Privacy, security & data

67 questions about privacy, security & data.

Where files live, when they're deleted, how passwords are handled, GDPR + UK data residency answers.

001 Where is my data stored?

Apexkit hosts in Azure Container Apps UK South (compute), Supabase EU Ireland (database), Cloudflare R2 EU (file storage), and Resend EU (transactional email). UK + EU residency by default.

002 Does my data ever leave the EU?

For most tools, no. The OpenAI API call (for AI tools) is routed through OpenAI's EU residency endpoint; Replicate (for some image / audio models) is currently US-resident — we flag this in-tool with a banner.

003 Is Apexkit GDPR compliant?

Yes — UK + EU data residency, customer-controlled deletion via Settings, a published DPA on request, and standard contractual clauses for any cross-border transfers. Apexkit Ltd is a UK ICO-registered data controller.

004 Can I get a signed DPA?

Yes — email hello@apexkit.pro from your work email. Our standard DPA is signed-once and covers the SCCs for any non-EU sub-processors.

005 Do you train AI models on my data?

No — we use the enterprise endpoints for OpenAI and Anthropic which contractually exclude your data from model training. Replicate is the same — your inputs aren't used to improve any model.

006 How long do you keep my uploaded files?

Free tier: 24 hours. Basic / Pro / Plus: 7 days. Power / Agency: 30 days. After expiry, the R2 object is hard-deleted via a nightly job.

007 Can I delete files before the auto-expiry?

Yes — /app/files lists everything; one-click delete per file. The R2 object is removed within 5 minutes.

008 Do you keep the content of my AI prompts?

No — we log a usage event (which tool, when, your tier, cost) but not the prompt body or the output. Tier-enforcement only needs the count, not the content.

009 Is the connection encrypted?

Yes — TLS 1.2+ everywhere. Apexkit is HTTPS-only, with HSTS + secure cookies set on Auth flows. Our cert is issued by DigiCert (auto-renewed via Azure).

010 When I password-protect a PDF, is the password sent to your servers?

Yes — over HTTPS, processed in memory by qpdf, never logged or stored. Once the response returns, the password is garbage-collected from server memory.

011 Can I enable two-factor authentication?

Supabase Auth supports TOTP 2FA — coming to the Apexkit UI in V2. For now, signing in via Google OAuth (which uses your Google 2FA) is a good interim option.

012 Can I sign in with Google?

Yes — Google OAuth is enabled. Click 'Continue with Google' on /sign-in or /sign-up.

013 Do you support SSO (SAML / OIDC)?

SCIM + SAML SSO ship in Year 1 (Q4 2026) for Enterprise tier customers. Until then Google OAuth is the closest you'll get without paid enterprise plumbing.

014 Can I restrict who signs in to my company's account by domain?

Domain-restricted sign-in ships with the Team Workspaces feature in V2 (month 7-12). For now, share a credential with your team or use Google OAuth on a shared address.

015 Is account deletion really permanent?

Yes — Settings → Danger zone → Delete account triggers: 1) Stripe cancellation, 2) audit-log row created, 3) hard DB delete + cascade (subscription, usage, files, counters), 4) Supabase Auth user removal. No way to undo.

016 What's in the audit log?

Account events: sign-ins, sign-outs, password resets, plan changes, deletions. No tool-content data. Audit logs survive account deletion (no FK to users) to satisfy GDPR's right-to-be-told-what-was-done.

017 Do your cookies track me?

Auth cookies: yes, for session. Analytics: Plausible (cookie-free, anonymised). No third-party tracking pixels, no advertising cookies, no Google Analytics. Full breakdown at /cookies.

018 Can I block Apexkit's analytics?

Yes — Plausible respects DNT (Do Not Track) headers and adblocker rules. Disabling JavaScript also disables analytics entirely. We don't fingerprint.

019 Do you sell or share my data?

No — never. We have no advertiser, broker, or third-party data partner. Our revenue is 100% subscriptions. Subprocessors (Supabase, Cloudflare, Stripe, OpenAI, Anthropic, Replicate) are listed at /privacy and exist solely to operate the service.

020 Who are your subprocessors?

Listed at /privacy. Headlines: Supabase (auth + DB, EU), Cloudflare R2 (file storage, EU), Stripe (payments, US — SCCs in place), Resend (email, EU), OpenAI (AI inference, EU residency endpoints), Anthropic (some AI, EU), Replicate (some image / audio AI, US for now), Azure (hosting, UK South).

021 What if a subprocessor (e.g. Supabase) suffers a breach?

Supabase has its own SOC 2 + ISO 27001 audit; if a breach affects Apexkit data, we'd notify you within 72 hours per GDPR Article 33. Audit log makes scope-of-impact assessment straightforward.

