OobiMax

Security

OobiMax is built around workspace isolation, approval safety, scoped access, and recoverable execution.

Workspace isolation

Each workspace is scoped to its own tenant.

Data, signals, sources, brands, recommendations, delivery settings, and decisions are isolated per tenant.

Data access

OobiMax uses connected platform access to discover media accounts, collect campaign context, generate recommendations, and confirm approved actions. Measurement signals stay separate so tracking context can inform review without becoming permission to spend.

We do not:

  • modify account structure without explicit user action
  • access unrelated data
  • share workspace data externally

Authentication and source control

All access is scoped and verified at the application level.

  • Google and Meta OAuth connection sources with account discovery
  • tenant-scoped Slack and Telegram delivery settings
  • tenant-aware access validation
  • encrypted storage for integration secrets
  • authenticator-app TOTP MFA for workspace sign-in; no SMS provider required
  • source-scoped execution credentials for approved platform actions
  • separation between workspace administration and OobiMax platform administration
  • workspace-user session revocation when users are frozen, forced to reset, or change security-sensitive access

Current OAuth and channel permissions

OobiMax keeps platform access tied to the workspace source that created it, then maps selected discovered accounts to brands. Google Ads data access is verified for the Google Ads scope. GA4 and Search Console use a separate approved read-only Measurement consent flow; discovery, collection, and brand mapping remain evidence-only and do not grant campaign or spend authority.

  • Google Ads OAuth currently uses the Google Ads API scope for account discovery, campaign collection, and approved Google Ads actions through the mapped source. Google Auth Platform branding is verified for OobiMax, and Google Data Access verification for the Google Ads scope is approved.
  • Google Measurement OAuth requests Analytics read-only and Search Console read-only scopes separately from the Google Ads flow so workspace admins can connect GA4 and Search Console evidence for brand-scoped Measurement review.
  • Meta OAuth currently requests ads_read, ads_management, business_management, and pages_show_list so OobiMax can discover ad accounts, collect campaign/ad/ad-set/creative context, and identify eligible Pages for selected-account creative reference checks. OobiMax does not collect Page posts or publish Page content.
  • Canva Connect is used by higher-tier Campaign Builder workspaces to let an operator connect their own Canva account, search designs, export a supported creative file, and import it into private OobiMax storage for QA and selected-brand approval.
  • Slack uses workspace OAuth for recommendation delivery and signed interactive approvals, with chat:write, channels:read, and groups:read as the current app scopes.
  • Telegram uses the OobiMax bot plus a tenant-scoped connect code; no user OAuth token is collected.
  • OobiMax-managed AI credentials stay server-side and are never displayed back to workspace operators.

Execution control

OobiMax separates signal, recommendation, approval, and execution.

  • actionable recommendations expose approve/reject controls only when the action path is supported
  • Review Only and Action Plan recommendations never pretend to be one-click executable
  • approved actions are tracked through execution and confirmation where supported
  • Retry Execution lets failed executions be retried after the source, token, or validation blocker is fixed
  • Campaign Builder plans are review-first; spend launch stays blocked
  • platform declarations are accountable approval checks, not background automation

Delivery control

External delivery is explicit. Refresh Intelligence updates OobiMax locally; recommendations are sent to Slack, Telegram, email, or future channels only when a workspace selects that destination.

Slack and Telegram mirror the Inbox recommendation state. They do not become separate systems of record.

Webhook and action safety

  • signed Slack interactive actions
  • Telegram callback validation
  • expiring action tokens
  • signed OAuth state expiry for Google, Meta, Slack, and Google Measurement connection flows
  • stale signed webhook/action timestamps are rejected where supported
  • operator metadata and audit context for decisions
  • clear already-handled responses to reduce duplicate approval risk
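
As an added illustration (not OobiMax's own code), here is how the signed-action, stale-timestamp and expiring-token checks listed above can be implemented against Slack's documented request-signing scheme, plus a generic expiring HMAC token that fits the same role as the signed OAuth state with expiry; the signing secret, key, token format and sample body are constructed.

```python
import hashlib
import hmac
import time

# Slack's documented signing scheme: HMAC-SHA256 over "v0:<timestamp>:<raw body>"
# with the app signing secret, sent as "v0=<hex>" in X-Slack-Signature.
TOLERANCE_SECONDS = 300  # reject requests whose timestamp is more than 5 minutes off


def slack_signature(signing_secret: bytes, timestamp: str, body: bytes) -> str:
    base = b"v0:" + timestamp.encode() + b":" + body
    return "v0=" + hmac.new(signing_secret, base, hashlib.sha256).hexdigest()


def verify_slack_request(signing_secret: bytes, headers: dict, body: bytes, now=None) -> bool:
    """True only if the timestamp is fresh and the signature matches the raw body."""
    now = int(time.time()) if now is None else now
    ts = headers.get("X-Slack-Request-Timestamp", "")
    if not ts.isdigit() or abs(now - int(ts)) > TOLERANCE_SECONDS:
        return False  # stale or malformed timestamp: treat as a replay, fail closed
    expected = slack_signature(signing_secret, ts, body)
    # constant-time comparison so the signature cannot be guessed byte by byte via timing
    return hmac.compare_digest(expected, headers.get("X-Slack-Signature", ""))


def make_action_token(key: bytes, action_id: str, expires_at: int) -> str:
    """Expiring approve/reject token, constructed format "<action_id>.<expires_at>.<hmac>"."""
    payload = f"{action_id}.{expires_at}"
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"


def verify_action_token(key: bytes, token: str, now: int):
    """Return the action id if the token is authentic and unexpired, else None."""
    try:
        action_id, expires_at, mac = token.rsplit(".", 2)  # action_id may itself contain dots
    except ValueError:
        return None
    if not expires_at.isdigit() or now > int(expires_at):
        return None  # expired tokens are rejected before any signature work
    expected = hmac.new(key, f"{action_id}.{expires_at}".encode(), hashlib.sha256).hexdigest()
    return action_id if hmac.compare_digest(expected, mac) else None
```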

Application hardening

  • secure session cookie settings
  • security headers and no-store public HTML controls
  • browser-side CSRF hardening with Fetch Metadata and same-origin Origin/Referer checks on state-changing dashboard and contact routes
  • rate limits on sensitive dashboard and webhook paths
  • secret redaction in diagnostics and support surfaces
  • workspace deletion previews return counts without exposing stored credentials or tokens
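
The Fetch Metadata and same-origin Origin/Referer check above, as an added example that is not OobiMax's own code; the application origin is a constructed placeholder, and the check fails closed when a browser sends neither header on a state-changing request.

```python
from urllib.parse import urlsplit

STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}
APP_ORIGIN = "https://app.example.test"  # constructed placeholder for the dashboard origin


def is_same_origin_request(headers: dict, method: str, app_origin: str = APP_ORIGIN) -> bool:
    """Allow a state-changing request only when browser metadata shows it is same-origin.

    Two independent signals are checked: Sec-Fetch-Site (sent by modern browsers and
    not settable by page scripts) and the Origin header, falling back to Referer.
    """
    if method.upper() not in STATE_CHANGING:
        return True  # reads are not CSRF targets; only mutating routes are gated
    site = headers.get("Sec-Fetch-Site")
    if site is not None and site != "same-origin":
        return False  # cross-site, same-site (sibling subdomain) and other values are rejected
    source = headers.get("Origin") or headers.get("Referer")
    if not source:
        return False  # no attributable source at all: fail closed
    parts = urlsplit(source)  # "Origin: null" yields an empty scheme/netloc and is rejected
    return f"{parts.scheme}://{parts.netloc}" == app_origin
```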

Infrastructure

OobiMax does not apply changes autonomously; every change requires explicit user action.

OobiMax is deployed in a controlled cloud environment.

Contact

support@oobimax.io