Security, Data & Privacy Report

The Tapper Monitoring Script is a lightweight, asynchronous JavaScript snippet embedded on a customer’s website. It is designed to detect and block invalid traffic without collecting personally identifiable information (PII) or disrupting site performance. Behavioral and Technical Data Capture (Fully Anonymized) Tapper collects non-PII signals to identify suspicious activity. These include: • User interactions: Clicks, scroll depth, mouse movements, and time-on-page • Technical fingerprints: IP address, browser type, operating system, screen resolution, language, and time zone • Session patterns: Frequency and timing of visits, device reuse, and velocity anomalies • HTTP header analysis: User agent, referrer, and cookie behavior This data enables Tapper’s fraud models to assess whether traffic is human or bot-based in real time. Real-Time IP Blocking & Audience Exclusions When invalid activity is detected: • For Google Ads, the IP address is added to the customer’s IP exclusion list via the Google Ads API. • For Meta Ads, the user is added to a blocked audience that prevents future impressions. This ensures ongoing protection by cutting off bad actors before they can click again. Privacy-Safe Session Replay Tapper provides session replay using event-based logs only — no screen recording. All text inputs are redacted, and sensitive data is never captured. Only events like clicks, scrolls, and hovers are simulated. Form fields are scrubbed before processing. No videos or PII are stored or accessible. Performance Impact Tapper’s monitoring script is designed to be: • Asynchronous: It loads in parallel with the page, never blocking the browser. • Lightweight: Optimized for speed and under 30KB. • Non-blocking: Does not affect page performance or load time.

Tapper uses supervised and unsupervised machine learning models to analyze ad click and session data in real time. The models classify traffic as valid or invalid (bots, click farms, competitor clicks, automated tools) to protect ad budgets on Google and Meta. Intended Use • Primary users: Performance marketers, advertisers, and agencies. • Use case: Detect and block invalid ad traffic in real time to recover wasted spend and reduce CPA. • Not intended for: Content generation, general-purpose AI, or decision-making outside of ad fraud prevention. Model Performance • Trained on billions of anonymized click/session events. • Evaluated against labeled datasets of bot and human traffic. • Benchmarks: High precision in detecting invalid traffic, with continuous monitoring and retraining. Safety Features • Limited domain: Only classifies ad traffic (not people or protected attributes). • No use of personal identity data (PII) in model training. • Human override: Customers can review exclusions before applying blocks. Limitations • False positives may occur (valid users flagged). • Effectiveness depends on accurate campaign tracking setup. • Model does not identify all forms of sophisticated fraud (e.g., new attack vectors). • Not a substitute for broader cybersecurity measures. Ethical Considerations • Focused on protecting ad spend and campaign efficiency. • No profiling of individuals or sensitive personal information. • Designed to complement, not replace, marketer decision-making. Last Updated: August 2025

This document outlines Tapper’s approach to PII redaction, session recording controls, and behavioral data anonymization to address concerns regarding sensitive data exposure. Redaction of Input Fields Tapper implements an automatic redaction mechanism that prevents any input field data from being stored or processed. This applies to all text fields where users may enter sensitive information, such as names, email, addresses, phone numbers, credit card details, and passwords. Technical Implementation I. Field Auto-Detection & Redaction: • Tapper redacts all input fields, ensuring that no user-entered data (e.g., names, emails, credit card details) is stored or processed. • Any captured keystrokes or field values are automatically replaced with [REDACTED] before being processed. II. Form Submission Handling: • Tapper does not intercept or store form submission data. • Any user-submitted data is processed exclusively by the website’s backend, not by Tapper. III. No Storage of User Input Fields: • Tapper does not store or log data from user input fields. • All logs related to fraud analysis are stripped of any text input information. Behavioral Data is Anonymous Tapper focuses solely on behavioral analytics, capturing non-PII metrics such as: • Mouse movements and scrolling patterns • Click frequency and timing • Device fingerprinting (browser type, OS, screen resolution) • IP-based anomaly detection (e.g., excessive clicks from a single source) All captured data is fully anonymized and never linked to a specific user or stored with PII. Conclusion Tapper ensures that no Personally Identifiable Information (PII) is ever collected or stored. If you require additional custom configurations to meet your security policies, our team is happy to collaborate with your security team to tailor the implementation.

