This Statement describes the security practices in place at Apex Governance LLC (“Apex”) for the apexgscore.com website, the production environments that generate Apex's data products, and the channels through which those products are delivered to subscribers.
Apex is a focused research operation rather than a large enterprise, and this Statement is written to be honest about the scale and shape of the controls in place rather than to claim certifications it does not hold. Subscribers and prospective subscribers who require specific assurances beyond what is described here are invited to request a security questionnaire response under NDA.
§ 01 Scope
This Statement covers (a) the public website at apexgscore.com and any related subdomains, (b) the production environments in which Apex stores and processes the data that underpins the G-Score products, (c) the delivery channels (encrypted file transfer, dedicated subscriber portals once made available, and email-based delivery where expressly agreed), and (d) the limited categories of personal information that Apex processes in connection with inquiries, the services brochure request flow, and contractual relationships.
It does not cover third-party platforms operated independently of Apex (for example, the security posture of a subscriber's own enterprise systems after a data product has been delivered to them) or third-party services that subscribers may choose to use to consume Apex's products.
§ 02 Encryption
In transit. All connections to apexgscore.com and to Apex's production endpoints are served over TLS version 1.2 or higher, with modern cipher suites and HSTS enabled at the edge. Internal traffic between processing components in the production environment is similarly encrypted in transit.
At rest. Production data stores, working datasets, and backup snapshots are encrypted at rest using industry-standard symmetric encryption provided by the underlying cloud and storage platforms. Encryption keys are managed by the underlying platforms and rotated according to those platforms' default schedules; Apex does not currently operate a customer-managed-key arrangement.
Backups. Backup snapshots are retained on the same encrypted basis as the primary stores from which they are derived, and are subject to the same access controls.
§ 03 Access Control
Access to production systems, source code repositories, the website's edge configuration, and any credentialed administrative consoles is restricted on a least-privilege basis. Multi-factor authentication is required for all such access. Credentials are stored in a dedicated secrets-management facility rather than in source code, configuration files, or shared documents.
Because Apex operates as a focused founder-led research firm, the population of individuals with administrative access is small and well known to Apex's leadership. Access reviews are performed on an ongoing basis, and access for any individual who ceases to be associated with Apex is revoked promptly upon separation.
§ 04 Personal Information We Process
Apex deliberately limits the personal information it collects. The categories of personal information that Apex processes are: (a) the contact details that individuals provide voluntarily through email, the services brochure request flow, or formal contracting (typically: name, email address, employer, role, country, and the substance of the message); and (b) routine technical information about Website connections that is generated by edge providers and used for security and abuse-prevention purposes.
Apex does not knowingly collect special categories of personal data through the Website, does not run advertising or behavioral-tracking infrastructure on the Website, and does not sell or share personal information for advertising purposes. Further detail on personal-data handling is set out in the Privacy Notice.
§ 05 Vendor Security
Apex relies on a small number of established platform vendors for hosting, edge delivery, email, code repositories, and similar infrastructure. These vendors are selected with reference to their published security postures, certifications (where applicable), and operational track records. Apex avoids embedding multiple overlapping vendors where a single trusted provider can serve the same purpose, on the principle that surface area is itself a security risk.
The Website's edge layer is provided by Cloudflare, which supplies TLS termination, caching, and standard application-layer protections. Code is maintained in a major hosted version-control platform with branch-protection and review enforcement enabled.
A current list of subprocessors handling personal information is available on request to subscribers under contract; see the Privacy Notice.
§ 06 Source-Data Integrity
Apex's data products are constructed exclusively from publicly verifiable regulatory filings, exchange disclosures, and equivalent primary sources, supplemented by structural information from filings made under the relevant corporate-law regimes. The provenance and quality of those source data are addressed in the Data Accuracy Disclaimer and the Third-Party Sources Notice.
For security purposes, the relevant point is that production processing operates on copies of these public filings rather than on confidential data supplied by issuers, subscribers, or third parties. Apex does not, in the normal course, hold confidential issuer-supplied information.
§ 07 Logging and Monitoring
Edge traffic, administrative access events, and production-system events are logged and retained for a period appropriate to operational and security purposes. Logs are reviewed in response to anomalies and on a periodic basis. Apex does not at this time operate a 24x7 security operations center; alerting is configured to notify Apex personnel of high-signal events promptly.
§ 08 Incident Response
If Apex becomes aware of a security incident affecting personal information, customer data, or the integrity of its production environment, it will (a) take prompt steps to contain and remediate the incident, (b) investigate the cause and scope, (c) notify affected parties as required by applicable law and any contractual commitments, and (d) communicate the outcome to those affected with the level of detail appropriate to the circumstances.
Subscribers under contract receive incident-notification commitments calibrated to the data delivered to them; those commitments are set out in the relevant data-license terms or master subscription agreement.
§ 09 Retention and Disposal
Personal information collected through inquiries and the services brochure request flow is retained only for so long as needed to respond to and follow up on the inquiry, or for so long as a related commercial relationship requires, after which it is deleted or anonymized. Production data retention is governed by operational, contractual, and applicable-law requirements, with secure deletion procedures applied at end of life.
§ 10 Certifications
Apex does not currently hold SOC 2, ISO 27001, or equivalent third-party security certifications. Subscribers and prospective subscribers requiring such assurances should raise this with Apex during diligence; certain certifications may be pursued in connection with material commercial commitments. Apex believes it is more useful to describe its actual practices accurately than to claim certifications it does not hold.
§ 11 Reporting Vulnerabilities
Security researchers and other parties who believe they have identified a security vulnerability affecting Apex's Website or services are encouraged to report it under the Responsible Disclosure Policy. Reports made in good faith and in accordance with that policy are welcomed.