AdsUp.Pro is built and operated with security-first practices commensurate with the size of our team and the sensitivity of our customers' data. This page summarizes the technical and organizational measures we implement.
1. Encryption
- At rest: all OAuth access and refresh tokens stored in our database are encrypted with AES-256-GCM, using a dedicated 256-bit encryption key managed separately from the data store. Encryption is applied via Prisma middleware at the persistence boundary.
- In transit: all traffic between clients and AdsUp uses TLS 1.2 or higher, with HSTS enforced on production domains. Internal traffic between services within the Coolify-managed Docker network uses isolated, non-public networking.
- Passwords: hashed with bcrypt at an appropriate cost factor.
- Payment data: handled by Stripe and (in Indonesia) Xendit. We never store full card numbers; only tokenized references and last-four digits.
2. Access Control
- Per-business ownership scoping is enforced on every query, so a user can never read or modify another tenant's data via the API.
- Production access is limited to a small number of authorized personnel and protected by SSH key authentication and MFA on supporting accounts.
- The production database is bound to internal network interfaces only; no public PostgreSQL port is exposed to the internet.
- Administrative routes (e.g. /admin/*) require server-side session checks and an explicit role flag.
3. Infrastructure
- Hosting on dedicated Linux VPS infrastructure (Ubuntu 24.04) in the European Union (Frankfurt region).
- Edge protection via Cloudflare (TLS termination, DDoS protection, WAF rules including geo-restriction for Restricted Jurisdictions).
- Application orchestration via self-hosted Coolify with Traefik reverse proxy and isolated Docker networks.
- UFW firewall on the host; only ports 22, 80, 443 (and Coolify management) exposed.
- Automatic security updates for the host OS.
4. Backups & Disaster Recovery
- Daily automated backups of the production database, with point-in-time recovery capability where supported by the hosting provider.
- Backup retention: 35-day rolling window. Customer-deletion requests propagate to backups within this window.
- Recovery time objective (RTO): best-effort 24 hours.
- Recovery point objective (RPO): best-effort 24 hours.
- Backups are encrypted at rest and stored separately from the primary database.
These objectives are commitments of best effort, not contractual SLAs. Enterprise SLAs with stronger guarantees can be negotiated.
5. Application Security
- Server-side input validation on POST/PATCH endpoints using Zod schemas;
- SQL injection prevention via parameterized queries (Prisma);
- CSRF protection via NextAuth cookie configuration and same-site session cookies;
- HMAC signature verification on incoming Meta webhooks (X-Hub-Signature-256);
- Rate limiting on public and resource-intensive endpoints;
- SSRF protection on user-provided webhook URLs (no localhost, link-local, or private addresses);
- Strict avoidance of eval(), Function(), and unsanitized dangerouslySetInnerHTML;
- Secrets never embedded in AI prompts; tokens are referenced internally and scrubbed from logs.
6. Logging, Monitoring & Incident Response
- Centralized error tracking via self-hosted GlitchTip (errors.adsup.pro);
- Automated quality monitoring of AI chat responses every hour;
- Real-time alerting to Telegram on production errors (rate-limited to avoid alert fatigue);
- Incident-response process with documented escalation, customer-communication, and root-cause analysis steps;
- Personal-data-breach notification within 72 hours of awareness, in accordance with GDPR Art. 33 and equivalent obligations.
7. AI Security
- AI providers used under enterprise agreements that prohibit training on Customer Content;
- Tokens, passwords, and full payment data are never sent to AI providers;
- Prompt-injection mitigations including system-prompt isolation, output validation, and tool-call argument validation;
- AI-generated content is presented for human review and approval before any external action;
- Conversational AI is clearly disclosed as AI in compliance with California SB 1001 and EU AI Act transparency requirements.
8. Sub-processor Due Diligence
We select sub-processors who provide adequate guarantees of security under Applicable Data Protection Law and impose contractual obligations no less protective than ours. The current list is at /sub-processors.
9. Vulnerability Disclosure
We welcome reports from security researchers. To report a vulnerability:
- Email security@adsup.pro with detailed reproduction steps.
- Do not exploit the vulnerability beyond what is necessary to demonstrate it.
- Do not access, modify, or delete data belonging to other users.
- Do not perform denial-of-service testing without prior written approval.
We commit to acknowledge reports within 5 business days. We do not currently run a public bug-bounty program; meritorious reports may be eligible for discretionary acknowledgment or bounty.
10. Compliance & Roadmap
- GDPR / UK GDPR / Swiss revFADP / LGPD / UU PDP / CCPA-CPRA: aligned;
- Cyber Liability and Errors & Omissions insurance: planned for Phase 1 of operations;
- SOC 2 Type I / Type II: not yet achieved; targeted as the customer base grows to require it;
- ISO 27001: future consideration.