Security — StackXray

🔒

Read-only OAuth

Never writes to your Google properties

🔑

AES-256-GCM

OAuth tokens encrypted at rest

💳

PCI Level 1

Payments via Stripe — we never touch card data

🏛️

SOC 2 Infrastructure

Vercel, Supabase & Clerk are SOC 2 Type II certified

StackXray connects to your Google properties using read-only OAuth permissions— the same standard used by Google's own tools. We never write to, modify, or permanently store your clients' raw analytics data. All analysis runs in-memory at audit time and is discarded the moment your report is generated.

This page is intended to answer the questions agencies ask before trusting a tool with client property access. If you have additional questions, reach out at security@stackxray.io.

How your data flows

Every audit follows this path. No data is persisted between steps except the final report PDF.

Your Browser

Initiates OAuth

↓

Google Consent

You approve scopes

↓

Google APIs

Read-only access

↓

Analysis Engine

In-memory only

↓

Report PDF

Encrypted at rest

↓

Your Download

Delivered to you

Your Browser

Initiates OAuth

›

Google Consent

You approve scopes

›

Google APIs

Read-only access

›

Analysis Engine

In-memory only

›

Report PDF

Encrypted at rest

›

Your Download

Delivered to you

In-memory means no persistence. Raw GA4 events, ad campaign data, tag configurations, and feed contents are loaded into memory solely to produce your report. They are never written to disk, never logged, and never stored in our database.

What we access

StackXray requests the minimum OAuth scopes required to audit each platform. You grant access once per client property. You can revoke access at any time from your Google Account security settings.

Platform	OAuth scope	What we read	What we never do
GA4	`analytics.readonly`	Properties, streams, events, conversions, traffic sources	Never writes to GA4. Raw event data is never stored.
GTM	`tagmanager.readonly`	Container config, tags, triggers, variables	Never modifies containers, tags, or triggers.
Google Search Console	`webmasters.readonly`	Site performance, indexing coverage, Core Web Vitals	Never alters indexing settings or submits URLs.
Google Ads	`adwords.readonly`	Campaign structure, conversions, bidding, spend	Never modifies campaigns, bids, or budgets.
PageSpeed Insights	`API key only (no OAuth)`	LCP, INP, CLS, FCP, TTFB per URL	No account access required.
Merchant Center (coming soon)	`—`	Feed health, product status, disapprovals	Not yet available. Scope will be added in a future release.

What we store

We store only what is necessary to operate the service.

We do store:

Your account info — name and email, synced from Clerk authentication
Agency organization details — name, branding settings, contact email
Client names and connected property IDs (not property data)
Audit metadata — client name, platform scores, finding counts, timestamps
Generated report PDFs — encrypted at rest using AES-256, stored in Supabase Storage
Google OAuth refresh tokens — AES-256-GCM encrypted before storage, never logged
Stripe billing data — handled directly by Stripe; we store only subscription status and plan

We do not store:

Raw GA4 events, sessions, or user data
Raw Google Ads campaign data, keywords, or spend details
Raw GTM container configurations or tag code
Raw Search Console query data or URL performance logs
Raw Merchant Center feed contents or product attributes
Any personally identifiable information about your clients' end users

Infrastructure

StackXray is built on established, independently audited infrastructure providers. We do not operate our own data centers.

Hosting — Vercel: SOC 2 Type II certified. All application code runs on Vercel's serverless infrastructure in the US East region.
Database — Supabase: SOC 2 Type II certified. PostgreSQL with row-level security enabled on all tables. Hosted in AWS us-east-1.
Authentication — Clerk: SOC 2 Type II certified. Handles all user sessions, Google OAuth token exchange, and organization management.
AI processing — Anthropic Claude API: Per Anthropic's API Terms of Service, data submitted via the API is not used to train models. Audit findings are transmitted over TLS and are not retained by Anthropic after the API response is returned.
Payments — Stripe: PCI DSS Level 1 certified. StackXray never handles raw card data; all payment processing flows through Stripe directly.
Email — Resend: Report delivery emails are sent via Resend. Email content includes only your generated report, not raw client data.

All data is encrypted in transit using TLS 1.2+. Google OAuth refresh tokens are encrypted at rest using AES-256-GCM with a secret key stored separately from the database. Report PDFs are encrypted at rest in Supabase Storage.

SOC 2 roadmap

StackXray is actively working toward SOC 2 Type II certification. We have adopted the controls and policies required for certification and are currently in the evidence-collection period.

Expected certification completion: Q4 2026. If your organization requires a SOC 2 report before then, contact us to discuss alternatives including a security questionnaire response or a call with our engineering team.

Report a vulnerability

If you believe you have found a security vulnerability in StackXray, please report it responsibly. Do not open a public GitHub issue.

Email: security@stackxray.io

Include a description of the vulnerability, steps to reproduce, and your assessment of impact. We will acknowledge receipt within 48 hours and keep you updated as we investigate. We do not currently operate a formal bug bounty program, but we recognize responsible disclosures publicly with permission.