Let internal teams act on marketing — with guardrails .
The same approval infrastructure agencies trust, applied to your own teams and business units. Per-seat billing, role-based access, and governed writes across every channel. Run it in our cloud, or self-host it entirely inside your own environment — same governance model, your choice of where it lives.
Same governance. You choose where it runs.
Every control on this page — approval-before-execute, role-based access, the full audit trail — works identically whether AdUp runs in our cloud or entirely inside yours. The governance never changes. The deployment is yours to decide.
AdUp Managed
We run it. You stay in control.
We stand up the whole system — connectors, approval rules, reporting — and keep it tuned. Your team gets governed AI on every channel without operating any infrastructure. Billed per active seat.
Best for: Teams that want governed AI live in days, without standing up infrastructure.
AdUp Self-Hosted
Enterprise engagementYou run it. Your data never leaves.
Deploy AdUp as containers inside your own cloud or data center. Your platform credentials, your database, your identity provider — none of it touches our infrastructure. We ship the software and the updates; you own the environment end to end.
Best for: Organizations with data-residency, procurement or security requirements that mandate everything stays inside their own boundary.
| Compare | AdUp Managed | AdUp Self-Hosted |
|---|---|---|
| Who operates it | We run and tune it for you | You run it in your environment |
| Where it runs | AdUp cloud | Your cloud or data center (BYOC) |
| Your data & platform traffic | Flows through our managed service | Never leaves your environment |
| Platform credentials (OAuth) | Managed for you | Your own apps; tokens stay in your vault |
| Database & state (approvals, audit) | Hosted by AdUp | A database you own and operate |
| Delivered as | A managed service | Container images + compose |
| Updates & maintenance | Handled by us, continuously | We publish releases; you choose when to upgrade |
| Identity & login | Managed accounts; SSO on request | Your IdP — Entra ID, Okta, Google (SSO in rollout) |
| Governance model | Identical — approval-before-execute, RBAC, full audit | Identical — approval-before-execute, RBAC, full audit |
| Partner access | Scoped governed seats | Scoped governed seats |
| Connectivity | Internet-connected | Internet-connected, or fully air-gapped |
| Time to live | Days | An enterprise deployment engagement |
| Billing | Per active seat | Annual license + support |
| Best for | Fast governed rollout, no infra to run | Data-residency, procurement or security mandates to keep everything in-house |
AI velocity with the controls your org requires.
Business units, one standard
Give every brand team and regional unit the same governed access to AI. Scope each seat to the platforms and accounts it should touch — nothing more.
Governance procurement will sign off on
No AI write reaches a live account without clearing your rules. Approval-before-execute, per-tool limits, and a complete audit trail are the default, not an add-on.
Seats, not surprises
Billed per active seat. Add a marketer, add a seat; offboard them, it drops. Predictable cost as teams grow, with the same infrastructure throughout.
Control what AI can reach
Point AdUp at any MCP server — official or internal. Classify every tool, then decide which writes are allowed, which need approval, and which are off-limits.
Decide exactly what AI is allowed to touch.
Connect any MCP server from the vetted catalog or by URL. AdUp introspects its tools and classifies each one as read or write automatically.
Then set policy per write tool: allow, require approval, or block. A real control panel over what AI can do inside your stack.
Connect official MCP servers or your own internal ones. In a self-hosted deployment, an internal MCP server can stay entirely within your network — AdUp governs it without the data ever leaving your environment.
Control Center
meta-ads-mcp · 5 tools introspected
get_campaignsget_insightsupdate_campaign_budgetpause_ad_setcreate_campaignThe same role model, mapped to your org.
Owners see everything. Team leads run their units. Managers approve to a limit, analysts propose, and read-only stakeholders observe.
| Role | Sees | Propose writes | Approve writes | Manage team |
|---|---|---|---|---|
| Owner | Everything | All changes | ||
| Team lead | Their group | Within group | ||
| Manager | Assigned clients | Up to a threshold | ||
| Analyst | Assigned clients | No — always pending | ||
| Read-only | Assigned clients | No |
Owner
- Sees
- Everything
- Propose
- Approve
- All changes
- Manage team
Team lead
- Sees
- Their group
- Propose
- Approve
- Within group
- Manage team
Manager
- Sees
- Assigned clients
- Propose
- Approve
- Up to a threshold
- Manage team
Analyst
- Sees
- Assigned clients
- Propose
- Approve
- No — always pending
- Manage team
Read-only
- Sees
- Assigned clients
- Propose
- Approve
- No
- Manage team
Let partners act on your marketing — without handing over the keys.
Agencies, freelancers and external specialists can work inside your accounts the same way your own teams do: scoped to exactly the platforms and clients they're assigned, able to propose, never able to push an unapproved write to a live account. They get a seat, not your credentials.
Scoped to the work, nothing more.
An external partner sees only the accounts and tools they're assigned. The credentials and the broader stack stay invisible — and stay yours.
Propose, don't push.
Partner writes route through the same approval pipeline as everyone else. Your team — or your KPI rules — clears every change before it touches a live account.
Every action, attributed.
The audit log records which partner proposed what, and who approved it. When a client asks “who changed this,” the answer is already there — internal or external.
One view of spend and performance across the org.
Every team works in their AI assistant of choice with the same AdUp skills — dashboards, pacing, anomaly alerts and reports — while leadership gets per-team and per-user stats.
When someone asks “who changed this campaign,” the audit log already has the answer.
Cross-platform overview · last 7 days
Blended ROAS
3.4×
+0.4
Spend (7d)
€48.2k
+6%
Revenue (7d)
€164k
+12%
CPA
€21.40
-8%
Revenue by channel
GA4-attributed
Built so your data stays yours.
For a self-hosted deployment, this is the part procurement reads. Present what's live, plan for the rest — here's how the architecture holds up.
Designed to run without phoning home. A self-hosted deployment runs without calling back to AdUp. With egress restricted to the ad platforms you approve, nothing leaves your environment.
Bring your own credentials. You connect your own Meta, Google and analytics apps. The OAuth tokens live in your vault and never reach us.
Your database, your state. Approvals, audit logs and configuration sit in a database you own and operate.
The write-block runs locally. The control that stops an AI from changing a live account runs inside your deployment — not as a remote service.
Your identity provider. AdUp maps roles and groups from your IdP — Entra ID, Okta, Google — to its access model, validating the tokens you issue rather than holding a separate user directory. SSO is in rollout.
Per-employee rights through the agent layer. When your AI assistant — Claude, Gemini or Copilot — connects through a delegated sign-in, each request carries the individual user's identity, so access and the audit trail are per person, not per service account.
A human in the loop where it matters. Where an agent layer can't carry an individual identity, risky actions still route to the approval queue, where an authenticated person signs off.
From fully managed in our cloud, to self-hosted in your own cloud (bring-your-own-cloud), to fully air-gapped. The same containers; you set how isolated it runs.
Built to support your SOC 2 and ISO requirements — security documentation available on request.
Roll out AI to your teams without losing control.
Talk to us about seats, business units, partner access, SSO, self-hosting and procurement.