Architectural Data Flow Diagram Tapper Integration with Google Ads Tapper integrates seamlessly with Google Ads via the Google Ads API. Through this integration, Tapper monitors clicks and impressions in real-time and can apply exclusions or adjust targeting parameters directly within a client’s Google Ads account. This ensures that ads are served only to legitimate users, automatically updating exclusion lists for blocked IPs and audiences as required. Tapper JavaScript Integration Tapper operates by embedding a lightweight JavaScript snippet on the client’s website. This snippet collects data on user interactions and behaviors, which is securely transmitted to Tapper’s servers for analysis. The Architectural Data Flow Diagram (found in the compliance section above) illustrates the process, showing data flow from user interactions to analysis and back to client platforms. Data Attributes and Capture Methods Behavioral Data • Page Views: Tracks which pages users visit and their duration. • Clicks: Monitors specific user interactions, such as ad clicks. • Scroll Depth: Tracks user engagement by monitoring scrolling behavior. • Mouse Movements: Detects patterns indicating bot-like activity. • Method: Event listeners embedded in the Tapper JS snippet capture these behaviors. Technical Data • IP Address: Obtained from HTTP request headers to identify unique users and detect fraud. • User Agent: Captures device, operating system, and browser information for device fingerprinting. • Referrer URL: Extracted to understand traffic sources. • Geolocation: Derived from IP to provide geographic insights. • Method: HTTP headers and JavaScript APIs are used to collect this data. Derived Attributes • Session IDs: Created to track unique visits over time. • Click-to-Conversion Rate: Derived from clickstream data. • Fraud Patterns: Identified using machine learning to detect invalid traffic (e.g., bots, click farms). • Method: Standard web technologies such as HTTP headers and event listeners within the JavaScript snippet. Data Flow Encryption Data in Transit: All data transmitted between the client’s website and Tapper’s servers is encrypted using TLS (Transport Layer Security) to prevent interception. Data at Rest: Data stored on Tapper’s servers is encrypted using AES-256 encryption, ensuring secure storage. Architectural Design and Infrastructure Tapper’s infrastructure is hosted on AWS, leveraging its security and scalability features. Key components include: • AWS Lambda: Processes incoming data in real-time. • Amazon S3: Stores encrypted data securely. • Amazon RDS: Manages relational data for quick retrieval. • AWS Glue: Builds a data catalog and detects sensitive data. The Tapper EKS Architecture Diagram (found in the compliance section above) further details this design. Handling of Screen Recordings and PII Tapper utilizes session replay technology, not traditional continuous screen recording, to enhance click fraud detection. What Tapper’s Session Replay Entails The session replay functionality captures: Mouse Movements, Scroll Actions, Clicks and Tap Locations, and Form Interactions. This enables advertisers to review user interactions to determine whether behavior aligns with legitimate users or fraudulent bots. Technical Overview • JavaScript Tracking Script: A JS snippet on the client’s website captures user interactions in real-time. User actions are logged as events (e.g., clicks, scrolls) rather than video recordings. • Event-Based Replay: Interactions are reconstructed visually using structured data, simulating the user session without recording full screen activity. Integration with Fraud Detection Session data is analyzed to flag: • Rapid, sequential clicks indicating bot activity. • Abnormal navigation behaviors. • Multiple sessions from the same IP or device fingerprint. Data Privacy Considerations • Personal data is excluded or anonymized to comply with GDPR and CCPA. • Sensitive information (e.g., form inputs) is masked or redacted. Key Differences from Full Screen Recording • Captures only website interactions within the browser. • Focuses on specific events rather than entire screen activity. • Designed with privacy in mind, ensuring minimal intrusion. Conclusion Tapper’s robust security measures, including data encryption, AWS infrastructure, and session replay technology, ensure client data is protected while providing actionable insights for ad fraud detection. For further details or specific questions regarding Tapper’s processes, please do not hesitate to reach out.

Yes, Tapper’s services involve the collection of certain client data for the purpose of identifying and blocking invalid traffic. This data includes user interactions with ads and websites, such as clicks, impressions, and user behavior metrics (e.g., click patterns, session duration). This data is used to detect fraudulent activity and improve campaign performance. However, Tapper does not access sensitive or personally identifiable client data such as financial information or personal identifiers unless necessary for fraud detection.

