TLS in transit, AES-256 at rest, mandatory 2FA, least-privilege access, quarterly access reviews, 72-hour breach notification, accounts owned by clients (not us), no certifications we don't actually hold.
Our approach
Highstone Media manages paid-media accounts for clients spending tens of millions of dollars per year. That data — ad accounts, customer email lists for custom audiences, billing records, weekly performance reports — is sensitive, and the platforms we work with are high-value targets for credential theft. We treat security as an operational discipline, not a marketing badge.
This page describes the controls we actually run. We have not certified to SOC 2, ISO 27001, or any third-party security standard, and we do not display a logo for any certification we have not earned. If you require a certified vendor, we are happy to refer you.
Data handling
In transit. All Site traffic uses TLS 1.2 or higher; HTTP requests are redirected to HTTPS at the edge. Email between Highstone and clients uses STARTTLS opportunistic encryption and DMARC alignment on highstonemedia.com.
At rest. Client systems we use (Google Workspace, Attio, Stripe, Vercel, Cloudflare R2) encrypt customer data at rest using AES-256 or stronger. Files stored locally on team devices are on encrypted volumes (FileVault / BitLocker).
Customer-list handling. When a client provides a customer list for a custom audience, we hash it client-side before upload where the platform supports it (Meta CAPI, Google Customer Match, TikTok), retain the raw file only for the time needed to upload, and delete it from our systems within 30 days.
Backups. Critical configuration (dashboards, ad-account structure snapshots, GTM containers) is exported on a rolling weekly schedule and retained encrypted for 90 days.
Access control
Authentication. Two-factor authentication is required on every Highstone account that holds client data — Google Workspace, password manager, ad-platform business managers, CRM, billing, hosting. We use hardware keys (FIDO2/WebAuthn) where supported. Shared passwords are stored in 1Password Business with item-level access logging.
Least privilege. Access to each client's ad accounts is granted only to the team members directly working on that account. We do not maintain a default-allow group.
Joiner / mover / leaver. Access is granted on engagement kickoff and revoked within 24 hours of role change or departure. We run a quarterly access review across every client account and internal tool.
Your accounts are yours. All client ad accounts live in your own Business Manager / MCC / Ads Manager — never ours. On engagement end you keep account history, creative, and audiences. We remove our admin access on your confirmation.
Operational security
Devices. Team devices use full-disk encryption, automatic OS patching, and managed endpoint protection. Devices that go missing are remote-wiped on report.
Vulnerability management. Dependency updates on highstonemedia.com are tracked through Dependabot. Critical patches are reviewed and merged within 7 days of disclosure. We do not run unmaintained client software at project-end without an explicit handover plan.
Logging and monitoring. Sign-in logs from Google Workspace, ad-platform admin actions, and Vercel deploys are reviewed weekly. Anomalies trigger an incident-response check.
Sub-processors and vendor review
Each new sub-processor we onboard goes through a brief vendor review: published security documentation, GDPR/CCPA stance, DPA availability, breach history, and headquarters location. We maintain the current sub-processor list at /sub-processors and update it with at least 30 days' notice before changes to active clients.
We do not engage a sub-processor that cannot or will not execute a written Data Processing Agreement (DPA) that pushes our obligations under our DPA downstream.
Incident response and breach notification
We maintain an internal incident-response plan covering identification, containment, eradication, recovery, and post-mortem. The plan names roles, communication channels, and decision-making authority and is reviewed at least annually.
Breach notification. If we become aware of a personal-data breach that is likely to result in a risk to the rights and freedoms of natural persons, we will notify affected controllers (you, if you are the controller) without undue delay and within 72 hours of becoming aware, in line with GDPR Art. 33. We will notify affected data subjects directly where required by law or where the breach is likely to result in a high risk to them.
We apply this 72-hour standard worldwide regardless of where you reside.
Responsible disclosure. If you believe you have found a security vulnerability on the Site or in our processes, please email legal@highstonemedia.com with details. We commit to acknowledging within 2 business days, and we will not take legal action against good-faith researchers who comply with our policy (no destructive testing, no public disclosure before remediation, no access to data beyond what is needed to demonstrate the issue).
Ad-platform-specific safeguards
Meta Business Manager. We require client ownership of the Business Manager, page, ad account, and Conversions API integration. We accept admin assignment only via Business Manager invitation — never via shared login.
Google Ads. Linked via your MCC or as a manager account on your top-level Google Ads account. We do not store Google API credentials outside Google's OAuth flow.
TikTok Ads Manager. Admin via TikTok Business Center; Spark Ads connections held by the creator and disconnected at handover.
Server-side tagging. Container instances run in your own cloud account (Google Cloud / Vercel) on your domain — not ours — so the data path stays inside your perimeter.
Physical security
We do not maintain a customer-data-bearing office or on-prem infrastructure. The Wyoming registered office holds business mail only. All client data lives in the cloud services listed above. Team members work from home offices with reasonable physical security (locked devices, no client data on paper).
Audit and assurance
We do not currently hold a SOC 2 Type II, ISO 27001, or similar third-party certification. We are happy to complete a vendor-security questionnaire and to share our internal Trust & Security documentation under NDA on request. If a client requires us to obtain a specific certification as a condition of engagement, we will price and timeline that separately or refer you to a certified peer.
Contact security
- Security and incident reports
- legal@highstonemedia.com
- Phone
- +1 (360) 994-1062
- Highstone Media, LLC · Attn: Security
317 W Whitney St
Sheridan, WY 82801, USA