Security & compliance

Security is built into Maddict at every layer — from how you sign in to how the database answers a query. This page summarises the controls that protect your account and your agency’s data.

  • Invite-only access. You join only via an invitation; public self-service registration is disabled.
  • Strong passwords. A 12-character minimum is enforced, and passwords are never stored in plain text.
  • Time-limited links. Invitation and recovery links expire, and re-issuing one refreshes the window.
  • Self-service recovery that doesn’t reveal whether an email has an account.
  • Membership-authoritative access — every request is checked against your active agency membership.
  • Role-based permissions — your role governs what you can do, enforced server-side.
  • Tenant isolation via row-level security — the database confines every read and write to your own tenant. See Tenant data isolation.
  • Entitlement gating — markets, segments, features, and quotas are checked on the server, so out-of-plan actions are refused, not just hidden.
  • HTTP security headers — including a content security policy, clickjacking protection (frame denial), MIME-sniffing protection, a referrer policy, a permissions policy, and HSTS.
  • Secured data proxy — the external audience data source is reached only through Maddict’s authenticated, tenant-aware proxy.
  • Immutable audit trail — significant actions are recorded in an append-only audit log that can’t be edited or deleted.
  • The audit log provides an immutable who-did-what-and-when record of administrative actions.
  • Individual accounts (rather than shared logins) keep actions attributable — see the guidance in Team management.

Security is shared. You can help by:

  • Using a strong, unique password and a password manager.
  • Signing out on shared devices.
  • Removing teammates promptly when they leave (admins).
  • Handling exported data responsibly and on a need-to-know basis.
  • Reporting anything suspicious to your agency admin or support.

If you believe you’ve found a vulnerability or a security problem, please contact security@maddict.com (or support) with the details. Please don’t share the issue publicly until it’s been addressed.