← Adsynth

Security & Responsible Disclosure Policy

Effective: 1 January 2026 · Version 2026-01-01

Prebo Digital takes the security of the Adsynth platform (“Service”) seriously. Because the Service connects to advertising and analytics accounts via OAuth, we welcome reports from security researchers and treat good-faith research as authorised under this policy.

1. How we protect data

  • Encryption in transit (TLS) and encryption of stored credentials at rest.
  • Role-based access control and tenant isolation between organisations.
  • Rate limiting, security headers (CSP, HSTS), and CSRF protections.
  • Least-privilege OAuth scopes — we request only what a connected feature needs.

2. Reporting a vulnerability

Email info@prebodigital.co.za with the subject line “Security”. Please include enough detail to reproduce the issue (affected URL/endpoint, steps, and impact). We aim to acknowledge reports within 5 business days and to keep you updated as we investigate and remediate.

3. Good-faith guidelines (safe harbour)

If you make a good-faith effort to comply with this policy during your research, we will:

  • Not pursue or support legal action against you for accidental, good-faith violations; and
  • Work with you to understand and resolve the issue promptly.

You agree to:

  • Avoid privacy violations, data destruction, and interruption or degradation of the Service.
  • Only access or modify data that belongs to you or a test account you control.
  • Not exfiltrate data, and to delete any incidentally accessed data after reporting.
  • Give us reasonable time to remediate before any public disclosure.

4. Out of scope

Reports limited to the following are generally out of scope: volumetric denial-of-service, social engineering of our staff or users, physical attacks, and findings from automated scanners without a demonstrated, exploitable impact. Issues in third-party platforms (e.g. Google, Meta) should be reported to those providers.

5. Data breach notification

If a personal-information breach occurs, we will notify affected customers and the Information Regulator (South Africa) as required by POPIA (and other applicable law) without undue delay.