AdsPing forwards conversion events from our customers’ websites to advertising platforms such as Meta, TikTok, and Google. The security of those events — and of the customer accounts that configure them — is core to the Service. This page summarises the controls we operate; full contractual commitments live in the Terms of Service and the Data Processing Agreement.
1. Encryption
- In transit — all traffic to AdsPing endpoints (web app, API, ingestion) is served over TLS 1.2 or higher. HTTP requests are redirected to HTTPS. Outbound calls to advertising platforms use the platform’s required HTTPS endpoints.
- At rest — databases, object storage, and backups are encrypted at rest using AES-256 provided by the underlying cloud provider.
- Direct identifiers — email, phone, and other direct identifiers used for advertiser-side matching are hashed with SHA-256 before they are forwarded, in line with each platform’s Conversions API requirements.
2. Access control
- Production access is restricted to a small number of engineers, granted on a need-to-know basis and reviewed periodically.
- All employee accounts require single sign-on with multi-factor authentication. Customer accounts support strong passwords, and we recommend that customers protect their email mailbox accordingly.
- Administrative actions on production systems are logged and retained for audit.
3. Application security
- Code changes are peer-reviewed and pass automated checks before being deployed. Dependencies are monitored for known vulnerabilities and updated on a regular cadence.
- We follow OWASP guidance for common web application risks (injection, XSS, CSRF, broken access control) and apply input validation and parameterised queries throughout the platform.
- OAuth tokens issued by advertising platforms are stored encrypted and used only to forward events that the customer has explicitly configured.
4. Infrastructure
- AdsPing runs on hyperscale cloud providers (AWS / GCP) that hold independent certifications including ISO 27001 and SOC 2.
- Network access to production services is restricted by firewall and security-group rules; only the ports required for the Service are exposed publicly.
- Backups of the primary database are taken daily and retained for 30 days. Restore procedures are tested periodically.
5. Data retention and minimisation
AdsPing retains the minimum data necessary to operate the Service. Per-event Personal Data is forwarded to the destinations the customer has connected and is not retained beyond the windows described in the Privacy Policy. Direct identifiers are hashed before forwarding and are not stored in plaintext.
6. Subprocessors
AdsPing uses a small number of vetted subprocessors (cloud hosting, email delivery, error monitoring, billing). The current list is published in the Privacy Policy. Each subprocessor is bound by data-protection terms consistent with the DPA.
7. Incident response
AdsPing maintains an incident response process covering detection, containment, eradication, and recovery. In the event of a Personal Data Breach affecting Customer Data, we notify affected customers without undue delay and within 72 hours of becoming aware of the breach, as set out in the DPA.
8. Responsible disclosure
If you believe you have found a security vulnerability in AdsPing, please email [email protected] with a description of the issue and steps to reproduce. Please do not publicly disclose the issue until we have had a reasonable opportunity to investigate and remediate. We will acknowledge reports within two business days.
9. Contact
Security questions: [email protected]
Data-protection questions: [email protected]