Trust

Security at ROASmind

Effective 1 June 2026 · Last updated 1 June 2026

1. Our Commitment to Security

At ROASmind, we take the security of your data and your connected ad accounts seriously. This page describes the security measures we implement to protect your information and the responsible disclosure process for reporting vulnerabilities.

2. Infrastructure Security

2.1 Hosting

  • Frontend: Hosted on Vercel's global CDN with automated DDoS protection
  • Backend: Hosted on Railway with isolated container environments
  • Database: Hosted on Supabase (AWS ap-southeast-2), with encryption at rest and automated backups
  • File Storage: Supabase Storage with access-controlled buckets (private and public buckets separated by data sensitivity)

2.2 Encryption

  • All data in transit is encrypted using TLS 1.2 or higher
  • All data at rest is encrypted using AES-256 encryption via Supabase/AWS
  • User passwords are hashed using bcrypt with appropriate cost factor — plaintext passwords are never stored
  • OAuth tokens (Meta, Google, LinkedIn) are stored encrypted in the database and never exposed to the frontend

2.3 Network Security

  • CORS policies restrict API access to authorised origins only
  • All API endpoints require authenticated JWT tokens (except public endpoints)
  • Rate limiting is applied to authentication endpoints to prevent brute-force attacks
  • Environment variables and secrets are never exposed in frontend code or version control

3. Authentication Security

  • User sessions are managed via JWT (JSON Web Tokens) with expiry enforcement
  • Passwords must meet minimum strength requirements
  • OAuth 2.0 is used for all ad platform connections (Meta, Google, LinkedIn) — ROASmind never receives or stores your ad platform passwords
  • OAuth state parameters are signed with a server-side secret to prevent CSRF attacks on OAuth flows
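The signed OAuth state parameter described above, as an added illustration (not ROASmind's own code): the state carries the user, provider and issue time, is HMAC-signed with a server-side secret, and is rejected on the callback if the signature, the binding to the current user/provider, or the time window fails. The secret value and the 10-minute TTL are constructed assumptions for the example.

```python
import hashlib
import hmac
import json
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Optional

# Constructed secret for the example; in production this comes from a server-side
# environment variable and never reaches the frontend.
STATE_SECRET = b"constructed-example-secret-do-not-use"
STATE_TTL_SECONDS = 600  # assumed window between redirect and callback


def _b64(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))


def create_state(user_id: str, provider: str, now: Optional[float] = None) -> str:
    """Return '<payload>.<signature>' bound to the session that started the flow."""
    payload = {
        "uid": user_id,
        "provider": provider,
        "nonce": secrets.token_hex(16),
        "iat": int(now if now is not None else time.time()),
    }
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(STATE_SECRET, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(sig)}"


def verify_state(state: str, user_id: str, provider: str, now: Optional[float] = None) -> bool:
    """Check signature first (constant-time), then freshness, then the user/provider binding."""
    try:
        body, sig_text = state.split(".", 1)
        expected = hmac.new(STATE_SECRET, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig_text)):
            return False
        payload = json.loads(_unb64(body))
    except (ValueError, TypeError):
        return False  # malformed state is treated as forged
    current = now if now is not None else time.time()
    if current - payload.get("iat", 0) > STATE_TTL_SECONDS:
        return False
    return payload.get("uid") == user_id and payload.get("provider") == provider
```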

4. Ad Account Security

When you connect your Meta, Google Ads, or LinkedIn account to ROASmind:

  • We request only the minimum permissions required to manage campaigns on your behalf
  • OAuth access tokens and refresh tokens are stored encrypted in our database
  • Tokens are transmitted only over encrypted connections
  • You can revoke ROASmind's access to your ad accounts at any time from the Settings page, or directly from Meta Business Manager, Google Account settings, or LinkedIn Campaign Manager
  • We do not share your OAuth tokens with any third party

5. Payment Security

  • Payment processing is handled entirely by Razorpay, a PCI-DSS compliant payment processor
  • ROASmind never receives, stores, or processes your card number, CVV, or full payment credentials
  • All payment pages and flows are handled directly by Razorpay's secure infrastructure
  • Razorpay webhook signatures are verified before processing any payment events
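As an added example of the webhook check above (not ROASmind's own code): Razorpay's documented scheme sends an HMAC-SHA256 hex digest of the raw request body, keyed with the dashboard webhook secret, in the X-Razorpay-Signature header. The verification runs on the exact received bytes before any JSON parsing, and the event is only interpreted once it passes. The secret and the sample event are constructed.

```python
import hashlib
import hmac
import json

# Constructed webhook secret; in production it is the value configured in the
# Razorpay dashboard, loaded from a server-side environment variable.
WEBHOOK_SECRET = b"constructed-webhook-secret"


def sign_body(raw_body: bytes, secret: bytes = WEBHOOK_SECRET) -> str:
    """HMAC-SHA256 hex digest over the raw bytes (also used to build the test fixture)."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(raw_body: bytes, headers: dict) -> bool:
    """Compare the header digest against one computed over the unmodified body.

    Re-serialising the parsed JSON would change whitespace and break the digest,
    so verification must happen before json.loads, never after.
    """
    lowered = {k.lower(): v for k, v in headers.items()}  # HTTP header names are case-insensitive
    provided = lowered.get("x-razorpay-signature", "")
    return hmac.compare_digest(sign_body(raw_body), provided)


def handle_webhook(raw_body: bytes, headers: dict) -> dict:
    """Reject unsigned/forged events with 401; only parse and act after the check passes."""
    if not verify_webhook(raw_body, headers):
        return {"status": 401, "processed": False}
    event = json.loads(raw_body)
    if event.get("event") != "payment.captured":
        return {"status": 200, "processed": False}  # acknowledged, nothing to do
    payment = event["payload"]["payment"]["entity"]
    return {"status": 200, "processed": True,
            "payment_id": payment["id"], "amount": payment["amount"]}


# Constructed sample in the shape of a Razorpay payment.captured event
SAMPLE_BODY = json.dumps({
    "entity": "event",
    "event": "payment.captured",
    "payload": {"payment": {"entity": {"id": "pay_EXAMPLE000000", "amount": 49900,
                                        "currency": "INR"}}},
}).encode()
```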

6. Data Access Controls

  • Access to production infrastructure is restricted to authorised personnel only
  • User data is logically isolated — users can only access their own brands, campaigns, and data
  • Feature access is enforced at the API level based on subscription plan
  • BYOK (Bring Your Own Key) API keys on the Pro plan are stored encrypted

7. Third-Party Security

We work with reputable third-party service providers, all of whom maintain their own security programmes:

Provider     Security Standard
Supabase     SOC 2 Type II, ISO 27001
Vercel       SOC 2 Type II
Railway      SOC 2 compliant
Anthropic    Enterprise security programme
OpenAI       SOC 2 Type II
Razorpay     PCI-DSS Level 1
Resend       SOC 2 Type II

8. Vulnerability Disclosure (Responsible Disclosure Policy)

We welcome responsible security researchers who wish to report vulnerabilities in ROASmind. If you discover a security issue, please report it to us before making it public.

How to Report

Email: defy@houseofnamus.com
Subject line: [SECURITY] Vulnerability Report — ROASmind

Please include:

  • A clear description of the vulnerability
  • Steps to reproduce the issue
  • The potential impact
  • Any supporting evidence (screenshots, logs, proof-of-concept)

Our Commitments

  • We will acknowledge your report within 72 hours
  • We will investigate and provide a status update within 7 business days
  • We will not take legal action against researchers who act in good faith
  • We will credit researchers (if they wish) in our acknowledgements upon resolution

Scope — In Scope

  • roasmind.houseofnamus.com (frontend)
  • API at the backend domain
  • OAuth connection flows
  • Authentication and session management

Scope — Out of Scope

  • Third-party services (Supabase, Razorpay, Meta, Google, LinkedIn, etc.)
  • Denial of service attacks
  • Social engineering attacks
  • Physical security attacks
  • Spam or phishing

9. Incident Response

In the event of a security incident affecting user data:

  • We will investigate and contain the incident promptly
  • Affected users will be notified within 72 hours of confirmed impact, in accordance with the DPDP Act 2023 and GDPR requirements
  • We will provide details of what happened, what data was affected, and what steps we have taken
  • We will report significant incidents to applicable regulatory authorities as required by law

10. User Responsibilities

Security is a shared responsibility. To keep your account secure:

  • Use a strong, unique password for your ROASmind account
  • Do not share your login credentials with anyone
  • Regularly review your connected ad accounts from Settings → Connected Accounts
  • Revoke ROASmind's access to any ad account you no longer wish to manage through the Platform
  • Log out from shared or public devices
  • Contact us immediately at defy@houseofnamus.com if you suspect unauthorised access to your account

11. Contact

For security concerns, vulnerability reports, or any security-related questions:

House of Namus — ROASmind
Email: defy@houseofnamus.com
Website: roasmind.houseofnamus.com