APEX VAULT. Security & Attestation
Section 00 · Mission

What you can inspect. What you can attest to. What stays out of the wire.

One principle: no consumer health data should cross a third-party perimeter the operator cannot inspect. The architecture, cryptography, validation cycle, and corporate risk coverage all serve it.

Zero-trust framework throughout — every component mutually authenticated, every traffic flow logged inside the operator's perimeter, no third party receiving matchable identifiers. Periodic evaluation cycles run under 45 CFR § 164.308(a)(8), with risk analysis under § 164.308(a)(1)(ii)(A). What follows is the reference posture.

01

Cloud architecture & data isolation

Isolated boundary under direct engineering control. Enterprise deployments run on dedicated single-tenant infrastructure with no compute or storage shared across clients. Independent Practice multi-tenant deployments run in logically isolated environments with per-tenant cryptographic separation.

Tenancy model: Single-tenant dedicated environments for the MSO Platform and Enterprise tiers; multi-tenant logical isolation for the Independent Practice tier.
Cloud infrastructure: Enterprise-grade cloud provider holding a provider-level SOC 2 Type II attestation and ISO 27001 certification; the deployments on it are operated under Apex Vault's direct engineering control. Provider identity available under MNDA.
Data residency: United States by default. Multi-region available for cross-jurisdiction deployment requirements.
Network isolation: Dedicated single-tenant boundaries with no shared egress paths. Strict ingress and egress allowlists configured per deployment.
Backup & retention: Encrypted backups kept within the deployment boundary. Retention windows configured per BAA and per data category. No cross-tenant backup pooling.
02

Validation Standard — dedicated infrastructure hardening

Every MSO Platform and Enterprise deployment receives an independent Letter of Attestation before live production data routes through the perimeter.

01

Isolated Provisioning

Dedicated single-tenant environment on enterprise-grade cloud infrastructure holding a provider-level SOC 2 Type II attestation and ISO 27001 certification, operated under Apex Vault's direct engineering control.

02

Dedicated Penetration Testing

An independent third-party security firm conducts a targeted manual penetration test against the client's specific infrastructure before go-live. Findings are remediated until no Critical or High finding, as scored under CVSS v3.1, remains open.

03

Attestation at Go-Live

Independent Letter of Attestation issued. Traffic routing activates only after manual hardening, validation, and a clean attestation. An annual re-validation penetration test runs for the life of the engagement.

03

Cryptography & transmission security

Industry-standard primitives in transit and at rest. Automated key rotation. Hardware-backed identity for privileged access.

In transit: TLS 1.3 enforced on all external and internal traffic, modern cipher suites only; TLS 1.1 and below are never negotiated.
At rest: AES-256 encryption for all stored data, with key rotation handled automatically by the cloud provider's managed key service.
Identity & access: Multi-factor authentication required for all engineering access, with hardware-backed factors for privileged access. Role-based access control mapped to the principle of least privilege. Privileged access reviewed quarterly.
Key management: Automated key rotation. Customer-managed keys available for the Enterprise tier. Key access logged separately from data access.
04

Continuous monitoring & threat detection

Automated monitoring and incident response wrap every deployment. Detection runs at the infrastructure, network, and application layers.

Continuous scanning: Continuous exposure scanning across all deployed environments. CVE detection and triage on a defined SLA per severity tier.
Incident response: 24/7 automated monitoring and incident-response pipelines. Severity-1 incidents page an on-call responder within minutes of detection.
Logging & audit: All access events logged inside the deployment boundary. Logs retained per BAA requirements. Tamper-evident audit chain.
Anomaly detection: Infrastructure-level anomaly detection across compute, network, and storage, against a behavioral baseline established per deployment.
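"Tamper-evident audit chain" names a property rather than a design; one common way to get it is a hash chain in which every record carries the SHA-256 of its predecessor. The Go program below is an added illustration of that construction and is not Apex Vault's implementation. It appends three constructed access events (not real log data), verifies the chain, then shows that editing a past record is caught even when the editor recomputes that record's own hash, because the following record's back-link no longer matches; the Entry fields and the genesis value are assumptions of the example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// genesisHash anchors the first entry. The current head hash must be
// checkpointed somewhere the log writer cannot modify, otherwise a wholesale
// rewrite of the file recomputes every link and passes Verify.
const genesisHash = "0000000000000000000000000000000000000000000000000000000000000000"

// Entry is one access event. Hash covers every other field, including
// PrevHash, so editing, dropping, or reordering any earlier entry changes the
// hash of every entry after it.
type Entry struct {
	Seq      uint64 `json:"seq"`
	Time     string `json:"time"`
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	Resource string `json:"resource"`
	PrevHash string `json:"prev_hash"`
	Hash     string `json:"hash"`
}

// entryHash serialises the entry with Hash blanked; encoding/json emits struct
// fields in declaration order, which gives a canonical byte string to digest.
func entryHash(e Entry) string {
	e.Hash = ""
	b, err := json.Marshal(e)
	if err != nil {
		panic(err) // plain strings and integers cannot fail to encode
	}
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

type Chain struct{ Entries []Entry }

// Append links a new event to the current head and returns it.
func (c *Chain) Append(ts, actor, action, resource string) Entry {
	prev, seq := genesisHash, uint64(0)
	if n := len(c.Entries); n > 0 {
		prev, seq = c.Entries[n-1].Hash, c.Entries[n-1].Seq+1
	}
	e := Entry{Seq: seq, Time: ts, Actor: actor, Action: action, Resource: resource, PrevHash: prev}
	e.Hash = entryHash(e)
	c.Entries = append(c.Entries, e)
	return e
}

// Verify replays the chain from genesis. It returns -1 when every link holds,
// otherwise the index of the first entry whose sequence number, back-link, or
// content hash no longer matches, together with the reason.
func (c *Chain) Verify() (int, error) {
	prev := genesisHash
	for i, e := range c.Entries {
		switch {
		case e.Seq != uint64(i):
			return i, fmt.Errorf("entry %d: sequence gap (got seq %d)", i, e.Seq)
		case e.PrevHash != prev:
			return i, fmt.Errorf("entry %d: back-link does not match previous hash", i)
		case entryHash(e) != e.Hash:
			return i, fmt.Errorf("entry %d: content does not match recorded hash", i)
		}
		prev = e.Hash
	}
	return -1, nil
}

func describe(i int, err error) string {
	if err == nil {
		return "ok"
	}
	return fmt.Sprintf("FAIL at %d: %v", i, err)
}

func main() {
	// Constructed sample events, not real log data.
	var c Chain
	c.Append("2024-05-01T09:00:00Z", "svc-ingest", "read", "patient/1001")
	c.Append("2024-05-01T09:00:04Z", "eng-alice", "read", "patient/1001")
	c.Append("2024-05-01T09:01:10Z", "eng-alice", "export", "patient/1001")
	fmt.Println("intact:", describe(c.Verify()))

	// An insider rewrites the actor on a past entry and recomputes that entry's
	// own hash; the next entry's back-link still exposes the edit.
	c.Entries[1].Actor = "svc-ingest"
	c.Entries[1].Hash = entryHash(c.Entries[1])
	fmt.Println("edited:", describe(c.Verify()))
}
```

The chain only proves that nothing changed since the head hash was last recorded outside the log: an editor who owns the whole file, or who alters only the final record, can recompute every affected link and pass verification. Checkpointing the head on a schedule to a separately controlled store, or signing it with a key the log writer does not hold, is what turns the construction into evidence.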
05

Compliance & attestation posture

Posture is deliberately calibrated to what is currently substantiated. Self-attestation language is not upgraded beyond what an independent audit confirms.

Apex Vault's own posture

Self-attested against the Cloud Security Alliance Cloud Controls Matrix (CCM) via the Consensus Assessments Initiative Questionnaire (CAIQ). A SOC 2 Type I attestation is the next compliance milestone.

CSA STAR Registry submission: pending publication. Direct link will appear here once the CAIQ submission is live on the registry.

Infrastructure provider posture

Underlying cloud infrastructure carries a provider-level SOC 2 Type II attestation and ISO 27001 certification, both independently issued; the deployments running on it are operated under Apex Vault's direct engineering control. Those reports cover the provider's controls below the shared-responsibility line, not Apex Vault's configuration on top of them, which is covered by the self-attestation and penetration-test posture described above. Provider-level attestation reports made available under MNDA.

Applicable regulatory frameworks

HIPAA: Business Associate Agreement executed for every covered-entity client. Risk analysis aligned to 45 CFR § 164.308(a)(1)(ii)(A); periodic evaluation to § 164.308(a)(8).
State consumer-health privacy: Architecture designed to keep the data flow outside the statutory "sale" definition under Washington's My Health My Data Act (MHMDA), Nevada SB 370, Connecticut's consumer health data provisions, and equivalents in other states.
State wiretap statutes: Sanitization at the perimeter prevents the kind of identifying interception that has driven state-law class actions under CIPA, the Illinois Eavesdropping Act, NY Penal Law § 250, and others.
Federal ECPA & FTC Act § 5: The same architecture limits federal exposure to claims over identifying transmissions and over unfair or deceptive practices.
06

Corporate risk & insurance

Multi-million-dollar Excess Liability towers covering Tech E&O and Cyber Liability. Coverage scales to deployment shape; specific limits made available under MNDA.

Tech E&O: Technology Errors & Omissions coverage with multi-million-dollar Excess Liability towers. Coverage confirmed annually.
Cyber Liability: Cyber Liability coverage for breach notification, forensic response, and third-party claims. Coverage confirmed annually at renewal underwriting.
Coverage detail: Specific tower limits, retention amounts, and named-insured structure available to Enterprise clients on MNDA execution.

Request the full trust package under MNDA. Detailed architecture schematics, cloud-provider identity, complete attestation mapping, named subcontractors, specific control evidence, and full insurance tower documentation. Email compliance@apexvaultcompliance.com.

Founded by a former attorney and startup Chief Privacy Officer.