Security Policy

Last Updated: December 10, 2025

At ChatAds, security isn’t an afterthought—it’s foundational to everything we build. We understand that when you integrate our platform into your AI applications, you’re trusting us with your business. Here’s how we earn that trust.

Infrastructure Security

Our infrastructure is built on enterprise-grade cloud platforms with security at every layer:

  • Encryption Everywhere: All data is encrypted in transit using TLS 1.3 and at rest using AES-256 encryption
  • Isolated Environments: Production, staging, and development environments are strictly separated with unique credentials
  • Access Controls: Role-based access control (RBAC) with multi-factor authentication required for all team members
  • Network Security: Firewalls, intrusion detection, and DDoS protection safeguard our infrastructure
  • Continuous Monitoring: 24/7 automated monitoring for security threats and anomalies
  • Secrets Management: Credentials are supplied to services as environment variables at runtime and are never committed to source code

Payment Security

We take payment security seriously and follow industry best practices:

  • PCI DSS Compliant: Our servers never store, process, or transmit card data; card handling is delegated entirely to our payment processor, which keeps our own systems out of cardholder-data scope
  • Secure Payment Processing: All payments are handled through Stripe, a PCI Level 1 certified provider
  • Stripe Elements: Payment information is collected using Stripe Elements loaded directly from Stripe’s CDN—card numbers never touch our systems
  • Strong Customer Authentication: Full support for 3D Secure and SCA requirements for European customers
  • Masked Information: Only the last four digits of payment cards are ever displayed
  • Card Expiration Handling: Proactive notifications before cards expire to prevent service interruption

Data Protection

Your data deserves the highest level of protection:

  • Row-Level Security (RLS): Our database enforces tenant isolation at the query level, so every query is scoped to your account and cannot read or modify another customer’s rows
  • Minimal Data Collection: We only collect what’s necessary to provide our service
  • No Data Selling: We never sell, rent, or trade your personal information
  • Secure Backups: Encrypted database backups with strict access controls
  • Data Retention: Clear policies for data retention and secure deletion upon request
  • Data Export: You can export your data at any time via your account settings

API Security

Every API request is secured:

  • API Key Authentication: Unique, cryptographically secure API keys for each team
  • Webhook Signature Verification: All webhook payloads are cryptographically signed and verified to prevent tampering
  • Idempotent Operations: Critical operations are designed to handle retries safely without duplicate processing
  • Rate Limiting: Intelligent rate limiting protects against abuse and ensures fair usage
  • HTTPS Only: All API endpoints require encrypted connections—HTTP requests are rejected
  • Input Validation: Strict validation on all inputs to prevent injection attacks
  • Error Message Safety: Error responses are designed to be helpful without revealing internal system details
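
As an added illustration of the webhook signature verification and replay protection described in this list (example code, not ChatAds’ published scheme or SDK), the following Python verifies an HMAC-SHA256 signature over the raw request body before the event is trusted. The header name `X-Webhook-Signature`, the `t=<unix time>,v1=<hex digest>` format and the signing string `<timestamp>.<raw body>` are assumptions modelled on common webhook signing conventions; the sample secret and event are constructed. Check the integration documentation for the actual header and secret.

```python
import hashlib
import hmac
import json
import time
from typing import Dict, List, Optional, Tuple

# Assumed header name and format; the real integration may differ.
SIGNATURE_HEADER = "X-Webhook-Signature"
TOLERANCE_SECONDS = 300  # reject deliveries whose timestamp is more than 5 minutes off


def sign_payload(secret: str, timestamp: int, raw_body: bytes) -> str:
    """Build the header value a sender would attach (used here to construct test input)."""
    signed = f"{timestamp}.".encode() + raw_body
    digest = hmac.new(secret.encode(), signed, hashlib.sha256).hexdigest()
    return f"t={timestamp},v1={digest}"


def parse_signature_header(value: str) -> Tuple[int, List[str]]:
    """Split 't=<unix>,v1=<hex>[,v1=<hex>]' into the timestamp and candidate digests.

    Several v1 digests are accepted so a secret can be rotated without dropping
    deliveries still signed under the previous secret.
    """
    timestamp: Optional[int] = None
    digests: List[str] = []
    for part in value.split(","):
        key, _, val = part.strip().partition("=")
        if key == "t":
            timestamp = int(val)
        elif key == "v1":
            digests.append(val)
    if timestamp is None or not digests:
        raise ValueError("malformed signature header")
    return timestamp, digests


def verify_webhook(secret: str, headers: Dict[str, str], raw_body: bytes,
                   now: Optional[int] = None) -> dict:
    """Return the decoded event if the signature is valid and fresh; raise ValueError otherwise."""
    now = int(time.time()) if now is None else now
    header = headers.get(SIGNATURE_HEADER)
    if header is None:
        raise ValueError("missing signature header")
    timestamp, digests = parse_signature_header(header)
    # Freshness check: a captured delivery cannot be replayed once the window closes.
    if abs(now - timestamp) > TOLERANCE_SECONDS:
        raise ValueError("timestamp outside tolerance window")
    # Sign exactly the bytes received; re-serialising the JSON would change the digest.
    expected = hmac.new(secret.encode(), f"{timestamp}.".encode() + raw_body,
                        hashlib.sha256).hexdigest()
    # compare_digest runs in constant time, so response timing does not reveal
    # how many leading bytes of a guessed digest were correct.
    if not any(hmac.compare_digest(expected, d) for d in digests):
        raise ValueError("signature mismatch")
    return json.loads(raw_body)


if __name__ == "__main__":
    # Constructed sample delivery; the secret and event are not real.
    secret = "whsec_example_secret"
    body = b'{"id":"evt_123","type":"invoice.paid","amount_cents":1200}'
    ts = 1_700_000_000
    headers = {SIGNATURE_HEADER: sign_payload(secret, ts, body)}
    print(verify_webhook(secret, headers, body, now=ts + 10)["type"])
    for label, bad_body, bad_now in (("tampered body", body.replace(b"1200", b"12"), ts + 10),
                                     ("stale delivery", body, ts + 3600)):
        try:
            verify_webhook(secret, headers, bad_body, now=bad_now)
        except ValueError as exc:
            print(f"{label}: rejected ({exc})")
```

Two details matter in practice: verify the raw bytes the web framework received rather than a re-serialised JSON object, and compare digests with `hmac.compare_digest` rather than `==`. The timestamp window only bounds replay; pairing it with idempotent handling of event IDs closes the remaining gap.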

Transaction Integrity

We ensure your billing data is always accurate:

  • Atomic Transactions: Billing operations use database transactions to prevent partial updates
  • Duplicate Prevention: Idempotency keys prevent accidental double-charges
  • Audit Logging: Every billing event is logged with timestamps and user context
  • State Consistency: Automated reconciliation ensures local data matches payment provider records
  • Graceful Failure Handling: If a charge fails, the system safely recovers without data loss
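
As an added example of the atomic-transaction, idempotency-key and failure-recovery pattern this list describes (illustration only, not ChatAds’ billing implementation), the following Python records a charge in an in-memory SQLite database. The schema, the `charge_once` function and the simulated provider call `fake_provider_charge` are assumptions; SQLite stands in for the production database.

```python
import json
import sqlite3

# Assumed schema standing in for the production billing tables.
SCHEMA = """
CREATE TABLE balances (account TEXT PRIMARY KEY, owed_cents INTEGER NOT NULL);
CREATE TABLE ledger (id INTEGER PRIMARY KEY, account TEXT NOT NULL,
                     amount_cents INTEGER NOT NULL, provider_ref TEXT NOT NULL);
CREATE TABLE idempotency_keys (key TEXT PRIMARY KEY, response TEXT NOT NULL);
"""


class ProviderError(Exception):
    """Raised when the (simulated) payment provider declines a charge."""


def fake_provider_charge(account: str, amount_cents: int, fail: bool = False) -> str:
    """Stand-in for the payment provider call; returns a charge reference (assumption)."""
    if fail:
        raise ProviderError("card_declined")
    return f"ch_{account}_{amount_cents}"


def open_db() -> sqlite3.Connection:
    # isolation_level=None hands transaction control to the explicit BEGIN/COMMIT below.
    conn = sqlite3.connect(":memory:", isolation_level=None)
    conn.executescript(SCHEMA)
    return conn


def _stored_response(conn: sqlite3.Connection, key: str):
    row = conn.execute("SELECT response FROM idempotency_keys WHERE key = ?", (key,)).fetchone()
    return json.loads(row[0]) if row else None


def charge_once(conn: sqlite3.Connection, key: str, account: str,
                amount_cents: int, fail: bool = False) -> dict:
    """Apply a charge at most once per idempotency key.

    A retry with the same key returns the stored response without charging again;
    a provider failure rolls back every write made in this call.
    """
    cached = _stored_response(conn, key)
    if cached is not None:
        return cached
    conn.execute("BEGIN IMMEDIATE")  # write lock: concurrent retries serialise here
    try:
        cached = _stored_response(conn, key)  # re-check under the lock
        if cached is not None:
            conn.execute("ROLLBACK")
            return cached
        conn.execute("INSERT OR IGNORE INTO balances VALUES (?, 0)", (account,))
        conn.execute("UPDATE balances SET owed_cents = owed_cents + ? WHERE account = ?",
                     (amount_cents, account))
        provider_ref = fake_provider_charge(account, amount_cents, fail=fail)
        conn.execute("INSERT INTO ledger (account, amount_cents, provider_ref) VALUES (?, ?, ?)",
                     (account, amount_cents, provider_ref))
        response = {"status": "charged", "provider_ref": provider_ref}
        conn.execute("INSERT INTO idempotency_keys VALUES (?, ?)", (key, json.dumps(response)))
        conn.execute("COMMIT")
        return response
    except Exception:
        conn.execute("ROLLBACK")  # undoes the balance update, so nothing is half-applied
        raise


def owed(conn: sqlite3.Connection, account: str) -> int:
    row = conn.execute("SELECT owed_cents FROM balances WHERE account = ?", (account,)).fetchone()
    return row[0] if row else 0


def ledger_count(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM ledger").fetchone()[0]


if __name__ == "__main__":
    db = open_db()
    print(charge_once(db, "idem-1", "acct_a", 1200))  # first delivery: charges
    print(charge_once(db, "idem-1", "acct_a", 1200))  # retry: same response, no second charge
    try:
        charge_once(db, "idem-2", "acct_a", 500, fail=True)
    except ProviderError as exc:
        print("declined:", exc)
    print(owed(db, "acct_a"), ledger_count(db))  # 1200 1: the failed attempt left no trace
```

The provider call is the one step the database transaction cannot roll back, which is why reconciliation against the provider’s records is still needed. In practice the same idempotency key is also sent to the provider (Stripe accepts one in an `Idempotency-Key` request header), so a retry after a crash between the charge and the commit returns the original charge instead of creating a second one.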

Fraud Prevention

We actively monitor and prevent fraudulent activity:

  • Real-Time Monitoring: Automated systems detect unusual patterns and suspicious behavior
  • Velocity Checks: Protection against card testing and rapid-fire abuse attempts
  • Dispute Handling: Established procedures for investigating and responding to payment disputes
  • Account Protection: Multiple layers of defense against unauthorized access and privilege escalation
  • Authorization Checks: Every request verifies both authentication AND authorization—users cannot access other accounts’ data

Incident Response

We’re prepared for the unexpected:

  • Dedicated Response Team: Trained personnel ready to respond to security incidents
  • Established Procedures: Documented processes for detecting, containing, and recovering from incidents
  • Transparent Communication: We notify affected customers promptly if a security incident occurs
  • Continuous Improvement: Post-incident reviews drive ongoing security enhancements
  • Runbooks: Documented procedures for common security scenarios

Compliance & Standards

Our security practices align with industry standards:

  • GDPR Compliant: Full compliance with European data protection regulations, including data export and deletion rights
  • CCPA Compliant: California Consumer Privacy Act compliance for US users
  • SOC 2 Type II: Audit in progress; we are working toward a Type II attestation report
  • Regular Audits: Internal and external security assessments
  • Sequential Invoice Numbering: Compliant invoice generation for EU requirements
  • Data Retention Compliance: Financial records retained as required by tax regulations

Responsible Disclosure

We value the security research community. If you discover a security vulnerability, please report it responsibly:

Email: security@getchatads.com

We commit to:

  • Acknowledging receipt within 48 hours
  • Providing regular updates on our investigation
  • Not pursuing legal action against good-faith researchers
  • Crediting researchers who help us improve (with permission)

Your Role in Security

Security is a shared responsibility. Help keep your account secure:

  • Protect Your API Keys: Never expose API keys in client-side code or public repositories
  • Use Strong Passwords and MFA: Choose a unique, strong password and enable multi-factor authentication on your account
  • Monitor Usage: Regularly review your usage logs for unexpected activity
  • Stay Updated: Keep your integrations up to date with our latest SDK versions
  • Report Suspicious Activity: Contact us immediately if you notice unauthorized access

Questions?

Have questions about our security practices? We’re happy to discuss them.

Email: chris@getchatads.com

For detailed information about how we handle your data, see our Privacy Policy.


ChatAds is committed to maintaining the highest security standards. We continuously evaluate and improve our security posture to protect your data.