ZuckerBot

Security

You're connecting a live Meta ad account — the thing that spends real money. Here's exactly how ZuckerBot protects that access, in specifics rather than promises.

Your Meta token, encrypted at rest

Every Meta access token is stored encrypted with AES-256-GCM (authenticated encryption — each value carries its own integrity tag, so tampering is detectable). Tokens are decrypted server-side only, at the exact moment a Meta API call needs them, and are re-encrypted at every write. There is no code path that returns a decrypted token to the browser.

Decrypt at point of use

The plaintext token exists only in server memory for the duration of the Meta API call it's needed for — never persisted in the clear, never sent to the client.

Per-tenant isolation

Each customer's tokens and data are scoped to their own account. One customer's connection is never visible to another.

Key held outside the database

The encryption key lives in the platform's secret store (environment/secret manager), not in the database — so a database dump alone cannot decrypt any token.

Encrypted everywhere it's stored

The same encryption applies across every place a token can live; existing records were migrated so no plaintext token remains at rest.

Your ad spend can't run away

Access & transport

What we don't claim

We're a new product built by a solo developer. We don't claim a SOC 2 report, a third-party penetration test, or any certification we haven't done — because we haven't done them yet. What's on this page is what's actually implemented today. If that changes, this page will say so.

Found something?

If you believe you've found a security issue, email support@zuckerbot.ai with the details and we'll respond quickly. Please don't publicly disclose until we've had a chance to fix it.