Security & Trust
Last updated: 11 Aug 2025
RAPTOR Commerce is built with a privacy-first, least-privilege philosophy. We only fetch the Google Ads and Merchant Center data needed to provide reporting and optimisation insights, and we protect that data with layered technical and organisational controls.
Overview
- Internal-use application: The dashboard is used by RAPTOR Commerce staff to manage client campaigns.
- Data minimisation: We store metrics and product metadata only—no ad text, no user identifiers, no search queries.
- Purpose-limited: Data is used solely for analysis, reporting, and campaign operations for the relevant client.
Architecture (high level)
- Scheduled jobs call Google Ads and Merchant Center APIs and write results to a private database.
- The internal dashboard reads from that database to render charts and reports for our team.
- No inbound public access to the data plane; outbound requests only to Google APIs.
Access & Authentication
- Least privilege: Access is limited to authorised RAPTOR Commerce staff.
- MFA required: Admin consoles and developer tooling are protected with multi-factor authentication.
- Secrets management: API keys and tokens are stored in a secure secrets store; access is logged and restricted.
Encryption
- In transit: All communications with Google APIs and admin consoles use modern TLS (1.2+).
- At rest: Databases, backups, and stored credentials are encrypted using industry-standard encryption (e.g., AES-256).
- Token storage: OAuth refresh tokens (if used) are encrypted before storage.
Backups & Retention
- Backups are encrypted and retained for a limited period for disaster recovery.
- Operational data is retained only as long as needed to provide the service and to meet legal or contractual obligations.
- We honour removal requests and plan-based look-back limits defined in our service configuration.
Monitoring & Logging
- Job runs, API errors, and security-relevant events are logged for audit and troubleshooting.
- Access to logs is restricted and monitored.
Vulnerability Disclosure
If you believe you’ve found a security issue, please email security@raptor.uk.
Please include steps to reproduce and your contact details. We’ll acknowledge receipt and keep you updated on remediation.
Incident Response
- We maintain an incident response procedure covering triage, containment, remediation, and post-incident review.
- Where required, we notify affected customers and applicable authorities within statutory timeframes.
Privacy & Compliance
- We follow UK GDPR principles (lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, and confidentiality).
- We do not sell or share Google Ads or Merchant Center data with third parties.
- See our Privacy Policy and Terms of Service for details.
Disconnection & Data Deletion
- On request, we revoke API access and disable scheduled jobs for a given account.
- We delete associated identifiers and encrypted tokens, and we can purge historical metrics on request (subject to legal obligations).
Contact
Questions about security? Email security@raptor.uk or contact us. We’re happy to provide additional detail under NDA where appropriate.