
Data Security

How We Protect Your Data

Last Updated: December 2025

At NoAdCode, security is not an afterthought—it's fundamental to how we build and operate our platform. This page details the security measures we employ to protect your data.

  • Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Infrastructure: Hosted on SOC 2 Type II compliant infrastructure
  • Access Control: Role-based access with multi-factor authentication
  • Monitoring: 24/7 security monitoring and audit logging

1. Encryption

1.1 Data in Transit

All data transmitted between your browser/plugin and our servers is encrypted using:

  • TLS 1.3: The latest Transport Layer Security protocol
  • HTTPS Everywhere: All connections use HTTPS with HSTS enabled
  • Modern Cipher Suites: We use only strong, industry-standard ciphers
  • Certificate Transparency: Our TLS certificates are publicly logged

1.2 Data at Rest

All stored data is encrypted using:

  • AES-256: Industry-standard symmetric encryption for all database storage
  • Field-Level Encryption: Sensitive fields (OAuth tokens, API keys) have additional encryption layers
  • Encrypted Backups: All database backups are encrypted

1.3 Key Management

Encryption keys are managed securely with:

  • Keys stored separately from encrypted data
  • Regular key rotation policies
  • Access to keys strictly limited to authorized systems

2. Infrastructure Security

2.1 Cloud Providers

We utilize trusted, security-certified cloud providers:

| Provider | Purpose | Certifications |
|---|---|---|
| Vercel | Application Hosting | SOC 2 Type II |
| Supabase (AWS) | Database | SOC 2 Type II, ISO 27001 |
| Razorpay | Payment Processing | PCI DSS Level 1 |

2.2 Network Security

  • DDoS Protection: Built-in protection against distributed denial of service attacks
  • Web Application Firewall: Protection against common web attacks (OWASP Top 10)
  • Rate Limiting: API rate limiting to prevent abuse
  • IP Allowlisting: Available for enterprise customers

2.3 Physical Security

Our cloud providers maintain enterprise-grade physical security:

  • 24/7 security personnel and video surveillance
  • Biometric access controls
  • Environmental controls and fire suppression
  • Redundant power and network connectivity

3. Application Security

3.1 Authentication & Authorization

  • OAuth 2.0: Secure authentication via Google OAuth
  • Session Management: Secure, short-lived sessions with proper invalidation
  • Role-Based Access Control: Users only access resources they're authorized for
  • API Key Security: Unique, randomly generated API keys with proper scoping

3.2 Secure Development

  • Code Reviews: All code changes undergo security-focused peer review
  • Dependency Scanning: Automated scanning for vulnerable dependencies
  • Static Analysis: Automated code analysis for security issues
  • Security Testing: Regular penetration testing and vulnerability assessments

3.3 WordPress Plugin Security

Our WordPress plugin follows security best practices:

  • Nonce Verification: All forms and AJAX requests use WordPress nonces
  • Capability Checks: Actions require appropriate user capabilities
  • Data Sanitization: All input is sanitized and validated
  • Output Escaping: All output is properly escaped to prevent XSS
  • Prepared Statements: Database queries use prepared statements to prevent SQL injection

4. Data Protection

4.1 Google Ad Manager Access Security

Your Google Ad Manager access is managed securely:

  • Access granted by adding parambhatia51@gmail.com as admin in your GAM account
  • OAuth tokens encrypted with field-level encryption
  • Automatic token refresh to minimize exposure window
  • Tokens never exposed in logs or error messages
  • Revoke access anytime by removing parambhatia51@gmail.com from your GAM account

4.2 API Key Protection

  • API keys are hashed for storage; only key prefixes are visible in the UI
  • Keys can be regenerated at any time
  • Per-key usage tracking and rate limiting

4.3 Payment Security

Payment processing through Razorpay ensures:

  • PCI DSS Level 1: Highest level of payment card security compliance
  • Tokenization: Card numbers replaced with secure tokens
  • No Card Storage: We never store full card numbers on our servers
  • 3D Secure: Additional authentication layer for card payments

5. Monitoring & Incident Response

5.1 Security Monitoring

  • Real-time Alerts: Automated alerts for suspicious activity
  • Audit Logging: Comprehensive logs of all system actions
  • Anomaly Detection: Monitoring for unusual patterns
  • Log Retention: Security logs retained for investigation purposes

5.2 Incident Response

We maintain an incident response plan that includes:

  • Defined roles and responsibilities
  • Incident classification and severity levels
  • Communication procedures
  • Post-incident review and improvement

5.3 Breach Notification

In the event of a data breach affecting your personal information:

  • We will notify affected users within 72 hours
  • We will notify relevant authorities as required by law
  • We will provide guidance on protective measures

6. Identity Verification

We implement identity verification measures to protect accounts:

  • Google OAuth: Leverages Google's robust identity verification
  • Domain Verification: Optional verification of domain ownership
  • Account Recovery: Secure account recovery procedures
  • Suspicious Activity: Additional verification for high-risk actions

7. Business Continuity

7.1 Data Backup

  • Automated daily backups
  • Point-in-time recovery capability
  • Encrypted backup storage
  • Regular backup restoration testing

7.2 Disaster Recovery

  • Multi-region data replication
  • Documented recovery procedures
  • Regular disaster recovery drills
  • High availability architecture

8. User Security Recommendations

We recommend the following security practices for our users:

  • Keep your Google account secure with strong passwords and 2FA
  • Regularly review connected applications in your Google account
  • Keep your WordPress installation and all plugins up to date
  • Use HTTPS on your WordPress site
  • Regularly rotate API keys
  • Review access logs and usage patterns
  • Report any suspicious activity immediately

9. Security Contact

For security-related inquiries or to report vulnerabilities:

Security Team: security@noadcode.com
Vulnerability Reports: See our Responsible Disclosure Policy

10. Compliance

NoAdCode is committed to meeting applicable security and privacy requirements:

  • DPDPA 2023: Compliant with India's Digital Personal Data Protection Act
  • CCPA/CPRA: Compliant with California privacy regulations
  • GDPR: Aligned with EU data protection principles
  • Google API Services: Compliant with Google API Services User Data Policy

Questions?

If you have questions about our security practices, please contact us at security@noadcode.com.