Security & Compliance

Enterprise-Grade Security

Your data deserves the highest level of protection. We take security seriously from day one.

Compliance Framework

SOC 2 Ready

Controls Implemented

Security controls aligned with SOC 2 Type II requirements. Formal audit planned for 2026.

ISO 27001 Aligned

Framework Adopted

Information security management following international ISO 27001 standards.

GDPR Compliant

Fully Compliant

Full compliance with EU General Data Protection Regulation. Data subject rights fully supported.

EU Data Residency

EU Hosted

All data is hosted exclusively within the European Union. No transfers outside the EU.

Certification Roadmap

We're committed to building a strong security foundation. As we grow, we're working towards formal certifications:

Now: SOC 2 & ISO 27001 controls implemented and operational
H2 2026: Penetration testing by external security firm
H2 2026: SOC 2 Type II audit initiation
2027: ISO 27001 certification

Technical Security Controls

Data Protection

  • AES-256 encryption for all OAuth tokens at rest
  • TLS 1.3 encryption for all data in transit
  • No ad data storage - we fetch on-demand, never cache permanently
  • Encrypted database connections with SSL certificates
  • API keys hashed with bcrypt - never stored in plain text

Access Control

  • OAuth 2.0 with minimal required scopes per platform
  • Two-factor authentication (2FA) available for all accounts
  • Read-only by default - write access requires explicit tools
  • Per-account access control for team plans - assign specific ad accounts to specific users
  • Revoke access anytime from dashboard or platform side

Infrastructure

  • EU-based hosting on Railway (backend) and Vercel (frontend)
  • Supabase PostgreSQL with automatic backups in EU region
  • Upstash Redis for caching with EU data residency
  • DDoS protection via Cloudflare and provider firewalls
  • Dependency audits with automated checks on each deployment

Monitoring & Audit

  • Comprehensive audit logs for all data access and changes
  • Real-time error tracking with Sentry for rapid response
  • Uptime monitoring with 5-minute intervals via UptimeRobot
  • Rate limiting to prevent abuse and ensure fair usage
  • Distributed tracing with OpenTelemetry for observability

AI & Data Privacy

Your Data is Never Used for AI Training

  • Claude (Anthropic) does not train on user conversations by default. MCP tool results are processed in-memory, then discarded.
  • Your credentials stay with you. OAuth tokens are encrypted and stored in our database, never shared with AI providers.
  • We never sell your data. Your advertising data is yours. We don't monetize it, share it, or use it for any purpose other than providing the service.

For Agencies & Enterprise

If you're an agency managing client ad accounts or an enterprise with strict security requirements, we understand your needs:

What We Provide

  • Security documentation on request
  • Data Processing Agreement (DPA)
  • Vendor security questionnaire responses
  • Custom security reviews for Enterprise tier

Enterprise Features

  • Unlimited accounts and users
  • Advanced audit logging
  • Priority support via email
  • Custom integrations on request

Responsible Disclosure

Found a security vulnerability? We appreciate responsible disclosure and will work with you to address any issues promptly.

Report a Vulnerability