Trust & Safety
Penguin is designed with security, fairness, and user trust at every layer.
Security measures
HMAC-signed click tracking
All click URLs contain an HMAC-SHA256 signed JWT token encoding the ad unit ID, agent ID, clearing price, and timestamp. Tokens expire after 7 days and cannot be forged or modified.
Rate limiting
Distributed, database-backed rate limiting protects all endpoints:
| Endpoint | Limit |
|---|---|
| Signup | 5 / minute |
| Login | 10 / minute |
| Decide (per IP) | 1,000 / minute |
| Decide (per key) | 100 / minute |
| Events | 2,000 / minute |
| Feedback | 100 / minute |
Anti-fraud
- Impression-gated clicks — Revenue only earned when a valid impression precedes a click
- Atomic billing — Click charges are idempotent and use database-level atomicity
- Token deduplication — Prevents double-billing via signature-based dedup
- Click-gated ratings — Business ratings require a verified click within 72 hours
Input validation
- All payloads validated server-side with strict size limits
- XSS prevention via HTML entity escaping (
escapeHTML()) - URL sanitization blocks
javascript:,data:,file:protocols - Prompt injection protection in dynamic capabilities (11 regex patterns)
API key security
- Keys use
am_test_andam_live_prefixes for clear environment separation - Key rotation with 1-hour grace period for old keys
- Timing-safe comparison prevents timing attacks
Content policies
For advertisers
- Ads must accurately represent the product or service
- Landing pages must be functional and match the ad content
- No misleading claims, deceptive practices, or prohibited content
- Budget limits enforced: $10 – $100,000 per campaign
For developers
- Ads must be clearly distinguished from organic content
- User experience should not be degraded by ad placement
- No artificial click generation or impression inflation
- Feedback predictions must reflect genuine user reactions
Data handling
- API keys transmitted via HTTPS only
- No PII stored in tracking tokens
- Error logs sanitized to prevent credential exposure
- Session data encrypted at rest in Supabase
Reporting issues
If you encounter policy violations, misleading ads, or security concerns, contact the platform team through the developer portal.