pex

Security & Trust

Built on AWS. Designed for trust.

Your growth data is the most sensitive thing you have. Apex runs on AWS primitives with isolated accounts, encrypted storage, and engineering guardrails that treat security as a release gate, not a review step.

Contact security@apex.inc

Four Pillars

Four pillars, every layer audited.

From the AWS account boundary down to the individual IAM grant, every layer is designed to isolate, encrypt, and audit. Every claim below maps to a specific engineering control, not a compliance logo.

Infrastructure

  • Dedicated AWS account, isolated from every other tenant
  • Dedicated staging & prod stacks via CDK
  • Every resource scoped by stage context
  • No shared secrets between environments

Data

  • DynamoDB encryption at rest
  • TLS 1.2+ for all data in transit
  • S3 buckets with server-side encryption
  • Retention policies on event streams

Access

  • AWS Cognito authentication (separate staging + prod pools)
  • Google and GitHub OAuth support
  • Least-privilege IAM for app users
  • Read-only CI IAM user isolated from app credentials

Compliance

  • Explicit data-sharing consent via Portfolio linking
  • No silent data sharing, ever
  • Audit logs on every permission change
  • SOC 2 roadmap in progress

How We Deploy

Security is a release gate, not a review step

No feature merges to main until its infrastructure exists in production. Code and infrastructure deploy together, never code first. CI enforces this with drift-detection and env-parity jobs.

Step 1

CDK diff

Every change proposes infrastructure diffs before any code ships.

Step 2

Stage validate

Stage context prevents cross-environment resource bleed.

Step 3

Deploy infra first

AWS resources are created before application code that depends on them.

Step 4

Deploy app

Application deploys to staging against real, verified infrastructure.

Step 5

Verify → merge

Staging is tested end-to-end before a single commit touches main.

The production-readiness rule

Our engineering rules mandate that CDK diff must be clean, env vars must match across branches, and infrastructure must be verified against the running system before any PR reaches main. CI blocks merges when these checks fail. That is the system working as designed.

Our Commitments

What we promise.

Plain-English commitments we hold ourselves to. No fine print, no carve-outs.

  • Your data is yours. Export anytime, delete anytime.

  • We don’t sell data or share aggregated patterns without explicit opt-in.

  • Every third-party integration uses scoped tokens that you can revoke from one settings page.

  • No silent capture: every tracked event follows from an SDK call you wrote.

  • Uptime dashboard available on request.

Sub-processors

Every third party, on the record

The services Apex uses to operate, what they handle, and where to read their policies.

ServicePurposeData handledPolicy
AWS
Primary infrastructure (us-east-1)All application data, events, logsView
Amazon SES
Transactional and marketing emailRecipient email addresses, message contentView
Stripe / Stripe Connect
Billing and partner payoutsBilling contacts, payout destinationsView
Anthropic
AI features (experiment recommendations, comm generation)Prompted experiment metadata, not raw customer recordsView
AWS Cognito
AuthenticationLogin identifiers, OAuth tokensView

See our privacy policy and data processing addendum for the full picture.

Have a security question?

Disclosures, vendor reviews, architecture questions. We read every message. Expect a response within one business day.

security@apex.inc

Trust center expanding with SOC 2 evidence throughout 2026.