Security

Detailed information about Adfynx security architecture, access controls, credential protection, and security operations.

Security Architecture

Network Security

  • All data transmission uses TLS 1.2 or higher encryption
  • API endpoints protected by rate limiting to prevent abuse
  • Production environment completely isolated from development/testing
  • Database only allows connections from application servers, not exposed to public internet

Application Security

  • Input validation and output encoding to prevent injection attacks
  • CSRF protection and secure session management
  • Passwords hashed using industry-standard algorithms (bcrypt/Argon2)
  • Sensitive operations require re-authentication

Credential & Key Management

Meta Access Token Protection

This is the most critical part of our security architecture, as Access Tokens are the keys to your Meta account.

Storage Method

  • Access Tokens encrypted at application layer using AES-256 before database storage
  • Encryption keys stored in separate key management service (AWS KMS)
  • Encryption keys rotated regularly (every 90 days)

Access Control

  • Tokens only briefly decrypted in memory when calling Meta API
  • Decrypted tokens never written to logs, sent to frontend, or stored on disk
  • Only authorized backend services can decrypt tokens

Revocation & Rotation

  • You can disconnect at any time in the Adfynx platform; we immediately delete stored tokens
  • You can also revoke authorization directly in Meta account settings; tokens become invalid immediately
  • We support automatic token refresh when needed

Leak Prevention

  • All logs and error reports automatically sanitized before recording, removing tokens, keys, and other sensitive info
  • Development and testing environments use mock data, no access to production tokens
  • Code review process ensures no accidental commits of sensitive information to version control
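
One way to implement the log sanitization described under Leak Prevention, shown as an added example that is not Adfynx's own code: a Python `logging` filter that scrubs secrets from the formatted message and from exception text before any handler writes them. The key names, the `EAA` token prefix, the logger name and the sample token are assumptions constructed for illustration.

```python
import io
import logging
import re

SAMPLE_TOKEN = "EAAconstructedSAMPLEtoken0000000000"  # constructed, not a real token

# Assumed patterns, not taken from the page. Context rules run first so a secret is
# caught by its key name or "Bearer" prefix even when its format is unknown; the
# last rule catches bare strings shaped like Meta tokens (assumed "EAA" prefix).
_RULES = [
    (re.compile(r'(?i)\b(access_token|client_secret|api_key|password)\b("?\s*[=:]\s*"?)[^\s"&,}]+'),
     r"\1\2[REDACTED]"),
    (re.compile(r"(?i)\b(Bearer)\s+[A-Za-z0-9._~+/=-]{8,}"), r"\1 [REDACTED]"),
    (re.compile(r"\bEAA[A-Za-z0-9]{20,}"), "[REDACTED_TOKEN]"),
]

def scrub(text: str) -> str:
    for pattern, replacement in _RULES:
        text = pattern.sub(replacement, text)
    return text

class RedactingFilter(logging.Filter):
    def filter(self, record: logging.LogRecord) -> bool:
        # Scrub the fully formatted message so secrets passed as %-args are caught.
        record.msg, record.args = scrub(record.getMessage()), ()
        if record.exc_info:
            # Exception text can embed a URL or token; the formatter reuses
            # exc_text when it is already set, so pre-fill it scrubbed.
            record.exc_text = scrub(logging.Formatter().formatException(record.exc_info))
        return True

def demo() -> str:
    """Log constructed sample lines through the filter and return what was written."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactingFilter())  # on the handler, so every logger feeding it is covered
    log = logging.getLogger("redaction_demo")
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.INFO)
    log.info("GET https://graph.facebook.com/me?access_token=%s&fields=id", SAMPLE_TOKEN)
    log.error("refresh failed, sent Authorization: Bearer %s", SAMPLE_TOKEN)
    try:
        raise RuntimeError(f"bad response for token {SAMPLE_TOKEN}")
    except RuntimeError:
        log.exception("sync failed")
    return buf.getvalue()

if __name__ == "__main__":
    print(demo())
```

Pattern-based scrubbing only catches what the rules anticipate, so it complements, rather than replaces, keeping decrypted tokens out of log calls in the first place.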

Internal Access Control

Least Privilege Principle

We strictly limit who can access production data and systems:

Role Separation:

  • Developers: Can access development and testing environments, cannot directly access production database
  • Operations Engineers: Can access production infrastructure, but require two-factor authentication (2FA)
  • Support Staff: Only access necessary account information through restricted admin interface, cannot access raw database

Production Access Audit

  • All production environment access is logged (who, when, what they did)
  • Audit logs are immutable and regularly reviewed
  • Abnormal access patterns trigger automatic alerts

Employee Security

  • All employee accounts require two-factor authentication (2FA)
  • Regular security awareness training
  • Departing employee access revoked on departure date

Vulnerability Management

Dependency Scanning

  • Automated tools scan third-party dependencies for known vulnerabilities
  • Critical vulnerabilities fixed within 24 hours, medium within 3 days

Code Review

  • All code changes require review by at least one other engineer
  • Security-related changes require additional security review

Security Monitoring & Response

Real-time Monitoring

  • Application performance and error monitoring
  • Database query monitoring and anomaly detection
  • Login failures, abnormal API calls, and other security event alerts

Incident Response Process

  1. Detection: Automatic alerts or user reports
  2. Assessment: Determine incident nature and impact scope (Sev1/Sev2/Sev3)
  3. Containment: Isolate affected systems, prevent further damage
  4. Eradication: Fix vulnerabilities or remove threats
  5. Recovery: Restore normal service
  6. Post-mortem: Analyze root cause, improve processes

Customer Notification

  • Sev1 (data breach, complete service outage): Notify within 24 hours
  • Sev2 (partial functionality affected): Notify within 3 business days
  • Sev3 (minor impact): Explain in next regular update

Data Backup & Recovery

Backup Strategy

  • Daily automatic database backups
  • Backup data encrypted in storage
  • Backup retention period: 30 days

Disaster Recovery

  • Recovery Time Objective (RTO): 4 hours for critical services
  • Recovery Point Objective (RPO): 24 hours maximum data loss
  • Recovery process tested quarterly to ensure effectiveness
  • Multi-region deployment capability for enhanced resilience

Verifiable Statements

  • We provide account activity logs; you can view recent login records and API calls in account settings
  • We log all internal production environment access; audit logs retained for 12 months
  • We support revoking Meta connection anytime; tokens immediately deleted from our system
  • Our infrastructure providers (Vercel, Railway, Supabase) all provide DDoS protection and auto-scaling
  • We use AES-256 encryption to store Meta Access Tokens; keys managed separately

Frequently Asked Questions

A: We implement least privilege principles and role separation. Production data access requires two-factor authentication (2FA), and all access is logged and audited. We regularly review access logs, and abnormal behavior triggers alerts.

Last updated: December 19, 2025
