SignalBench
Security

Built to be audited.
Not whispered about.

Security is not a marketing surface. This page is where we write down what we actually do so that you — and your compliance team, and the ad platforms we work with — can check our work.

Control group

Transport

TLS 1.2+ everywhere

All traffic — public, internal, and webhook — is served over HTTPS with HSTS preloaded.

Automatic cert rotation

Certificates are issued and renewed automatically by the platform. No manual touchpoints.

Control group

Identity

Google OAuth for humans

Account sign-in is delegated to Google. No passwords are stored on our servers.

Scoped OAuth for platforms

Google Ads, Meta Ads, and TikTok Ads integrations use per-user OAuth with minimum required scopes. Tokens are rotatable from each platform at any time.

Short-lived service tokens

Service-to-service calls between our web, API, and worker use short-lived signed tokens. No long-lived API keys in flight.

Control group

Storage

Encrypted at rest

Postgres volumes and object storage are encrypted at rest with platform-managed keys.

Managed secrets

OAuth client secrets, platform API keys, and encryption keys live in Google Cloud Secret Manager with tight IAM bindings.

Isolated environments

Production, staging, and development run on separate projects with separate credentials and separate ad accounts.

Control group

Access

Least-privilege by default

Engineers get the minimum access required to do their job. No standing production admin rights.

Audit logging

Every mutation on a campaign, asset, lead, or account is recorded with actor, timestamp, and diff.

Quarterly review

Roles, service accounts, and third-party integrations are reviewed every quarter and trimmed on the same schedule.

Control group

Operations

Backups with drills

Postgres is backed up continuously with point-in-time recovery. Restore drills are run on a cadence, not left as theory.

Dependency monitoring

Supply-chain vulnerabilities are tracked via automated scanners. Critical issues are patched within 72 hours.

Incident playbook

A written runbook describes the first 60 minutes of any security incident. We publish post-mortems for anything user-visible.

Responsible disclosure

Found something broken? Tell us first.

If you discover a vulnerability, please email security@signalbench.io with a description, reproduction steps, and — if you have one — a proof of concept. We commit to a first acknowledgement within 24 hours and a remediation plan within seven days.

We do not run a cash bounty program yet, but with their permission we gratefully credit researchers in our security acknowledgements.

SignalBench · Tel Aviv · Remote-first
Evidence over opinion. Five days over five months.
© 2026 SignalBench