Security

Last updated: May 9, 2026

Security Contact: security@[yourdomain].com

Protecting the data that shops and their customers trust us with is a core responsibility, not an afterthought. This page summarizes the security controls we have in place. It is not an exhaustive technical specification; it is intended to give shop owners and their customers a clear, honest picture of how we protect that data.

Encryption

  • All data in transit is encrypted using TLS 1.2 or higher.
  • Sensitive fields (TOTP secrets) are encrypted at rest using AES-256 via Fernet.
  • Passwords are hashed using bcrypt — never stored in plain text.
  • Stripe handles all payment card encryption under their PCI DSS Level 1 certification.

Access Control

  • Role-based access control (RBAC) enforces least privilege across all features.
  • Multi-factor authentication (TOTP) is available and encouraged for all accounts.
  • Platform administrator access is separate from shop accounts and fully audited.
  • Employee permission overrides are logged in the audit trail.
  • User impersonation by platform staff is short-lived, requires justification, and is fully logged.

Audit Logging

  • All significant actions generate an immutable audit log entry.
  • Security-relevant events (login, logout, password reset, 2FA changes, permission changes) are logged separately in the security event log.
  • Audit logs include actor identity, IP address, and user-agent where available.
  • Sensitive field values (passwords, tokens, secrets) are never written to logs.
  • Security event logs are retained for 2 years.

Infrastructure

  • The application runs in isolated Docker containers.
  • Database and application are isolated in separate containers with controlled network access.
  • Automated database backups run on a configurable schedule.
  • Backup restoration is tested to verify data integrity.

Vendor Management

  • We maintain a list of all subprocessors at /legal/subprocessors.
  • Subprocessors are evaluated for security posture before onboarding.
  • Webhook signatures from Stripe and Twilio are validated before processing.
  • Third-party integrations (QuickBooks, etc.) use OAuth — we never store third-party credentials in plain text.

Vulnerability Management

  • Dependencies are monitored for known vulnerabilities using automated scanning.
  • Security patches are prioritized and applied according to severity.
  • We welcome responsible disclosure of security vulnerabilities.

Incident Response

  • We maintain a written incident response plan covering detection, containment, notification, and recovery.
  • In the event of a data breach affecting personal information, we notify affected shop accounts as required by applicable law.
  • California breach notification is provided within 72 hours of discovery where required.

Responsible Disclosure

If you discover a security vulnerability in ApexPitCore, please report it to security@[yourdomain].com. We ask that you give us reasonable time to investigate and address the issue before public disclosure. We do not pursue legal action against researchers who report vulnerabilities in good faith.

Security Questionnaires

If you need to complete a vendor security questionnaire or review our controls in more detail, contact security@[yourdomain].com. We can provide additional documentation under NDA.