Admaxxer is a self-hosted ads manager that holds high-trust credentials — ad platform access tokens that can spend money. Security is our top engineering priority.
Every Meta and Google ad-platform token is encrypted with AES-256-GCM before it touches the database. The data encryption key is derived from SESSION_SECRET using scrypt with per-record salts. Plaintext tokens exist only in memory for the duration of an outbound API call and are never written to log output, error reports, or backups.
User sessions are managed via signed, HTTP-only cookies (or JWT bearer tokens for API clients). Passwords are hashed with bcrypt. Optional TOTP-based 2FA is available on all paid plans.
All public endpoints are rate-limited per IP and per account. The AI agent enforces additional per-workspace token quotas to prevent runaway costs and protect the underlying LLM provider.
Meta long-lived tokens expire after 60 days. Admaxxer monitors expires_at on every sync and proactively notifies the workspace owner 7 days before expiry. Expired tokens are automatically disabled and the integration enters a safe paused state — never silent-failing.
The adSyncLogs table records every metric sync, AI-initiated mutation, and manual workspace action with actor, timestamp, target object, and result. Logs are append-only and retained for 12 months.
All data access goes through workspace-scoped queries. There is no cross-workspace endpoint in the application, and database row-level checks defend against parameter tampering.
All payment data (card numbers, CVCs) is handled exclusively by Stripe — a PCI DSS Level 1 service provider. Admaxxer never sees raw card data; we store only the Stripe customer/subscription identifiers.
A central log scrubber strips known-secret patterns (token prefixes, refresh tokens, Stripe keys) before any log line leaves the process. Errors that include request bodies are sanitized at the source.
To report a vulnerability, email security@admaxxer.com. We acknowledge within 24 hours and aim to triage within 72 hours. We do not currently offer cash bounties but will credit reporters in our security changelog.