Your ad accounts and data are the lifeblood of your business. Here is how we protect them.
In Transit: All data transmitted between your browser and SpendFort is encrypted using TLS 1.3. All API calls to Google Ads and Meta Marketing APIs use HTTPS exclusively.
At Rest: Database encryption using AES-256. Sensitive credentials (API tokens, OAuth refresh tokens) are encrypted with separate application-level encryption keys stored in a dedicated secrets manager.
Read-Only by Default: SpendFort requests the minimum permissions needed. Campaign data is read for monitoring purposes only.
Auto-Pause is Opt-In: The campaign auto-pause feature requires explicit activation and can be disabled at any time. You retain full control over which campaigns can be paused.
No Data Storage: We do not store your raw ad performance data, creative assets, or audience information. We only store the metadata needed for monitoring: URLs, status codes, response times, and campaign identifiers.
Instant Revocation: You can disconnect your ad accounts at any time from SpendFort settings or directly from Google/Meta. Access is immediately revoked.
Application Hosting: Vercel's Edge Network with automatic DDoS protection, WAF, and geo-distributed CDN. Vercel is SOC 2 Type II certified.
Database & Workers: Railway with managed PostgreSQL (encrypted, automated backups, point-in-time recovery). Redis for job queues with encrypted connections.
Payments: Stripe handles all payment processing. SpendFort never sees, stores, or transmits credit card numbers. Stripe is PCI DSS Level 1 certified.
Authentication: Google OAuth 2.0 with the PKCE flow. Session tokens are cryptographically signed and expire after 30 days of inactivity.
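As an added illustration of the session-token property described above (signed tokens that expire after 30 days of inactivity), the following Python sketch is not SpendFort's code: it mints an HMAC-signed token carrying a last-activity timestamp, verifies the signature in constant time before trusting any claim, rejects tokens idle for more than 30 days, and re-signs on each valid use so the idle window slides. The key is a constructed placeholder; a real deployment would load it from the secrets manager mentioned earlier on this page.

```python
import base64
import binascii
import hashlib
import hmac
import json

INACTIVITY_LIMIT = 30 * 24 * 60 * 60   # 30 days idle, as stated on the page

# Constructed demo key; in production this comes from the secrets manager.
DEMO_KEY = b"constructed-demo-key-not-for-real-use"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(claims: dict, key: bytes) -> str:
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(mac)}"


def issue_token(user_id: str, now: float, key: bytes = DEMO_KEY) -> str:
    """Mint a signed session token; 'last' is the last-activity timestamp."""
    return _sign({"uid": user_id, "iat": int(now), "last": int(now)}, key)


def verify_token(token: str, now: float, key: bytes = DEMO_KEY):
    """Return (claims, refreshed_token), or (None, None) if the token is
    malformed, forged, or idle for longer than INACTIVITY_LIMIT."""
    try:
        body, sig = token.split(".", 1)
        given = _unb64(sig)
    except (ValueError, binascii.Error):
        return None, None
    expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
    # Constant-time comparison: check the MAC before trusting any claim.
    if not hmac.compare_digest(expected, given):
        return None, None
    claims = json.loads(_unb64(body))
    if now - claims["last"] > INACTIVITY_LIMIT:
        return None, None   # idle too long: the session is dead
    # Sliding window: activity resets the idle clock, so re-sign with new 'last'.
    claims["last"] = int(now)
    return claims, _sign(claims, key)
```

The refreshed token returned by `verify_token` is what the server would hand back to the client; the old one keeps its older `last` value and therefore dies sooner.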
Team Permissions: Role-based access control (Owner, Admin, Member) with the principle of least privilege.
Internal Access: Employee access to production systems requires MFA and is logged. Access is reviewed quarterly.
Application Monitoring: Sentry for real-time error tracking with automatic alerting.
Uptime Monitoring: We monitor our own infrastructure with the same rigor we apply to your pages. Our public status page shows real-time system health.
Incident Response: Documented incident response procedures with target detection-to-response times under 1 hour. We notify affected customers within 72 hours of any confirmed data breach, in compliance with GDPR requirements.
GDPR: We process EU/EEA data using Standard Contractual Clauses. Data Processing Agreements are available on request.
CCPA/CPRA: We do not sell personal information. California residents can exercise their rights via [email protected].
SOC 2: SOC 2 Type II certification is on our roadmap. Contact [email protected] for our current security questionnaire.
PCI DSS: Payment processing is fully delegated to Stripe (PCI Level 1). SpendFort qualifies as SAQ A.
If you discover a security vulnerability, please report it to [email protected]. We take all reports seriously and will respond within 48 hours. We will not take legal action against researchers who follow responsible disclosure practices.
Contact our security team at [email protected].