This page is maintained by APIWORX LLC to answer common security and privacy questions about APIXX. It reflects the platform features and practices we have in place today, and is updated as our posture evolves.
Trust Center
APIXX is built to protect the integrations and data that power your business. Below are the controls, certifications, and practices we rely on.
Access & authentication
- Multi-factor authentication — enforced for APIWORX console access; end users can enable TOTP-based MFA in their account settings.
- Single sign-on — SAML 2.0 support for enterprise identity providers.
- Role-based access control — per-tenant admin, editor, and viewer roles with least-privilege defaults.
- API key scoping — REST API keys are bound to a single customer and carry an explicit permission set (e.g. flows:read, data:read). The full key is displayed once at creation; only a hash of it is stored, so a key cannot be recovered from our database.
- Session management — short-lived access tokens with automatic rotation via refresh tokens.
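The API-key handling described above (customer-bound keys with explicit scopes, shown once, hashed at rest, immediately unusable once revoked) as an added example. This is illustrative code, not the APIXX implementation; the key format `apx_<id>_<secret>`, the class and function names, and the scopes other than `flows:read` and `data:read` are assumptions.

```python
"""Added example (not APIXX's code): scoped API keys that are shown once,
stored only as a hash, and revocable. Key format and names are assumed."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# flows:read and data:read are the scopes the page names; the rest are assumed.
KNOWN_SCOPES = frozenset({"flows:read", "flows:write", "data:read", "data:write"})


@dataclass
class StoredKey:
    key_id: str
    customer_id: str
    secret_hash: bytes          # SHA-256 of the secret; the secret itself is never stored
    scopes: frozenset
    revoked: bool = False


class KeyStore:
    """In-memory stand-in for the database table that holds key records."""

    def __init__(self):
        self._keys = {}         # key_id -> StoredKey

    def issue_key(self, customer_id, scopes):
        """Create a key for one customer and return the full key exactly once."""
        unknown = set(scopes) - KNOWN_SCOPES
        if unknown:
            raise ValueError(f"unknown scopes: {sorted(unknown)}")
        key_id = secrets.token_hex(8)            # public lookup handle, no underscores
        secret = secrets.token_urlsafe(32)       # 256 bits of entropy, may contain '_'
        self._keys[key_id] = StoredKey(
            key_id=key_id,
            customer_id=customer_id,
            # A plain hash is adequate here because the secret is high-entropy random
            # data, not a user-chosen password; a keyed HMAC with a server-side pepper
            # would additionally protect against an offline attacker who has the table.
            secret_hash=hashlib.sha256(secret.encode()).digest(),
            scopes=frozenset(scopes),
        )
        return f"apx_{key_id}_{secret}"

    def revoke(self, key_id):
        """Deactivate a key; every later authenticate() call fails immediately."""
        rec = self._keys.get(key_id)
        if rec is not None:
            rec.revoked = True

    def authenticate(self, presented_key):
        """Return the key record if the presented key is valid, else None."""
        try:
            prefix, key_id, secret = presented_key.split("_", 2)
        except ValueError:
            return None
        if prefix != "apx":
            return None
        rec = self._keys.get(key_id)
        if rec is None or rec.revoked:
            return None
        candidate = hashlib.sha256(secret.encode()).digest()
        # Constant-time comparison so timing does not leak how many bytes matched.
        if not hmac.compare_digest(candidate, rec.secret_hash):
            return None
        return rec

    def authorize(self, presented_key, scope):
        """Return the customer_id the key acts for, or None if the key is invalid
        or does not carry the requested scope. Callers then scope every query
        to that customer_id rather than to anything supplied by the request."""
        rec = self.authenticate(presented_key)
        if rec is None or scope not in rec.scopes:
            return None
        return rec.customer_id


if __name__ == "__main__":
    store = KeyStore()
    key = store.issue_key("cust_123", ["flows:read"])
    print("full key (shown once):", key)
    print("flows:read ->", store.authorize(key, "flows:read"))
    print("data:write ->", store.authorize(key, "data:write"))
    store.revoke(key.split("_")[1])
    print("after revoke ->", store.authorize(key, "flows:read"))
```

The design choice worth noting: `authorize` returns the customer id derived from the key record, never one taken from the request, which is what makes the per-customer scoping on the rest of this page enforceable.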
Platform & hosting
APIXX runs on Amazon Web Services (AWS) in US regions. AWS is responsible for physical security, network isolation, and hardware lifecycle. APIWORX LLC is responsible for application-level security, tenant isolation, access controls, and data handling.
- Tenant data is logically isolated — every API and database query is scoped to the authenticated customer.
- Encryption in transit via TLS 1.3. Encryption at rest via AES-256 on managed storage (RDS, S3, EBS).
- Sub-processors are limited to AWS (compute, storage, networking) and APIWORX-managed services.
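The logical tenant isolation described above (every query scoped to the authenticated customer) as an added example. This is illustrative code, not the APIXX implementation; the `flows` table, the sample rows and the repository class are constructed for the example.

```python
"""Added example (not APIXX's code): tenant-scoped data access. The customer id
is bound once from the authenticated principal and every SQL statement carries
it as a predicate, so a record id belonging to another tenant yields nothing."""
import sqlite3


def build_db():
    """Constructed sample data: two tenants sharing one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE flows (id INTEGER PRIMARY KEY, customer_id TEXT NOT NULL, name TEXT NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO flows (id, customer_id, name) VALUES (?, ?, ?)",
        [
            (1, "cust_a", "orders-to-erp"),
            (2, "cust_a", "contacts-sync"),
            (3, "cust_b", "products-export"),
        ],
    )
    conn.commit()
    return conn


def get_flow_unscoped(conn, flow_id):
    """The pattern that breaks isolation: the row is selected by id alone, so any
    caller who guesses or enumerates an id reads another tenant's record."""
    return conn.execute(
        "SELECT id, customer_id, name FROM flows WHERE id = ?", (flow_id,)
    ).fetchone()


class TenantRepo:
    """All reads and writes go through an object bound to one customer_id.
    The id must come from the authenticated API key or session (see the
    authorize() step in the access-control section), never from the URL or body."""

    def __init__(self, conn, customer_id):
        self._conn = conn
        self._customer_id = customer_id

    def get_flow(self, flow_id):
        return self._conn.execute(
            "SELECT id, customer_id, name FROM flows WHERE id = ? AND customer_id = ?",
            (flow_id, self._customer_id),
        ).fetchone()

    def list_flows(self):
        rows = self._conn.execute(
            "SELECT id, name FROM flows WHERE customer_id = ? ORDER BY id",
            (self._customer_id,),
        ).fetchall()
        return [name for _, name in rows]

    def rename_flow(self, flow_id, new_name):
        """Returns the number of rows changed: 0 both when the flow does not
        exist and when it belongs to someone else, so the response does not
        reveal which of the two is the case."""
        cur = self._conn.execute(
            "UPDATE flows SET name = ? WHERE id = ? AND customer_id = ?",
            (new_name, flow_id, self._customer_id),
        )
        self._conn.commit()
        return cur.rowcount


if __name__ == "__main__":
    conn = build_db()
    a, b = TenantRepo(conn, "cust_a"), TenantRepo(conn, "cust_b")
    print("cust_a sees:", a.list_flows())
    print("cust_b reading flow 1:", b.get_flow(1))
    print("cust_b renaming flow 1 changed rows:", b.rename_flow(1, "hijacked"))
    print("unscoped read of flow 1:", get_flow_unscoped(conn, 1))
```

Binding the customer id in the repository constructor, rather than passing it into each call, is what removes the "forgot the WHERE clause" failure mode; the unscoped helper is included only to show what the page's isolation claim rules out.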
Data collection & use
APIXX processes the data you send us in order to run integration flows — e.g. orders, contacts, products, and their field mappings. We do not sell customer data or use it for advertising. Analytics and telemetry are limited to operational metrics (error rates, latency, run counts) and never include sensitive record payloads.
Retention & deletion
- Run logs and canonical data are retained according to your plan tier. You can request a shorter retention window or immediate deletion via trust@apiworx.com.
- Revoked API keys and MCP tokens are immediately deactivated and removed from active caches.
- On account termination, customer data is soft-deleted immediately and hard-deleted from backups within 90 days.
Compliance & certifications
The following certifications and frameworks are in process. We are actively working toward formal attestation and expect to complete them in the coming quarters. For current status or to receive updates, contact trust@apiworx.com.
- SOC 2 Type II — in process. Independent audit of controls for security, availability, and confidentiality underway.
- ISO/IEC 27001 — in process. Information-security management system implementation and audit underway.
- GDPR — Data Processing Agreements (DPAs) are available for EU customers. We honor data-subject requests (access, rectification, erasure, portability) and have appointed a data protection contact.
Incident response & contact
- Security incidents are triaged and communicated within 24 hours of confirmed impact.
- Report vulnerabilities to trust@apiworx.com.
- We do not pursue legal action against researchers who follow coordinated disclosure: no public exploitation, no access to customer data beyond what is needed to demonstrate the issue, and a reasonable window for us to fix it before publication.
Shared responsibility
APIXX provides the platform, but customers are responsible for how they configure it. Specifically:
- Keep your API keys and MCP tokens confidential and rotate them regularly.
- Configure least-privilege scopes on API keys.
- Review connector credentials and remove systems you no longer use.
- Enable MFA on all user accounts and manage offboarding promptly when team members leave.
Questions
Reach out at trust@apiworx.com. We typically respond within one business day.