022 How strong is the PDF encryption?

AES-256 via qpdf — the strongest standard PDF readers support. Cracking it at consumer scale is not feasible.

023 Can you recover my forgotten PDF password?

No — and neither can anyone else. AES-256 is mathematically not crackable at consumer scale. Store passwords somewhere safe before encrypting.

024 Are your outbound emails authenticated?

Yes — DKIM + SPF + DMARC set on the apexkit.pro domain via Resend. Receipts, dunning, weekly digests, and welcome emails all pass DMARC=quarantine policy.

025 Can I get a copy of all data you hold about me?

Yes — GDPR Article 15 right of access. /app/settings → 'Export all my data' generates a ZIP with profile, usage history, file references, and audit log entries. Available on Pro+ via UI; lower tiers via email request.

026 Can I correct data you hold about me?

Yes — most fields editable directly in Settings (email, display name, country). For corrections to historical usage / audit records, email hello@apexkit.pro.

027 Do you store my passwords?

Account passwords are hashed (Supabase Auth uses bcrypt with salts). PDF-encryption passwords are never stored — used in memory once then discarded.

028 Where physically are my uploaded files?

Cloudflare R2 EU — physically in Cloudflare's Frankfurt + Amsterdam data centres. R2 doesn't egress to non-EU regions unless we explicitly configure it (we don't).

029 Are files encrypted at rest?

Yes — R2 encrypts at rest by default (AES-256). Database (Supabase) encrypts at rest too. Combined with TLS in transit, your data is encrypted both in transit and at rest. Keys are operator-managed, so this is not end-to-end encryption.

030 Do you comply with CCPA (California)?

Yes — California residents can request data access, deletion, and opt-out of any sale (we don't sell, so nothing to opt out of). Same flow as GDPR via /app/settings or hello@apexkit.pro.

031 Are you HIPAA compliant?

No — Apexkit is not a HIPAA-covered entity and we don't sign BAAs. Don't upload PHI. For HIPAA-covered work use a specialist healthcare SaaS.

032 Are you SOC 2 compliant?

Not yet — SOC 2 Type II audit is on the Year 1 roadmap. Our subprocessors (Supabase, Cloudflare, Stripe, Azure) are individually SOC 2 + ISO 27001 audited.

033 Are you ISO 27001 compliant?

Not yet — ISO 27001 certification is on the Year 1 roadmap alongside SOC 2 Type II. Subprocessors are individually certified.

034 Can I see which tools route data outside the EU?

Yes — tools that use a US-resident subprocessor (a small minority — currently AI Headshot training, parts of GPT-4o realtime) show an in-tool banner before processing. EU-only is the default everywhere else.

035 Do you maintain GDPR Article 30 records?

Yes — internal records of processing activities, kept up to date with each new subprocessor. Available to your DPO on written request via hello@apexkit.pro.

036 Do you publish transparency reports?

Quarterly transparency reports launch with the V1 GA in June 2026 — covering law enforcement requests (we expect zero, but we'll publish either way), security incidents, and data residency changes.

037 Can I restrict access to my Apexkit account by IP?

IP allowlisting is an Enterprise tier feature (Q4 2026 roadmap). For now, use Google OAuth + 2FA at the Google level for the strongest off-the-shelf access control.

038 Is it safe to upload confidential business documents?

Yes for client-side tools (PDF Compress, Merge, Image Compress) — your files never leave your browser. For AI tools, your upload sits on R2 EU for up to 24h (Free) / 7d (paid) then auto-deletes. Avoid uploading material you couldn't email to a contractor under a generic NDA.

039 Do you have an incident response plan?

Yes — internal runbook covers detection (monitoring + log alerts), containment, notification (72h GDPR clock), and post-mortem. Public status page ships in V2.

040 Do you have a bug bounty program?

Informal — email hello@apexkit.pro with a security vulnerability and we honour reasonable bounties ($50-1000 depending on severity). Formal HackerOne / Intigriti program in Year 1.

041 How do I report a security vulnerability?

Email hello@apexkit.pro with details + reproduction steps. We acknowledge within 24h and aim to fix or mitigate confirmed issues within 30 days. See /.well-known/security.txt for the canonical contact.

042 Do you rate-limit API calls?

Yes — tier-based monthly caps (Pro 10k, Plus 50k, Power 200k, Agency 1M). On top of that we have a soft per-minute throttle (50 req/min per user) to keep the platform fast for everyone.

043 Are you protected against DDoS?

Yes — Cloudflare proxy (orange-cloud) sits in front of apexkit.pro with WAF + rate-limiting + bot management. Origin (Azure Container Apps) isn't directly reachable.