Tapper integrates with Google Ads via the Google Ads API. Through this integration, Tapper is able to monitor clicks and impressions in real time and can apply exclusions or adjust targeting parameters directly within a client’s Google Ads account. This integration allows Tapper to analyze traffic patterns and ensure that ads are served only to legitimate users, automatically updating exclusion lists for blocked IPs and audiences as required. For more information about the Google Ads API and the schema, see here: https://developers.google.com/google-ads/api/docs/get-started/introduction

Yes, Tapper processes limited personal information as part of its ad fraud prevention services. This includes IP addresses, device IDs, user agent strings, and other device/browser information necessary to distinguish legitimate users from bots or fraudulent traffic. The information collected is used solely for fraud detection and prevention purposes. Tapper is compliant with GDPR and other relevant privacy regulations to ensure proper handling and storage of this data.

Tapper retains data for a default period of 12 months to facilitate analysis and reporting, which ensures that we can provide accurate insights and historical trend data. However, this period can be adjusted based on your specific compliance requirements, and we can work with your legal team to align on the ideal retention period.

Tapper’s Monitoring Script or “pixel” primarily collects non-personally identifiable information (non-PII) related to user behavior on your digital properties. This includes details like: • Click data (e.g., timestamp, ad source, and user interaction metrics). • Device information (e.g., browser type, device model). • IP address, which is used solely for the purpose of identifying fraudulent or suspicious activity. Importantly, the pixel does not collect sensitive financial information, customer names, or other identifiable data that would require more stringent handling.

The pixel serves a dual purpose: Detection: It helps identify and monitor invalid or fraudulent traffic, which is critical for protecting ad budgets from bots and click farms. Blocking: Based on the analysis, Tapper can automatically exclude fraudulent sources, ensuring that ads are only shown to legitimate users, thereby improving campaign performance and reducing wasted spend. The pixel is primarily used for analysis and real-time decision-making, ensuring that your campaigns are protected throughout their duration.

The pixel is typically implemented for the duration of the partnership between Tapper and our customers. However, if the customer wishes to terminate the use of Tapper’s services, the pixel (Tapper’s Monitoring Script), can be removed within 30 days of written notice, ensuring that the data is no longer being collected or processed beyond the agreed period.

Tapper detects and blocks invalid traffic, in real time, on the world’s most popular paid ad platforms. • Google Search Ads • Google Display Ads • Google Performance Max • YouTube Display Ads • Facebook Ads • Instagram Ads • Facebook Messenger Ads • Facebook Audience Network Your dynamic exclusion list is updated regularly for the best results (where possible). In addition to IP blocking, we also use over 100 data points to identify and block fraudulent activity on your paid campaigns. With Meta for Business Ads, our unique detection methods create a custom audience list of blocked accounts. These accounts will not be able to view or click your ads across all Facebook and Instagram Ad campaigns.

Tapper utilizes the “ads_read” permission within Meta (Facebook) Ads to gain critical access to various components of an advertiser’s Meta account, including campaigns, ad sets, ads, available audiences, and account pixels. Campaigns, Ad Sets, and Ads: With this permission, Tapper can access detailed information about active campaigns, ad sets, and individual ads. This allows Tapper to analyze and identify fraudulent audiences or invalid traffic associated with specific campaigns or ads. By linking fraudulent activity to particular campaigns and ad sets, Tapper can provide targeted protection and insights to optimize ad performance. Ad Sets and Exclusion Audiences: Ad set information is crucial for Tapper’s functionality, as audience exclusions are attached to Ad sets. Audiences and Account Pixels: Access to audiences and account pixels is essential for Tapper to create and manage exclusion audiences.

Tapper leverages Meta’s “Ads Management Standard Access” permission to effectively scale of Meta ads accounts connected and deal with high volumes of traffic.

Tapper utilizes the “ads_management” to create an exclusion audience, update the audience, and update ad sets to attach audiences as an exclusion.

Tapper integrates with the Google Ads API to provide the following functionalities for our users: Campaign Monitoring: We connect securely to user Google Ads accounts via the API to monitor campaign data in real-time. This allows us to analyze click activity and identify patterns indicative of invalid traffic. Fraud Detection: By leveraging advanced algorithms and machine learning, Tapper analyzes user click data against various parameters to detect suspicious activity such as abnormal click patterns, bot activity, and geographically anomalous clicks. Alerting & Reporting: When fraudulent activity is detected, Tapper alerts users and provides detailed reports with identified invalid clicks. This enables users to take action and block fraudulent traffic sources within their Google Ads campaigns. Campaign Optimization: By eliminating invalid clicks, Tapper helps users optimize their Google Ads campaigns for genuine traffic, maximizing their return on ad spend (ROAS). Data Security & User Privacy Tapper prioritizes user data security. We utilize industry-standard data encryption practices and adhere to strict user access controls to ensure the confidentiality and security of user information accessed through the Google Ads API. Compliance Tapper understands and strictly adheres to Google Ads policies regarding ad traffic. Our software functions solely to identify and report invalid clicks. We do not manipulate clicks, impressions, or conversions in any way, nor do we interfere with Google’s own click fraud detection systems. We believe Tapper offers a valuable solution for businesses using Google Ads and contributes to a healthier online advertising ecosystem.

