Security Policy

Last updated: June 30, 2026

AdPilot AI treats the security of customer data as a first-class concern. This Policy summarizes the technical and organizational measures we apply, and how you can report security issues to us. This Policy is descriptive; it does not create warranties beyond those expressly set out in our Terms of Service.

1. Encryption

  • Data in transit is encrypted using TLS 1.2 or higher between your browser, our edge, and our backend services.
  • Data at rest is encrypted using industry-standard algorithms by our cloud providers (Supabase / Postgres and object storage).
  • Secrets and API keys are stored in encrypted secret stores and are never committed to source code.

2. Authentication and access control

  • Customer authentication supports email/password (with strong-password requirements) and Google OAuth.
  • Internal access to production systems is restricted to authorized personnel using multi-factor authentication and the principle of least privilege.
  • Database access is governed by row-level security policies so that each customer can access only their own records. Privileged operations are performed through audited security-definer functions.

3. Infrastructure and providers

  • Edge hosting and DDoS protection: Cloudflare.
  • Database, authentication and object storage: Supabase (managed Postgres).
  • AI inference: Google Gemini models (customer-provided API keys).
  • Payments: Razorpay (and, in future, Stripe).

Each provider is selected based on its security posture and contractual commitments.

4. Application security

  • Input validation and output encoding to mitigate injection and XSS.
  • CSRF protection on state-changing endpoints.
  • Per-user and per-IP rate limits on AI generation, account operations and public endpoints.
  • Webhook signature verification for payment events (HMAC-SHA256 with constant-time comparison).
  • Audit logging of security-relevant events.

5. Backups and disaster recovery

Our database provider performs regular automated backups. We periodically test restoration procedures and operate documented runbooks for incident response and recovery.

6. Incident response

We maintain an internal incident-response process covering detection, triage, containment, eradication, recovery and post-incident review. If we become aware of a personal-data breach that is likely to result in risk to affected individuals, we will notify the Data Protection Board of India and affected users without undue delay, as required by the DPDP Act and other applicable laws.

7. Responsible disclosure

We welcome reports from security researchers. To report a vulnerability, email security@adpilot.ai with:

  • A clear description of the issue and its impact.
  • Steps to reproduce, including any proof-of-concept.
  • Your contact information for follow-up.

Please:

  • Give us a reasonable time to investigate and remediate before any public disclosure.
  • Avoid privacy violations, destruction of data, and interruption or degradation of the Service.
  • Do not access, modify or exfiltrate data belonging to other users.

We will acknowledge valid reports within five business days. We do not currently operate a paid bug-bounty program but may, at our discretion, recognize researchers who report impactful, responsibly-disclosed issues.

8. No system is perfectly secure

No service can be guaranteed to be completely secure. We continuously work to improve our defenses, but you are responsible for using strong, unique passwords, enabling available protections on your account, and keeping your devices secure.