TRUECLICKS' STANCE ON SECURITY

Customer trust and data security are critical to everything we do at TrueClicks.

Secure and private by default

We believe you have the right to know where your (client’s) data is stored, how it’s managed, and how it’s used.

At TrueClicks, protecting customer data is a fundamental priority. Privacy and security are embedded in every aspect of our platform and supporting infrastructure. Earning and keeping the trust of our users is our top priority, and we continually look for ways to expand and improve the security of TrueClicks as the product evolves.

Privacy & GDPR

When it comes to personal data, we exclusively process the data of TrueClicks users and nobody else’s. We process our users’ work email, name, and behavior in the app. No more, no less. Please find all details about how we handle personal data in our privacy notice.

The other and most important type of data we process is advertising data from Google Ads and Microsoft Advertising. None of this data (such as impressions, clicks, cost, conversions, etc.) contains personally identifying information (PII), so it’s GDPR/CCPA compliant by nature.

Access to advertising platforms

TrueClicks needs access to your (clients’) Google Ads and/or Microsoft Advertising data to perform its functionality. Because access is granted through Google’s and Microsoft’s OAuth authorization flows, we never store or have access to any logins to these systems.

TrueClicks will also never appear in the ad accounts' change history, nor as a user or manager in the ad account. Everything goes through your existing login(s).

Additionally, users can revoke TrueClicks' access to the advertising platforms at any time upon request or by using Google’s third-party apps & services page and the Microsoft Defender for Cloud Apps portal. Of course, doing so will make it impossible for TrueClicks to provide its functionality.

Advertising data held on TrueClicks’ servers is intentionally limited to strictly what is required for functionality. TrueClicks leverages the API of the advertising platforms to retrieve the required data.

Your (clients’) advertising data is kept for only 30 days on our servers for debugging purposes. After that, we permanently delete this data. The only data we keep as long as you use TrueClicks is the data we generate ourselves: scores, alerts, recommendations, etc.

Product security
SSO & 2FA

SAML Single Sign-on (SSO) allows you to authenticate users in your systems without requiring them to create and enter additional login credentials for TrueClicks.
If your TrueClicks subscription costs more than $15,000/year, we offer SSO free of charge upon request (for one domain).
For lower plans, you can purchase SSO as an add-on for $1,500/year per email domain (e.g., @trueclicks.com and @trueclicks.de would be two email domains).

Permissions

You can set and update permission levels for each TrueClicks user. Permissions can be set to show only ad accounts they also have access to in Google and Microsoft Ads (private access) and to allow for additional permissions such as viewing all accounts, (un)linking advertising accounts, inviting/removing other team members, and editing the billing settings (in case of payment by credit card or SEPA direct debit).

Password and Credential Storage

Your password is encrypted and never stored in our database in a readable/unencrypted format. You are responsible for choosing a strong password and keeping it secret.

Uptime

We have an uptime of 99.9% or higher. You can check our past 90 days' stats at status.trueclicks.com.

Network and application security

Regional Data Hosting and Storage

All TrueClicks services and data are hosted in Microsoft Azure facilities in Europe. As you would expect, Azure meets the highest standards in infrastructure security, physical security, customer data protection, and compliance, including ISO 27001 and SOC 2 Type 2.

Failover and DR

TrueClicks was built with disaster recovery in mind. Our infrastructure and data are spread across two Microsoft Azure availability zones and will continue to work should any one of those data centers fail.

Permissions and Authentication

Access to customer data is limited to authorized employees who require it for their jobs. TrueClicks is served 100% over HTTPS. To protect access to cloud services, we enforce SAML Single Sign-On (SSO), 2-factor authentication (2FA), and strong password policies on BitBucket, Google, and Microsoft Azure.

Pentests and Vulnerability Scanning

TrueClicks uses third-party security tools to scan for vulnerabilities continuously. Our dedicated security team responds to issues raised. Once a year, we engage third-party security experts to perform detailed penetration tests on the TrueClicks application and infrastructure. 

Incident Response

TrueClicks implements a protocol for handling security events which includes escalation procedures, rapid mitigation, and post-mortem. All employees are informed of our policies.

Additional Security features
Training

All employees complete Security and Awareness training annually.

Policies

TrueClicks has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.

Confidentiality

All employee contracts include a confidentiality agreement.

PCI Obligations

All automated payments (credit cards and SEPA direct debit) made to TrueClicks go through our partner, Stripe. Details about their security setup and PCI compliance can be found on Stripe’s security page.

Common Security Vulnerabilities

SQL and Other Injection Techniques

All input from customers or any external system is considered untrusted, and must pass a whitelist before being inserted into a database or other system.
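As an added illustration of the allowlist-then-insert rule described above (example code written for this page, not TrueClicks' own code), the block below validates an ad-account identifier against an assumed shape before it reaches the database, and binds every value as a query parameter so free text such as an account name is never parsed as SQL. The account-ID format and the in-memory table are constructed assumptions.

```python
import re
import sqlite3

# Assumed ad-account ID shape for this illustration: 123-456-7890.
ACCOUNT_ID_RE = re.compile(r"^\d{3}-\d{3}-\d{4}$")


def validate_account_id(raw: str) -> str:
    """Allowlist check: only the expected shape passes; anything else is rejected."""
    if not isinstance(raw, str) or not ACCOUNT_ID_RE.fullmatch(raw):
        raise ValueError("account id rejected by allowlist")
    return raw


def open_demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for linked ad accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id TEXT PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("123-456-7890", "Demo Retail"), ("987-654-3210", "Demo Travel")],
    )
    return conn


def lookup_account(conn: sqlite3.Connection, raw_id: str) -> list:
    """Allowlist first, then a bound parameter, so the value is data, never SQL."""
    account_id = validate_account_id(raw_id)
    cur = conn.execute("SELECT id, name FROM accounts WHERE id = ?", (account_id,))
    return cur.fetchall()


def search_by_name(conn: sqlite3.Connection, fragment: str) -> list:
    """Free text cannot be allowlisted, so it is bound as a parameter instead.

    A quote or semicolon in the fragment is matched literally rather than executed.
    """
    cur = conn.execute(
        "SELECT id, name FROM accounts WHERE name LIKE ?", ("%" + fragment + "%",)
    )
    return cur.fetchall()
```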

Cross-Site Scripting

All input data from users is escaped to prevent XSS exploits. We also continuously run automated security scanners targeting this specific vulnerability.

Authentication / Session Management

All authentication credentials are only ever transmitted encrypted over SSL, and cookies are only accessible securely.

Cross-Site Request Forgery

CSRF tokens are required on all forms in Unbounce’s app. An automated scanner that targets this specific vulnerability audits this prevention.
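To make the per-form token requirement concrete, here is an added example (not code from the page or from the product) of the minimal issue-and-verify logic behind a CSRF token: one unguessable token per session, echoed back in every form and compared in constant time before any state-changing work runs. The session and form are plain dicts standing in for a web framework's objects.

```python
import hmac
import secrets
from typing import Optional

SESSION_TOKEN_KEY = "csrf_token"  # assumed session field name


def issue_csrf_token(session: dict) -> str:
    """Create one unguessable token per session and reuse it for every form."""
    token = session.get(SESSION_TOKEN_KEY)
    if not token:
        token = secrets.token_urlsafe(32)
        session[SESSION_TOKEN_KEY] = token
    return token


def verify_csrf_token(session: dict, submitted: Optional[str]) -> bool:
    """Reject a missing token, a session without one, or a mismatch.

    hmac.compare_digest keeps the comparison constant-time, so a mismatch
    does not leak how many leading characters were correct.
    """
    expected = session.get(SESSION_TOKEN_KEY)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_form_post(session: dict, form: dict) -> str:
    """Minimal handler: the state change only happens after the token check."""
    if not verify_csrf_token(session, form.get("csrf_token")):
        return "403 Forbidden"
    # ... apply the requested change here ...
    return "200 OK"
```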

Transport Layer Protection

All communication between the customer browser and the TrueClicks app is encrypted using industry-standard SSL. We regularly review the cipher suites and protocols used in the SSL communication, so older browsers may stop working. This ensures that attackers cannot downgrade SSL communications by using an obsolete or insecure cipher suite.