Security & access
Roles, credentials, and boundaries for internal operators. This does not replace your company-wide information security policy.
Identity
Human access to the admin console uses corporate SSO where integrated. Service accounts are provisioned by platform ops and rotated on a fixed schedule.
OAuth & ad platform tokens
- Refresh tokens are encrypted at rest; decryption happens only on worker nodes.
- Scopes follow least privilege; new scope requests need security review.
- Revocation: disconnect in the UI, then confirm in the ad platform’s linked accounts screen.
Data classification
Treat campaign metrics and customer lists as confidential unless labeled otherwise. Do not paste production IDs into public tickets or chat.
Incident response
Suspected credential leak: rotate keys immediately, notify ops via the internal security channel, and reference the runbook ID in your CMDB.