Compliance

Trust and Compliance Built-In.

Apex aligns with globally-trusted compliance standards, protecting your business, your customers, and their data.

Certifications & Compliance

  • PCI DSS – Apex maintains PCI compliance across applicable services.
  • SOC 2 Type II – Controls are aligned with SOC 2 Type II.
  • ISO 27001 – Controls are aligned to ISO 27001; certification roadmap is in progress.
  • Privacy frameworks – Apex supports compliance with GDPR/UK GDPR/CCPA-CPRA and similar regimes, with contractual DPAs and SCCs available.

Privacy & Data Governance

Apex provides the controls and contractual safeguards you need to meet common privacy laws. Because privacy compliance depends on how you configure and use any platform, Apex follows a shared-responsibility model (see “Your Responsibilities” below).

Region-Specific Frameworks We Support

EU (EEA):

  • GDPR (Regulation (EU) 2016/679) — data subject rights, lawful bases, records of processing.
  • SCCs for international transfers where applicable; optional EU data residency for select services.
  • ePrivacy/Consent — supports consent capture and cookie banner controls via CMP integrations.

United Kingdom:

  • UK GDPR and Data Protection Act 2018 — mirrors GDPR principles with UK-specific requirements.
  • International Data Transfer Addendum (IDTA) / UK SCCs support for cross-border transfers.
  • PECR compliance support through consent management tools.

United States:

  • State privacy laws including CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah).
  • Do Not Sell/Share signals, opt-out links and limited use/sharing flags supported via configuration.
  • Sectoral add-ons (e.g., HIPAA BAA) available on request where applicable to your use case.
Privacy Controls Apex Provides:

  • Consent & Preference Management: integrates with leading CMPs; APIs to store and honor consent.
  • Data Subject Requests (DSAR): locate, export, rectify or delete personal data.
  • Data Processing Agreement (DPA): standard DPA with SCCs/IDTA available; subprocessor list with change notifications.
  • Data Lifecycle Controls: configurable retention periods and deletion workflows for stale data.
  • Auditability: comprehensive logs for access and admin actions; export for compliance review.

Your Responsibilities:

  • Implement & Configure: enable consent tools, configure retention policies, and set appropriate roles/permissions.
  • Review Workflows: audit internal processes and data flows; maintain records of processing activities (RoPA).
  • Manage DSARs: provide request channels and meet statutory timelines for access, rectification and erasure.
  • Governance & Training: appoint a DPO or internal lead where required; train staff on privacy/security policies.
  • Vendor Management: review our DPA, subprocessors and status updates; perform your own risk assessments.