Security Policy

Last Updated: December 1, 2024

At Apilium Corp OU, security is foundational to everything we build. As developers ourselves, we understand the critical importance of protecting your code and data. This Security Policy outlines our comprehensive approach to securing Apilium Forge IDE and all related services.

1. Our Security Commitment

We are committed to:

  • Protecting the confidentiality, integrity, and availability of your code and data
  • Never using your code to train AI models without explicit consent
  • Implementing industry-leading security controls and best practices
  • Providing transparency about our security practices through this policy
  • Continuously monitoring, testing, and improving our security posture
  • Responding promptly and transparently to security incidents

Certifications and Assessments

We maintain the following security certifications and undergo regular assessments:

  • SOC 2 Type II certification (in progress)
  • Annual third-party penetration testing
  • Continuous vulnerability scanning
  • Regular security audits by independent firms

Detailed security reports are available at apilium.com/security.

2. Infrastructure Security

Code Data Flow

When you use Apilium Forge IDE, your code flows through our secure infrastructure:

  • Your code is encrypted in transit using TLS 1.3
  • Requests are processed through our backend servers hosted on AWS
  • AI processing is performed by our model providers with zero-retention agreements
  • With Privacy Mode enabled, no plaintext code is stored after request completion

Infrastructure Partners

Primary Infrastructure

  • AWS (Amazon Web Services) - Primary cloud infrastructure (US and EU regions)
  • Cloudflare - DDoS protection, WAF, and CDN services
  • Google Cloud Platform - Secondary/backup infrastructure

AI Model Providers

We partner with leading AI providers, all with zero data retention agreements for Privacy Mode users:

  • Anthropic (Claude models)
  • OpenAI (GPT models)
  • Custom fine-tuned models on secure infrastructure

3. Technical Security Measures

Encryption

Data in Transit: All data transmitted between Apilium Forge and our servers is encrypted using TLS 1.3 with strong cipher suites.

Data at Rest: All stored data is encrypted using AES-256-GCM encryption.

Encryption keys are managed using AWS KMS with automatic rotation every 90 days.

For Enterprise customers, we offer end-to-end encryption where only you hold the decryption keys.

Access Controls

  • Multi-factor authentication (MFA) required for all employee accounts
  • Hardware security keys (FIDO2/WebAuthn) for privileged access
  • Role-based access control (RBAC) with principle of least privilege
  • Just-in-time access provisioning for production systems
  • Quarterly access reviews and immediate deprovisioning for departures
  • IP allowlisting and VPN requirements for administrative access

Network Security

  • Web Application Firewall (WAF) with custom rulesets
  • Enterprise-grade DDoS mitigation (Cloudflare Magic Transit)
  • Network segmentation with private subnets for sensitive services
  • Intrusion Detection/Prevention Systems (IDS/IPS)
  • Continuous network traffic monitoring and anomaly detection
  • Regular external and internal penetration testing

Application Security

  • Secure Software Development Lifecycle (SSDLC) with security gates
  • Mandatory code reviews with security-focused checklist
  • Static Application Security Testing (SAST) in CI/CD pipeline
  • Dynamic Application Security Testing (DAST) for deployed applications
  • Software Composition Analysis (SCA) for dependency vulnerabilities
  • Regular security training for all developers
  • Protection against OWASP Top 10 and SANS Top 25 vulnerabilities

Client (IDE) Security

Apilium Forge IDE is built with security in mind:

  • Code-signed binaries for all platforms (Windows, macOS, Linux)
  • Automatic security updates with rollback capability
  • Sandboxed extension execution environment
  • Local encryption of cached data and credentials
  • Configurable network access with allowlist domains
  • Support for .apiliumignore to exclude sensitive files from AI processing

4. Organizational Security

Employee Security Training

All Apilium employees undergo comprehensive security training:

  • Security awareness training during onboarding
  • Quarterly security training updates and assessments
  • Monthly phishing simulation exercises
  • Role-specific security training for engineers
  • Annual incident response tabletop exercises

Security Policies

We maintain and enforce comprehensive security policies:

  • Information Security Policy and Standards
  • Acceptable Use and Access Control Policies
  • Incident Response and Communication Plan
  • Business Continuity and Disaster Recovery Plan
  • Vendor Security Assessment Requirements
  • Data Classification and Handling Guidelines
  • Change Management and Release Procedures

Employee Vetting

All employees with access to customer data undergo background checks appropriate to their role and jurisdiction, and sign confidentiality agreements.

