Security & Compliance

Enterprise-grade security you can trust

When you integrate ChatAds into your AI applications, you're trusting us with your business. We take that responsibility seriously with security built into every layer of our platform.

Core Protection

Multi-layered security at every level

From infrastructure to application, we implement defense in depth to protect your data.

End-to-End Encryption

All data is encrypted in transit with TLS 1.3 and at rest using AES-256. Your data is protected at every step.

PCI DSS Compliant

We never store, process, or transmit card data. Payments are handled entirely by Stripe, a PCI Level 1 provider.

API Key Security

Cryptographically secure API keys with team-level isolation. Keys are hashed and never stored in plain text.

Audit Logging

Every significant action — billing changes, API key creation, permission updates — is logged with full context for compliance and investigations.

Webhook Verification

All webhooks are cryptographically signed. Payloads are verified to prevent tampering and replay attacks.

Tenant Isolation

Row-level security ensures complete data separation. Your data is never accessible to other customers.

Data Protection

Your data, your control

We believe you should always have full control over your data. That's why we've built comprehensive data protection into our platform.

  • Data Export: Export your data anytime in standard formats
  • Right to Delete: Request complete data deletion at any time
  • Minimal Collection: We only collect what's necessary for service
  • No Data Selling: We never sell, rent, or trade your information
  • Encrypted Backups: All backups encrypted with strict access controls

Secure Database

Row-level security policies enforce strict tenant isolation at the database level.

Audit Logging

Complete visibility into every action

Every significant action in your account is logged with full context, giving you a complete audit trail for compliance and security investigations.

  • All billing events with timestamps and user context
  • Payment method changes with metadata
  • Plan upgrades and downgrades tracked
  • API key creation, rotation, and revocation
  • Team member access and permission changes
  • Fraud alerts and security events

Access Control

Granular role-based permissions

Four distinct roles let you control exactly who can do what in your team. Every action is enforced at the database level with row-level security.

Permission Owner Admin Member Viewer

API Keys
  • View/Copy Keys
  • Create/Revoke Keys

Team Management
  • Invite/Remove Members
  • Update Team Settings
  • Delete Team
  • Manage Billing

Configuration
  • Edit Rules & Affiliate Keys
  • Use API Explorer

All roles can view usage metrics, billing, team settings, keyword rules, and team members. Only modifying these resources requires elevated permissions.

Advanced Protection

Defense in depth

Multiple layers of security controls work together to protect your account and data.

Fraud Detection

Stripe Radar monitors transactions in real-time. Automatic account suspension after repeated payment failures or chargebacks protects against abuse.

Input Validation

Multi-layer validation with Pydantic models, SQL injection prevention, XSS pattern detection, and strict request size limits protect against malicious input.

Role-Based Access

Team owners control sensitive operations like billing and API keys. Members have appropriate read-only access with granular permission controls.

Security Headers

Content Security Policy, HSTS, X-Frame-Options, and X-Content-Type-Options headers protect against common web vulnerabilities.

Secrets Management

All credentials are stored in secure environment variables, never in code. Sanitized logging ensures secrets never appear in logs or error messages.

Rate Limiting

Intelligent rate limiting on all endpoints with fail-closed behavior. Payment operations have stricter limits to prevent card testing attacks.

Your role in security

Security is a shared responsibility. Help keep your account secure:

  • Protect API Keys: Never expose keys in client-side code
  • Enable MFA: Add multi-factor authentication to your account
  • Monitor Usage: Review logs for unexpected activity
  • Stay Updated: Keep SDKs current with latest versions

Responsible disclosure

Found a vulnerability? We appreciate security researchers who help us improve.

team@getchatads.com
  • Acknowledgment within 48 hours
  • Regular updates on investigation
  • No legal action for good-faith research
  • Credit for researchers (with permission)