Tapper utilizes AI-driven algorithms for ad fraud detection and prevention. These models analyze user behavior, device characteristics, and interaction patterns to identify and block fraudulent activities. While AI is central to Tapper’s detection capabilities, the platform does not use generative AI models. Instead, Tapper’s AI models focus on data analysis and pattern recognition to differentiate between legitimate users and fraudulent activities, ensuring accurate identification and mitigation of ad fraud.

Google Ads API Token with Sensitive/Restricted Scopes Justification for Sensitive/Restricted Scopes: Tapper’s core functionality relies on analyzing campaign data to detect fraudulent clicks. The following sensitive/restricted scopes are essential for this purpose: Campaign Management (can_manage_campaigns): This scope allows Tapper to read, write, and modify campaign settings, including budgets, bids, targeting options, and ad creatives. This is crucial for filtering out fraudulent clicks and optimizing campaigns for genuine traffic. Customer Management (manage_customers): This scope enables Tapper to access basic customer information like account name and time zone. This helps personalize the user experience and provide relevant campaign insights. Reporting (read only): This scope allows Tapper to access detailed campaign reports, including impressions, clicks, conversions, and costs. Analyzing these reports is vital for identifying patterns and anomalies indicative of ad fraud. Why More Limited Scopes Are Insufficient: Read-only access: While read-only access to some data would be helpful, it wouldn’t allow Tapper to take corrective actions against identified fraudulent clicks. The ability to modify campaigns (can_manage_campaigns) is essential for filtering out fraudulent traffic and protecting user budgets. Limited reporting scopes: Restricted reporting scopes wouldn’t provide the level of detail needed to effectively analyze campaign performance and detect fraudulent activity. The “readonly” scope grants access to comprehensive reports necessary for in-depth analysis.

Tapper uses AI and machine learning techniques to detect and prevent ad fraud by analyzing patterns in traffic data, identifying anomalies, and distinguishing between genuine and fraudulent activity. Anomaly Detection • Z-Score/Standard Score: Measures how many standard deviations a data point is from the mean, helping identify outliers. • Isolation Forest: A tree-based model that isolates observations by randomly selecting a feature and then randomly selecting a split value between the maximum and minimum values of the selected feature. Anomalies are isolated quickly, making it effective for fraud detection. Supervised Learning Models • Support Vector Machine (SVM): Particularly useful for binary classification tasks like fraud detection. One-class SVM can separate normal traffic from anomalies. • Random Forests: An ensemble method that builds multiple decision trees and merges them to get a more accurate and stable prediction. Unsupervised Learning Models • k-Nearest Neighbors (k-NN): Identifies anomalies based on the distance to the k-nearest neighbors. Points far from others are considered anomalies. • Clustering Algorithms: Techniques like K-means clustering help group data points and identify outliers that don’t belong to any cluster. Real-Time Behavioral Analysis • Mouse Movement and Click Patterns: Tracking the speed, acceleration, and patterns of mouse movements and clicks to differentiate between bots and humans. • Scroll Behavior: Monitoring how users scroll through a page to identify non-human behavior. • Event Frequency Analysis: Analyzing the frequency and distribution of events (like clicks) to spot irregular patterns. IP Address Analysis • STUN/DNS Techniques: These methods can help uncover masked IP addresses by interacting with the network infrastructure to reveal the true origin of the traffic. Dynamic JavaScript Challenges • Behavioral Tests: Running JavaScript code to test browser behavior and environment variables that are difficult for bots to mimic. • Fingerprinting: Collecting data about the user’s browser and device to create a unique identifier and detect anomalies. TCP/IP Analysis • TCP Fingerprinting: Examining TCP packet headers and behaviors to identify inconsistencies that suggest non-human traffic.

