Security
Read-only access to your Meta ad data. AES-256-GCM encryption at rest. SOC 2 Type II infrastructure across the stack. Zero write operations to your ad account — ever.
How Your Data Flows
Your ad data follows a strict, auditable path. We fetch metrics in real-time and never store raw campaign data permanently.
Access & Permissions
We request the minimum scope required: ads_read. This permission cannot create, modify, or delete anything in your ad account. It's enforced by Meta at the API level.
Encryption & Storage
Your Meta access token is the most sensitive piece of data we handle. It's encrypted with AES-256-GCM before storage and decrypted only in-memory when making API requests to Meta.
Meta returns access token via OAuth
EAABs...xxxxx (plaintext, in memory only)
Encrypted with AES-256-GCM
256-bit key + unique IV per token + authentication tag
Stored as ciphertext in Supabase
iv:authTag:encrypted... (never plaintext)
Key separation
Encryption key stored in Vercel environment variables. Database hosted on Supabase. Compromising either one alone is insufficient to read tokens.
Row-Level Security
Supabase RLS policies ensure users can only access their own data. Enforced at the database level.
No Plaintext Secrets
All sensitive values (tokens, API keys) are encrypted or hashed. Nothing sensitive stored in plain text.
Tamper Detection
GCM authentication tags detect any tampering with encrypted data. Modified ciphertext fails decryption.
Authentication
SharpMatter uses passwordless authentication exclusively. No password database means no password breaches. Every authentication method uses modern, proof-based security.
One-time use email links via Supabase Auth. No password to remember, phish, or brute-force. Links expire after use.
Standard OAuth 2.0 with PKCE for connecting your Meta ad account. We never see your Meta password. Token scoped to ads_read only.
For AI clients like Claude Desktop. Full OAuth 2.1 with PKCE, dynamic client registration, and 1-hour access tokens with 30-day refresh rotation.
Managed by Supabase Auth with secure HTTP-only cookies. Sessions are server-validated on every request. Sign out terminates all active sessions.
Infrastructure
We don't operate any self-hosted servers. Every component of our infrastructure runs on SOC 2 Type II certified platforms with TLS 1.3 encryption in transit.
Application hosting, edge functions, and deployment infrastructure.
Database, authentication, and row-level security enforcement.
AI analysis via Claude. Your data is not used to train models.
All data in transit encrypted via TLS 1.3
Every connection between your browser, our servers, Meta's API, and Anthropic's API is encrypted with TLS 1.3. No exceptions.
Data Retention & Deletion
We retain only what's necessary, for as long as it's necessary. You can delete your data at any time.
Meta Access Tokens
60-day expiry
Tokens expire per Meta's policy. Encrypted at rest. Destroyed immediately on disconnect or account deletion.
Conversation History
User-controlled
Delete individual conversations or all history anytime from the chat interface. Permanently removed from database.
Business Context
User-controlled
Optional business context you provide (AOV, margins, targets). Editable and deletable from settings.
Error Logs
30-day auto-cleanup
Anonymized error logs for debugging. Automatically purged after 30 days by scheduled cleanup.
Account Deletion
On request
Full account deletion removes all data: tokens, conversations, context, preferences. Meta data deletion callback also implemented per Meta platform requirements.
Compliance
We designed SharpMatter with privacy regulations and platform requirements in mind — not as an afterthought.
Connection Methods
Whether you use our built-in chat or connect via MCP, the same security posture applies. Both methods are read-only, encrypted, and OAuth-protected.
Web application at sharpmatter.ai
Works with Claude Desktop and others
FAQ
No. SharpMatter requests only the ads_read permission from Meta. This is a read-only scope — we can never create, edit, pause, or delete campaigns, ad sets, or ads. Our Meta App Review was approved with this scope specifically verified.
Your Meta access token is encrypted with AES-256-GCM and stored in Supabase (hosted on AWS). Campaign metrics are fetched in real-time from Meta's API and are not permanently stored — they're cached briefly for performance, then discarded. Conversation history is stored in Supabase and is deletable anytime.
You can disconnect your Meta account from SharpMatter at any time via the Connect page. This immediately deactivates our access. You can also revoke access directly from Meta's Business Settings under Business Integrations. Both methods are instant.
Account deletion removes all your data: encrypted Meta tokens are destroyed, conversation history is deleted, business context is cleared, and your profile is removed. We also implement Meta's data deletion callback, so Meta can request deletion of your data independently.
Yes. We never store plaintext tokens. Every Meta access token is encrypted with AES-256-GCM using a 256-bit key before it touches the database. The encryption key is stored as an environment variable in Vercel, separate from the database. Tokens are decrypted in-memory only when making API calls to Meta.
No. Your Meta ad data is never sold, shared, or used to train AI models. The only third-party services that process your data are: Anthropic (Claude, for AI analysis — governed by their enterprise terms), Supabase (database hosting), and Vercel (application hosting). All three maintain SOC 2 Type II certification.
We access campaign performance metrics: spend, impressions, clicks, conversions, CPM, CPC, CPA, ROAS, and similar aggregate advertising data. We do not access personal information about the people who see or interact with your ads, your payment methods, or any data from your Facebook/Instagram personal profiles.
SharpMatter itself does not hold a standalone SOC 2 certification. However, our entire infrastructure stack — Vercel (hosting), Supabase (database), and Anthropic (AI) — are all SOC 2 Type II certified. We do not operate any self-hosted servers, so your data is always on certified infrastructure.
We're happy to answer any questions from your security or legal team. We can also provide additional documentation for your internal review process.