VelisAds Network

Security Policy

Effective date: February 17, 2026 | Version: 2026.02-global

This Security Policy defines baseline controls for identity management, secure development, infrastructure hardening, monitoring, incident response, and resilience operations.

Security controls are risk-based and must be continuously improved as threats evolve.

Scope and Applicability

  1. Applies to applications, APIs, databases, storage, and production infrastructure.
  2. Applies to employees, contractors, and partners with system or data access.
  3. Applies to code delivery pipelines, release workflows, and dependency management.
  4. Applies to detection, logging, alerting, and incident response processes.
  5. Applies to third-party services that process platform data.
  6. Applies to business continuity and disaster recovery controls.

Mandatory Requirements

Identity and Access Control

  • Access must follow least privilege with role-based authorization controls.
  • Privileged operations require strong authentication and user-level attribution.
  • Inactive or orphaned accounts must be disabled on a defined schedule.
  • Credentials and secrets must be rotated and never hardcoded in repositories.

Secure Engineering and Deployment

  • Code changes must pass security checks aligned to system risk.
  • Dependencies require vulnerability scanning and timely patching.
  • Production release flows must include approval gates and rollback plans.
  • Security-critical changes require peer review and traceable documentation.

Monitoring and Incident Response

  • Security telemetry must cover access abuse, anomaly detection, and policy bypass attempts.
  • Incident severities and escalation responsibilities must be defined.
  • Forensic artifacts should be preserved for root-cause and legal review.
  • Post-incident actions must produce measurable control improvements.

Prohibited Practices

  1. Sharing privileged credentials without individual accountability.
  2. Deploying directly to production outside approved release processes.
  3. Ignoring critical security findings beyond remediation timelines.
  4. Disabling logs or monitoring to hide operational actions.
  5. Transferring sensitive data through unapproved personal channels.
  6. Bypassing MFA or endpoint protections for convenience.
  7. Running unauthorized penetration activities against production systems.
  8. Concealing known incidents from designated response owners.

Governance, Monitoring, and Enforcement

  1. Security control owners maintain evidence for internal and external audit readiness.
  2. Risk registers track findings, remediation status, and residual risk decisions.
  3. Critical controls are retested after material architecture or process changes.
  4. Vendor security posture is assessed during onboarding and renewal cycles.
  5. Mandatory security training applies to all personnel with platform access.
  6. Incident KPIs are reviewed for detection speed, containment, and recurrence.
  7. Emergency changes require retrospective review and documentation closure.
  8. Policy updates are versioned and communicated to affected teams.

Global Source Links and Standards

  1. NIST Cybersecurity Framework 2.0
  2. NIST SP 800-53
  3. OWASP ASVS
  4. OWASP Top 10
  5. CIS Critical Security Controls
  6. ISO/IEC 27001
  7. MITRE ATT&CK
  8. CISA Security Resources

Operational Interpretation and Regional Mapping

These requirements should be interpreted as global baseline controls for a live ad operations platform. Teams must map each requirement to local legal obligations, contractual duties, and traffic-source constraints before enabling production delivery at scale.

When regional regulations impose stricter standards, the stricter standard applies. Where legal ambiguity exists, operations should default to least-risk handling and documented escalation to legal or compliance owners.

Policy-to-Workflow Mapping

  • Map each policy control to one concrete workflow checkpoint.
  • Define accountable owner, review cadence, and evidence source.
  • Link policy failures to clear remediation and rollback actions.
  • Track policy exceptions with expiry and approval metadata.

Evidence and Audit Quality

  • Keep verifiable logs for approvals, enforcement, and account state changes.
  • Maintain immutable records for policy acceptance and version changes.
  • Preserve incident evidence with timestamp accuracy and actor context.
  • Support regulator and partner audits with structured evidence retrieval.

Release and Change Governance

  • Run policy impact review before major workflow or billing changes.
  • Gate high-risk releases behind compliance and security readiness checks.
  • Document rollback criteria for policy or abuse regressions.
  • Communicate material policy updates with effective-date clarity.

Extended Compliance Checklist

  1. Confirm access controls for admin, publisher, advertiser, and support roles.
  2. Verify domain ownership, sitemap coverage, and install-code integrity before launch.
  3. Validate ad creatives, landing behavior, and category eligibility rules.
  4. Ensure budget, spend, and settlement paths align with billing model selection.
  5. Run fraud and abuse controls for both ad-serving and click attribution pathways.
  6. Confirm user data handling for consent, retention, and rights-response timelines.
  7. Check payout safeguards, webhook integrity, and transaction audit visibility.
  8. Review security events, incident triage flow, and postmortem documentation quality.
  9. Ensure policy pages remain reachable, indexable, and version-consistent in sitemap.
  10. Require periodic policy refresh training for operational and support teams.

Policy FAQ for Operations Teams

How often should this policy be reviewed?

Review before each major release and at recurring governance intervals, especially when billing logic, targeting controls, or verification workflows change.

What happens if live behavior conflicts with policy text?

Live enforcement should default to safer behavior immediately, then trigger incident review and documented correction to either implementation or policy wording.

How should teams handle partner-specific requirements?

Apply partner requirements as stricter overlays where needed, while preserving baseline platform controls and maintaining auditable policy-to-process mapping.