Security & Compliance

Enterprise-Grade Security

Your data deserves the highest level of protection. We take security seriously from day one.

Compliance Framework

SOC 2 Ready

Controls Implemented

Security controls aligned with SOC 2 Type II requirements. Formal audit planned for 2026.

ISO 27001 Aligned

Framework Adopted

Information security management following international ISO 27001 standards.

GDPR Compliant

Fully Compliant

Full compliance with EU General Data Protection Regulation. Data subject rights fully supported.

EU Data Residency

EU Hosted

All data is hosted exclusively within the European Union. No transfers outside the EU.

Certification Roadmap

We're currently in beta and building our security foundation. As we grow, we're committed to obtaining formal certifications:

Now: SOC 2 & ISO 27001 controls implemented and operational
2026: Penetration testing by external security firm
2026: SOC 2 Type II audit initiation
End 2026: ISO 27001 certification

Technical Security Controls

Data Protection

  • AES-256 encryption for all OAuth tokens at rest
  • TLS 1.3 encryption for all data in transit
  • No ad data storage - we fetch on-demand, never cache permanently
  • Encrypted database connections with SSL certificates
  • API keys hashed with bcrypt - never stored in plain text

Access Control

  • OAuth 2.0 with minimal required scopes per platform
  • Two-factor authentication (2FA) available for all accounts
  • Read-only by default - write access requires explicit tools
  • Role-based access control (RBAC) for team accounts
  • Revoke access anytime from dashboard or platform side

Infrastructure

  • EU-based hosting on Railway (backend) and Vercel (frontend)
  • Supabase PostgreSQL with automatic backups in EU region
  • Upstash Redis for caching with EU data residency
  • DDoS protection via Cloudflare and provider firewalls
  • Automated vulnerability scanning in CI/CD pipeline

Monitoring & Audit

  • Comprehensive audit logs for all data access and changes
  • Real-time error tracking with Sentry for rapid response
  • Uptime monitoring with 5-minute intervals via UptimeRobot
  • Rate limiting to prevent abuse and ensure fair usage
  • Distributed tracing with OpenTelemetry for observability

AI & Data Privacy

Your Data is Never Used for AI Training

  • Claude (Anthropic) does not train on user conversations by default. MCP tool results are processed in-memory, then discarded.
  • Your credentials stay with you. OAuth tokens are encrypted and stored in our database, never shared with AI providers.
  • We never sell your data. Your advertising data is yours. We don't monetize it, share it, or use it for any purpose other than providing the service.

For Agencies & Enterprise

If you're an agency managing client ad accounts or an enterprise with strict security requirements, we understand your needs:

What We Provide

  • Security documentation on request
  • Data Processing Agreement (DPA)
  • Vendor security questionnaire responses
  • Custom security reviews for Enterprise tier

Enterprise Features

  • SSO integration (SAML/OIDC)
  • Advanced audit logging
  • Dedicated support channel
  • Custom data retention policies

Responsible Disclosure

Found a security vulnerability? We appreciate responsible disclosure and will work with you to address any issues promptly.

Report a Vulnerability