
Security

Last updated: March 25, 2026

At YEpsilon, security is foundational — not an afterthought. We handle sensitive business data including CRM records, ad platform credentials, and campaign performance metrics. This page describes the security measures we implement to protect your data.

1. Infrastructure Security

YEpsilon's infrastructure is built on trusted, enterprise-grade providers:

  • Backend: Hosted on Railway with automatic TLS, isolated containers, and private networking.
  • Frontend: Hosted on Vercel's edge network with automatic HTTPS and DDoS protection.
  • Database: MongoDB Atlas with encryption at rest (AES-256), automated backups, network isolation, and SOC 2 Type II compliance.
  • Cache/Queues: Upstash Redis with TLS encryption, password authentication, and data persistence.

2. Data Encryption

In Transit

All data transmitted between your browser and YEpsilon, and between YEpsilon and third-party services, is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints with no exceptions.

At Rest

All database storage is encrypted at rest using AES-256 via MongoDB Atlas's built-in encryption. OAuth tokens for your connected ad platforms and CRM systems are additionally encrypted using AES-256-GCM with a dedicated encryption key before being stored, providing an extra layer of protection beyond database-level encryption.

3. Authentication and Access Control

  • User Authentication: Managed by Clerk, providing enterprise-grade authentication with support for multi-factor authentication (MFA), single sign-on (SSO), and secure session management.
  • API Authentication: All API requests require a valid Bearer token. Tokens are verified on every request using Clerk's backend verification.
  • Platform Connections: Third-party platforms (Google Ads, LinkedIn, Meta, HubSpot, etc.) are connected exclusively via OAuth 2.0 with scoped permissions. We never ask for or store your third-party passwords.
  • Token Refresh: OAuth tokens are proactively refreshed before expiration to maintain secure, uninterrupted service.

4. API Security

  • Rate Limiting: All API endpoints are rate-limited to prevent abuse and brute-force attacks.
  • Security Headers: We use helmet.js to set comprehensive HTTP security headers including Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security.
  • CORS: Cross-origin requests are restricted to authorized domains only.
  • Input Validation: All user inputs are validated and sanitized before processing to prevent injection attacks.
  • Error Handling: Internal errors return generic messages to clients. Detailed error information is logged server-side only and never exposed to end users.
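The three controls above that do not depend on a library (origin allow-listing for CORS, per-client rate limiting, and error sanitisation) are shown below as an added example. This is not YEpsilon's code; in a real Express deployment the cors, express-rate-limit and helmet packages would be used instead of these hand-written functions. The allowed origins, limits and request identifiers are constructed values for the demo.

```javascript
// Added example, not YEpsilon's own code. Dependency-free versions of three
// API-layer controls so they can be exercised offline.

// 1. CORS: exact-match allowlist. A suffix check such as
//    origin.endsWith('yepsilon.ai') would also accept "https://evil-yepsilon.ai",
//    and an unanchored regex would accept "https://app.yepsilon.ai.attacker.com".
const ALLOWED_ORIGINS = new Set([
  'https://app.yepsilon.ai', // constructed for the demo
  'https://yepsilon.ai',
]);

// Returns the CORS response headers for a request Origin, or an empty object
// (no Access-Control-Allow-Origin header, so the browser blocks the response).
function corsHeadersFor(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin, // echo only an allowlisted origin
    'Vary': 'Origin',                      // never '*' when credentials are involved
  };
}

// 2. Rate limiting: sliding window per client key (user id or source IP).
//    `now` is injectable so behaviour is deterministic in tests.
class SlidingWindowLimiter {
  constructor({ limit, windowMs }) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.hits = new Map(); // key -> array of request timestamps (ms)
  }
  // true if the request may proceed, false if it should receive HTTP 429.
  allow(key, now = Date.now()) {
    const cutoff = now - this.windowMs;
    const recent = (this.hits.get(key) || []).filter((t) => t > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(key, recent); // a rejected request does not consume budget
      return false;
    }
    recent.push(now);
    this.hits.set(key, recent);
    return true;
  }
}

// 3. Error handling: the client gets a generic body plus a correlation id;
//    the real message and stack go only to the server-side log record.
function toClientError(err, requestId) {
  const serverLog = { requestId, message: err.message, stack: err.stack };
  const clientBody = { error: 'Internal server error', requestId };
  return { status: 500, clientBody, serverLog };
}

// Demo with constructed inputs.
console.log(corsHeadersFor('https://app.yepsilon.ai'));
console.log(corsHeadersFor('https://app.yepsilon.ai.attacker.com')); // {}
const limiter = new SlidingWindowLimiter({ limit: 3, windowMs: 60000 });
const t0 = 1700000000000;
console.log([0, 1, 2, 3].map((i) => limiter.allow('user:42', t0 + i * 1000)));
console.log(limiter.allow('user:42', t0 + 61000)); // window has slid: allowed again
const { clientBody } = toClientError(new Error('ECONNREFUSED 10.0.0.5:27017'), 'req-1');
console.log(clientBody); // no host, port or stack reaches the caller
```

The CORS function returns no header at all for an unknown origin rather than a wildcard, because a wildcard cannot be combined with credentialed requests and an echoed arbitrary origin would let any site read API responses with the user's session.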

5. AI and LLM Data Handling

YEpsilon uses large language models (Google Gemini, OpenAI GPT-4) for campaign strategy generation, ad copy creation, and optimization recommendations. Our approach to LLM security:

  • We send only contextual and anonymized data to LLM providers, never raw personally identifiable information (PII).
  • LLM interactions are stateless: each request carries only the context it needs, and no conversation history is kept with the provider between requests.
  • We do not use your data to train or fine-tune any language models.
  • LLM-generated content goes through our review pipeline before deployment to your ad accounts.

6. Ad Platform Credential Security

Your advertising platform credentials receive special protection:

  • OAuth tokens are encrypted with AES-256-GCM using a dedicated encryption key separate from the database encryption.
  • We request only the minimum OAuth scopes necessary to operate (principle of least privilege).
  • Tokens are proactively refreshed before they expire, so stale credentials are not kept in service and connections are not interrupted.
  • You can revoke access at any time by disconnecting the platform in YEpsilon or revoking permissions directly in the ad platform.

7. Monitoring and Incident Response

  • All API access is logged for audit purposes.
  • Optimization actions are recorded in an immutable audit log with timestamps and action details.
  • Anomaly detection runs before each optimization cycle to identify irregular patterns.
  • Spend safety monitors enforce daily budget caps to prevent runaway ad spend.
  • We maintain incident response procedures for prompt detection, containment, and resolution of security events.

8. Compliance

YEpsilon is designed with compliance in mind:

  • GDPR: We support data access, correction, deletion, and portability requests.
  • CCPA: California residents can exercise their privacy rights as described in our Privacy Policy.
  • Google API Services: We comply with Google's API Services User Data Policy and Limited Use requirements.
  • SOC 2 Alignment: Our infrastructure providers (MongoDB Atlas, Clerk, Vercel) maintain SOC 2 compliance, and our practices align with SOC 2 trust service criteria.

9. Responsible Disclosure

We value the work of security researchers. If you discover a security vulnerability in YEpsilon, we encourage responsible disclosure. Please report vulnerabilities to:

Email: security@yepsilon.ai

We will acknowledge receipt within 48 hours and work to resolve verified vulnerabilities promptly. We will not pursue legal action against researchers who follow responsible disclosure practices.

10. Contact

For security-related questions or concerns, contact us at:

Email: security@yepsilon.ai
Website: https://yepsilon.ai

© 2026 YEpsilon. All rights reserved.