Technology and Security Overview

To earn and maintain the trust and confidence of the world’s largest and most advanced advertisers, Smartly takes all reasonable precautions to safeguard our systems and the data entrusted to us by our customers against breaches of confidentiality, integrity and availability. This overview provides insight to the practices followed by Smartly with regard to information security and technology management.

Not Just Empty Words

We are also certified and always follow the globally recognized best practices for information security management.


Smartly is certified under the ISO 27001 standard. The globally recognized standard specifies the best practices for information security management.


Our services are compliant with GDPR and CCPA requirements – we are committed to provide services that help our customers to comply with the GDPR and CCPA.


Smartly services can be, and usually are, used without Smartly acting as a personal data processor on your behalf – you retain control over your data.

Get to Know Our Practices

Learn more about our security practices below.

Technology Overview

  • Smartly is a web based service for automating and optimizing marketing campaigns on different social media platforms, such as Facebook, Instagram, Pinterest, and Snapchat.
  • The service is built using modern programming languages, frameworks and orchestration platforms.
  • The service is operating on modern Linux-based dedicated servers hosted in high security data centers operated by Hetzner Online GmbH in Germany, Europe.
  • Additionally Amazon Web Services (European regions) and CloudFlare are used for some functionality (e.g. CloudFront, S3, network optimization, DDoS protection).
  • Hetzner, Amazon Web Services and CloudFlare are all ISO27001 certified.
  • The processing of personal data is minimized in our systems and we have GDPR compliant Data Processing Agreements and Privacy Policies in place.

Security Audits

  • Smartly undergoes annual external penetration testing and code reviews by professional security consultants for our production environments.
  • Internal penetration testing and code reviews are performed at least annually and after major changes.
  • Network scanning of all internet-facing systems is performed quarterly.

Application Security

  • Smartly web service is accessed by user-specified passwords and optional two-factor authentication (TOTP)
  • The minimum required password length is 12 characters.
  • All passwords are hashed using the bcrypt password hashing algorithm with cost factor 13. In addition to the built-in salts of bcrypt, additional “application salt” is used.
  • All customer data is encrypted both in transit (TLS 1.2+) and at rest (disk encryption, aes-xts-plain64:sha512 with 512-bit keys).

Development Practices

  • Smartly uses agile methodologies as well as continuous integration (CI) and continuous deployment (CD) in its development.
  • OWASP Top 10 awareness is an integral part of our software development culture.
  • All code and configurations are maintained in a version control system and all changes require peer review and approval as well as passing the CI pipeline before they can be deployed.
  • Automated code security analysis tools are used as part of the CI.

Logging and Monitoring

  • All access and activity is logged to a centralized system.
  • The environment and each service within are continuously monitored and alerts are triggered when anomalies are detected.

Network Security

  • The production environment is fully separated from development and testing environments and corporate networks.
  • Multiple layers of firewalls are deployed both in front of and within the environments.
  • Cloudflare is used in front of the service to provide additional WAF and DDoS protections as well as network optimization.
  • TLS 1.2 and 1.3 are supported with the strongest cipher suites.

Vulnerability & Incident Management

  • Smartly performs continuous assessment of vulnerabilities both in OS packages as well as in software libraries used in the applications.
  • Automated patching is performed on a daily basis where feasible.
  • Intrusion detection system is in place to detect and alert about any abnormal activity
  • Incident response team and documented incident handling processes are in place

Vendor Management

  • Vendor risk assessment is performed for new vendors to ensure consistency with our security and privacy policies and commercial agreements
  • Data Processing Agreements are in place with all vendors that process Personal Data on Smartly’s behalf as a processor

Organizational Security

  • Smartly’s security team is responsible for risk management and information security
  • Security policies and supporting processes are in place and communicated to all employees
  • Confidentiality and non-disclosure clauses are part of our employment agreements
  • Access to Smartly premises is controlled with electronic locks
  • Smartly implements best practice security controls for all employee laptops, including full disk encryption, firewalls, malware protection and regular updates.
  • On employee termination, all access to systems are revoked and devices returned and securely wiped

Data Protection

  • All access and activity to customer data is logged and auditable
  • All customer data is encrypted at rest and stored in Europe
  • All backups are encrypted
  • Customer data will be removed upon contract termination or when the data is no longer needed to provide the service.

Business Continuity and Disaster Recovery

  • Business Continuity and Disaster Recovery plans are documented and we have commited to Recovery Time Objective (RTO) of 24 hours and Recovery Point Objective (RPO) of 24 hours
  • Smartly utilizes a configuration management system for provisioning new servers and services enabling rapid scalability and recovery from disasters
  • Production systems are distributed to multiple independent data centers and the load is evenly balanced
  • Zero-downtime release process is used to deploy new software versions without interruptions
  • Backups are taken at least on a daily basis, monitored and regularly tested


If there are any questions or you found a security threat, do not hesitate to contact

Learn More About Our Platform and Service

Get in touch to see how we can help you grow your business online.

Get a platform demo