We recently brought all paid search and paid social in-house after poor agency experiences. We’ve built a data-layer-first attribution and conversion tracking system and want an experienced cybersecurity professional to review our implementation for security, privacy, and data integrity gaps before we scale spend.
This is not a marketing role. We’re looking for someone who understands how modern web apps, analytics, and ad platforms actually work — and can spot risks that engineers and growth teams often miss.
Broadly, you'll be reviewing:
• Our tracking architecture and data flows
• How identifiers, cookies, and click IDs are handled
• Server-side event pipelines and webhooks
• Permissions, access, and abuse vectors
• Privacy, consent, and data leakage risks
We will provide a detailed internal runbook that documents our full implementation (Next.js, Supabase, GTM/GA4, Google Ads, Meta, Stripe).
What You’ll Be Reviewing
• Web & server tracking architecture
    • Client-side → server-side → ad platform data flows
    • GTM Web + optional GTM Server (sGTM)
• Identifiers & attribution
    • First-party cookies (device/session IDs)
    • Click IDs (gclid, wbraid, gbraid, fbclid, etc.)
    • Event IDs and deduplication logic
• Backend & database
    • Supabase/Postgres schema and access patterns
    • Event idempotency
    • Row-level security (RLS) assumptions
• Third-party integrations
    • Stripe webhooks
    • Zoom webhooks (call attendance)
    • Google Ads offline conversion uploads
    • Meta Conversions API
• Privacy & compliance posture
    • PII handling (hashed vs raw)
    • Consent gating assumptions
    • Risk of unintended data sharing
What We Want From You (Deliverables)
1. Written audit report covering:
• Security risks
• Data leakage risks
• Abuse/fraud vectors (fake conversions, spoofed events, replay attacks, etc.)
• Privacy/compliance red flags
2. Concrete recommendations, prioritized by severity:
• “Must fix before scaling spend”
• “Should fix soon”
• “Nice to have”
3. Optional (nice bonus):
• Suggested hardening patterns
• Monitoring or alerting ideas
• “If I were trying to break this…” scenarios
We care far more about thinking quality than a giant PDF.
Who You Are
You likely have experience with:
• Web application security or security architecture
• Modern analytics stacks (GTM, GA4, Meta CAPI, Google Ads)
• Server-side event pipelines or webhook systems
• SaaS products handling PII and payments
Strong pluses:
• Experience auditing analytics or attribution systems
• Familiarity with ad fraud, conversion spoofing, or data poisoning risks
• Understanding of how growth teams accidentally create security holes