Private Beta · limited spots. Signups get discounted lifetime pricing after trial.Claim your spot →
Skip to content
Security & Trust

How we keep
your clients' data safe.

NuDash holds the access tokens and campaign data for every ad account you connect. We take that responsibility seriously, and we think you deserve to see exactly how. Here is every security measure we run - no marketing, no asterisks.

See the measures →Report a vulnerability
Last reviewed April 2026 · Daily automated review during beta
Your data stays in your workspace

Workspace isolation

Every table that stores your data - connections, ad accounts, campaigns, reports, branding, members - is scoped by workspace at the database layer. Row-level security policies enforce that no request from one workspace can read or write another workspace's rows, no matter what the caller claims.

What this means
  • Postgres row-level security on every tenant table
  • Service-role writes are pre-checked against workspace ownership
  • Separate anon key (read-only, RLS-gated) and service-role key (server-only)
State parameters are verified, not trusted

OAuth integrity

When you connect Meta, Google, LinkedIn, TikTok or GA4, the OAuth state blob carries your workspaceId - but the callback does not trust it. We verify the caller's authenticated Supabase session actually owns that workspace before writing any token. This closes the classic OAuth confused-deputy class of attack where a crafted /connect link could otherwise route a victim's ad-account token into an attacker's workspace.

What this means
  • Every /api/auth/* and /api/organic/* callback checks session vs. state
  • Workspace-ownership mismatch is always rejected
  • Rejections are logged for audit review
We never touch your ad platform password

Tokens encrypted at rest

When you connect an ad platform, we receive an OAuth token - never your password. That token is stored encrypted in our database, used only to read your campaign data, and can be revoked by you at any time from either NuDash Settings or the ad platform itself. We use the narrowest OAuth scopes each platform allows for the reporting surface we actually need.

What this means
  • Least-privilege OAuth scopes per platform
  • Tokens encrypted at rest in Supabase
  • Revoke from NuDash or from the ad platform - both work
TLS everywhere, no exceptions

Transport security

Every request in and out of NuDash is TLS-encrypted, including to our infrastructure providers. We never put access tokens, workspaceIds or account identifiers in URL query strings where they could leak via referrer headers, browser history or server logs. Sensitive handoffs between OAuth callbacks and the connect UI use httpOnly cookies instead of URL params.

What this means
  • HTTPS enforced end to end
  • httpOnly handoff cookies for post-OAuth token passing
  • No sensitive values in URL parameters
Security is a cadence, not a milestone

Recurring security reviews

A weekly security-events digest is emailed to admin (Mondays, automated cron) covering sign-ins, OAuth rejections, rate-limit hits, severity counts and OAuth rejection reasons. New or modified API routes are reviewed manually for missing session guards, workspaceId-from-client trust, SSRF in outbound fetches, and insecure OAuth state parsing. Findings are either fixed on the spot or surfaced as a dated issue.

What this means
  • Weekly security-events digest via cron
  • Manual code review on new API routes
  • Every commit to main is in scope
We only collect what the product needs

Minimum data, transparent use

We collect campaign data from platforms you connect, account metadata (workspace, user, role), branding assets you upload, and technical request logs for security and performance. We do not use your data to train models, sell lists, profile users across customers, or serve ads. We do not use third-party analytics or tracking cookies on the product surface.

What this means
  • No model training on your data
  • No third-party tracking cookies
  • POPIA-compliant data handling (South African users)
Found something? Tell us.

Responsible disclosure

If you believe you've discovered a security vulnerability in NuDash, we ask that you report it to us privately so we can fix it before it's exploited. Email security@nudash.co.za with reproduction steps and your preferred contact method. We acknowledge reports within 48 hours, commit to triage within five business days, and will credit researchers who ask to be credited once a fix ships.

What this means
  • security@nudash.co.za - PGP on request
  • 48-hour acknowledgement, 5 business-day triage
  • Public credit on request once the fix lands
What we don't do

Some guarantees are worth stating plainly.

  • ×We do not store your ad platform passwords - we only ever receive OAuth tokens.
  • ×We do not sell, rent, or share your advertising data with third parties.
  • ×We do not use your data to train AI models.
  • ×We do not allow cross-workspace reads, even for our own team.
  • ×We do not put access tokens in URL parameters.
  • ×We do not rely on obscurity for any of the above.
Sub-processors

Who we rely on, and why.

We use a small set of infrastructure partners, each chosen for their own security posture. We name them here so you can review what you're trusting by extension.

Supabase
Authentication, database, storage. SOC 2 Type 2. Hosted in EU.
Their security page →
Vercel
Application hosting and edge CDN. SOC 2 Type 2.
Their security page →
Anthropic
AI insights via Claude API. Data is not used to train models.
Their security page →
Resend
Transactional email delivery only. No marketing lists.
Their security page →
BETA · LIMITED SPOTS

Questions about security?
We'd rather answer them.

Email security@nudash.co.za for anything - vulnerability disclosure, compliance questionnaires, sub-processor lists for legal review, or just a conversation about how we handle your clients' data. Real humans read it.

No credit card · 14-day trial · Cancel any time
Lifetime
Discounted beta pricing
14d
Free trial
4
Ad platforms
25
Beta spots