Skip to content

§ LEGAL · Security

Security

Effective: 2026-04-19

Last updated: 2026-04-19

Fairlead operates the connection layer between publishers, advertisers, and the programmatic exchange. Because we process bid request data, targeting attributes, and event signals on behalf of our customers — and because auction integrity depends on strict data isolation — security is foundational to every architectural decision we make.

This page describes how we protect your data, what guarantees we provide, and how you can verify our practices.

Encryption

At Rest

All sensitive data — API keys, targeting configurations, event records, and publisher inventory data — is encrypted using AES-256-GCM before being written to storage. We use authenticated encryption, which provides both confidentiality and integrity verification. Any tampering with encrypted data is detected and rejected.

In Transit

All communications between your application, the Fairlead API, and exchange infrastructure use TLS 1.3. We do not support older TLS versions.

Per-Tenant Key Isolation

Each workspace’s data is encrypted with a unique data encryption key (DEK). DEKs are themselves encrypted by a key encryption key (KEK) managed through hardware security modules. A compromise of one workspace’s DEK cannot expose data belonging to any other workspace.

Key rotation is automatic and transparent. When a KEK is rotated, all associated DEKs are re-encrypted without service interruption or action required on your part.

Data Isolation and Exchange Integrity

Publisher and Advertiser Isolation

Publisher inventory data and advertiser targeting configurations are stored in isolated namespaces with independent access controls. Auction participants cannot access each other’s bidding logic, floor price configurations, or performance data. Bid responses are validated before being incorporated into auction results.

Bid Data Privacy

Fairlead processes bid request data solely to run the auction and return ad decisions. We do not:

  • Share raw bid request data between competing advertisers
  • Use bid data to build behavioral profiles of end users for any purpose beyond the auction
  • Retain bid-level data beyond the retention period required for billing reconciliation and fraud detection

No Cross-Tenant Data Leakage

Auction results, impression data, and event signals are scoped strictly to the workspace that owns them. Aggregated reporting does not expose data at a granularity that could reveal individual counterparty strategies or performance.

Credential Management

API Keys

API keys are never logged, stored in plaintext, or accessible through the dashboard in full form. The dashboard displays only masked prefixes for identification. Full key values cannot be retrieved after initial issuance.

When an API key is revoked, it is immediately invalidated across all exchange infrastructure. Revocation propagates within seconds through our caching layer.

Principle of Least Privilege

Infrastructure components receive only the permissions required for their specific function. The event collector has no access to targeting data. The auction engine has no access to billing records. No single compromise can expose the full data surface.

Infrastructure

Deployment

Fairlead Cloud runs on Google Cloud Platform using Cloud Run for compute with automated deployments, rolling updates, and instant rollback. Infrastructure is provisioned through infrastructure-as-code with full audit trails. All infrastructure changes require peer review and are logged immutably.

Network Isolation

The exchange engine, database layer, and cache tier are deployed in isolated network segments with no direct internet access. All access to storage is mediated through the Fairlead API layer, which enforces authentication, authorization, and rate limiting. Database access requires mutual TLS authentication.

Secrets Management

Infrastructure secrets — database credentials, internal service tokens, exchange signing keys — are managed through a dedicated secrets manager with automatic rotation. Secrets are injected at runtime and never stored in source code, configuration files, or container images.

Monitoring and Incident Response

We maintain 24/7 automated monitoring for anomalous bid patterns, unusual event volumes, and potential data exposure events. Our incident response process includes immediate key rotation capabilities and customer notification within 24 hours of confirmed incidents.

Penetration Testing

We conduct regular third-party penetration testing of the Fairlead API surface and exchange infrastructure. Critical and high findings are addressed within 48 hours; medium findings within 30 days.

Compliance

SOC 2 Type II

We are pursuing SOC 2 Type II certification. The audit will cover the Security, Availability, and Confidentiality trust service criteria. Once certified, we will make our SOC 2 report available to Enterprise customers under NDA upon request.

GDPR

Fairlead supports GDPR compliance through:

  • Data residency: EU data residency option ensures bid request and event data remains within the European Union
  • Right to erasure: Customer data can be deleted through the API or dashboard at any time. Deletion is permanent and irreversible.
  • Deletion API: A programmatic deletion API allows customers to fulfill erasure requests from end users
  • Data processing agreement: Available for customers who require a DPA for their compliance documentation

Advertising Regulations

The exchange operates in accordance with applicable advertising regulations. Customers are responsible for ensuring their targeting parameters and creative content comply with applicable laws, including COPPA, CCPA, and local equivalents. The Acceptable Use Policy defines prohibited advertising categories.

Audit Logging

All security-relevant events are captured in an immutable audit log, including:

  • API key creation and revocation
  • Workspace configuration changes
  • Auction rule and floor price modifications
  • Team member access changes
  • Dashboard login events
  • Data export operations

Audit log retention varies by plan tier (7 days for Free, 30 days for Growth, 90 days for Scale, configurable for Enterprise). Audit logs are available through the dashboard and API.

Responsible Disclosure

If you discover a security vulnerability in Fairlead, please report it to security@fairlead.dev. We ask that you:

  • Provide sufficient detail for us to reproduce the issue
  • Allow reasonable time for us to address the vulnerability before public disclosure
  • Do not access or modify data belonging to other customers

We commit to acknowledging reports within 24 hours and providing an initial assessment within 72 hours. We do not pursue legal action against researchers who follow responsible disclosure practices.