1. Our Security Commitment
At Adstriq, security is not an afterthought — it is a foundational principle built into every layer of our architecture. We apply a defense-in-depth strategy with multiple independent security barriers, ensuring that no single point of failure can compromise customer data.
2. Multi-Tenant Data Isolation
Every customer's data is isolated at the database level using PostgreSQL Row-Level Security (RLS) with 79 enforcement policies across 28 tables. Each query is automatically filtered by tenant ID, injected via cryptographically signed JWT claims. This ensures that even in the unlikely event of an application-level bug, one tenant can never access another tenant's data.
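As an added example (not Adstriq's own schema or policy text), this is how a tenant-scoped RLS policy of the kind described above is typically written in PostgreSQL: the tenant is read from the verified JWT claims that PostgREST/Supabase expose to the database session through the request.jwt.claims setting, and the policy is enforced on both reads and writes. The table, column and claim names, and the use of that setting, are assumptions for this example.

```sql
-- Constructed example table; the real schema is not public.
create table campaigns (
  id         bigserial primary key,
  tenant_id  uuid not null,
  name       text not null
);

-- Read the tenant id from the JWT claims the API layer (PostgREST/Supabase)
-- places in the session after verifying the token's signature. The claim
-- name 'tenant_id' is an assumption. Returns NULL when no claims are set,
-- so an unauthenticated session matches no rows at all.
create or replace function current_tenant_id() returns uuid
language sql stable as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::jsonb
          ->> 'tenant_id')::uuid
$$;

alter table campaigns enable row level security;
-- FORCE makes the policy apply to the table owner as well; only superusers
-- and roles with BYPASSRLS are exempt, so the API role must be neither.
alter table campaigns force row level security;

-- USING filters every SELECT/UPDATE/DELETE to the caller's tenant;
-- WITH CHECK rejects any INSERT/UPDATE that would produce a row belonging
-- to another tenant, so an application bug cannot write across tenants.
create policy campaigns_tenant_isolation on campaigns
  for all
  using      (tenant_id = current_tenant_id())
  with check (tenant_id = current_tenant_id());

-- Demonstration in psql as a non-superuser role. In production the claims
-- are set by the API layer from a verified token, never by the client.
select set_config('request.jwt.claims',
  '{"sub":"user-a","tenant_id":"11111111-1111-1111-1111-111111111111"}', false);

-- Accepted: the row's tenant_id matches the caller's claim.
insert into campaigns (tenant_id, name)
  values ('11111111-1111-1111-1111-111111111111', 'Tenant A spring launch');

-- Rejected by WITH CHECK: the row would belong to a different tenant.
insert into campaigns (tenant_id, name)
  values ('22222222-2222-2222-2222-222222222222', 'Row aimed at tenant B');

-- Switch to tenant B's claims: the unfiltered query returns none of
-- tenant A's rows, because RLS adds the tenant filter to every statement.
select set_config('request.jwt.claims',
  '{"sub":"user-b","tenant_id":"22222222-2222-2222-2222-222222222222"}', false);
select id, tenant_id, name from campaigns;
```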
3. Encryption
All data is encrypted in transit using TLS 1.3 (HTTPS and WSS). Our .app and .dev domains are in Google's HSTS Preload list, making HTTP downgrade attacks impossible. Authentication cookies are encrypted at rest using AES-GCM 256-bit encryption. Database storage uses Supabase's built-in encryption at rest.
4. Authentication & Authorization
We use ES256 (asymmetric) JSON Web Tokens for all authentication — the stronger standard compared to HS256. Device authentication uses HttpOnly, Secure, SameSite cookies, so tokens cannot be read by page scripts and are immune to XSS theft. Dashboard login is protected by Cloudflare Turnstile anti-bot verification. All API inputs are validated with Zod schemas before reaching the database.
5. Infrastructure Security
Adstriq runs on Cloudflare's global edge network (330+ cities) with built-in DDoS protection. Our API proxy provides centralized rate limiting, body size guards, and a device blocklist enforced at the edge. Client IP addresses are taken server-side from the CF-Connecting-IP header, which is set by Cloudflare and cannot be spoofed by the client, preventing IP address forgery.
6. Security Headers
All Adstriq services enforce a comprehensive set of security headers: Content-Security-Policy (strict, no unsafe-eval), HSTS with preload, X-Frame-Options (DENY), X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), and Permissions-Policy (restricted camera, microphone, geolocation).
7. Access Control & Audit
Every write operation generates an immutable audit log entry with timestamp, user ID, tenant ID, action type, and entity reference. Audit logs are append-only and retained for 90 days in hot storage and 1 year in cold storage, in compliance with ISO 27001 A.5.28. Sensitive data is never logged — only entity IDs and action metadata.
8. Supply Chain & CI/CD Security
All dependencies are pinned and audited automatically. Our CI pipeline runs pnpm audit as a hard gate — builds with high or critical vulnerabilities are blocked from merging. All GitHub Actions use SHA-pinned versions to prevent supply chain attacks. Source maps are stripped from production builds.
9. Vulnerability Reporting
We welcome responsible security research. If you discover a vulnerability, please report it to security@adstriq.com. We commit to acknowledging reports within 48 hours and providing a resolution timeline within 5 business days. Our /.well-known/security.txt file provides machine-readable reporting instructions per RFC 9116.