Acera Labs

Security and data handling

Data residency, encryption, audit logs, SSO, SOC 2 status, and your rights to access, delete, and export your data.

Data residency

All customer data is stored in Australia (AWS ap-southeast-2, Sydney region). Workspaces cannot be moved to another region after creation. If you need data stored in a different region, contact us before signing up.

Encryption

  • At rest: AES-256-GCM. All data, including connector tokens and model outputs, is encrypted at rest.
  • In transit: TLS 1.3 for all API and browser traffic.
  • OAuth tokens: connector OAuth tokens and BYOMM API keys are encrypted with per-tenant keys. A compromised token from one workspace cannot be used to decrypt another.

What Acera Labs reads from your ad platforms

When you connect an ad platform, Acera Labs requests read access to campaign performance data (spend, impressions, clicks, conversions) and write access to budget and bid settings. We request only the minimum scopes needed.

We do not read your billing or payment information from ad platforms. We do not access your creative assets unless you connect a creative tool (Canva, Adobe CC, Figma) and explicitly use that feature.

Write-back scope

When you approve a recommendation, Acera Labs sends a targeted API call to the relevant ad platform to implement the specific change. It does not have standing write access to everything in your account. Each write is logged with the approving user, timestamp, and the exact API call made.

Bring your own AI

Customers on the Enterprise plan can supply their own LLM API credentials (Anthropic, OpenAI, AWS Bedrock, or Google Vertex). When configured, Acera Labs routes all agent prompts through your account. Your prompts and outputs do not pass through Acera Labs infrastructure and are not used for any purpose by Acera Labs.

Opt-in privacy

Privacy-affecting features are opt-in by default. Acera Labs does not enable analytics, third-party sharing, or any training-data contribution without explicit consent. The default stance is that your data is yours and stays yours.

You can review and change your privacy settings at any time in Settings then Privacy.

Audit logs

Every significant action in the platform is written to an append-only audit log:

  • Connector authorisations and disconnections
  • Recommendation approvals and reversals
  • Threshold changes
  • User role changes and team membership changes
  • SSO configuration changes
  • Data export and deletion requests

The audit log is visible in Settings then Audit Log. It is exportable as JSON at any time.

SSO

SAML 2.0 and OIDC are available on the Enterprise plan. Tested providers include:

  • Okta
  • Azure AD (Microsoft Entra ID)
  • Google Workspace
  • OneLogin

SSO is configured in Settings then SSO. Once SSO is enforced, password-based login is disabled for all users in the workspace.

Team permissions

Three roles control what users can do:

Role      | Can approve recommendations | Can change connectors | Can change thresholds | Can manage team
Owner     | Yes                         | Yes                   | Yes                   | Yes
Approver  | Yes                         | No                    | No                    | No
Viewer    | No                          | No                    | No                    | No

Owners can promote or demote users at any time from Settings then Team.

SOC 2

Type 1 was completed in March 2026. Type 2 observation is running through 31 December 2026. The Type 2 report will be available to Enterprise customers on request once the observation period closes.

Your data rights

You may exercise the following rights at any time by emailing security@aceralabs.com.au:

  • Access: receive a full export of all data Acera Labs holds about your workspace
  • Deletion: request permanent deletion of your workspace and all associated data. Deletion is irreversible and completes within 30 days.
  • Export: download your data in JSON format at any time from Settings then Audit Log

We respond to all data rights requests within five business days.

Reporting a vulnerability

If you discover a security vulnerability, please email security@aceralabs.com.au. We ask for responsible disclosure and commit to acknowledging receipt within 24 hours.