Trust & Security
Trust at Apselog
What we collect, where it goes, how it's protected — and the documents you need for your security review.
Security posture
- Encryption in transit: TLS 1.3 enforced. HSTS preloaded on apselog.dev. Modern cipher suites only.
- Encryption at rest: AES-256 via Neon. Card numbers never touch our infrastructure — handled directly by Stripe Checkout.
- Secrets management: Production secrets stored in Vercel environment variables, never in Git. CRON_SECRET rotates on demand.
- API key handling: Customer API keys (apse_live_*) are SHA-256 hashed before storage. The raw key is shown exactly once at creation — we cannot recover or display it again.
- Authentication: OAuth-only via Google. We never store passwords.
- Audit trail: Alert deliveries and incident summaries are logged with timestamps for post-incident review.
- Vulnerability reports: Email [email protected]. We respond within 72 hours.
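The API-key handling described above (hash before storage, raw key returned once, no way to recover it afterwards) can be shown end to end in a few lines. The following is an added example and is not Apselog's own code; it assumes an in-memory dictionary standing in for the database table, `secrets.token_urlsafe(32)` as the key generator, and the `apse_live_` prefix the page gives.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Prefix the page gives for customer keys.
KEY_PREFIX = "apse_live_"

# Constructed stand-in for the database column that holds key material.
# It maps a hex SHA-256 digest to the owning account id; the raw key is never
# written here (assumption: a real deployment uses a table of the same shape).
KEY_STORE: Dict[str, str] = {}


def hash_key(raw_key: str) -> str:
    """SHA-256 hex digest of the raw key; this is the only form persisted."""
    return hashlib.sha256(raw_key.encode("utf-8")).hexdigest()


def issue_key(account_id: str) -> str:
    """Mint a new key, persist only its digest, and return the raw key once.

    After this returns, nothing in the store can be turned back into the raw
    key, which is what "shown exactly once at creation" relies on.
    """
    # 32 random bytes from the OS CSPRNG, URL-safe encoded (assumed length).
    raw_key = KEY_PREFIX + secrets.token_urlsafe(32)
    KEY_STORE[hash_key(raw_key)] = account_id
    return raw_key


def authenticate(presented_key: str) -> Optional[str]:
    """Resolve a key presented on an API request to its account id, or None.

    The incoming key is hashed and looked up by digest. A plain dictionary
    lookup is acceptable here: a caller who does not hold the key cannot
    choose a matching digest, so the lookup is not an oracle for guessing it.
    """
    if not presented_key.startswith(KEY_PREFIX):
        return None
    return KEY_STORE.get(hash_key(presented_key))


def revoke_key(raw_key: str) -> bool:
    """Delete a key by re-hashing the raw value the customer presents.

    Returns True if a stored digest was removed, False if nothing matched.
    """
    return KEY_STORE.pop(hash_key(raw_key), None) is not None


if __name__ == "__main__":
    key = issue_key("acct_demo")
    print("show once:", key)
    print("stored (digests only):", list(KEY_STORE))
    print("auth with real key:", authenticate(key))
    print("auth with tampered key:", authenticate(key + "x"))
    print("revoked:", revoke_key(key), "auth after revoke:", authenticate(key))
```

The point a reviewer checks is that a dump of `KEY_STORE` contains 64-character digests and account ids only; the raw `apse_live_*` string exists solely in the response that returned it to the customer.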
Sub-processors
Every third party that touches customer data. Each has a DPA you can review.
| Sub-processor | Purpose | Region | DPA |
|---|---|---|---|
| Neon | Primary database (Postgres) | AWS us-east-2 | neon.tech/dpa |
| Vercel | App hosting + AI Gateway | Global (Fluid Compute) | vercel.com/legal/dpa |
| Stripe | Subscription billing | US | stripe.com/legal/dpa |
| Resend | Transactional email | US (AWS) | resend.com/legal/dpa |
| Anthropic | AI incident summaries (via Vercel AI Gateway, zero-retention) | US | Vercel Gateway terms apply |
| OpenAI | Optional eval-drift judging (via Gateway, zero-retention) | US | Vercel Gateway terms apply |
| Google | OAuth sign-in identity | US / Global | Google standard terms |
| Cloudflare | DNS + registrar | Global | cloudflare.com/cloudflare-customer-dpa |
Data handling
- What we collect: Account identity (from OAuth), subscription metadata (from Stripe), customer-uploaded golden eval sets, token-usage events you POST to our ingest API, and probe/incident data we generate on your behalf.
- What we DON'T collect: Card numbers, passwords, the contents of your end users' requests to your AI app, or anything you don't explicitly send us.
- Retention: Probe results are kept 90 days hot and aggregated indefinitely; token usage events 90 days; eval runs 1 year; account data until you delete it, plus 30 days of backups; billing records 7 years (US tax law).
- Customer rights: Email [email protected] for access, deletion, portability, or correction requests. We respond within 30 days per GDPR Article 12.
- Cross-border transfers: US-hosted infrastructure. EU data transferred under Standard Contractual Clauses with each sub-processor.
Compliance posture
GDPR
Compliant. Lawful basis: contract + legitimate interest. DSAR workflow via [email protected].
CCPA
Compliant. California residents: right to know, delete, opt out. We don't sell personal information.
SOC 2
Planned. Not yet pursued; we will pursue it when enterprise customers require it.
HIPAA / PCI
Not applicable. Not a HIPAA-compliant or PCI-compliant service. Don't send PHI or card data through our ingest API.
Operational reliability
- Status page: Apselog's own platform status is published at apselog.com/status/apselog, monitored by the same probes our customers use.
- Provider monitoring cadence: Every 2 minutes per provider (Vercel Cron). Detection window: 2–5 minutes.
- Incident notification: Public status page updates within 5 minutes of detection. Subscribed customers get email/Slack within the alert dedup window (30 min).
- Backup strategy: Neon's automated continuous backups + point-in-time recovery to any second in the last 7 days (Pro tier when enabled).
- SLA: No SLA on free tier. Pro and Team customers have a commercially reasonable-effort SLA documented in their subscription terms.
Documents
- Terms of Service →
- Privacy Policy →
- Cookie Policy →
- Acceptable Use Policy →
- Data Processing Agreement (DPA) — available on request to [email protected] for Pro and Team customers. Sub-processor change notifications: opt-in via [email protected].