All client data is logically segregated on a per-profile and per-team basis at both the application and database layer.
Every database query is scoped by an internal profile and team ID, meaning queries cannot return data belonging to another client.
Your data is only accessible to your authenticated users, any partners or agencies you have explicitly granted access to, and AdLabs staff under our least-privilege access policy.
In transit: TLS 1.2+ for all client-facing endpoints (web app, API, MCP server). All internal service-to-service traffic stays within our private VPC.
At rest: All databases, object storage, caches, and backups are encrypted using AES-256 with AWS KMS-managed keys. Secrets such as API tokens and OAuth refresh tokens are stored in AWS Secrets Manager and are never exposed to the frontend or to other tenants.
AdLabs is an officially audited Amazon Advertising and SP-API solution provider. Our most recent Amazon Developer Data Security Assessment was conducted by PwC and passed in December 2025.
AdLabs staff access to internal admin tooling requires multi-factor authentication (TOTP-based MFA). Access to AWS infrastructure requires MFA on all IAM users, and direct database access in production is restricted to a small named group of engineers. All access is audited.
All production data is stored and processed in AWS us-east-2 (Ohio, USA). Backups are retained within the same region under the same encryption controls.
AdLabs operates AWS CloudTrail across our environment for operational and risk auditing. Logs are retained, integrity-protected, and available for incident investigation.
AdLabs commits to notifying affected customers of any confirmed security incident within 48 hours of confirmation, with follow-up reports as the investigation progresses.
Upon written offboarding request, AdLabs will revoke all OAuth tokens, deactivate user access, and delete client data from production systems within 30 days. Encrypted backups containing residual data age out per our standard rotation (30 days), after which all copies are destroyed. Written confirmation of deletion is available on request.
Sub-processor | Purpose |
|---|---|
Amazon Web Services (AWS) | Hosting, compute, storage, database, encryption |
Google Cloud (Firebase) | User authentication and MFA |
Stripe | Billing and subscription management |
Sentry | Application error monitoring |
Gleap | In-app support and feedback |
For a detailed security questionnaire response or additional compliance documentation, please contact us at Team@AdLabs.App