5. Privacy Mode Security Guarantees

When Privacy Mode is enabled in Apilium Forge (enabled by default), we provide the following security guarantees:

  • Zero data retention by all AI model providers
  • No plaintext code stored on our servers beyond immediate request processing
  • Your code is never used for training AI models
  • All AI requests include enforced privacy headers (x-privacy-mode)
  • Requests default to privacy-preserving behavior if headers are missing
  • Codebase indexing stores only obfuscated embeddings, not plaintext code

Enterprise Privacy Options

  • On-premises deployment for complete data sovereignty
  • Dedicated infrastructure isolated from other customers
  • Custom data residency requirements (EU-only, specific regions)
  • Bring-your-own-key (BYOK) encryption
  • Private network connectivity (AWS PrivateLink, VPN)

6. Data Protection

Data Classification

We classify all data based on sensitivity level:

  • Public: Marketing materials, public documentation
  • Internal: Internal processes, non-sensitive business data
  • Confidential: Customer account data, support communications
  • Restricted: Customer code, credentials, security configurations

Backup and Recovery

We maintain robust backup and disaster recovery capabilities:

  • Encrypted, geographically-distributed backups
  • Point-in-time recovery for databases (up to 35 days)
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 1 hour
  • Quarterly disaster recovery testing
  • Multi-region failover capability

7. Security Incident Response

Incident Response Process

We follow a structured incident response process:

  • Detection: 24/7 automated monitoring and alerting
  • Triage: Security team assessment within 15 minutes
  • Containment: Immediate isolation of affected systems
  • Investigation: Root cause analysis and impact assessment
  • Eradication: Removal of threat and system hardening
  • Recovery: Controlled restoration of services
  • Post-mortem: Lessons learned and process improvements

Breach Notification

In the event of a security breach affecting your data, we commit to:

  • Notify affected users within 72 hours of a confirmed breach
  • Provide clear details about what data was affected
  • Explain actions we're taking to address the incident
  • Offer guidance on steps you can take to protect yourself
  • Notify relevant regulatory authorities as required by law
  • Provide regular updates until the incident is resolved

8. Vulnerability Disclosure Program

We maintain a responsible disclosure program and welcome security research.

In Scope

  • Apilium Forge IDE (all platforms)
  • api.apilium.com and all subdomains
  • portal.apilium.com (Customer Portal)
  • apilium.com (Website)

How to Report

If you discover a security vulnerability:

  • Email [email protected] with detailed vulnerability information
  • Include steps to reproduce, potential impact, and any proof-of-concept
  • For sensitive reports, use our PGP key (available on our security page)
  • Allow up to 90 days for remediation before public disclosure

Our Commitment

We commit to security researchers:

  • Acknowledge receipt within 24 hours
  • Provide initial assessment within 5 business days
  • Keep you informed of remediation progress
  • Credit you in our security acknowledgments (unless anonymity preferred)
  • Not pursue legal action for good-faith security research

We offer bounties for qualifying vulnerabilities. Contact us for current program details.

9. Third-Party Security

Vendor Security Requirements

All vendors with access to customer data must meet our security requirements:

  • Complete security questionnaire and risk assessment
  • SOC 2 Type II or equivalent certification
  • Data Processing Agreement (DPA) with GDPR-compliant clauses
  • Annual security review and re-certification
  • Immediate breach notification requirements

Subprocessors

Current subprocessors with access to customer data:

  • AWS (Infrastructure) - US/EU
  • Anthropic, OpenAI (AI Models) - US with zero-retention
  • Stripe (Payment Processing) - US/EU
  • Cloudflare (CDN/Security) - Global
  • MongoDB Atlas (Database) - EU
  • SendGrid (Email) - US

We notify customers 30 days before adding new subprocessors. The current list is available at apilium.com/compliance.

10. Physical Security

Our infrastructure is hosted in enterprise-grade data centers with comprehensive physical security:

  • 24/7/365 security personnel and video surveillance
  • Multi-factor physical access controls (biometric + badge)
  • Mantrap entry systems and visitor escort requirements
  • Environmental controls (fire suppression, climate control, UPS, generators)
  • SOC 2 Type II certified facilities
  • Regular physical security audits

11. Policy Updates

We review this Security Policy quarterly and update it to reflect changes in our security practices, technology, and regulations. Material changes are communicated via email to all users.

12. Contact Information

For security-related questions or to report security issues:

Company: Apilium Corp OU

Address: Tallinn, Estonia

Security Team: [email protected]

PGP Key: Available at apilium.com/security

Trust Center: apilium.com/security

General Inquiries: [email protected]