Last updated · 21 June 2026
Security
CampaignPacks asks you to trust it with sensitive things, above all your AI provider keys. Here is plainly how we protect them. We describe what we actually do, and we do not claim certifications we do not hold.
Your provider keys never touch the browser
AI provider keys and integration tokens are encrypted at rest using AES-256-GCM before they are stored. They are decrypted only on our server, and only at the moment we make the AI or integration call you asked for. They are never sent to your browser and never shown back to you in full; the interface only ever displays a masked hint of a saved key. The encryption key that protects them is held as a server-side secret, separate from the stored data.
Authentication and sessions
Sign-in is handled by Firebase Authentication (email and password, or Google). Your session is held in a single first-party cookie that is:
- Encrypted and HTTP-only, so it cannot be read by JavaScript in the browser
- Sent only over HTTPS in production
- Scoped with SameSite protection to reduce cross-site request risk
- Time-limited, expiring after five days, with revocation checked server-side
Access control and data isolation
Every request for your data is checked against your authenticated identity on the server, so projects, packs, and assets are scoped to their owner. During private beta, sign-in is further limited to an allowlist of invited email addresses. Public share links, when you create them, use long unguessable tokens and are read-only.
Infrastructure
CampaignPacks runs on Google Firebase (authentication, database, file storage, and hosting), which provides encryption in transit and at rest and operates hardened, audited data centres. Traffic to the application is served over HTTPS. You can see the full list of providers in our Privacy Policy.
Data minimisation
We collect as little as we can to run the product. There is no third-party analytics, advertising, or tracking. When you delete your account, we remove your profile, projects, packs, brand assets, stored keys, and integration tokens, and delete your authentication record.
Reporting a vulnerability
If you believe you have found a security issue, we want to hear from you. Please email support@baseframelabs.com with details and steps to reproduce, and give us a reasonable chance to investigate and fix it before disclosing it publicly. We appreciate good-faith research and will not pursue researchers who act responsibly and avoid privacy violations or service disruption.