Compliance
Trust and Compliance Built-In.
Apex aligns with globally-trusted compliance standards, protecting your business, your customers, and their data.
Certifications & Compliance
- PCI DSS – Apex maintains PCI compliance across applicable services.
- Aligned with SOC 2 Type II.
- ISO 27001 – Controls are aligned to ISO 27001; certification roadmap is in progress.
- Privacy frameworks – Apex supports compliance with GDPR/UK GDPR/CCPA-CPRA and similar regimes, with contractual DPAs and SCCs available.
Privacy & Data Governance
Apex provides the controls and contractual safeguards you need to meet common privacy laws. Because privacy compliance depends on how you configure and use any platform, Apex follows a shared-responsibility model (see “Your Responsibilities” below).
Region-Specific Frameworks We Support
EU (EEA):
- GDPR (Regulation (EU) 2016/679) — data subject rights, lawful bases, records of processing.
- SCCs for international transfers where applicable; optional EU data residency for select services.
- ePrivacy/Consent — supports consent capture and cookie banner controls via CMP integrations.
United Kingdom:
- UK GDPR and Data Protection Act 2018 — mirrors GDPR principles with UK-specific requirements.
- International Data Transfer Addendum (IDTA) / UK SCCs support for cross-border transfers.
- PECR compliance support through consent management tools.
United States:
- State privacy laws including CCPA/CPRA (California), VCDPA (Virginia), CPA (Colorado), CTDPA (Connecticut), UCPA (Utah).
- Do Not Sell/Share signals, opt-out links and limited use/sharing flags supported via configuration.
- Sectoral add-ons (e.g., HIPAA BAA) available on request where applicable to your use case.
How Apex Supports Your Compliance Program
- Consent & Preference Management: Integrates with leading CMPs; APIs to store and honor consent.
- Data Subject Requests (DSAR): locate, export, rectify or delete personal data.
- Data Processing Agreement (DPA): Standard DPA with SCCs/IDTA available; subprocessor list with change notifications.
- Data Lifecycle Controls: Configurable retention periods and deletion workflows for stale data.
- Auditability: Comprehensive logs for access and admin actions; export for compliance review.
Your Responsibilities (Shared-Responsibility Model)
- Implement & Configure: Enable consent tools, configure retention policies, and set appropriate roles/permissions.
- Review Workflows: Audit internal processes and data flows; maintain records of processing activities (RoPA).
- Manage DSARs: Provide request channels and meet statutory timelines for access, rectification and erasure.
- Governance & Training: Appoint a DPO or internal lead where required; train staff on privacy/security policies.
- Vendor Management: Review our DPA, subprocessors and status updates; perform your own risk assessments.