Apex Radar
Security Policy

How we keep your data safe.

Effective date: May 3, 2026 · Last updated: May 3, 2026

Contents

  1. Quick summary
  2. Infrastructure
  3. Transport security
  4. HTTP security headers
  5. Data handling
  6. Access control
  7. Subprocessors
  8. Monitoring
  9. Incident response
  10. Responsible disclosure
  11. Certifications
  12. Contact

1. Quick summary

Apex Radar is built on modern, decentralized infrastructure with strong defaults. The marketing site is hosted on the Internet Computer Protocol (ICP), backend logic runs on Cloudflare Workers, and we use industry-standard service providers (Airtable, Slack, Stripe) under data processing agreements. Every page enforces TLS 1.3, HSTS, a strict Content Security Policy, and rejects framing.

Transport
TLS 1.3 + HSTS
Hosting
ICP + Cloudflare
Headers
CSP, X-Frame-Options DENY, nosniff
Data at rest
Encrypted by all subprocessors
Disclosure
Coordinated, 90-day default
Status
Pre-launch (Founder Beta May 15, 2026)

2. Infrastructure

Marketing site

The site at getapexradar.com is a static asset canister deployed on the Internet Computer Protocol. ICP is a fully on-chain, decentralized blockchain platform. There is no traditional server to compromise. Static content is served by ICP's HTTP gateway with TLS certificates automatically provisioned via Let's Encrypt (ACME).

Application backend

Lead capture, audit triggering, and webhooks are handled by a Cloudflare Worker at the edge. Workers run in V8 isolates with strict memory and CPU limits and zero persistent local state.

Data storage

Lead and audit data is stored in Airtable with role-based access controls and SOC 2 Type II compliance. Encrypted at rest by Airtable.

3. Transport security

  • TLS 1.3 is enforced on all connections. TLS 1.0 and 1.1 are disabled.
  • HSTS with max-age=31536000; includeSubDomains on every response.
  • HTTPS-only: HTTP requests redirect to HTTPS. Mixed content is blocked.
  • Modern cipher suites only — RSA key exchange, RC4, and 3DES are disabled.
  • Forward secrecy via ECDHE key exchange.

4. HTTP security headers

Every page response includes the following defenses against common web attacks:

HeaderValueProtects against
Strict-Transport-Securitymax-age=31536000; includeSubDomainsHTTPS downgrade / SSL stripping
Content-Security-PolicyStrict allow-list (self + named CDNs only)XSS, data exfiltration, clickjacking
X-Frame-OptionsDENYClickjacking
X-Content-Type-OptionsnosniffMIME sniffing attacks
Referrer-Policysame-originReferrer leakage
Permissions-PolicyCamera, microphone, geolocation, payment all deniedUnauthorized device access
X-XSS-Protection1; mode=blockReflected XSS (legacy browsers)

You can verify these headers yourself by visiting securityheaders.com.

5. Data handling

In transit

All data — between you and our edge, between our Worker and our subprocessors, and between our subprocessors themselves — is encrypted in transit using TLS 1.3.

At rest

All persistent data is encrypted at rest by our subprocessors using AES-256 (or equivalent):

  • Airtable: AES-256 disk encryption, SOC 2 Type II certified.
  • Cloudflare R2 / KV (if used): AES-256.
  • Stripe (when checkout launches): PCI DSS Level 1.

Secrets management

API tokens, webhook secrets, and credentials are stored as encrypted environment variables in Cloudflare Workers. They are never committed to source control. The marketing site contains zero secrets in client-side code.

6. Access control

  • Principle of least privilege. Internal team members receive the minimum access required to do their job.
  • Multi-factor authentication required on every account that can access customer data (Cloudflare, Airtable, Slack, Stripe, ICP identities, GitHub).
  • Role-based access in Airtable and Slack.
  • Hardware-backed key storage for ICP canister deployment identities.
  • Audit logging on Cloudflare and Airtable.

7. Subprocessors

We use the following service providers ("subprocessors") to operate Apex Radar. Each is bound by a data processing agreement and has its own published security program:

SubprocessorPurposeCompliance
CloudflareEdge Worker, DNS, lead captureSOC 2 Type II, ISO 27001, GDPR, CCPA
AirtableLead and audit record storageSOC 2 Type II, GDPR, HIPAA available
SlackInternal team notificationsSOC 2 Type II, ISO 27001, FedRAMP, GDPR
StripePayment processing (when checkout launches)PCI DSS Level 1, SOC 1, SOC 2, ISO 27001, GDPR
DFINITY / ICPStatic asset hosting (decentralized)Open-source blockchain protocol

8. Monitoring

  • Uptime monitoring on all customer-facing endpoints.
  • Anomaly detection on lead capture for abuse / scraping signatures.
  • Cloudflare WAF with managed rules for OWASP Top 10 protection.
  • Rate limiting on form submissions and API endpoints.
  • Bot detection via Cloudflare Bot Fight Mode.

9. Incident response

If we detect or are notified of a security incident affecting customer data:

  1. Contain the issue (rotate credentials, block traffic, take affected service offline if necessary).
  2. Investigate the scope and root cause.
  3. Notify affected users within 72 hours of confirmation, in line with GDPR Article 33 and Quebec Law 25 requirements.
  4. Notify regulators as required.
  5. Remediate and publish a postmortem for systemic issues.

Our incident-response contact: hello@apexarchitects.xyz (monitored 24/7 for severity-1 reports).

10. Responsible disclosure

Bug bounty

Found a vulnerability? We want to know.

We welcome responsible disclosure of security vulnerabilities. Please report to hello@apexarchitects.xyz.

What we ask

  • Give us reasonable time to fix the issue before public disclosure (default: 90 days).
  • Don't access, modify, or delete data that doesn't belong to you. Use your own test account.
  • Don't degrade the service for other users (no DoS, no spam, no automated scanners that flood the API).
  • Don't social engineer our team or contractors.
  • Stay within scope: getapexradar.com and *.getapexradar.com are in scope. Subprocessor infrastructure (Cloudflare, Airtable, Slack, Stripe) is out of scope — report those directly to the vendor.

What we'll do

  • Acknowledge your report within 48 hours.
  • Triage and respond with severity classification within 5 business days.
  • Fix and notify you when remediation is deployed.
  • Credit you (with your permission) on a hall of fame once we publish one.
  • Won't pursue legal action against researchers acting in good faith and within these guidelines.

Out of scope

  • Reports from automated scanners without proof of impact (Acunetix, Nessus, etc.)
  • Missing security headers without demonstrable impact
  • Self-XSS that requires the user to paste payloads into devtools
  • Issues in third-party integrations (report to that vendor directly)
  • Rate limit issues that don't cross into DoS
  • Best-practice suggestions without an exploit

Machine-readable disclosure policy

Per RFC 9116, our security contact is published at /.well-known/security.txt.

11. Certifications

Apex Radar is in pre-launch (Founder Beta opens May 15, 2026). We do not yet hold our own SOC 2 / ISO 27001 / HIPAA certifications. We rely on the certifications of our subprocessors (Cloudflare, Airtable, Slack, Stripe — all SOC 2 Type II or stronger).

Our roadmap includes pursuing SOC 2 Type I once the product matures. If you have specific compliance requirements (HIPAA, FedRAMP, ISO 27001), contact hello@apexarchitects.xyz to discuss what we can support.

12. Contact

For privacy practices and your rights as a data subject, see our Privacy Policy.