Security

• ✓All data in transit is encrypted using TLS 1.2 or higher
• ✓Sensitive fields (TOTP secrets) are encrypted at rest using AES-256 via Fernet
• ✓Passwords are hashed using bcrypt — never stored in plain text
• ✓Stripe handles all payment card encryption under their PCI DSS Level 1 certification

• ✓Role-based access control (RBAC) enforces least-privilege across all features
• ✓Multi-factor authentication (TOTP) is available and encouraged for all accounts
• ✓Platform administrator access is separate from shop accounts and fully audited
• ✓Employee permission overrides are logged in the audit trail
• ✓User impersonation by platform staff is short-lived, requires justification, and is fully logged

• ✓All significant actions generate an immutable audit log entry
• ✓Security-relevant events (login, logout, password reset, 2FA changes, permission changes) are logged separately
• ✓Audit logs include actor identity, IP address, and user-agent where available
• ✓Sensitive field values (passwords, tokens, secrets) are never written to logs
• ✓Logs are retained for 2 years for security events

• ✓The application runs in isolated Docker containers
• ✓Database and application are isolated in separate containers with controlled network access
• ✓File storage uses Cloudflare R2 with private access controls
• ✓Automated database backups run on a daily schedule
• ✓Backup restoration is tested to verify data integrity

• ✓We maintain a list of all subprocessors at apexpitcore.com/legal/subprocessors
• ✓Subprocessors are evaluated for security posture before onboarding
• ✓Webhook signatures from Stripe and Twilio are validated before processing
• ✓Third-party integrations (QuickBooks, etc.) use OAuth — we never store third-party credentials in plain text

• ✓Dependencies are monitored for known vulnerabilities using automated scanning
• ✓Security patches are applied on a priority basis based on severity
• ✓We welcome responsible disclosure of security vulnerabilities

• ✓We maintain a written incident response plan covering detection, containment, notification, and recovery
• ✓In the event of a data breach affecting personal information, we notify affected shop accounts as required by applicable law
• ✓California breach notification is provided within 72 hours of discovery where required under California Civil Code § 1798.82

If you discover a security vulnerability in ApexPitCore, please report it to [email protected]. We ask that you give us reasonable time — typically 90 days — to investigate and address the issue before public disclosure. We do not pursue legal action against researchers who report vulnerabilities in good faith and comply with this policy.

If you need to complete a vendor security questionnaire or review our controls in more detail, contact [email protected]. We can provide additional documentation under NDA for enterprise customers.