Data Protection
Last updated: March 2026 • Amble Media Group LLC
At MicroNicheBrowser, safeguarding the information entrusted to us is a core part of how we operate. This document outlines the technical and organizational measures we employ to protect your data throughout its lifecycle.
1. Our Commitment to Data Protection
Amble Media Group LLC (“we,” “us”) operates MicroNicheBrowser.com as a data controller or a data processor, depending on the context. When you create an account and provide personal details, we act as the controller. When we process market research data on your behalf, we act as a processor. In both capacities we apply the same rigorous safeguards described below.
2. Encryption Standards
In Transit
Every connection to MicroNicheBrowser.com is secured with TLS 1.2 or higher. We enforce HSTS headers with a minimum max-age of one year to prevent protocol downgrade attacks. HTTP requests are automatically redirected to HTTPS.
At Rest
Databases are hosted on infrastructure with full-disk encryption enabled. Sensitive fields such as API keys are stored only as SHA-256 one-way hashes, meaning we cannot reverse them back to the original key value.
Secrets Management
Environment credentials, third-party API tokens, and database passwords are stored in encrypted environment files and are never committed to source control. Access to secrets is restricted to production deployment pipelines.
3. Access Controls
We follow the principle of least privilege across every layer of the platform:
- Role-based access control (RBAC) governs which team members can view, modify, or delete user data.
- Database credentials are unique per service and rotated on a regular schedule.
- Administrative access to production servers requires key-based SSH authentication — password-based login is disabled.
- Third-party integrations (Clerk, Stripe, DataForSEO) receive only the minimum permissions required for their function.
4. Infrastructure Security
MicroNicheBrowser is deployed on dedicated virtual private servers with the following safeguards:
- Containerized services isolated via Docker, limiting the blast radius of any single vulnerability.
- Reverse proxy with strict Content Security Policy, X-Frame-Options, and rate limiting.
- Automated dependency scanning to flag known vulnerabilities in libraries and packages.
- Network-level firewall rules restrict inbound traffic to only the ports and protocols required by the Service.
- Daily automated database backups with a 7-day rolling retention window.
5. International Data Transfers
Our primary servers are located in the United States. If you access the Service from outside the US, your data may be transferred to and processed in the US. Where applicable, we rely on Standard Contractual Clauses or equivalent safeguards approved by relevant data protection authorities to ensure your data receives an adequate level of protection during international transfers.
6. Regulatory Compliance
GDPR (EU/EEA Users)
If you are located in the European Economic Area, you have rights under the General Data Protection Regulation, including the rights to access, rectify, and erase your data, to restrict processing, to object to processing, and to data portability. You may also lodge a complaint with your local supervisory authority. To exercise these rights, email [email protected].
CCPA (California Residents)
California residents may request disclosure of the categories and specific pieces of personal information collected, request deletion, and opt out of the sale of personal information. We do not sell personal information. To submit a request, email [email protected].
7. Breach Notification
In the unlikely event of a data breach that affects your personal information, we will notify affected users by email within 72 hours of becoming aware of the breach. The notification will describe the nature of the breach, the data involved, the steps we have taken to contain it, and recommended actions you can take to protect yourself. Where required by law, we will also report the breach to the relevant supervisory authority within the same timeframe.
8. Data Minimization
We collect only the information strictly necessary to deliver the Service. We do not request demographic details, physical addresses, or government identification. Market research data gathered by the platform is sourced from publicly available channels and is not linked to any individual user’s personal identity.
9. Vendor Due Diligence
Every third-party service that touches user data is evaluated for security posture before integration. Our current vendor stack includes:
| Vendor | Function | Security Standard |
|---|---|---|
| Clerk | Authentication & identity | SOC 2 Type II |
| Stripe | Payment processing | PCI-DSS Level 1 |
| Cloudflare | CDN & DDoS protection | SOC 2 Type II, ISO 27001 |
| OVHcloud | Server hosting | ISO 27001, SOC 1/2 |
10. Updates to This Policy
We review this Data Protection policy periodically. Material changes will be communicated to active users via email at least 14 days before taking effect. The “Last updated” date at the top of this page reflects the most recent revision.
11. Contact
For questions about how we protect your data, or to report a security concern: