Secure by design.
Your data. Your control.
Authentication
OAuth 2.0 for all connections. We never see or store your passwords. Tokens are scoped to minimum permissions.
- OAuth 2.0 for Google Ads and Meta Ads (formerly Facebook Ads)
- Shopify private app tokens with minimal scopes
- Session tokens expire and rotate automatically
Encryption
AES-256-GCM encryption at rest with per-tenant keys. TLS 1.3 for all data in transit.
- AES-256-GCM encryption for stored credentials
- Per-tenant encryption keys
- TLS 1.3 for all network communication
Controlled Execution
Every write action requires your explicit approval. You always see proposed changes before they execute.
- All write operations require user confirmation
- Proposed actions shown with full details
- Complete audit log of every action
Data Processing
All data processed in EU (Frankfurt). GDPR-compliant. Your data is never sold or shared.
- Hosted on Fly.io Frankfurt (eu-central)
- Supabase in EU region
- GDPR-compliant processing
- Zero third-party data sharing
Access Rights Overview
We use the least-privilege principle. Here is exactly what Carli can access:
| Platform | Read Access | Write Access | Approval Required |
|---|---|---|---|
| Shopify | Orders, products, inventory | None | Read-only |
| Google Ads | Campaigns, ad groups, keywords, metrics | Budget, bids, status, ad copy | Yes — always |
| Meta Ads | Campaigns, ad sets, ads, metrics | Budget, status, ad creative | Yes — always |
Report a Security Issue
Found a vulnerability? Have questions about security? Contact us directly.
security@getcarli.ioSecurity — FAQ
Where is Carli data hosted?
All Carli data is hosted in Frankfurt, Germany (EU) on Fly.io infrastructure with Supabase in the EU region. This ensures full GDPR compliance and data sovereignty. No data leaves the European Union. All network communication is encrypted with TLS 1.3, and stored credentials use AES-256-GCM encryption with per-tenant keys.
Does Carli access personal customer data?
No, Carli does not access or store personal customer data from Shopify. Carli only reads aggregated order data (revenue, product performance, order counts) and ad platform metrics (spend, ROAS, CTR). No names, email addresses, or payment information from your customers is ever processed by the Model Context Protocol (MCP) server.
How are ad account credentials protected?
Ad account credentials are protected with AES-256-GCM encryption using per-tenant encryption keys stored in Supabase with Row Level Security (RLS). Google Ads and Meta Ads connections use OAuth 2.0 tokens with minimum-permission scopes. Tokens rotate automatically, and Claude never sees or stores raw credentials — all access is mediated through Carli's secure MCP server.
Is AI ad management GDPR compliant?
GDPR compliance for AI ad tools requires: EU data hosting, encrypted credential storage, clear data processing agreements, and user control over data deletion. Carli meets all requirements: EU hosting in Frankfurt (Fly.io + Supabase), AES-256-GCM encryption for all OAuth tokens, Row Level Security in the database, and complete data deletion within 30 days of account closure. Carli never stores end-customer PII from Shopify.
Is AI ad management GDPR compliant
Carli is fully GDPR compliant. All data is hosted in Frankfurt, Germany (EU) on encrypted infrastructure. Ad account credentials are protected with AES-256-GCM encryption. Carli processes no personal customer data — only aggregated campaign metrics. The MCP protocol ensures all AI interactions are auditable, and the approval-based execution model means no automated decisions affect your ad spend without human consent.