Your clients' data deserves enterprise-grade protection
When agencies connect client ad accounts, trust is everything. Here's how Ambit protects that trust.
Security by design
Not bolted on. Built in from the first line of code.
OAuth-Only Connections
We never store ad platform passwords. Every connection uses OAuth 2.0 tokens issued by the platform itself. Revoke access from the platform at any time.
Row-Level Security
Every database query is scoped to the requesting user's organization and permissions. Users can only access data they're authorized to see — enforced at the database layer, not just the UI.
Encryption
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). API tokens are stored encrypted and never exposed in application logs.
Column-Level Visibility
Control exactly which data columns each client user can see. Hide raw costs, markup amounts, or any sensitive field — per client, per user role.
Revocable Report Links
Shared report URLs are tokenized with optional expiration dates. Revoke access to any shared link instantly from the dashboard.
Role-Based Access Control
Four permission levels (admin, manager, member, client) with organization-scoped access. Superadmin role for agency owners managing multiple organizations.
Passwordless Login
Sign in with a magic link sent to your email — no password to remember, phish, or leak. Traditional password login is available too, with secure reset flows.
How we handle your data
What we collect
Aggregate campaign performance metrics only: spend, impressions, clicks, conversions, and conversion value. We do not collect personally identifiable information (PII) from ad platform audiences.
How data is synced
Data syncs daily via secure API calls to each ad platform. A 7-day rolling backfill catches attribution lag and late-arriving conversions. A weekly 30-day audit catches invalid traffic adjustments.
Where data is stored
All data is stored in Supabase (PostgreSQL) with row-level security policies. Infrastructure runs on AWS in the US-East region. Backups are automated and encrypted.
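What an organization-scoped policy of the kind described here and under Row-Level Security can look like in Supabase's PostgreSQL, as an added example that is not Ambit's own schema or code. The table, column and policy names are hypothetical; `auth.uid()` and the `authenticated` role are Supabase's.

```sql
-- Hypothetical schema: every table, column and policy name here is an assumption.
create table organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table memberships (
  user_id uuid not null,  -- Supabase auth user id
  org_id  uuid not null references organizations (id),
  role    text not null check (role in ('admin', 'manager', 'member', 'client')),
  primary key (user_id, org_id)
);

create table campaign_metrics (
  org_id           uuid not null references organizations (id),
  metric_date      date not null,
  platform         text not null,
  spend            numeric(14, 2) not null,
  impressions      bigint not null,
  clicks           bigint not null,
  conversions      numeric(14, 2) not null,
  conversion_value numeric(14, 2) not null,
  primary key (org_id, metric_date, platform)
);

-- With RLS enabled and no matching policy, a query returns zero rows (default deny).
alter table memberships enable row level security;
alter table campaign_metrics enable row level security;

-- A user sees only their own membership rows (no self-reference, so no policy recursion).
create policy memberships_select_own on memberships
  for select to authenticated
  using (user_id = auth.uid());

-- Metrics are readable only by users who belong to the owning organization.
create policy metrics_select_same_org on campaign_metrics
  for select to authenticated
  using (
    exists (
      select 1 from memberships m
      where m.user_id = auth.uid()
        and m.org_id = campaign_metrics.org_id
    )
  );

-- No insert/update/delete policy exists, so authenticated users cannot write metrics.
-- Assumption: a server-side sync job writes them with Supabase's service_role key,
-- which bypasses RLS and therefore must never reach the browser.
```

Because the filter lives in the policy, a client that omits the organization condition from its query still receives only its own organization's rows.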
Data retention
Campaign data is retained as long as your account is active. If you cancel, your data is preserved for 30 days, then permanently deleted. You can request immediate deletion at any time.
Questions about security?
We're happy to discuss our security practices in detail. Reach out to our team.
