Security

NarratorHQ handles sensitive data — OAuth tokens, ad account access, and client performance metrics. Here is exactly how we protect it.

Encrypted token storage

All OAuth tokens and API access tokens are encrypted at rest using AES-256-GCM with unique initialisation vectors per token. Plain-text credentials are never written to disk or logged.

HTTPS everywhere

All traffic between your browser, our servers, and third-party APIs is encrypted in transit using TLS 1.2 or higher. We enforce HTTPS with HSTS headers.

Read-only API access

NarratorHQ requests only the minimum OAuth scopes required — analytics.readonly for GA4 and the Google Ads API reporting scope. We cannot write to or modify your ad accounts or analytics properties.

Row-level access control

Every database query is scoped to the authenticated user's agency. It is not possible to read or modify another agency's clients, reports, or connections — this is enforced at the database level, not just in application code.

Isolated data storage

Your data is stored in a dedicated Supabase (PostgreSQL) instance hosted on AWS. Each agency's data is logically isolated with row-level security policies enforced by the database engine.

No data sold or shared

We do not sell your data or your clients' data to any third party. Data accessed from Google, Meta, or other platforms is used solely to generate reports on your behalf and for no other purpose.

Token rotation

When Google issues a refreshed access token, we automatically store the updated token and discard the old one. Refresh tokens are re-encrypted on update.
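An added example, not NarratorHQ's own code: a sketch of per-token AES-256-GCM storage as described under "Encrypted token storage" and "Token rotation", using Node's built-in crypto module. The function names, the record shape and the use of an agency/provider string as additional authenticated data (AAD) are assumptions made for illustration; the page does not state them.

```javascript
// Illustrative only: encryptToken, decryptToken and the record layout are hypothetical names.
const crypto = require('node:crypto');

const ALG = 'aes-256-gcm';
const IV_BYTES = 12; // 96-bit IV, the size GCM is designed around

// Encrypt one token under a fresh random IV. `context` (for example
// "agency:1|google") is bound as AAD, so a ciphertext copied onto a
// different agency's row fails authentication when decrypted.
function encryptToken(key, plaintext, context) {
  const iv = crypto.randomBytes(IV_BYTES); // never reused for the same key
  const cipher = crypto.createCipheriv(ALG, key, iv);
  cipher.setAAD(Buffer.from(context, 'utf8'));
  const ct = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return {
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Decrypt a stored record. final() throws if the ciphertext, IV, tag or
// context was altered, so a modified row is rejected rather than returned.
function decryptToken(key, record, context) {
  const decipher = crypto.createDecipheriv(ALG, key, Buffer.from(record.iv, 'base64'));
  decipher.setAAD(Buffer.from(context, 'utf8'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(record.ct, 'base64')), decipher.final()]);
  return pt.toString('utf8');
}

// Constructed sample run. The key is random here; a real deployment would
// load a 32-byte key from a secret manager rather than generate it per run.
const demoKey = crypto.randomBytes(32);
const stored = encryptToken(demoKey, 'constructed-access-token-v1', 'agency:1|google');
// Rotation: the refreshed token is encrypted again, which yields a new IV,
// and the returned record replaces the old one.
const rotated = encryptToken(demoKey, 'constructed-access-token-v2', 'agency:1|google');
console.log(stored.iv !== rotated.iv, decryptToken(demoKey, rotated, 'agency:1|google'));
```

Only the `iv`, `ct` and `tag` fields are persisted; the plain-text token exists only in memory for the duration of an API call.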

Data deletion on request

You can disconnect any platform integration at any time — this permanently deletes the stored token. Deleting your account deletes all agency data, client data, reports, and stored tokens within 24 hours.

Google API Services — Limited Use

NarratorHQ's use and transfer to any other app of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

  • Google data is accessed with read-only scopes only
  • Google data is used exclusively to generate client reports — no other purpose
  • Google data is never sold, used for advertising, or shared with third parties
  • Google data is never used to train machine learning models
  • Access can be revoked at any time from within the app or from myaccount.google.com/permissions

Infrastructure

  • Database: Supabase (PostgreSQL) on AWS
  • Hosting: Vercel (edge network)
  • Authentication: Supabase Auth (JWT, secure cookies)
  • Payments: Stripe (PCI-DSS compliant)
  • Email delivery: Resend
  • Token encryption: AES-256-GCM
  • Transport security: TLS 1.2+, HSTS enforced
  • Access control: Row-level security (Postgres RLS)

Responsible disclosure

If you discover a security vulnerability in NarratorHQ, please report it responsibly by emailing cameron@narratorhq.com. We will acknowledge your report within 48 hours and work to resolve confirmed issues promptly. We do not currently operate a bug bounty programme but we are grateful for responsible disclosure.