escalation paths, and communication protocols. Here's the process.
Our response team is on-call around the clock and follows a structured playbook for every severity level, from minor anomalies to critical service disruptions.
Detection & Alerting
Automated monitoring detects anomalies in traffic patterns, error rates, and system health. Alerts are routed to the on-call response team immediately.
Triage & Assessment
The response team classifies severity, identifies affected systems, and determines scope. Stakeholders are notified according to the severity level.
Containment & Fix
Affected systems are isolated to prevent spread. The engineering team implements a fix or rolls back the change, and verifies the resolution before restoring service.
Review & Disclosure
A post-mortem documents root cause, timeline, and preventive measures. Affected clients are notified with a plain-language summary and action items.
Business continuity & disaster recovery
Ad serving is time-sensitive and interruptions cost money. Our continuity and recovery plans are designed to keep campaigns running even when components fail.
Disaster recovery
Our disaster recovery program covers everything from single-server failures to full regional outages. Recovery procedures are documented, regularly tested, and designed to restore service as quickly as possible with minimal data loss.
- Multi-region active deployment with automated failover
- Database replication across geographically separated zones
- Recovery procedures tested on a regular schedule through live drills
- Defined recovery time and recovery point objectives for each service tier
- Creative assets stored redundantly with cross-region replication
- Runbooks maintained for all critical failure scenarios
Backup strategy
Backups run continuously and are stored separately from production systems. We verify backup integrity through regular restore tests, ensuring that recovery from backup is not just theoretical but proven.
- Continuous database backups with point-in-time recovery
- Backups encrypted and stored in an isolated environment
- Regular restore tests to verify backup integrity and completeness
- Backup retention aligned with data classification policies
- Campaign configuration and creative metadata backed up independently
Organizational security
Technology alone isn't enough. Our security program includes the people, processes, and culture needed to operate a trustworthy platform.
All employees complete security awareness training during onboarding and on a recurring basis. Engineering teams receive additional training on secure coding practices and common vulnerability patterns.
Team members with access to production systems or customer data undergo background verification. Access is not granted until checks are complete and cleared.
Every code change goes through peer review and automated security scanning before deployment. Critical changes require additional review from the security team. Dependencies are audited on every build.
Access is provisioned based on role and revoked immediately on departure or role change. Privileged access is reviewed periodically, and dormant accounts are automatically disabled.
Responsible disclosure program
We value the work of security researchers and welcome reports of potential vulnerabilities in our platform.
Report a vulnerability
If you believe you've found a security vulnerability in our platform, we want to hear about it. We investigate all reports promptly and work with researchers to resolve confirmed issues before public disclosure.
- Submit your findings through the contact form, selecting "Technical Support" as the subject
- Include a clear description of the vulnerability, steps to reproduce, and potential impact
- Allow reasonable time for investigation and remediation before any public disclosure
- Do not access, modify, or delete data belonging to other users during testing
We aim to acknowledge reports promptly and provide regular updates throughout the investigation process. We credit researchers in our security advisories when a fix is published, unless they prefer to remain anonymous.
Security FAQ
Answers to the questions we hear most often from security and compliance teams during vendor evaluations.
Can we get a copy of your SOC 2 report?
Yes. Our SOC 2 Type II report is available to current and prospective clients under a mutual non-disclosure agreement. Contact our team through the form on the homepage and reference "SOC 2 report request" in the subject. We typically deliver the report within a few business days of executing the NDA.
Do you support security questionnaires?
Yes. We regularly complete industry-standard security questionnaires, including SIG, CAIQ, and custom vendor assessment forms. If you have a questionnaire you'd like us to complete, send it through the contact form and our security team will coordinate the response. For common frameworks, we can often return completed questionnaires promptly, as we maintain pre-filled responses.
Where is our data stored geographically?
Our infrastructure spans multiple regions across North America, Europe, and Asia-Pacific. Campaign data is processed in the region closest to the end user for performance reasons. For clients with data residency requirements, we can configure processing to stay within specific geographic boundaries. Contact our team to discuss your specific needs.
How quickly do you notify clients of a data breach?
We are committed to notifying affected clients without undue delay and within the timeframes required by applicable regulations. Our incident response plan includes specific communication templates and escalation procedures for data breach scenarios. Notifications include the nature of the breach, categories of data affected, and steps we're taking to mitigate the impact.
Do you provide a Data Processing Agreement?
Yes. We offer a standard Data Processing Agreement (DPA) that covers GDPR, CCPA, and other applicable privacy regulations. The DPA outlines our obligations as a data processor, including data security measures, sub-processor management, and breach notification procedures. Our standard DPA is available upon request and can be customized for enterprise clients with specific requirements.
What happens to our data if we terminate our account?
Upon account termination, we provide a grace period during which you can export your data. After the grace period, all account data — including creatives, campaign configurations, and reporting data — is permanently deleted from our systems and backups according to our retention schedule. We provide written confirmation of deletion upon request.
Do you perform regular penetration testing?
Yes. We engage independent third-party security firms to conduct penetration tests on a regular basis. The scope covers our public-facing applications, APIs, and internal infrastructure. Findings are triaged by severity, remediated, and verified. Executive summaries of recent penetration test results are available to enterprise clients under NDA.
How do you handle encryption key management?
Encryption keys are managed through a dedicated key management service with hardware-backed security. Keys are never stored alongside the data they protect. We enforce automated key rotation on a regular schedule, and key access is restricted to the specific services that require it. Key usage is logged and auditable.
Questions about our security practices?
Our team is available to discuss security requirements, provide compliance documentation, or walk through our infrastructure in detail.