# Data Security
A2 GTM is a B2B platform that handles sensitive customer data — including OAuth tokens for ad platforms, prospect lists, and campaign content. This page summarizes the controls we use to protect that data and how to report security issues. For full data-handling details, see our Privacy Policy.
## Encryption
- In transit: All connections to A2 GTM use TLS 1.2 or higher with modern cipher suites. HTTP requests are redirected to HTTPS. HSTS is enabled with a one-year max-age.
- At rest: Customer data, OAuth tokens, and backups are encrypted with AES-256, using keys managed by our cloud provider's key-management service. Each tenant's data is logically isolated.
- Secrets: Third-party API tokens, OAuth refresh tokens, and integration credentials are stored in a managed secret store separate from the primary database, with envelope encryption and audit logging on every read.
## Access Control
- Customer-facing. Access to your A2 GTM workspace requires authentication. We support sign-in with email/password and Sign in with Google; enterprise SSO via SAML/OIDC is currently in development. All sign-in events are logged.
- Role-based access. Workspaces support roles (Owner, Admin, Member, Viewer) so customers can scope access by responsibility.
- Multi-factor authentication. MFA is supported on all account types and is required for Owner and Admin roles on enterprise plans.
- Internal access. Production data access is restricted to a minimal set of named engineers. Access is granted via short-lived, role-based credentials, requires MFA, and is logged for audit. Standing access to customer data is denied by default; on-call elevation is time-bound and reviewed monthly.
- Least privilege. Production services run with the minimum permissions needed; service-to-service authentication uses short-lived credentials.
## Monitoring and Logging
- Application, infrastructure, and authentication events are centralized in a tamper-evident log store with restricted query access.
- Anomaly alerts (failed logins, unusual API call rates, unexpected administrative actions) are routed to the on-call team.
- Logs are retained for 13 months and then deleted. PII is scrubbed from error reports before transmission to our error-monitoring vendor.
## Incident Response
- We maintain an incident-response runbook covering detection, triage, containment, eradication, recovery, and post-incident review.
- An on-call engineer is available 24/7 for production incidents.
- Notification. Where a personal-data breach is likely to result in a risk to data subjects, we will notify affected customers without undue delay and, where required by GDPR, within 72 hours of becoming aware. We will provide the categories of data affected, likely consequences, mitigation steps taken, and a contact for further information.
- Post-incident reviews are blameless and produce action items tracked to closure.
## Vendor and Subprocessor Security
- We perform a security review of every subprocessor before use, covering certifications, data-handling practices, sub-subprocessors, breach history, and incident-response capability.
- Each subprocessor is bound by a Data Processing Agreement (DPA) restricting use of customer data to delivering services to A2 GTM.
- Our current subprocessor list is published in the Privacy Policy, Section 6.
## Software Development Lifecycle
- Code changes go through peer review before merging to the main branch.
- Continuous integration runs static analysis, dependency vulnerability scanning, and the test suite on every change.
- Production deployments are automated and audit-logged. Manual production access is restricted and logged.
- Dependency updates are reviewed regularly; critical security patches are prioritized.
## Backups and Disaster Recovery
- Primary databases are backed up at least daily; point-in-time recovery is available within the retention window.
- Backups are encrypted with the same standard as the primary store and retained for 35 days.
- We test restoration procedures periodically.
## Certifications and Compliance Status
| Standard / Framework | Status |
|---|---|
| SOC 2 Type II | In progress |
| ISO 27001 | Not started |
| HIPAA | Not in scope (A2 GTM is not a healthcare product; do not upload PHI) |
| PCI DSS | Not directly in scope. Card data is handled by Stripe (PCI DSS Level 1). |
| GDPR / UK GDPR | Compliant program — see Privacy Policy §9 and §13 for transfers. |
| CCPA / CPRA | Compliant program — see Privacy Policy §9. |
We do not claim certifications we do not hold. Updates will be posted here as they are achieved.
## Vulnerability Disclosure
If you believe you have discovered a security vulnerability in A2 GTM, please report it to us responsibly:
- Email [email protected] with a description, reproduction steps, and any supporting material.
- TODO_PGP_KEY: publish PGP fingerprint here, or remove this line.
- Please give us a reasonable opportunity to investigate and fix the issue before public disclosure (target: 90 days, faster for high-severity findings).
- Do not access, modify, or delete data that does not belong to you. Do not run automated scans that degrade service. Do not perform social-engineering or physical attacks.
- If you act in good faith under this policy, we will not pursue legal action against you for your research and will work with you on disclosure.
We acknowledge reports within 3 business days and provide a status update within 10 business days.
## Customer Responsibilities
Security is shared. To keep your data safe:
- Use a strong, unique password and enable MFA on your account.
- Use the role-based access controls to grant the minimum access each user needs.
- Review and revoke connected third-party integrations you no longer use.
- Report suspected account compromise immediately to [email protected].
- Do not upload data you are not authorized to share, and do not upload regulated data (e.g., PHI, payment card data, government IDs) to A2 GTM.
## Contact
Security issues and vulnerability reports: [email protected]
Privacy and data-subject requests: [email protected]
Legal notices: [email protected]
ACE Financials Technology
2647 Narnia Way, Suite 101
Land O Lakes, FL 34638, United States