AdMind connects to your advertising data with the strictest security standards — read-only access, end-to-end encryption, and multi-tenant isolation baked into every layer of the architecture.
DATA PROTECTION
Six security principles built into every layer — from the database to the API to the browser.
All OAuth tokens and credentials are encrypted at rest using AES-256-GCM before being written to the database. Keys are never stored alongside data. In transit, everything runs over TLS 1.3.
AdMind connects to your ad platforms with read-only OAuth scopes. We cannot create, modify, or delete campaigns, budgets, or any platform resource without an explicit future write-back feature you opt into.
We never ask for or store your platform passwords. Authentication is handled entirely through official OAuth 2.0 flows with Google and Meta. Tokens can be revoked from your platform settings at any time.
Every database query is scoped to a workspaceId and adAccountId. It is architecturally impossible for one workspace's data to appear in another's. Isolation is enforced at the query layer, not just the UI.
No platform usernames, passwords, or API keys are ever stored. Only encrypted OAuth access tokens are persisted — and only the tokens required for the read-only scopes you explicitly authorised.
All OAuth flows are protected by cryptographically random state tokens validated on callback. HttpOnly, SameSite cookies prevent cross-site request forgery throughout the authentication lifecycle.
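One way to enforce the query-layer isolation described above, shown as an added JavaScript example that is not AdMind's code. The `scopedSelect` helper, the table names and the snake_case column names are assumptions made for illustration.

```javascript
// Added illustration, not AdMind's code. Table and column names are assumed.
const ALLOWED_TABLES = new Set(["campaign_metrics", "ad_group_metrics"]);
const SCOPE_COLUMNS = ["workspace_id", "ad_account_id"];
const IDENT = /^[a-z_][a-z0-9_]*$/;

// Build a parameterized SELECT that is always bound to one tenant scope.
// `scope` must come from the authenticated session, never from request input.
function scopedSelect(scope, table, columns, filters = {}) {
  const { workspaceId, adAccountId } = scope || {};
  for (const [name, value] of [["workspaceId", workspaceId], ["adAccountId", adAccountId]]) {
    if (typeof value !== "string" || value === "") {
      throw new Error("missing tenant scope: " + name);
    }
  }
  if (!ALLOWED_TABLES.has(table)) throw new Error("table not allowed: " + table);
  if (!Array.isArray(columns) || columns.length === 0) throw new Error("no columns selected");

  const filterCols = Object.keys(filters);
  for (const col of [...columns, ...filterCols]) {
    // Identifiers cannot be bound as parameters, so they are checked strictly.
    if (!IDENT.test(col)) throw new Error("bad column name: " + col);
  }
  for (const col of filterCols) {
    // Callers may narrow a query but never restate or override the scope.
    if (SCOPE_COLUMNS.includes(col)) throw new Error("filters may not set " + col);
  }

  // Scope predicates always come first and are bound as $1 and $2.
  const values = [workspaceId, adAccountId];
  const where = ["workspace_id = $1", "ad_account_id = $2"];
  for (const col of filterCols) {
    values.push(filters[col]);
    where.push(`${col} = $${values.length}`);
  }
  const text = `SELECT ${columns.join(", ")} FROM ${table} WHERE ${where.join(" AND ")}`;
  return { text, values };
}

// Constructed sample call: one workspace narrowing to a single campaign.
function demoQuery() {
  return scopedSelect(
    { workspaceId: "ws_demo_1", adAccountId: "acct_demo_9" },
    "campaign_metrics",
    ["date", "clicks"],
    { campaign_id: "cmp_42" }
  );
}
```

If every read goes through a helper like this, a handler that omits the scope fails with an error instead of returning rows from another workspace.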
AI & DATA
AI analysis is performed on aggregated performance metrics only. Credentials, identifiers, and audience data never leave your account.
No AI training on your data. AdMind uses Anthropic's Claude API. Under Anthropic's API usage policy, API inputs and outputs are not used to train models. Your campaign data is never used to improve AI models.
INFRASTRUCTURE
Built on best-in-class cloud infrastructure providers, each with industry-standard security certifications.
Application deployed on Vercel's global edge network with automatic HTTPS, DDoS mitigation, and zero-downtime deployments. SOC 2 Type II certified.
Database hosted on DigitalOcean Managed PostgreSQL with encryption at rest, automated daily backups, and private networking between application and database.
Async sync jobs processed via Inngest's durable function platform. Each sync stage runs in an isolated Vercel invocation with its own 5-minute timeout budget.
All traffic routes through Cloudflare's network for DNS resolution, DDoS protection, and SSL termination before reaching Vercel's edge.
PLATFORM CONNECTIONS
You authorise AdMind through the official OAuth consent screen on Google or Meta. We never see your login credentials — only the access token the platform issues.
Google Ads: adwords (read-only metrics). Meta: ads_read and read_insights only. We request the narrowest scopes possible to perform analytics.
Access tokens are immediately encrypted with AES-256-GCM before storage. The encryption key is separate from the database and rotated periodically.
Disconnect any account from AdMind Settings, or revoke access directly in your Google or Meta account settings. Disconnecting deletes all synced data for that account.
COMPLIANCE & YOUR RIGHTS
AdMind handles advertising performance data — not personal data of your customers. We have no access to, and do not process, the personal information of your ad platform's end users.
Users have the right to access, correct, or delete their data at any time. Disconnecting an ad account from Settings triggers immediate deletion of all associated synced data.
We do not sell, share, or rent user data to any third party for commercial purposes. Ad metrics synced to AdMind are used exclusively to provide the AdMind service.
We sync only the campaign metrics required to power the analytics features. Raw ad creative content, audience lists, and customer data from your platforms are never accessed.
When you delete your AdMind account, all workspace data, including every synced metric, analysis, and recommendation, is permanently purged within 30 days.
We use Vercel (hosting), DigitalOcean (database), Inngest (jobs), and Anthropic (AI). Each processes only the minimum data required for its function.
Application and database are hosted in US-East data centres. If you require EU data residency, contact us — this is on our roadmap for enterprise customers.
TECHNOLOGY STACK
Every component in the AdMind stack is open-source, auditable, and widely adopted in production at scale.
We're happy to answer technical due diligence questions or walk through our security architecture in detail.