Trust Center

Our commitments to security, privacy, and compliance — everything enterprise buyers need to evaluate ApexMCP.

Security Overview

Encryption at rest

All credentials encrypted with AES-256 via HashiCorp Vault. Database volumes encrypted at rest.

Encryption in transit

TLS 1.3 enforced on all public endpoints. No plaintext connections accepted.

SOC 2 Type I

Audit planned to start Q4 2026. Report will be available to enterprise customers under NDA once complete.

Penetration test

Third-party pen test planned for Q3 2026. Summary report shared with enterprise customers on request.

Certifications Roadmap

Certification	Status
SOC 2 Type I	Planned Q4 2026
SOC 2 Type II	Planned Q2 2027
Penetration Test	Planned Q3 2026

Sub-Processors

We use the following sub-processors to deliver the Service. All sub-processors are bound by data processing agreements and process data only as instructed.

Sub-Processor	Purpose	Location
Hetzner Online GmbH	Application hosting (compute, Vault, Zitadel)	Finland (EU)
Neon Inc.	Managed PostgreSQL database	AWS eu-central-1, Frankfurt (EU)
Upstash Inc.	Managed Redis (cache, rate-limit, sessions)	AWS eu-central-1, Frankfurt (EU)
Cloudflare, Inc.	DNS / CDN / WAF / inbound email routing	Global edge with EU presence
Stripe Payments Europe Ltd	Payment processing	Ireland (EU)
Sendinblue SA (Brevo)	Transactional email delivery	France (EU)

Data Handling

Data residency: EU and US regions available. EU-only storage available on Growth and Scale plans.
Audit log retention: 90 days on standard plans; extended retention available on request.
GDPR compliance: We act as data processor for connector data and data controller for account data. DPA available on request at privacy@apexmcp.ai.
Right to erasure: Account deletion purges all personal data within 30 days. Initiate from account settings or email privacy@apexmcp.ai.

Contact

For security inquiries, vulnerability reports, or compliance documentation requests (SOC 2 report, DPA, pen test summary), contact security@apexmcp.ai.