Security

Your data is your data

AdStack is built on the principle that agency data — client budgets, campaign performance, platform credentials — is highly sensitive. We take that seriously at every layer of the stack.

Security by design

Not bolted on after the fact.

Encryption at rest & in transit

All data is encrypted at rest using AES-256 and in transit using TLS 1.2+. Ad platform OAuth tokens are stored encrypted — never in plaintext.

Row-level security

Every organization's data is isolated at the database level using Postgres Row Level Security (RLS). One tenant can never query another's campaigns, clients, or platform credentials.

Passwordless authentication

AdStack uses magic-link email authentication. No passwords are stored — ever. Sessions are short-lived JWTs issued by Supabase Auth and verified on every request.

Scoped API access

Platform OAuth connections are scoped to read-only or minimum-required permissions. We never request write access beyond what the Ad Builder explicitly needs.

Automatic session expiry

User sessions expire automatically after a period of inactivity. Access tokens are short-lived and refresh tokens are rotated on every use.

Infrastructure security

AdStack runs on Supabase (Postgres on AWS) with daily automated backups, point-in-time recovery, and SOC 2 Type II certified infrastructure.

Responsible disclosure

We welcome security researchers. If you discover a vulnerability in AdStack, please report it to security@adstackhq.com. We will acknowledge your report within 24 hours, investigate, and ship a fix. We do not pursue legal action against good-faith researchers.

Security questions

Do you store my ad platform passwords?

No. Platform connections use OAuth — you authenticate directly with each platform, and we receive a limited-scope access token. We never see or store your login credentials.

Can other AdStack customers see my data?

No. Every organization's data is isolated at the database level using Postgres Row Level Security. It is technically impossible for another tenant's queries to access your data.

Where is my data stored?

Data is stored in Supabase's hosted Postgres infrastructure on AWS. All data is stored in the US by default. Contact us if you have specific data residency requirements.

How do you handle a data breach?

We maintain an incident response plan. In the event of a breach affecting customer data, we will notify affected customers within 72 hours per GDPR requirements and publish a post-mortem.

Can I delete my data?

Yes. You can request full account deletion at any time by contacting support. All your data — campaigns, clients, platform credentials — will be permanently deleted within 30 days.