AdvisorPPC

Security & Safety

Nothing touches your ad account without your yes.

Your AI managers, powered by Claude, read and analyze your accounts freely. But every change, every ad, every budget, every word that goes out, waits for your approval first. That rule is built into how they work, not written in a policy.

  • Your approval on every action
  • Spending caps that fail closed
  • Credentials encrypted at rest

How a change ships

Your managers prepare.
You decide.

  1. Read

    Your manager studies your account, your spend, and your results. Reading is always safe. It changes nothing.

  2. Stage

    When it finds an improvement, it prepares the exact change as a draft, a dry-run you can inspect line by line.

  3. Your yes

    Approve

    You see what will change, what it costs, and why. Nothing moves until you approve it.

  4. Apply

    Only after your approval does the change go live, and it still passes the spending guardrails on the way out.

What is running today

Five safeguards, built in,
not bolted on.

Everything on this page is shipped and running now. Plain descriptions, no fine print.

Your approval, every time

Nothing is published, sent, or changed on an ad account until you explicitly approve it. Drafts and dry-runs are as far as a manager can go on its own. The final yes is always a human one, and it is always yours.

Applies to every outward action: ads, budgets, emails, posts, and account settings.

Spending guardrails that fail closed

Every write to an ad account passes a spend-cap check and a deny-by-default list before it runs. If a check cannot run, for any reason, the action is denied. When in doubt, the answer is no.

A broken safeguard stops the action. It never skips the check.

Your credentials, encrypted

The keys that connect your ad accounts are encrypted before they are stored, a separately sealed secret for each customer. They are never saved in plain text.

Fernet symmetric encryption, applied before anything reaches the database.

Refuses to start unsafe

If the service finds itself in an unsafe configuration, it refuses to boot rather than run with weak settings. Its database role also runs without superuser bypass, so even our own code has no shortcut around its limits.

Startup checks run before a single request is served.

Read-first managers

Every account manager reads and analyzes freely, but stages any change as a reviewable dry-run. Analysis is unlimited. Action always waits for you.

The same rule for every manager, on every connected account.

The principle underneath

When a check cannot run,
the answer is no.

Many services fail open: if a safeguard breaks, actions slip through. AdvisorPPC fails closed. If the spend-cap check cannot run, the write is denied. If the configuration looks unsafe, the service will not start. A broken safeguard stops work. It never skips the check.

Straight answers

The questions owners ask us.

Can a manager spend my money on its own?
No. Spending changes are staged as drafts, checked against your caps, and wait for your approval. If the cap check cannot run, the change is denied.
Can it publish or send something without me?
No. Publishing, sending, and account changes all require your explicit approval. On their own, managers read, analyze, and draft.
How are my account credentials stored?
Encrypted, per customer, before they reach the database. Never in plain text.
Do you promise zero risk?
No, nobody honestly can. What we build instead is a set of safeguards that fail closed: when something is uncertain, work stops and waits for you.

See your managers work,
read-only first.

Connect an account and watch them analyze it. Nothing changes until you approve it.

Questions about security? Write to hello@advisorppc.com.