Documentation

Connect your marketing data to Claude, ChatGPT and other LLMs.

Security — Search Console

Token storage

  • OAuth tokens (Google / Meta) encrypted at rest with AES-256-CBC via Laravel Encrypter
  • Encryption key = APP_KEY (never logged, never committed, never exposed in responses)
  • No third-party DB backup contains tokens in the clear
  • Account deletion = cascade deletion of tokens (GDPR)

MCP authentication — OAuth 2.1

  • Standard OAuth 2.1 + PKCE (S256) for all flows
  • Dynamic Client Registration (RFC 7591) — each Claude session generates an ephemeral client_id, no pre-registration on gadspilot's side
  • Resource Indicators (RFC 8707) — Claude must declare the target MCP resource in the authorize request
  • Access tokens: 30-day validity, hashed (SHA-256) in DB
  • Tokens revocable instantly via /profile or via Google Account permissions
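The three mechanisms above (S256 PKCE, the RFC 8707 resource check, and SHA-256 token hashing with a 30-day validity and instant revocation) fit together as follows. This is an added, self-contained Python example written for this page, not gadspilot's own Laravel code; the resource URL and the in-memory token table are constructed placeholders.

```python
import base64
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Constructed placeholder for the MCP server's resource identifier (not gadspilot's real URL).
MCP_RESOURCE = "https://mcp.example.invalid/mcp"
ACCESS_TOKEN_TTL = timedelta(days=30)   # 30-day validity, as stated on the page


def b64url(data: bytes) -> str:
    """Base64url without padding, the encoding RFC 7636 requires for the code challenge."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> tuple[str, str]:
    """Client side: a random code_verifier and its S256 code_challenge."""
    verifier = b64url(secrets.token_bytes(32))   # 43 unreserved characters
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def verify_pkce(code_verifier: str, stored_challenge: str) -> bool:
    """Server side, at the token endpoint: recompute S256 and compare in constant time."""
    expected = b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())
    return hmac.compare_digest(expected, stored_challenge)


def check_resource(requested_resource: str) -> bool:
    """RFC 8707: the authorize request must name this MCP server as its target.
    An exact match refuses requests that would bind the token to some other resource."""
    return requested_resource == MCP_RESOURCE


def hash_token(token: str) -> str:
    """Only this digest is stored; a leaked DB row cannot be replayed as a bearer token."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class TokenStore:
    """In-memory stand-in for the access-token table, keyed by SHA-256 hash."""

    def __init__(self) -> None:
        self._rows: dict[str, dict] = {}

    def issue(self, now: datetime) -> str:
        token = secrets.token_urlsafe(32)
        self._rows[hash_token(token)] = {"expires_at": now + ACCESS_TOKEN_TTL, "revoked": False}
        return token   # plaintext is handed to the client once and never stored

    def revoke(self, token: str) -> None:
        """What /profile revocation does: the row stays for audit, but stops authenticating."""
        row = self._rows.get(hash_token(token))
        if row:
            row["revoked"] = True

    def authenticate(self, token: str, now: datetime) -> bool:
        row = self._rows.get(hash_token(token))
        return bool(row) and not row["revoked"] and now < row["expires_at"]
```

The lookup hashes the presented token and fetches by digest, so the database never needs to hold plaintext tokens, and expiry and revocation are evaluated on every request rather than only at issue time.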

Per-account safety toggles

Each connected account has its own flags:

  • Write enabled (ON by default): if OFF, all write tools return an error immediately, even outside dry-run
  • Dry-run default (ON by default): if ON, every write tool runs in dry-run unless explicitly passed dry_run=false

Audit log

  • All write attempts (real AND dry-run) are logged in the mcp_write_logs table
  • Each entry: tool name, params (JSON), timestamp, dry_run flag, result (success/error + body)
  • Visible to the user via /logs
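How the two per-account flags and the audit log interact on a single write-tool call can be shown in one gate function. This is an added Python example written for this page, not gadspilot's own implementation; the campaign store, the budget tool and the in-memory log list are constructed stand-ins for the real tools and the mcp_write_logs table.

```python
import json
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Optional


@dataclass
class AccountFlags:
    write_enabled: bool = True     # ON by default
    dry_run_default: bool = True   # ON by default


@dataclass
class WriteLogEntry:
    """One row of the (constructed) mcp_write_logs table."""
    tool: str
    params: str          # JSON-encoded parameters
    timestamp: datetime
    dry_run: bool
    result: str          # "success"/"error" plus the response body


# Constructed sample data: campaign id -> daily budget.
CAMPAIGNS = {"c1": 100}


def apply_budget_change(params: dict) -> dict:
    """Constructed stand-in for a real write tool that hits the ads API."""
    CAMPAIGNS[params["campaign_id"]] = params["budget"]
    return {"campaign_id": params["campaign_id"], "budget": params["budget"]}


class WriteGate:
    def __init__(self, flags: AccountFlags) -> None:
        self.flags = flags
        self.logs: list[WriteLogEntry] = []

    def run_write_tool(self, tool: str, params: dict, now: datetime,
                       apply: Callable[[dict], dict],
                       dry_run: Optional[bool] = None) -> dict:
        # Explicit dry_run argument wins; otherwise the account's default applies.
        effective_dry_run = self.flags.dry_run_default if dry_run is None else dry_run

        if not self.flags.write_enabled:
            # Write toggle OFF: refuse before touching anything, dry-run or not.
            result = {"status": "error", "body": "writes disabled for this account"}
        elif effective_dry_run:
            result = {"status": "success", "body": {"dry_run": True, "would_apply": params}}
        else:
            try:
                result = {"status": "success", "body": apply(params)}
            except Exception as exc:   # the error body is logged, never swallowed
                result = {"status": "error", "body": str(exc)}

        # Every attempt is logged: real, dry-run and refused alike.
        self.logs.append(WriteLogEntry(
            tool=tool,
            params=json.dumps(params, sort_keys=True),
            timestamp=now,
            dry_run=effective_dry_run,
            result=f"{result['status']}: {json.dumps(result['body'])}",
        ))
        return result
```

The ordering matters: the write-enabled check runs first so a disabled account is refused even when the caller passes dry_run=false, and the log append sits outside every branch so a refused attempt leaves the same kind of trail as a real one.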

Rate limits

Endpoint                        Limit
MCP requests per token          60 / minute
OAuth token endpoint            30 / minute per IP
In-app Insights AI analysis     30 / day per user
Email reports                   10 / day per user
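The four limits above differ in both window and key (token, IP, user). The sliding-window limiter below shows how such a table is applied per key; it is an added Python example written for this page, not gadspilot's own rate limiting, and the bucket names are constructed labels.

```python
import hashlib
import time
from collections import defaultdict, deque

# (max hits, window in seconds); bucket names are constructed labels for the page's table.
RATE_LIMITS = {
    "mcp_request": (60, 60),        # per token
    "oauth_token": (30, 60),        # per IP
    "insights_ai": (30, 86_400),    # per user
    "email_report": (10, 86_400),   # per user
}


def key_for_token(token: str) -> str:
    """Key MCP buckets by the token's digest so the limiter never holds plaintext tokens."""
    return hashlib.sha256(token.encode("ascii")).hexdigest()


class SlidingWindowLimiter:
    def __init__(self, limits: dict = RATE_LIMITS) -> None:
        self.limits = limits
        self._hits: dict[tuple, deque] = defaultdict(deque)

    def allow(self, bucket: str, key: str, now: float = None) -> bool:
        """Return True and record the hit if (bucket, key) is under its limit, else False."""
        if now is None:
            now = time.monotonic()
        limit, window = self.limits[bucket]
        q = self._hits[(bucket, key)]
        while q and q[0] <= now - window:   # drop hits that fell out of the window
            q.popleft()
        if len(q) >= limit:
            return False                    # caller answers 429 without touching backend
        q.append(now)
        return True
```

A refused request is not recorded, so a client hammering the endpoint cannot extend its own lockout; the window reopens exactly when the oldest counted hit ages out.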

Hosting & infrastructure

  • VPS LWS.fr (France) under ISPConfig
  • Apache + PHP-FPM 8.4, Let's Encrypt certs auto-renewed
  • HTTPS-only with HSTS
  • ISO 27001 certified datacenter
  • No data transferred outside the EU except calls to Google/Meta APIs (required) and OpenRouter for optional AI analysis

Data sent to OpenRouter (optional AI analysis)

The in-app AI analysis in the Insights pages (the ✨ button) sends aggregated KPIs to an Anthropic Claude model via OpenRouter. Granular per-account consent is required, every send is recorded in a GDPR audit log, and nothing is sent automatically.

The MCP-side analysis (Claude itself) does not go through OpenRouter; that traffic goes directly from your AI client to its provider.

Account deletion

  • Self-service from /profile — type "DELETE" to confirm
  • Immediate cascade: OAuth tokens, MCP tokens, audit logs, notes, ai_consent_logs deleted
  • Data export available on request to contact@gadspilot.com

Vulnerabilities

Reporting via /.well-known/security.txt (RFC 9116) or ceo@lws.fr. SLA: acknowledgement within 48 h, fix timeline according to severity.

Full details: Privacy Policy · Terms of Service
