IT & Data Security, Privacy & Compliance

Last Updated: November 2025

Executive Summary

At Adnami, trust is the currency of our business. We process high-impact advertising data for leading global brands, and we understand that the security, integrity, and availability of our platform are paramount.

This document outlines the technical and organizational measures (TOMs) Adnami implements to protect client data. Our security architecture is built on a "Cloud Native" and "Zero Trust" philosophy, leveraging the world-class capabilities of Microsoft Azure combined with strict internal governance aligned with ISO 27001 standards.

1. Security Governance & Compliance

1.1 Framework Alignment

Adnami’s Information Security Management System (ISMS) is designed to align with ISO/IEC 27001 standards. Our security policies are reviewed annually by executive management, with our Chief Technology Officer (CTO) holding ultimate accountability for information security.

1.2 GDPR & Privacy

Adnami operates strictly under the General Data Protection Regulation (GDPR). Our specific role and responsibilities depend on the context of the data processing:

  • Data Processor (Ad Delivery): We act as a Data Processor when delivering ads on publisher pages. In this capacity, we process data on behalf of our clients (advertisers and agencies) strictly to deliver and measure advertising campaigns. For details, please refer to our Services Privacy Policy.
  • Data Controller (Client Services): We act as a Data Controller for data related to our direct clients (e.g., user logins, campaign setup configurations, billing details) and visitors to our corporate website. For details on how we handle this information, please refer to our General Privacy Policy.
  • Privacy by Design: All new product features undergo a privacy review to ensure data minimization principles are met.
  • IAB TCF: As a transparent vendor in the AdTech ecosystem, Adnami is a registered member of the IAB Transparency and Consent Framework. We respect consent strings and ensuring valid legal basis before processing data.

1.3 Personnel Security

  • Screening: Adnami conducts thorough background verifications on all employees prior to hiring, including checks of professional history and references, to ensure high standards of integrity.
  • Training: All employees undergo mandatory security awareness training upon hire and annually thereafter. This training covers phishing, password hygiene, and data handling procedures.
  • Confidentiality: Confidentiality is a mandatory contractual obligation for all employees. Our standard employment agreement includes strict clauses requiring full confidentiality regarding company operations, client data, and trade secrets, effective both during and after employment. Additionally, all intellectual property rights developed during employment are contractually assigned to Adnami.

2. Infrastructure & Network Security

2.1 Cloud-Native Architecture

Adnami utilizes Microsoft Azure (Europe Regions) as our primary cloud provider. We do not manage physical servers; instead, we utilize Platform-as-a-Service (PaaS) and Serverless architectures. This reduces our attack surface by offloading physical and OS-level security to Microsoft, a Tier-1 provider with ISO 27001, SOC 2 Type II, and FedRAMP certifications.

2.2 Network Defense

  • Perimeter Protection: Our infrastructure is protected by Azure-native firewalls and Akamai services, providing DDoS protection and traffic filtering.
  • Segmentation: Production, Staging, and Development environments are strictly logically isolated. Customer data never resides in non-production environments.
  • Vulnerability Management: We utilize automated cloud infrastructure scanning within the Azure ecosystem to detect misconfigurations.

2.3 Encryption

We enforce encryption throughout the data lifecycle:

  • Data in Transit: All public web traffic and internal service communication is encrypted via TLS 1.2+ (HTTPS).
  • Data at Rest: All databases (Azure SQL) and storage containers are encrypted using AES-256 standards.
  • Key Management: Cryptographic keys and secrets are managed via Azure Key Vault. Sensitive fields (such as names, emails, or passwords) utilize Column-Level Encryption, ensuring that data remains unreadable even to database administrators without specific decryption privileges.

3. Access Control & Identity Management

3.1 Identity Provider (IdP)

We utilize Microsoft Entra ID (formerly Azure AD) as our centralized identity provider.

  • Single Sign-On (SSO): Access to all corporate tools and production environments is federated through Entra ID.
  • Productivity Suite: Employee email, file storage, and collaboration tools are hosted on Microsoft 365, secured directly by Entra ID.
  • Third-Party Integration: We maintain a managed Google Workspace integration, federated with Entra ID, strictly to facilitate secure Single Sign-On (SSO) for third-party SaaS applications that rely on Google OAuth authentication.

3.2 Least Privilege & Zero Trust

Adnami adheres to the Principle of Least Privilege. Default employee access is restricted to non-production systems.

  • Privileged Identity Management (PIM): Access to production databases and critical infrastructure is Just-In-Time (JIT). Engineers must request elevated access via Entra ID PIM.
    • Approval Workflow: Requests must be approved by a designated lead.
    • Time-Bound: Access is automatically revoked after a maximum of 8 hours.
    • Audit Trail: Every elevation request and approval is logged and auditable.

3.3 Offboarding

We maintain a strict offboarding process. Upon termination of employment, the user’s Entra ID account is disabled, immediately revoking access to all Adnami systems, code repositories, and data.

3.4 Endpoint Security

While Adnami promotes a flexible work environment, we enforce strict endpoint policies:

  • Encryption: All workstations (Windows/Mac) must have full-disk encryption enabled (BitLocker/FileVault).
  • Protection: Workstations leverage built-in enterprise-grade defense mechanisms (Microsoft Defender / XProtect).
  • Policy: Employees are contractually bound to adhere to strict password policies and device physical security protocols.

4. Application Security & Development

4.1 Secure Development Lifecycle (SDLC)

  • Code Review: All code changes require peer review and approval via Pull Requests before merging.
  • Separation of Duties: Developers cannot push code directly to production; deployments are automated via CI/CD pipelines to ensure consistency and testing.

4.2 Penetration Testing

Adnami engages an independent, third-party security firm to conduct a Penetration Test of our platform and infrastructure annually. Findings are triaged based on severity and remediated according to our internal SLAs.

5. Business Continuity & Disaster Recovery (BCDR)

5.1 Resilience Architecture

  • Infrastructure as Code (IaC): All Adnami systems, including our Ad Delivery engine and Management Platform, are fully defined as code. This ensures consistency and allows for the rapid redeployment of our entire infrastructure to a new Azure region in 30–60 minutes in the event of a catastrophic failure.
  • High Availability: The Ad Delivery engine is further architected for High Availability with active global geo-redundancy, designed to withstand regional outages with zero downtime.

5.2 Backups

  • Databases: We utilize Azure SQL automated backups with Point-in-Time Restore capabilities (14-day retention with minute-level granularity) and long-term monthly retention.
  • Storage: Critical file assets are stored in Geo-Redundant Storage (GRS), replicating data to a secondary region automatically.

5.3 Disaster Recovery Drills

We do not just plan for failure; we practice for it.

  • DR Committee: Our internal Disaster Recovery team meets quarterly to review risks and update plans.
  • Active Drills: We conduct Disaster Recovery Drills twice per year. These simulations test specific failure scenarios (e.g., database corruption, region failure) to ensure our team is ready to execute the recovery plan efficiently.

6. Vulnerability Disclosure

If you believe you have found a security vulnerability in an Adnami product, please contact us immediately at support@adnami.io. We practice responsible disclosure and ask that you provide us with a reasonable timeframe to remediate the issue before making it public.