Ciaro

Security

Last updated: April 22, 2026

Defense in Depth

Multiple layers of security controls protect your data at every level — network, application, and data.

Encryption Everywhere

AES-256 at rest, TLS 1.3 in transit. Your campaign data and fraud intelligence are always encrypted.

Privacy by Design

Sensitive data is masked before leaving the browser. We collect only what's needed for fraud detection.

SOC 2 Type II readiness in progress

Infrastructure designed against SOC 2 Type II controls with continuous monitoring and audit-ready logging. Independent attestation target: Q3 2026.

Threat Intelligence

Shared fraud intelligence database updated in real-time across all protected properties.

Regular Audits

Annual penetration testing, quarterly vulnerability scans, and continuous dependency monitoring.

Infrastructure Security

  • Cloud Hosting: Deployed on enterprise-grade cloud infrastructure with automatic failover and geographic redundancy
  • Network Security: DDoS protection, Web Application Firewall (WAF), and intrusion detection systems
  • Access Control: Role-based access with mandatory multi-factor authentication for all team members
  • Monitoring: 24/7 automated monitoring with real-time alerting for anomalies and potential security incidents

Application Security

  • Secure Development: All code undergoes peer review, static analysis, and automated security testing before deployment
  • Dependency Management: Continuous monitoring and automated patching of third-party dependencies
  • API Security: Rate limiting, authentication tokens, and request validation on all API endpoints
  • Data Isolation: Strict tenant isolation ensures your data is never accessible to other customers

Data Protection for PPC Campaigns

What We Protect

  • Google Ads credentials: OAuth tokens are encrypted and stored separately from application data, with automatic rotation
  • Campaign performance data: Encrypted at rest with access restricted to your authenticated team members
  • Fraud detection data: IP addresses and device fingerprints used for fraud analysis are hashed after 90 days
  • Session replay data: Sensitive form fields are masked at the browser level before data reaches our servers

Tracking Script Security

Ciaro's JavaScript snippet is designed with security as a priority:

  • Served over HTTPS with Subresource Integrity (SRI) hashes
  • Asynchronous loading — zero impact on your page's render performance
  • Under 5KB gzipped — minimal footprint
  • No access to cookies, localStorage, or sessionStorage of your domain
  • Automatic masking of password fields, credit card inputs, and fields marked as sensitive

Incident Response

Our incident response process includes:

  • Detection: Automated monitoring detects anomalies within minutes
  • Response: On-call security team responds within 1 hour of detection
  • Notification: Affected customers are notified within 72 hours per GDPR requirements, or sooner if required by applicable law
  • Post-Mortem: Every incident receives a root cause analysis and remediation plan

Compliance & Certifications

  • SOC 2 Type II — readiness in progress, audit target Q3 2026 (no current attestation)
  • GDPR compliant (see our GDPR page)
  • CCPA compliant
  • Google Ads API Partner compliance
  • ISO 27001 (in progress)

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly to security@ciaro.click. We acknowledge reports within 24 hours and aim to resolve critical issues within 72 hours. We do not pursue legal action against good-faith security researchers.

Contact

For security questions or current audit/readiness status, contact security@ciaro.click.