Security Policy
We at Apxor take the privacy and protection of our customers’ data incredibly seriously. Hence, we enforce strong security and privacy all through the organisation and platform. We designed our platform with your security needs in mind to ensure utmost reliability so you can breathe easy.

• Apxor uses Google Cloud Platform (GCP) to persistently store customer data and does not host customer data on its premises or store customer data with any third party services. GCP is a leading cloud provider, holds industry best security certifications, such as SOC2 and ISO 27001, and provides encryption in transit and at rest. Customer data sent to Apxor and injected around the world is sent to GCP data centres. When a customer requests a report at art.apxor.com, customer data is processed in a data centre and the results are sent back to customers via Apxor’s dashboard.

European Union’s General Data Protection Regulation (GDPR)

Apxor is committed to complying with GDPR so that our customers’ and their end users’ rights and obligations are met under GDPR, which took effect on May 25, 2018.

Introduction to GDPR


GDPR replaces the EU Data Protection Directive and seeks to strengthen individual rights while harmonising the patchwork of data protection laws throughout Europe. The GDPR regulates the “processing” of personal data, which is defined very broadly, of any EU resident, regardless of where the processing takes place. The regulation delineates individuals’ rights to access, rectify and restrict the processing of personal data.
Failure to comply with the GDPR could result in heavy fines: up to €20 million or 4% of worldwide revenue.

We outlined the steps Apxor was taking to ensure it was ready for GDPR, and the changes we were implementing that would allow our customers to use Apxor and comply with GDPR. Below we’ve provided the details on the changes we’ve made.

Nomenclature:
Data Subjects: End Users
Data Controller: Apxor Customers
Data Processor: Apxor

Assisting customers with Data Subject’s access requests:

The GDPR grants broad rights to individuals with regard to their personal information and who has access to it. The GDPR, therefore, provides data subjects with the “right to be forgotten.” In practice, this means organizations must now comply with a data subject’s request for access to his/her personal information in order to correct, delete, or retrieve such information. As a data processor for our customers, we have built tools that will allow us to assist our customers in complying with these data subject requests.

First, our client-side SDKs have been updated to provide more robust opt-out methods that will opt users out of tracking on both the API and cookie level. While customers are still responsible for ensuring they have a lawful basis for processing (i.e. consent, legitimate interest) from their end users, our SDKs will now provide enhanced flags to help with that opt-in process. Customers will also be able to set a default opt-in/out state for their client-side implementations.

Second, we have developed deletion and export tools for end user data. Apxor will be able to retrieve or delete a specific property for a unique user or all of the data for a distinct_id. When GDPR takes effect, event deletion and export requests will be handled by our Support team. We will be providing instructions to our customers on how to submit the data subject deletion or export request prior to the GDPR effectiveness date. We will also have our external deletion API ready for customer use by the end of May 20.

Third, we’ve updated our customer data retention period to a default period of five years for event data. Among other obligations, GDPR limits the time period in which an organisation may retain data to “no longer than is necessary for the purposes for which the personal data are processed.” Apxor has historically allowed customers to retain data indefinitely. In developing this new policy, we were mindful of our customers’ needs for historical data while also trying to balance the rigorous data storage limitations in the GDPR, which is why our default retention period will be five years. You can always reach out to contact@apxor.com if you want more information on the details of our retention policy and the options available to customers.

Finally, as we discuss in more detail below, we wanted to make sure we tightened up controls around who in Apxor has access to the data our customers send into Apxor. To do that, we audited our systems and access permissions to ensure that only those we designated as a “need to know” are able to access the data sent into Apxor. We enhanced our data logging system to be sure we can track who is accessing customer data both internally and externally by customers, when it was accessed, and what they did, if anything, with the data. Customers can be sure that our logs will accurately reflect the details of access to their data.

Data Processing Addendum

Article 28 of the GDPR requires data controllers to have a written document detailing the obligations with respect to the processing of personal data. Typically, this takes the form of a Data Processing Addendum (“DPA”). We modified our Terms of Use to incorporate a GDPR compliant DPA. This DPA better describes our privacy commitments to customers and helps facilitate our customers’ GDPR readiness.
As related to the GDPR and data from the European Economic Area or Switzerland, this includes:
Processing In Accordance With Customer Instructions – Apxor will only process data in accordance with the customer’s instructions, as described in our current Terms of Use and DPA.
Assistance with Data Subject Requests – to the extent our customers cannot delete or retrieve data processed by Apxor on their own, we will assist customers with the data subject requests they receive.
Notification of Data Incidents – Apxor will notify customers without undue delay if there is any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data. We will assist our customers in their obligations under Articles 32-36 of the GDPR.
Confidentiality Commitments of Personnel – All Apxor employees are required to sign a confidentiality agreement prior to employment, complete mandatory privacy trainings, and adhere to other internal policies.

Enterprise Grade Security

The GDPR requires controllers and processors of personal data to “implement appropriate technical and organisational” measures to ensure a level of security appropriate to the risk. Apxor uses Google Cloud Platform (“GCP”) as its third-party cloud storage subcontractor and does not host customer data on its premises. GCP is a leading cloud provider, and holds industry best security certifications, such as SOC2 and ISO 27001, and provides encryption in transit and at rest, without any action required from our customers.

Internal Controls – For Apxor employees, access rights and levels are based on job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Additionally, all Apxor employees must abide by multiple policies about handling customer data securely and protecting customer data.

Audits for Vulnerabilities – We run scans for software vulnerabilities and have a Security Information and Event Management platform, which provides 24x7x365 monitoring and alerting for security incidents in our networks and systems.

Product Security – Apxor customers can access product features and configurations to further protect personal data against unauthorized or unlawful processing, including Single Sign On (“SSO”) and 2-Step Verification.