Security
Last updated: 19 May 2026
AdsIQ connects to the accounts you use to run your business — ad platforms, ecommerce platforms, and analytics tools. The data you trust us with is sensitive, and we treat it that way. This page describes how we protect it.
Infrastructure
Encryption
- In transit — all data exchanged with the Service is encrypted using TLS 1.2 or higher.
- At rest — all persistent storage uses AES-256 encryption via Google Cloud's managed keys.
- Tokens — third-party access tokens are stored encrypted at rest. Tokens are never logged in plaintext.
- Sessions — JWT-based session tokens are delivered via httpOnly, Secure, SameSite cookies.
Access controls
- Customer access — role-based access controls within your AdsIQ organization. Admins can grant or revoke access at the brand and feature level. AdsIQ end users sign in via Google OAuth or magic-link email; there are no end-user passwords.
- Account lockout — user accounts are locked after ten (10) consecutive failed login attempts and require an out-of-band reset.
- Internal access — production data access is restricted to a small number of named engineers, gated by SSO with mandatory two-factor authentication. Access is reviewed at least quarterly.
- Personnel offboarding — access for terminated personnel or contractors is revoked within 24 hours of termination across all production systems, cloud IAM, source control, and third-party tooling.
- Audit logging — administrative actions, integrations granted or revoked, and data exports are logged to a tamper-evident audit trail. Security-relevant events are retained for at least 12 months.
Vulnerability management
- Continuous scanning — production dependencies are scanned on every push via GitHub Dependabot and pip-audit; container images are scanned on each build by Google Artifact Registry's vulnerability scanner. Scanning cadence is well within Amazon SP-API DPP §2.7's "at least every 30 days" requirement.
- Remediation SLAs — critical-severity vulnerabilities are remediated within 7 days; high-severity vulnerabilities within 30 days.
- Penetration testing — independent third-party penetration testing is conducted at least every 365 days.
- Anti-malware — endpoint anti-malware with auto-updating definitions is deployed on all workstations and servers with production access.
Data retention and deletion
- You may request deletion of your account at any time. We complete deletion within 30 days of a verified request, except where retention is required by law (e.g., billing records).
- You may revoke any connected-platform integration at any time through your account settings or through the platform's permissions page. Revocation stops further data syncs.
- Aggregated, anonymized analytics may be retained indefinitely for Service improvement.
- Non-PII data is retained for no longer than 18 months unless retention is legally required (Amazon SP-API DPP §1.7).
Amazon Selling Partner data
AdsIQ is a registered Amazon Selling Partner API (SP-API) public developer application operated by Excite Foundry Ltd, and we handle all connected Amazon Selling Partner data in accordance with Amazon's Data Protection Policy (DPP) for developers. The Amazon data we ingest — limited to the Brand Analytics, Inventory and Order Tracking, Selling Partner Insights, and Finance and Accounting roles — is used solely for the stated purpose of the application: advertising performance attribution, true-ROAS calculation, and search-query insights for the seller who authorised the connection. AdsIQ does not request PII-restricted roles and does not store buyer-identifying information (buyer name, address, email, or phone). All Amazon data is encrypted in transit using TLS 1.2 or higher, and encrypted at rest in Cloud SQL (PostgreSQL) using Google-managed KMS keys. Aggregated reporting data is retained for a rolling 90-day window to power historical comparisons; when a seller revokes authorisation, all associated raw and aggregate records are purged within 7 days.
AdsIQ's controls are designed to meet the requirements of the Amazon Selling Partner API Data Protection Policy.
Asset inventory & sub-processor governance
- Asset inventory — we maintain an inventory of systems that store, process, or transmit Amazon Information, and update it at least quarterly (DPP §2.3).
- Sub-processor risk assessments — sub-processors are assessed at least annually for security posture and confirmed to maintain controls at least as strict as our own (Amazon SP-API Acceptable Use Policy §4.7). The current list is published at ads-iq.com/subprocessors.
- API credential rotation — application API keys and LWA client secrets are rotated at minimum every 12 months (DPP §1.4).
- Annual senior-management risk review — Excite Foundry Ltd's senior management reviews the information security risk assessment annually (DPP §1.6).
Vulnerability disclosure
If you believe you've discovered a security vulnerability in AdsIQ, please email security@ads-iq.com with a description, steps to reproduce, and any proof-of-concept. We will acknowledge receipt within two business days and provide a status update within seven business days. We ask that you give us a reasonable opportunity to remediate before any public disclosure.
Incident response
We maintain a documented Security Incident Response Plan reviewed at least every six (6) months. In the event of a confirmed or reasonably suspected security incident affecting customer data or Amazon Information, we will:
- Contain the incident, rotate affected credentials, and preserve evidence.
- Notify Amazon within 24 hours (via security@amazon.com) of any Security Incident affecting Amazon Information, per Amazon SP-API DPP §1.6.
- Notify the UK ICO within 72 hours where the breach is likely to result in a risk to the rights and freedoms of data subjects, per UK GDPR Article 33.
- Notify affected customers and data subjects without undue delay and within timeframes required by applicable law.
- Produce a post-incident summary including root cause and remediation steps within 5 business days of closure.
An Incident Management Point of Contact (IMPOC) is designated and maintained per DPP §1.6.
Contact
Security questions: security@ads-iq.com
Privacy questions: privacy@ads-iq.com
General contact: hello@ads-iq.com
AdsIQ is operated by Excite Foundry Ltd, a company registered in England and Wales. Registered office: 85 Great Portland Street, London, W1W 7LT, United Kingdom.