OnlineAIAds
Security & trust

Built secure from day one.

Security isn't a roadmap item for OnlineAIAds— it's a starting condition. Here's exactly how we protect your data, who can see it, and what happens when something goes wrong.

TL;DR

We never sell your data. We use TLS 1.2+, encryption at rest, parameterized queries (no SQL injection), a 10-layer defense chain on every form, full audit logging, and we honor GDPR and CCPA rights for every user regardless of where they live.

10-layer request defense on every form

Every state-changing API request runs through ten independent checks before reaching the database: content-type, body size cap, origin allowlist, per-IP + global rate limit, JSON parse, strict schema validation, disposable-email block, honeypot, time-trap, and CAPTCHA when configured. A single failed check rejects the request and writes an audit row.

SQL injection is impossible by design

We use Drizzle ORM exclusively for database access. Every query is parameterized — there is no path from user input to raw SQL anywhere in the codebase.

TLS 1.2+ in transit, encryption at rest

All traffic to and from our domains uses TLS 1.2 or higher with strict transport security (HSTS) enabled. Sensitive fields and provider credentials are encrypted at rest in our Postgres database.

Secrets never touch the codebase

API keys, OAuth tokens, and database credentials live in environment variables on the hosting platform. They are never committed to source control. Our git history is scanned regularly to confirm this.

Audit log on every rejected request

When a defense layer rejects a request, we write a row to a security_events table recording the event type, IP, country, and user agent. We review patterns weekly and adjust thresholds. Logs are retained for 90 days.

Defense headers on every page

HSTS (2-year, includeSubDomains, preload), X-Frame-Options DENY (anti-clickjacking), X-Content-Type-Options nosniff, strict Content-Security-Policy with an explicit allowlist for tracker domains, restrictive Permissions-Policy. No X-Powered-By header is sent.

How your data is handled

Where it's stored

All customer data is stored in the United States on infrastructure provided by Neon (managed Postgres) and Vercel (hosting and CDN). If you use OnlineAIAds from the EU or UK, data is transferred to the US under standard contractual safeguards.

Who can access it

Access to production data is restricted to a small set of team members under principle of least privilege. We do not allow customer support to view your campaign data unless you explicitly grant access in a support session.

What we never do

We do not sell your data. We do not rent it. We do not share it with advertisers, data brokers, or any third party except the small set of service providers we need to actually run the product. We do not train our AI models on your campaign data, ad copy, or briefs without your explicit opt-in.

Compliance posture

We honor GDPR and CCPA rights for every user regardless of location. That means you can request access, correction, deletion, or export of your data anytime by emailing hello@onlineaiads.com. We typically respond within 24 hours.

We are a small team and do not currently hold SOC 2 or ISO 27001 certifications. As we scale and customer needs evolve we plan to pursue these. In the meantime, our actual security architecture is documented in detail above and in our Privacy Policy.

Sub-processors

These are the only third parties we share data with. Each is engaged for a specific purpose and is contractually required to protect data only for that purpose. See our Privacy Policy for the full breakdown.

  • Stripe
    Payments and subscription management
  • Clerk
    User authentication (when product launches)
  • Neon
    Managed Postgres database (US region)
  • Vercel
    Web hosting and CDN
  • Microsoft Clarity
    Anonymous session analytics
  • OpenAI
    AI ad copy generation via API

Found a security issue?

Please report it to hello@onlineaiads.com with the subject line "Security report." We acknowledge reports within within 24 hours, US business days. Please do not disclose the issue publicly until we've had a reasonable opportunity to investigate and fix.