Tapper analyzes server-side signals via the HTTP Protocol. Using HTTP techniques, Tapper analyzes server-side signals transmitted via the HTTP protocol to detect anomalies that might indicate fraudulent activities. Technical Operation: • HTTP Headers Inspection: The system inspects HTTP headers for inconsistencies or unusual patterns. Key headers such as User-Agent, Referrer, Accept-Language, and X-Forwarded-For are scrutinized for signs of spoofing or manipulation. • Cookie Analysis: It examines cookies for abnormal patterns that may indicate automated scripts or bots. For example, the absence of cookies in sessions where they are expected can be a red flag. • Request Frequency and Timing: Analyzes the timing and frequency of HTTP requests. Unusually high request rates or precise intervals often suggest bot activity rather than human behavior. • Referrer Analysis: Looks at the referring URL to see if it aligns with expected traffic patterns. Mismatched or suspicious referrer information can indicate click fraud.

These techniques help in identifying the real IP addresses of users who may be trying to mask their identity using proxies or VPNs. STUN (Session Traversal Utilities for NAT): • Public IP Discovery: The client-side script initiates a STUN request to a STUN server to discover the public IP address of the client. This can reveal discrepancies between the reported IP and the actual public IP. • NAT Type Detection: Helps identify the type of NAT being used, which can provide context for why an IP might appear masked or altered. DNS Techniques: • Reverse DNS Lookup: Conducts reverse DNS lookups to verify if the IP address matches the domain name it claims to represent. Mismatched results can indicate the use of proxy servers. • DNSBL (DNS-based Blackhole List) Checks: Cross-references the IP address against known blacklists of malicious or suspicious IP addresses to identify potential fraud sources.

Using JavaScript, Tapper performs dynamic tests to verify the authenticity of the user’s browser and its environment. Technical Operations: • Behavioral Analysis: Deploys JavaScript to observe user interactions like mouse movements, clicks, scrolling behavior, and typing patterns. Bots often fail to mimic human behavior accurately. • Environment Checks: Checks for discrepancies in the browser environment by comparing reported attributes (such as screen size, time zone, and browser plugins) against expected values. Inconsistencies can indicate emulated or automated environments. • Fingerprinting: Uses JavaScript to generate a unique fingerprint of the user’s device by combining various browser attributes. Frequent changes in fingerprints or matches with known fraudulent fingerprints can indicate suspicious activity.

TCP techniques involve analyzing the Transmission Control Protocol (TCP) layer to detect anomalies that suggest fraudulent behavior. Technical Operation: • TCP Handshake Analysis: Monitors the three-way TCP handshake process to identify irregularities. Bots or automated scripts might handle TCP handshakes differently from legitimate browsers. • Packet Timing and Sequence: Examines the timing and sequence of TCP packets. Inconsistent timing or unusual packet sequences can indicate non-human activity. • TTL (Time to Live) Analysis: Analyzes the TTL values of incoming packets. Significant deviations from the norm can suggest IP spoofing or the use of anonymization services. • SYN/ACK Rates: Monitors the rate of SYN and ACK packets. High rates of SYN packets without corresponding ACK responses can be indicative of denial-of-service (DoS) attacks or probing activities by bots.

Tapper utilizes industry-standard practices concerning the encryption of data when stored and while in transmission. Tapper also has a documented cryptography policy that outlines the requirements for encrypting data and transmissions. Encryption at rest All data, including backups, is encrypted at-rest using AES-256 encryption. Encryption in transit Data is encrypted while moving between us and the browser with Transport Level Security (TLS) 1.2. Secure Sockets Layer Secure Sockets Layer (SSL) certificates are issued and managed through Amazon Web Services, and HTTP Strict Transport Security (HSTS) is enabled. Key management Amazon Web Services (AWS) stores and manages data cryptography keys in its redundant and globally distributed Key Management Service (KMS). AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys.

At Tapper, we are fully committed to complying with GDPR and CCPA requirements. We have established policies and procedures to ensure adherence to these laws, including conducting data protection impact assessments, privacy impact assessments, and incident response plans. We also have representation in the EU and UK to ensure compliance with regional regulations. Legal Framework Tapper operates in compliance with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We also comply with other relevant privacy laws and regulations as applicable. We have implemented appropriate technical and organizational measures to ensure that personal data is processed in accordance with these laws and regulations. Personal Data Collection Tapper uses the IP address, along with other data points, to determine whether a session is fraudulent and block access to the customer’s website. The IP address is considered personal data under the GDPR, and the other data points may also be considered personal data depending on their nature. To comply with GDPR, Tapper obtains explicit consent from its customers to collect and process personal data for this purpose. However, GDPR Article 6(1)(f) provides the legal basis for processing personal data, including IP addresses and cookies, without obtaining explicit consent, provided that the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject, which require protection of personal data. If a customer opts to use Tapper’s product to track fraudulent services, the data collected will be used only for this purpose, and in compliance with GDPR and CCPA. Tapper is classified as a “Processor” under GDPR and a “Service Provider” under CCPA, meaning that Tapper processes personal data it collects only as necessary to provide its services to the applicable Tapper customers who authorized the collection of such data. Tapper takes appropriate technical and organizational measures to ensure the security of personal data, including the IP address and other data points it collects. Individuals have the right to access, rectify, and delete their personal data collected by Tapper. Tapper will promptly respond to any request to exercise these rights, as required by GDPR and CCPA. You can read more about it here.

