Built secure from day one.
Security isn't a roadmap item for OnlineAIAds— it's a starting condition. Here's exactly how we protect your data, who can see it, and what happens when something goes wrong.
We never sell your data. We use TLS 1.2+, encryption at rest, parameterized queries (no SQL injection), a 10-layer defense chain on every form, full audit logging, and we honor GDPR and CCPA rights for every user regardless of where they live.
10-layer request defense on every form
Every state-changing API request runs through ten independent checks before reaching the database: content-type, body size cap, origin allowlist, per-IP + global rate limit, JSON parse, strict schema validation, disposable-email block, honeypot, time-trap, and CAPTCHA when configured. A single failed check rejects the request and writes an audit row.
SQL injection is impossible by design
We use Drizzle ORM exclusively for database access. Every query is parameterized — there is no path from user input to raw SQL anywhere in the codebase.
TLS 1.2+ in transit, encryption at rest
All traffic to and from our domains uses TLS 1.2 or higher with strict transport security (HSTS) enabled. Sensitive fields and provider credentials are encrypted at rest in our Postgres database.
Secrets never touch the codebase
API keys, OAuth tokens, and database credentials live in environment variables on the hosting platform. They are never committed to source control. Our git history is scanned regularly to confirm this.
Audit log on every rejected request
When a defense layer rejects a request, we write a row to a security_events table recording the event type, IP, country, and user agent. We review patterns weekly and adjust thresholds. Logs are retained for 90 days.
Defense headers on every page
HSTS (2-year, includeSubDomains, preload), X-Frame-Options DENY (anti-clickjacking), X-Content-Type-Options nosniff, strict Content-Security-Policy with an explicit allowlist for tracker domains, restrictive Permissions-Policy. No X-Powered-By header is sent.
How your data is handled
All customer data is stored in the United States on infrastructure provided by Neon (managed Postgres) and Vercel (hosting and CDN). If you use OnlineAIAds from the EU or UK, data is transferred to the US under standard contractual safeguards.
Access to production data is restricted to a small set of team members under principle of least privilege. We do not allow customer support to view your campaign data unless you explicitly grant access in a support session.
We do not sell your data. We do not rent it. We do not share it with advertisers, data brokers, or any third party except the small set of service providers we need to actually run the product. We do not train our AI models on your campaign data, ad copy, or briefs without your explicit opt-in.
Compliance posture
We honor GDPR and CCPA rights for every user regardless of location. That means you can request access, correction, deletion, or export of your data anytime by emailing hello@onlineaiads.com. We typically respond within 24 hours.
We are a small team and do not currently hold SOC 2 or ISO 27001 certifications. As we scale and customer needs evolve we plan to pursue these. In the meantime, our actual security architecture is documented in detail above and in our Privacy Policy.
Sub-processors
These are the only third parties we share data with. Each is engaged for a specific purpose and is contractually required to protect data only for that purpose. See our Privacy Policy for the full breakdown.
- StripePayments and subscription management
- ClerkUser authentication (when product launches)
- NeonManaged Postgres database (US region)
- VercelWeb hosting and CDN
- Microsoft ClarityAnonymous session analytics
- OpenAIAI ad copy generation via API
Found a security issue?
Please report it to hello@onlineaiads.com with the subject line "Security report." We acknowledge reports within within 24 hours, US business days. Please do not disclose the issue publicly until we've had a reasonable opportunity to investigate and fix.