Affiliate marketers live and die by their data. Conversion details, credit card numbers, contact information — it all flows through the performance ecosystem, every second of every day.  

At TUNE, we respect the responsibility that comes with this data. We also recognize how important it is to our customers to ensure it is accurate, secure, and confidential.  

We are therefore pleased to announce TUNE has completed another successful audit of our system and organization controls, assuring the availability, processing integrity, security, confidentiality, and privacy of customer data. This latest audit marks the fifth consecutive year TUNE has earned SOC 2 Type II certification, and the third consecutive year TUNE has earned SOC 1 Type II certification. 

SOC 2 Type II Certification Defined 

SOC stands for System and Organization Controls, a suite of services provided as part of the American Institute of CPAs’ (AICPA) reporting platform. 

In layman’s terms, SOC 2 audits examine and evaluate the operational controls of a business. They require a company to document and comply with comprehensive information security policies and procedures, among other responsibilities. The resulting report gives interested parties the information and insight needed to make a decision about working with that business.  

From the AICPA website: 

“SOC 2 reports are intended to meet the needs of a broad range of users that need detailed information and assurance about the controls at a service organization relevant to security, availability, and processing integrity of the systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.” 

—AICPA

SOC 1 Type II Certification Defined 

SOC 1 audits focus on user entities, testing their relevant internal controls over financial reporting system design and operating effectiveness. We see the feedback loop from periodic third-party reviews such as these, especially when they address both the TUNE platform and TUNE Pay, our payments system, as the best way to enhance our current product and operations. 

To earn a Type II report, a company must undergo testing over an extended period of time. (Type I reports test only a single moment in time.) TUNE’s usual audit period for SOC 2 and SOC 1 covers 12 months, demonstrating our ongoing effort to uphold the Trust Services Principles. 

Starting with our first audit, we have always voluntarily pursued the more demanding and comprehensive Type II report, rather than the Type I report. Type II reports for both audits signal that our customers can expect high standards across TUNE’s operational, data security, and privacy practices, as well as stringent change management controls throughout our software development life cycle.

Our Commitment to Quality 

Using an independent third-party to audit these controls is an investment companies do not take lightly. A SOC audit is, by its nature, an invasive, arduous process designed to compel a company on a variety of levels, requiring active employee engagement and diligence across a broad swath of the organization. It’s a process we are proud to undertake. 

As with our prior SOC audits, TUNE’s auditors determined that our controls were effectively designed and followed throughout the audit period. We intend to sustain our investments in customer-centric compliance in the years to come.

Relevant portions of both reports are available upon request to security@tune.com for TUNE customers as well as prospects under a current non-disclosure agreement. 

Today, I’m excited to announce an expansion to TUNE’s Performance Automation capabilities that gives TUNE customers even more power in the fight against fraud. Performance Automation protects against suspicious and fraudulent activity based on rules for Profit Margin and Conversion Rate thresholds. This launch expands these capabilities to include criteria based on our Time-to-Action metric, a powerful tool for identifying and blocking ad fraud.

TUNE Performance Automation Rules

TUNE’s Performance Automation suite is custom-built to help you save time, increase profit margins, and phase out traffic with undesirable conversion rates or fraudulent characteristics. Once you define rules for optimization, you can automate tasks like alerting partners, notifying their managers, or blocking them based on the quality of their traffic.

In addition to Conversion Rate Automation and Profit Margin Automation, this expansion means customers can now take advantage of new Time-to-Action rule criteria.

Conversion Rate Automation

These rules allow customers to optimize conversion rates that are either too high or too low. High conversion rate rules help protect marketers from paying out for a high volume of fraudulent conversions. Low conversion rate rules minimize cost by automatically acting against low quality traffic.

Profit Margin Automation

Profit Margin rules allow customers to optimize return on investment by automatically keeping tabs on their offers’ profit margins, ensuring that their partners are only running against profitable offers.

New! Time-to-Action Automation

This release introduces a third rule type to our Performance Automation suite, allowing customers to automate tasks based on the time it takes for traffic to convert. Whether the action is installing an app or making a purchase, Time-to-Action rules allow you to protect against undesirable or fraudulent behavior from partners or their traffic sources, such as click injection or click spamming.

How Time-to-Action Identifies Fraud

Time-to-action, also called time-to-install, is defined as the time between the start of the session (usually an ad click or an impression) and the “conversion” event or desired “action” taken by the user.

A variety of click fraud techniques can be clearly identified with time-to-action analysis. These include click injection, click stuffing/spamming, click stacking, and more.

Click Injection 

If a significant percentage of conversion events are recorded immediately after the start of the session, it may indicate the traffic source is doing something nefarious behind the scenes and directly before the conversion event to take credit for the conversion (click injection).

Click-injection shows as a clear and distinct pattern indicating fraud through a left-shifted conversion curve.

Click Stuffing/Spamming, Click Stacking

Additionally, if a significant percentage of conversion events happen outside the expected conversion window, or appear to happen randomly over time, it may indicate a traffic source is spamming click events into the session to try and capture a piece of the payout. Often, this can be seen as a random distribution of conversions long after the start of the session, because the bad actor can spoof the initial click, but some conversions are still happening organically much later in the session.

Click stuffing and click spamming show as a clear and distinct pattern indicating fraud through a flat line.

To learn more about these tools, head over to our support site articles on Using Performance Automation and Using the Time-to-Action Report.

Helpful note: You can also use TUNE’s Conversion Report to see the “Time-to-Action” for individual conversion events. Just select the “Time-to-Action” field in the Options panel and run the report. This will enable you to sort your conversion events by the Time-to-Action metric and see events with either suspiciously short or long conversion cycles.

Fight Fraud with TUNE

I’m excited to add these new capabilities to TUNE’s native suite of fraud-fighting features, including our exclusive Proactive Fraud Prevention service that we provide free of charge to all TUNE customers. We remain committed to continue finding new ways for you to protect your brand and business from bad actors.

If you use Performance Automation and would like to enable the new Time-to-Action criteria, please reach out to your dedicated customer success manager.

To learn more about our platform, features, or the benefits of becoming a TUNE customer, contact sales@tune.com.