Our system monitors your traffic at all times and the process of blocking an IP happens instantaneously. The moment our system detects click fraud, it also tells Google to block the IP.

Tapper monitors every IP that clicks on your ads and runs it against dozens of different tests and challenges. We’re using a sophisticated algorithm to validate whether the ad click is fraud or not. The algorithm includes testing the IP against different VPNs, proxies, known blacklists, and more! It also analyzes the number of clicks the IP has performed on your ads and other user behavior elements. When the system identifies a fraudulent IP, it adds the IP to your IP exclusion list on Google. This action prevents unwanted visitors from seeing your ad, therefore stopping them from clicking your ad further. It is instant and automatic as soon as the malicious IP is detected. We recommend adjusting your Click Fraud Threshold rules so they will suit your unique business characteristics.

Absolutely not. The Monitoring Script is a lightweight ultra fast code. The script executes asynchronously. That means that the browser does not wait for this script to finish executing before loading your website. Hence, it has no impact on your page’s load time.

Google Ads restricts users to an IP Exclusion list of up to 500 IP addresses. When the automatic IP blocking system detects that this 500 IP limit has been reached, it will begin to replace old IPs—those that may no longer pose a threat, with new, currently harmful IP addresses. This process ensures that your exclusion lists remain current and effective against ongoing threats. It’s important to note that an IP address used for fraudulent activity two months ago might not be used for the same activity today. If a previously removed IP clicks on your ads again, it will be immediately blocked.

Application-Level Tenant Isolation Each data record written into Tapper’s storage layer is tagged with a tenant identifier (Tapper Account ID). All backend APIs enforce tenant-scoped queries: • Every API request passes through an authentication layer that attaches the customer tenant ID. • Backend services enforce row-level filtering based on tenant ID. • No cross-tenant reads/writes are technically possible at the application level. Database-Level Logical Isolation (BigTable + BigQuery) Tapper uses a combination of BigTable (production fingerprint + click data) and BigQuery (analytics + reporting). Data segregation is achieved by: • Table-level & Row-level logical boundaries — Each table stores records with a customer identifier as part of the primary key design. • Access is enforced via service accounts — Each backend microservice has its own GCP IAM service account, and queries are only permitted for tenant-scoped data. • No shared queries or shared analytical models — Queries are always executed per tenant, never across customers. • Sensitive data is encrypted in transit and at rest (AES-256) — This ensures isolation even at the storage layer. Network-Level Isolation (per GKE namespace & Istio policies) As shown in the GCP Architecture diagram (see GKE Architecture, page 1), Tapper uses GKE Namespaces, Istio Virtual Services & Destination Rules, and mTLS between microservices. This ensures: • Only specific microservices can communicate with database endpoints. • No lateral movement is possible between services. • Only the tracker/analyzer/consumer services can access customer-specific data. This gives us strong network micro-segmentation equivalent to having separate VPCs per customer. GCP IAM-Enforced Isolation We rely on strict Identity and Access Management (IAM): • Only specific backend services have permission to read/write click logs. • BigQuery datasets and BigTable instances are accessible ONLY by the production service accounts. • No employee has direct access unless explicitly and temporarily approved under our SOC2 access control procedures.

Tapper follows Google Consent Mode requirements only where they apply. For IP-based exclusions, no consent is required. This means Tapper can block invalid or high-risk traffic across Search, Shopping, Demand Gen and Display in all regions, including the EEA, without relying on user consent signals. For audience-based exclusions (used to protect Meta and some Google placements), Consent Mode becomes relevant. Tapper treats non-EEA users as consent-granted by default unless the site’s CMP signals otherwise. For EEA users, Tapper treats consent as not granted unless explicit consent has been captured via the CMP. Tapper always honours the site’s existing consent signals to ensure compliant audience creation and targeting.