
Trust & Security

Version: 1.0 (draft)
Last updated: 2026-05-16
Posture summary: Pre-SOC 2; ISO-27001-aligned
Disclosure: security@adfinia.com (planned)
This is a working draft, pending external legal review. The controls listed below reflect the security posture currently deployed in production. SOC 2 status, the bug-bounty programme details, and the disclosure email are pending external counsel and vendor onboarding; the page will be updated as each becomes live. For an attestation in writing, write to support@adfinia.com with subject "Security".

Posture summary

Adfinia is built on a small set of principles: encrypt everything in motion and at rest, isolate tenants in the database engine rather than at the app layer, audit every administrative action, and disclose what we can publish.

  • Live: TLS 1.2+ everywhere
  • Live: Tenant RLS in Postgres
  • Live: Audit log on admin paths
  • Live: Encrypted backups
  • In progress: SOC 2 Type I
  • In progress: Independent pen-test 2026 H2
  • Planned: Public bug bounty

The page below details each area. Where a control is in progress, we say so honestly — security claims are easier to write than to prove, and we'd rather over-deliver on the controls we already have than over-promise on ones we don't.

Network & TLS

Every external endpoint terminates TLS 1.2 or higher (1.3 preferred when the client supports it). HTTP requests are 301-redirected to HTTPS. Certificates are managed automatically via Let's Encrypt with cert-manager; renewal happens 30 days before expiry and is monitored.

  • Cipher policy. Modern profile only — no TLS 1.0/1.1, no RC4, no 3DES.
  • HSTS. Strict-Transport-Security with max-age=63072000; includeSubDomains; preload on every public response.
  • Public surfaces. adfinia.com, console.adfinia.com, admin.adfinia.com, docs.adfinia.com, keycloak.adfinia.com, api.adfinia.com.
  • Internal traffic. Service-to-service traffic inside the Kubernetes cluster uses mTLS via the platform's service mesh and is not exposed to the public internet.

Encryption at rest

Customer Data is encrypted at rest at the storage layer:

  • Postgres — AES-256 via AWS EBS encryption on the underlying volumes. Database-level transparent encryption is on by default.
  • ClickHouse (analytics) — AES-256 on the underlying EBS volumes.
  • Object storage — S3 server-side encryption (SSE-KMS) with customer-isolated KMS keys for Enterprise tenants on request.
  • Backups — encrypted in place; cross-region replication uses encrypted snapshots only.
  • Secrets — Kubernetes Secrets sealed with the cluster's KMS provider; no plaintext secrets in Git.

Customer-managed encryption keys (CMEK) are available on the Enterprise tier; the KMS key is provisioned in the Customer's account and grants are auditable on both sides.

Tenant isolation & RBAC

Tenant isolation is enforced by the database engine — not by the application code alone.

Every table that holds Customer Data carries a tenant_id column and a row-level-security (RLS) policy. The connecting role's current_setting('app.tenant_id') is bound to the authenticated tenant; the policy gates every SELECT, INSERT, UPDATE, and DELETE. A bug in the application layer cannot leak rows across tenants because the engine refuses them.

Within a tenant, role-based access control (RBAC) maps Adfinia users to roles (Owner, Admin, Marketer, Analyst, Auditor, ReadOnly) with granular permissions enforced both server-side (every endpoint checks scope) and client-side (UI hides actions the role cannot perform — but the server is the source of truth).

For Adfinia personnel, production access is least-privilege and time-bound; every administrative session is recorded.

Audit logging

Adfinia maintains an append-only audit log of administrative and high-risk actions:

User actions

Per-tenant audit log

Authentication events, permission changes, integration credentials, campaign sends, AI invocations. Retained per the tier's retention schedule, surfaced in the Customer's /settings/audit-log page.

Admin actions

Platform-wide audit log

Tenant CRUD, plan changes, force-unlock of Sovereign cooldown, content-moderation overrides, billing adjustments. Retained 7 years. Visible only to Adfinia super-admins; immutable.

Infrastructure

Cluster-level audit

Kubernetes API audit, IAM role assumption, KMS key use, S3 bucket access. Forwarded to a dedicated, write-only log sink in the EU region. Retained 13 months hot, archived to cold storage thereafter.

Tamper-evidence

Hash-chained entries

Each entry includes the hash of the previous entry. Tampering with any single entry invalidates every subsequent hash. Customers can request a signed extract for forensic review.
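
The hash-chaining described above, as an added example that is not Adfinia's own code: a minimal SHA-256 chain with a verifier that reports the first broken entry. The entry layout, field names and all-zero genesis value are assumptions; `expected_head` stands in for a head hash held outside the log (for instance in a signed extract), because a chain that was truncated or consistently re-hashed still verifies internally.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash value for the first entry

def entry_hash(prev_hash, body):
    # Canonical JSON so an identical body always hashes to identical bytes.
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()

def append(log, body):
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"prev_hash": prev, "body": body, "hash": entry_hash(prev, body)})
    return log[-1]["hash"]

def verify(log, expected_head=None):
    """Return (ok, index of the first bad entry or None)."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev_hash"] != prev or entry["hash"] != entry_hash(prev, entry["body"]):
            return False, i
        prev = entry["hash"]
    # An internally consistent chain can still be truncated or fully re-hashed;
    # only a head hash held outside the log exposes that.
    if expected_head is not None and prev != expected_head:
        return False, len(log)
    return True, None

def rewrite_from(log, index, new_body):
    """Model an edit at `index` followed by re-hashing every later entry."""
    forged = [dict(e) for e in log[:index]]
    for body in [new_body] + [e["body"] for e in log[index + 1:]]:
        append(forged, body)
    return forged

def build_sample():
    # Constructed sample entries, not real audit data.
    log = []
    append(log, {"seq": 1, "actor": "admin-a", "action": "tenant.create", "tenant": "t-001"})
    append(log, {"seq": 2, "actor": "admin-b", "action": "plan.change", "tenant": "t-001"})
    append(log, {"seq": 3, "actor": "admin-a", "action": "billing.adjust", "tenant": "t-002"})
    return log

if __name__ == "__main__":
    log = build_sample()
    print(verify(log, expected_head=log[-1]["hash"]))
```

When reviewing an extract, compare its final hash against a value obtained through a separate channel before trusting a passing chain check.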

Vulnerability management

We run a layered defence on the supply chain:

  • Dependency scanning on every PR and every base-image rebuild. Critical-severity findings block merge until remediated or explicitly accepted with an expiry.
  • Container image attestation — every image carries an SBOM and an attestation. Production deployments admit only signed images from our internal registry.
  • Weekly base-image rebuilds against the upstream distroless / Bitnami images we depend on; new CVEs in upstream packages do not have to wait for a release window.
  • Annual third-party penetration test (next scheduled 2026 H2). Findings are categorised under CVSS, with a published mitigation timeline; the executive summary is shareable on request under NDA.
  • Continuous secret scanning on every commit; rotation of any matched secret is mandatory before merge.

Resilience & backups

  • Primary region: eu-north-1 (Stockholm). Backup region: eu-west-1 (Ireland). See /legal/regions for the regional table.
  • Postgres point-in-time recovery — 30 days, validated by automated restore test once per quarter.
  • ClickHouse — full backups daily, encrypted, retained 30 days; incremental every 6 hours.
  • Object storage — versioned with 30-day soft-delete retention; cross-region replication for Enterprise tenants on request.
  • DR drill — full disaster-recovery rehearsal at least annually; recovery-point objective 1 hour, recovery-time objective 4 hours.

Certifications & attestations

Adfinia operates against ISO-27001-aligned controls today and is in the run-up to formal certifications. Each line below carries an honest status:

  • ISO 27001 — control framework adopted; external audit scheduled 2026 H2.
  • SOC 2 Type I — readiness assessment complete; audit underway with a Big-4 firm; report expected 2026 Q4. Status: in progress.
  • SOC 2 Type II — observation window starts on Type I issuance; report expected 2027 Q3.
  • PCI DSS — out of scope. Adfinia does not handle cardholder data — payment is delegated to Stripe (a PCI Level-1 provider).
  • HIPAA — not a covered entity, not a business associate. Customers handling PHI should not upload PHI to Adfinia until we publish a BAA-ready offering.
  • UAE PDPL registration — registration with the UAE Data Office in progress.

Bug bounty & coordinated disclosure

We invite security researchers to look for vulnerabilities in Adfinia. Until the public bug-bounty programme launches (planned Q4 2026), please report findings privately via the coordinated-disclosure channel:

How to report a vulnerability

Email support@adfinia.com with subject "Security disclosure". Include a clear reproduction, the affected URL or endpoint, and your preferred attribution name. A dedicated security@adfinia.com address with a published PGP key is planned for Q3 2026.

We acknowledge receipt within 2 business days, triage within 5, and aim to remediate Critical findings within 30 days. We do not pursue legal action against good-faith researchers who comply with our coordinated-disclosure policy (no exfiltration of Customer Data, no denial-of-service, no social engineering of staff).

PGP key fingerprint will be published here once the dedicated address goes live.