Security Architecture

Security is not a feature.
It's the product.

GravityAds exists because letting AI agents directly modify ad accounts is dangerous. Our entire architecture is designed around the principle: AI proposes, humans approve, systems audit.

Controlled Execution Pipeline

Every platform write follows a strict lifecycle: draft → preflight validation → risk scoring → human approval → execution → observation → feedback capture. No agent can skip a step.

  • 12-state action lifecycle with immutable transitions
  • Preflight validates scope, budget, and entity existence
  • Risk scoring blocks high-impact changes from auto-execution
  • Rollback plans generated before every execution

Credential Isolation

Platform credentials (OAuth tokens, developer tokens) are never stored in GravityAds databases. They're held as encrypted Secret Refs in cloud Secret Manager.

  • OAuth tokens → Secret Manager encrypted references
  • Token exchange happens server-side only
  • Frontend never sees raw auth codes or refresh tokens
  • Key rotation without service interruption

Triple-Layer Redaction

All API responses pass through three redaction layers before reaching any client — MCP or Portal.

  • Layer 1: Platform response stripping (raw API fields)
  • Layer 2: PII redaction (emails → hashes, IDs → masked)
  • Layer 3: Output schema validation (only declared fields pass)
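
A minimal sketch of the three layers applied in order, added here as an illustration and not GravityAds' own code. The field names, the declared schema, the "_id" suffix rule and the hashing key are assumptions; the example uses a keyed hash for emails rather than a bare digest.

```python
import hashlib
import hmac
import re

# Assumptions for this example: field names, schema and key are constructed.
RAW_PLATFORM_FIELDS = {"resource_name", "tracking_url_template"}
DECLARED_SCHEMA = {"campaign_id": str, "name": str, "daily_budget": float, "owner": str}
HASH_KEY = b"example-key-load-from-secret-manager"
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

def strip_platform_fields(resp):
    """Layer 1: drop raw platform API fields."""
    return {k: v for k, v in resp.items() if k not in RAW_PLATFORM_FIELDS}

def hash_email(match):
    # Keyed hash: a bare SHA-256 of an email can be reversed by hashing guesses.
    mac = hmac.new(HASH_KEY, match.group(0).lower().encode(), hashlib.sha256)
    return "h:" + mac.hexdigest()[:16]

def mask_id(value):
    s = str(value)
    keep = s[-4:] if len(s) > 4 else ""  # short IDs are masked entirely
    return "*" * (len(s) - len(keep)) + keep

def redact_pii(resp):
    """Layer 2: emails -> hashes, IDs -> masked."""
    out = {}
    for k, v in resp.items():
        if k.endswith("_id"):
            v = mask_id(v)
        elif isinstance(v, str):
            v = EMAIL_RE.sub(hash_email, v)
        out[k] = v
    return out

def validate_output(resp):
    """Layer 3: only declared fields pass; a wrong type fails closed."""
    out = {}
    for field, ftype in DECLARED_SCHEMA.items():
        if field in resp:
            if not isinstance(resp[field], ftype):
                raise TypeError(f"{field}: expected {ftype.__name__}")
            out[field] = resp[field]
    return out

def redact(resp):
    return validate_output(redact_pii(strip_platform_fields(resp)))

# Constructed sample response, not real platform output.
SAMPLE = {"campaign_id": "1234567890", "name": "Spring Sale", "daily_budget": 50.0,
          "owner": "Jane.Doe@example.com", "resource_name": "customers/0/campaigns/0",
          "billing_note": "contact ops@example.com"}
```

Calling redact(SAMPLE) drops resource_name at layer 1 and the undeclared billing_note at layer 3, so a field added upstream never reaches a client unless it is declared.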

Audit Ledger

Every operation — read or write — produces an immutable audit record with the original request, transformed output, and platform response.

  • Complete request/response capture per tool call
  • Usage metering with cost attribution per tenant
  • Exportable audit logs (Quant + Enterprise plans)
  • Stripe usage reporting for transparent billing

Scope & Entitlement Enforcement

GravityAds enforces scope checks at three levels: token scope (OIDC), plan entitlement, and control-plane role policy.

  • 6 scope levels: read → draft → approve → execute → admin → ops
  • 5 roles: viewer, optimizer, approver, tenant_admin, gravity_ops
  • Plan-based feature gating (workbench, quant, audit, SSO)
  • Rate limiting per tenant × operator × operation

Infrastructure Security

Designed for Cloud Run with minimal attack surface.

  • Stateless workers — no persistent credentials in memory
  • JWKS/OIDC token verification (issuer + audience + expiry)
  • Tenant isolation via allow-list and control-plane checks
  • SOC 2 Type II roadmap underway

SOC 2 Type II Roadmap

We're actively working toward SOC 2 Type II certification. Our architecture already implements the controls required for trust services criteria. Contact us for our current compliance documentation.

Questions about security?

We're happy to walk through our security architecture with your team.