§ 14 · Controls register

Built to be
audited, not
whispered about.

Security is not a marketing surface. This page is where we write down what we actually do so that you — and your compliance team, and the advertising platforms we work with — can check our work.

§ 15

Transport

TLS 1.2+ everywhere

All traffic — public, internal, and webhook — is served over HTTPS with HSTS preloaded.

Automatic cert rotation

Certificates are issued and renewed automatically by the platform. No manual touchpoints.

§ 16

Identity

Google OAuth for humans

Account sign-in is delegated to Google. No passwords are stored on our servers.

Scoped OAuth for platforms

Google Ads, Meta Ads, and TikTok Ads integrations use per-user OAuth with minimum required scopes. Tokens are rotatable from each platform at any time.

Short-lived service tokens

Service-to-service calls between our web, API, and worker use short-lived signed tokens. No long-lived API keys in flight.

§ 17

Storage

Encrypted at rest

Postgres volumes and object storage are encrypted at rest with platform-managed keys.

Managed secrets

OAuth client secrets, platform API keys, and encryption keys live in Google Cloud Secret Manager with tight IAM bindings.

Isolated environments

Production, staging, and development run on separate projects with separate credentials and separate ad accounts.

§ 18

Access

Least-privilege by default

Engineers get the minimum access required to do their job. No standing production admin rights.

Audit logging

Every mutation on a campaign, asset, lead, or account is recorded with actor, timestamp, and diff.

Quarterly review

Roles, service accounts, and third-party integrations are reviewed every quarter and trimmed on the same schedule.

§ 19

Operations

Backups with drills

Postgres is backed up continuously with point-in-time recovery. Restore drills are run on a cadence, not left as theory.

Dependency monitoring

Supply-chain vulnerabilities are tracked via automated scanners. Critical issues are patched within 72 hours.

Incident playbook

A written runbook describes the first 60 minutes of any security incident. We publish post-mortems for anything user-visible.

§ 20

Responsible disclosure

Found something broken? Tell us first.

If you discover a vulnerability, please email security@signalbench.io with a description, reproduction steps, and — if you have one — a proof of concept. We commit to a first acknowledgement within 24 hours and a remediation plan within seven days.

We do not run a cash bounty program yet but we gratefully credit researchers in our security acknowledgements with their permission.

§ 14 · Controls register

Built to be
audited, not
whispered about.

Security is not a marketing surface. This page is where we write down what we actually do so that you — and your compliance team, and the advertising platforms we work with — can check our work.

§ 15

Transport

TLS 1.2+ everywhere

All traffic — public, internal, and webhook — is served over HTTPS with HSTS preloaded.

Automatic cert rotation

Certificates are issued and renewed automatically by the platform. No manual touchpoints.

§ 16

Identity

Google OAuth for humans

Account sign-in is delegated to Google. No passwords are stored on our servers.

Scoped OAuth for platforms

Google Ads, Meta Ads, and TikTok Ads integrations use per-user OAuth with minimum required scopes. Tokens are rotatable from each platform at any time.

Short-lived service tokens

Service-to-service calls between our web, API, and worker use short-lived signed tokens. No long-lived API keys in flight.

§ 17

Storage

Encrypted at rest

Postgres volumes and object storage are encrypted at rest with platform-managed keys.

Managed secrets

OAuth client secrets, platform API keys, and encryption keys live in Google Cloud Secret Manager with tight IAM bindings.

Isolated environments

Production, staging, and development run on separate projects with separate credentials and separate ad accounts.

§ 18

Access

Least-privilege by default

Engineers get the minimum access required to do their job. No standing production admin rights.

Audit logging

Every mutation on a campaign, asset, lead, or account is recorded with actor, timestamp, and diff.

Quarterly review

Roles, service accounts, and third-party integrations are reviewed every quarter and trimmed on the same schedule.

§ 19

Operations

Backups with drills

Postgres is backed up continuously with point-in-time recovery. Restore drills are run on a cadence, not left as theory.

Dependency monitoring

Supply-chain vulnerabilities are tracked via automated scanners. Critical issues are patched within 72 hours.

Incident playbook

A written runbook describes the first 60 minutes of any security incident. We publish post-mortems for anything user-visible.

§ 20

Responsible disclosure

Found something broken? Tell us first.

We do not run a cash bounty program yet but we gratefully credit researchers in our security acknowledgements with their permission.

Built to beaudited, notwhispered about.

Transport

TLS 1.2+ everywhere

Automatic cert rotation

Identity

Google OAuth for humans

Scoped OAuth for platforms

Short-lived service tokens

Storage

Encrypted at rest

Managed secrets

Isolated environments

Access

Least-privilege by default

Audit logging

Quarterly review

Operations

Backups with drills

Dependency monitoring

Incident playbook

Responsible disclosure

Built to beaudited, notwhispered about.

Transport

TLS 1.2+ everywhere

Automatic cert rotation

Identity

Google OAuth for humans

Scoped OAuth for platforms

Short-lived service tokens

Storage

Encrypted at rest

Managed secrets

Isolated environments

Access

Least-privilege by default

Audit logging

Quarterly review

Operations

Backups with drills

Dependency monitoring

Incident playbook

Responsible disclosure

Built to be
audited, not
whispered about.

Built to be
audited, not
whispered about.