044 Can your team see my files?

Engineers have read-only access to R2 for incident response, but file paths are user-scoped UUIDs (we don't know which file is yours without your user ID), and the auto-delete clock means most content is gone within 24h.

045 Which country's law governs Apexkit?

English law — Apexkit Ltd is a UK-registered company, jurisdiction is the English courts (or arbitration as set out in the Terms). EU customers also retain their consumer rights under EU law.

046 Can I export my data in a portable format?

Yes — /app/settings → 'Export all my data' produces a JSON+files ZIP. Schema is documented at hello@apexkit.pro/data-export-format on request — machine-readable, suitable for re-import elsewhere.

047 Can I supply my own encryption keys?

BYO keys (KMS / customer-managed-keys) ship in the Enterprise tier (Year 1 Q4). For now, all encryption is operator-managed using AES-256 at rest on R2 + Supabase.

048 Do you have cyber insurance?

Yes — UK cyber insurance with a £1M limit covering data breach response, regulatory fines, and business interruption. Policy details available to enterprise customers on request.

049 Can I encrypt my files before uploading?

You can — but most AI tools need to read the file content to process it, so server-side encryption (R2 default) + TLS in transit is the practical answer. Browser-side tools don't need to send anything.

050 Do you have recovery keys for password resets?

No master recovery key — the password reset flow sends a magic link to your verified email. Lose access to your email + forget your password = you're locked out. (We can verify identity manually for paying customers via hello@apexkit.pro.)

051 Where does the PDF encryption happen — client or server?

Server-side via qpdf (the CLI binary runs in our Alpine container). Your unprotected PDF is uploaded over HTTPS, encrypted in memory, the encrypted output is returned, then the unencrypted version is purged from memory.

052 What personal data do you store?

Account: email, optional display name. Billing: Stripe customer ID (no card data on our side). Usage: which tool, when, your tier (no content). Files: R2 object keys + filename + size + role (input/output). Audit: account events. No marketing-tracking PII.

053 How quickly do you delete data on request?

Settings → Delete account → instant DB hard-delete + cascade (under 5 seconds). R2 objects are queued for the nightly delete job (within 24h). Audit log row remains as the legal record of deletion.

054 Do you keep anonymous usage stats after I delete my account?

Yes — aggregated, anonymised tool-usage counts (e.g. 'compress-pdf was run 12,847 times in May') stay. Individual user-level records are deleted.

055 Is my web traffic logged?

Plausible records page-view paths + referrer (anonymised, no IPs). Azure logs request URLs + status codes for 30 days for ops debugging. No content of forms, no body of requests.

056 Can I disable analytics for just my account?

Browser-level: install any ad blocker — Plausible respects it. Account-level toggle is on the Settings roadmap for V2.

057 What if my data gets leaked through Apexkit?

We follow GDPR Article 33: notify the ICO within 72h, notify you (where the leak affects you) without undue delay, full post-mortem, remediation. Cyber insurance covers material costs.

058 Do you do penetration tests?

Annual external pentest from V1 GA onwards. Scope: app + API + infrastructure. Findings + remediation summarised in the annual transparency report (severities only, no exploit details).

060 Is it safe to process financial data through Apexkit?

Tax returns, invoices, financial statements — yes, with the caveat that AI tools temporarily upload to R2 EU. Browser-side tools (PDF Compress, etc.) never upload. For HMRC-regulated record retention, keep your own copies.

061 Are you PCI DSS compliant?

PCI DSS is delegated to Stripe (Level 1 certified) — Apexkit never sees card numbers. We don't store CHD; we store Stripe customer IDs and last-4-digit metadata only.

062 Has Apexkit had any data breaches?

Zero confirmed breaches as of this writing. We've reviewed haveibeenpwned and other public breach databases — no Apexkit entries. Quarterly transparency reports will continue tracking this.

063 Can I restrict which tools my team uses?

Tool-level permissions ship with Team Workspaces in V2 (month 7-12). For now all team members on Power / Agency share the same tier benefits.

064 Can I restrict sign-in by country?

Country-restricted sign-in is an Enterprise tier feature (Q4 2026). For now, Google OAuth lets you leverage Google's geo-restrictions at the identity-provider level.

066 Do you log my IP address?

Azure logs IPs for 30 days for ops + abuse detection. Plausible analytics anonymises IPs immediately. Audit-log entries store the IP for security-relevant events (sign-in, account delete). Per GDPR, we have a legitimate interest basis.

067 Can I delete entries from my audit log?

Generally no — audit logs exist for a reason (regulatory + security). For specific GDPR claims (e.g. inaccurate data in an audit field), email hello@apexkit.pro and we'll review on a case-by-case basis.

Didn't find what you needed? Email hello@apexkit.pro — replies in < 24h on weekdays.
