Cybersecurity & Tracking Architecture Audit (Paid Ads, Attribution, GTM, GA4, Meta, Stripe)

We recently brought all paid search and paid social in-house after poor agency experiences. We’ve built a data-layer-first attribution and conversion tracking system and want an experienced cybersecurity professional to review our implementation for security, privacy, and data integrity gaps before we scale spend. This is not a marketing role. We’re looking for someone who understands how modern web apps, analytics, and ad platforms actually work — and can spot risks that engineers and growth teams often miss. Broadly, you'll be reviewing: • Our tracking architecture and data flows • How identifiers, cookies, and click IDs are handled • Server-side event pipelines and webhooks • Permissions, access, and abuse vectors • Privacy, consent, and data leakage risks We will provide a detailed internal runbook that documents our full implementation (Next.js, Supabase, GTM/GA4, Google Ads, Meta, Stripe). What You’ll Be Reviewing • Web & server tracking architecture Client-side → server-side → ad platform data flows GTM Web + optional GTM Server (sGTM) • Identifiers & attribution First-party cookies (device/session IDs) Click IDs (gclid, wbraid, gbraid, fbclid, etc.) Event IDs and deduplication logic • Backend & database Supabase/Postgres schema and access patterns Event idempotency Row-level security (RLS) assumptions • Third-party integrations Stripe webhooks Zoom webhooks (call attendance) Google Ads offline conversion uploads Meta Conversions API • Privacy & compliance posture PII handling (hashed vs raw) Consent gating assumptions Risk of unintended data sharing What We Want From You (Deliverables) 1. Written audit report covering: • Security risks • Data leakage risks • Abuse/fraud vectors (fake conversions, spoofed events, replay attacks, etc.) • Privacy/compliance red flags 2. Concrete recommendations, prioritized by severity: • “Must fix before scaling spend” • “Should fix soon” • “Nice to have” 3. Optional (nice bonus): • Suggested hardening patterns • Monitoring or alerting ideas • “If I were trying to break this…” scenarios We care far more about thinking quality than a giant PDF Who You Are You likely have experience with: • Web application security or security architecture • Modern analytics stacks (GTM, GA4, Meta CAPI, Google Ads) • Server-side event pipelines or webhook systems • SaaS products handling PII and payments Strong pluses: • Experience auditing analytics or attribution systems • Familiarity with ad fraud, conversion spoofing, or data poisoning risks • Understanding of how growth teams accidentally create security holes Apply tot his job