Security

How we protect your data

A short, honest list of the controls in place today and the ones we are actively building. If a control is in flight, we say so.

Encryption at rest

All persisted data is encrypted at rest with keys managed in AWS KMS. Stored OAuth tokens are encrypted with a workspace-scoped KMS encryption context: the workspace ID is bound to the ciphertext as additional authenticated data, and decryption only succeeds when the caller supplies that same context. A token encrypted for one workspace therefore cannot be read under another workspace's context; KMS rejects the mismatch itself rather than relying on an application-side check.
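The binding described above is a property of KMS encryption context, which KMS treats as additional authenticated data over the ciphertext. The example below is added here and is not the product's own code: it models the same binding locally with AES-256-GCM from Node's crypto module so it runs offline without an AWS account. The `workspace_id` context key, the token strings and the function names are assumptions for the example.

```typescript
import { createCipheriv, createDecipheriv, randomBytes } from "node:crypto";

// Constructed stand-in for the KMS key. With real KMS the key material never
// leaves the service; here it lives in process memory for the demonstration.
const MASTER_KEY = randomBytes(32);

export type EncryptionContext = Record<string, string>;

export interface WrappedToken {
  iv: string;         // base64, 96-bit GCM nonce
  ciphertext: string; // base64
  tag: string;        // base64, 128-bit GCM authentication tag
}

// KMS canonicalises the context before binding it, so key order does not
// matter. JSON over sorted entries gives an unambiguous encoding (a plain
// "k=v&k=v" join would let values containing '&' or '=' collide).
function canonicalContext(ctx: EncryptionContext): Buffer {
  const entries = Object.keys(ctx).sort().map((k) => [k, ctx[k]]);
  return Buffer.from(JSON.stringify(entries), "utf8");
}

// Encrypt a token under a context. The context is NOT stored with the
// ciphertext: as with KMS, the caller must know it to decrypt.
export function encryptToken(plaintext: string, ctx: EncryptionContext): WrappedToken {
  const iv = randomBytes(12);
  const cipher = createCipheriv("aes-256-gcm", MASTER_KEY, iv);
  cipher.setAAD(canonicalContext(ctx));
  const ct = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  return {
    iv: iv.toString("base64"),
    ciphertext: ct.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

// Decrypt under a context. A context that differs from the one used at
// encryption time changes the AAD, so the tag check in final() throws.
export function decryptToken(wrapped: WrappedToken, ctx: EncryptionContext): string {
  const decipher = createDecipheriv("aes-256-gcm", MASTER_KEY, Buffer.from(wrapped.iv, "base64"));
  decipher.setAAD(canonicalContext(ctx));
  decipher.setAuthTag(Buffer.from(wrapped.tag, "base64"));
  const pt = Buffer.concat([decipher.update(Buffer.from(wrapped.ciphertext, "base64")), decipher.final()]);
  return pt.toString("utf8");
}

// What the application does: derive the context from the authenticated
// workspace, never from request input, then attempt the decrypt.
export function canDecryptForWorkspace(wrapped: WrappedToken, workspaceId: string): boolean {
  try {
    decryptToken(wrapped, { workspace_id: workspaceId });
    return true;
  } catch {
    return false;
  }
}
```

With real KMS the same shape is an `Encrypt` and a `Decrypt` call carrying `EncryptionContext: { workspace_id }`; a `Decrypt` with a different context fails with `InvalidCiphertextException`. The key policy can additionally require that the context be present via the `kms:EncryptionContext:workspace_id` condition key, so a caller that omits it cannot decrypt at all. The one thing the mechanism cannot do for you is choose the context: it must come from the authenticated session's workspace, not from a field the client controls.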

Encryption in transit

TLS 1.2 or higher on every public surface. HSTS preloaded on the marketing and app domains. No plaintext fallback anywhere in the request path.

Tenant isolation

Tenant isolation is enforced in the application layer: every server action resolves the caller's workspace through one shared helper and scopes its reads and writes to the workspace ID that helper returns, so a request cannot reach another tenant's rows by supplying a different ID. Postgres row-level security, which would enforce the same boundary inside the database itself, is on the roadmap for v1.1.

OAuth-only platform connections

We never ask for ad-platform passwords. Every connection is a scoped OAuth token that can be refreshed, and it can be revoked from inside the product or from the platform itself.

SOC 2 Type I in progress

Evidence collection started during Week 4 of our launch sprint. Auditor engagement is scheduled; we will publish the report once it is available.

Audit logs

Every connect, disconnect, member invite, role change, and billing event is recorded and exportable from Settings. Logs are append-only and retained for one year.

Role-based access control

Four roles per workspace: owner, admin, member, viewer. Sensitive surfaces (billing, integrations, danger zone) are gated by role on every request.
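The workspace helper described under Tenant isolation and the role gate described here, as an added TypeScript example that is not the product's own code. The membership table, the surface-to-minimum-role mapping, the sample connections and the function names are assumptions. Two details carry the isolation: the workspace ID from the request is only ever used to look up a membership row for the authenticated user, and the data query is scoped by the ID the helper returns rather than by anything the client sent.

```typescript
export type Role = "owner" | "admin" | "member" | "viewer";
export type Surface = "billing" | "integrations" | "danger_zone" | "campaigns" | "reports";

// Ordered so a higher rank may do everything a lower rank may (assumed ordering).
const RANK: Record<Role, number> = { viewer: 0, member: 1, admin: 2, owner: 3 };

// Minimum role per surface. Assumed mapping; the page only says billing,
// integrations and the danger zone are role-gated.
export const SURFACE_MIN_ROLE: Record<Surface, Role> = {
  billing: "owner",
  danger_zone: "owner",
  integrations: "admin",
  campaigns: "member",
  reports: "viewer",
};

export interface Session { userId: string; }            // from the auth layer
interface Membership { userId: string; workspaceId: string; role: Role; }

// Constructed membership table standing in for the database.
const MEMBERSHIPS: Membership[] = [
  { userId: "u_alice", workspaceId: "ws_acme",   role: "owner" },
  { userId: "u_bob",   workspaceId: "ws_acme",   role: "viewer" },
  { userId: "u_carol", workspaceId: "ws_globex", role: "admin" },
];

export interface WorkspaceContext { userId: string; workspaceId: string; role: Role; }

function forbidden(msg: string): Error {
  const e = new Error(msg);
  e.name = "Forbidden";
  return e;
}

// The single helper every server action passes through. The role comes from
// the membership row, never from the client, and a non-member gets the same
// Forbidden as an under-privileged member so the check leaks nothing.
export function requireWorkspace(session: Session, workspaceId: string, surface: Surface): WorkspaceContext {
  const m = MEMBERSHIPS.find((x) => x.userId === session.userId && x.workspaceId === workspaceId);
  if (!m) throw forbidden("not a member of this workspace");
  if (RANK[m.role] < RANK[SURFACE_MIN_ROLE[surface]]) throw forbidden(`${m.role} may not access ${surface}`);
  return { userId: m.userId, workspaceId: m.workspaceId, role: m.role };
}

// Constructed connection rows for two tenants.
interface Connection { id: string; workspaceId: string; platform: string; }
const CONNECTIONS: Connection[] = [
  { id: "c1", workspaceId: "ws_acme",   platform: "google_ads" },
  { id: "c2", workspaceId: "ws_globex", platform: "meta" },
];

// Example server action: list a workspace's connected ad platforms. The
// filter uses ctx.workspaceId, the value the helper verified, not the raw input.
export function listIntegrations(session: Session, workspaceId: string): string[] {
  const ctx = requireWorkspace(session, workspaceId, "integrations");
  return CONNECTIONS.filter((c) => c.workspaceId === ctx.workspaceId).map((c) => c.platform);
}
```

The v1.1 row-level security policy would re-check the same membership inside Postgres, so a query that bypasses the helper still returns nothing from another tenant; the helper and the policy then fail independently rather than sharing one point of failure.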

MFA support

Time-based one-time password (TOTP) MFA is available through AWS Cognito for any account. It will be required for workspace owners by Day 60 after launch.

Responsible disclosure

Found something concerning? Email security@overads.io. We acknowledge reports within one business day and aim to triage within three.