Security

Security posture

AdvertisingML handles consumer contact information and consent metadata for delivery to advertisers in regulated verticals. The controls below describe the security baseline applied to that data across our infrastructure, the contractual protections we maintain with sub-processors, and our breach notification commitments.

Encryption in transit

All consumer-facing properties, advertiser-facing APIs, and internal service-to-service traffic use TLS 1.2 or higher with modern cipher suites. HSTS is enforced on all consumer-facing properties. TLS certificates are issued by recognized certificate authorities and renewed automatically before expiry.

Encryption at rest

Production data stores encrypt consumer contact information at rest using AES-256. Backup snapshots are encrypted with separate keys. Encryption keys are managed through a dedicated key management service with access logged and reviewed.

Access controls

Production system access requires multi-factor authentication. Access to consumer PII is restricted to a minimal set of operational personnel with documented business need; all PII access events are logged with user, query, and timestamp. Production access reviews are conducted quarterly.

Network and infrastructure

Production infrastructure runs on hardened Linux hosts with restricted ingress firewalls. Administrative access is gated behind a bastion with key-based authentication and IP allow-listing. Public services are behind a WAF that filters common attack patterns.

Sub-processors

Sub-processors with access to consumer PII are bound by data processing agreements meeting GDPR Article 28 standards (where EU consumers are involved) and equivalent contractual protections under U.S. comprehensive privacy laws. Current sub-processor categories include: hosting infrastructure, transactional email service, lead validation services, consent capture (ActiveProspect TrustedForm), and analytics.

Compliance roadmap

AdvertisingML is preparing for a SOC 2 Type II audit. Interim controls are aligned with the SOC 2 trust services criteria for security, availability, and confidentiality. The audit timeline and report availability will be published on this page when finalized.

Vulnerability disclosure

We welcome responsible disclosure of security issues. Report findings to security@advertisingml.com with reproduction steps. We acknowledge reports within two business days, investigate in good faith, and credit reporters on request after resolution. We commit to not pursuing legal action against researchers who report in good faith and within the scope of this policy.

Breach notification

In the event of an incident involving unauthorized access to consumer PII, we will:

  • Notify affected advertisers within 72 hours of confirmation;
  • Notify affected consumers and applicable regulators in accordance with applicable state and federal breach notification statutes (typically within the timeframes specified by each statute, often 30 – 60 days);
  • Provide identity protection services to affected consumers where required by law or warranted by the nature of the exposure;
  • Publish a post-incident summary on this page when investigation is complete and disclosure does not impede ongoing response.

Contact

Security inquiries: security@advertisingml.com