Trust Center

Security & Compliance

Your data security is our top priority. Learn about the measures we take to protect your information and maintain compliance with global standards.

Certifications & Compliance

SOC 2 Type II

Annual audits verify our security controls meet the highest standards for data protection and availability.

GDPR Compliant

Full compliance with the EU General Data Protection Regulation. Data subject rights fully supported.

CCPA Compliant

California Consumer Privacy Act compliance with full transparency and consumer rights support.

ISO 27001

Information security management system certified to international standards.

Live compliance status
StandardStatusTarget / Audit cycle
GDPRCompliantOngoing — self-attested; reviewed quarterly
CCPACompliantOngoing — self-attested; reviewed quarterly
SOC 2 Type IIIn progressAudit completion target Q3 2026
ISO 27001In progressStage 2 audit target Q4 2026
HIPAANot applicableWe do not process PHI by design
PCI-DSSNot applicableCard data handled exclusively by Stripe (PCI Level 1)

Status reviewed monthly. For procurement teams: detailed scope, current Letter of Engagement with our auditor, and SOC 2 readiness gap analysis available under NDA — request from [email protected].

Transparency & transparency artifacts

Specifics on testing, where your data lives, who else touches it, and how to report a vulnerability.

🛡️

Penetration test summary

Last test: Q1 2026 by a CREST-certified independent firm. Scope: public API, dashboard, beacon ingestion, billing surface.

Findings: 0 critical, 0 high, 2 medium (both remediated within 30 days). 4 informational items addressed in the same release window.

Full report available under NDA. Request from [email protected].

🌍

Data residency

🇩🇪EU primaryFrankfurt — Hetzner
🇪🇺EU backupHelsinki — replicated DB
🇺🇸US (opt-in)Available for US-bound enterprise on request

EU customer data does not leave the EU by default. SCCs are in place for any sub-processor handling EU data outside the EEA.

📋

Sub-processor registry

The authoritative, current sub-processor list (Hetzner/AWS, Stripe, Postmark, Sentry, Cloudflare) — with purpose, data accessed, and region for each — is maintained in one place to prevent drift.

View sub-processor list →
🐛

Vulnerability disclosure program

Security researchers are welcome. We commit to acknowledging reports within 48 hours, no legal action for good-faith research within scope, and recognition in our hall of fame.

  • Email: [email protected]
  • PGP key: available on /.well-known/security.txt
  • Out of scope: DoS, social engineering, physical attacks

Enterprise-Grade Security

We implement multiple layers of security to ensure your data is protected at every level.

  • Encryption EverywhereTLS 1.3 in transit, AES-256 at rest
  • Access ControlsRole-based access with multi-factor authentication
  • Regular Penetration TestingThird-party security assessments quarterly
  • 24/7 MonitoringReal-time threat detection and response
  • DDoS ProtectionEnterprise-level protection via Cloudflare
HighAvailability Target
LowDetection Latency
AuditedSecurity Controls

Advertising Platform API Usage

MyClickShield integrates with the Google, Meta and Microsoft advertising APIs solely to provide click fraud protection to the authenticated advertiser. We never sell or share API data with third parties.

Google Ads API

OAuth scope: https://www.googleapis.com/auth/adwords

Purpose: Detect invalid clicks and help advertisers reduce wasted ad spend.

Services called:

  • CustomerService.listAccessibleCustomers — list authorized Google Ads accounts during OAuth setup.
  • GoogleAdsService.searchStream — read ENABLED campaigns so we know where to apply IP exclusions.
  • CampaignCriterionService.mutate — add / remove negative IP_BLOCK criteria on campaigns. Every mutation is reversible from the dashboard.
  • ConversionAdjustmentUploadService.uploadConversionAdjustments — upload RETRACTION adjustments for flagged clicks (opt-in).

User control: Every automated action is configurable, reversible, and auditable from the MyClickShield dashboard. The user may revoke OAuth consent at any time. We do not read or modify ad content, budgets, billing, targeting, or keywords.

Meta Marketing API

Permissions: ads_management, ads_read, business_management

Purpose: Filter invalid traffic from Facebook and Instagram advertising campaigns.

Services used:

  • Read campaign metadata and performance insights for the authenticated advertiser.
  • Create and manage Custom Audiences to exclude invalid traffic from retargeting.
  • Send invalid traffic events via the Meta Conversions API for reporting.

User control: The user can review every exclusion and disable automated actions at any time from the MyClickShield dashboard.

Microsoft Advertising API

OAuth scope: https://ads.microsoft.com/msads.manage

Purpose: Protect Microsoft Ads campaigns from invalid traffic.

Services used:

  • Read campaign metadata and performance data.
  • Manage Negative Site Lists and IP exclusions for protected campaigns.
  • Upload offline conversion adjustments for user-flagged invalid clicks.

User control: All changes are logged, reversible, and disabled by default until the user explicitly opts in.

Data retention & deletion: API data retrieved from Google, Meta and Microsoft is retained only as long as the customer has an active account. Upon account deletion, all API tokens are revoked and associated data is permanently deleted within 30 days. Customers can request earlier deletion by contacting [email protected].

Data Lifecycle & Storage

Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). OAuth refresh tokens and API credentials are stored in an encrypted secrets store and never exposed in logs or error messages.

Storage

Customer data is stored in isolated database tables with strict row-level access controls. Production databases are backed up daily and backups are encrypted with separate keys.

Retention

Click-level data is retained for the duration of the subscription plus a grace period of 30 days. Aggregated, non-identifiable statistics may be retained for longer for product analytics.

Deletion

Account deletion requests are processed within 30 days. Upon deletion, OAuth tokens are revoked, personal data is removed, and API connections to advertising platforms are terminated.

Infrastructure & Data Centers

AWS & Google Cloud

Multi-cloud infrastructure with automatic failover and geographic redundancy across US and EU regions.

Global Edge Network

300+ edge locations via Cloudflare for low-latency fraud detection worldwide.

Data Residency Options

Choose where your data is stored. EU-only processing available for European customers.

Policies & Documentation

Privacy Policy

How we collect, use, and protect your personal data.

Terms of Service

Service agreement, acceptable use, and legal terms.

Data Processing Agreement

GDPR-compliant DPA for enterprise customers.

Have Security Questions?

Our security team is available to answer your questions and provide additional documentation for your compliance requirements.

Contact Security Team Request Compliance Docs