Security Pack
Everything your security team needs to evaluate ApexMediation: architecture, threat model, compliance, and data handling.
Printable Security Pack (HTML)
What's Included
The Security Pack is a comprehensive document covering all aspects of our security posture.
Infrastructure Architecture
Two-server topology (App + DB), Caddy TLS termination, Redis caching, PostgreSQL 16 persistence, network isolation.
Encryption Standards
TLS via Caddy (Let's Encrypt auto-provisioning), AES-256-GCM for secrets at rest with 12-byte IV and auth tags.
Access Control (RBAC)
Three-tier customer roles (admin, publisher, readonly) with separate operator authentication for system access.
Audit Logging
Structured logging via Winston, separate audit stream for compliance, configurable retention (30 days–1 year by plan).
Threat Model
Defense-in-depth: cache controls, circuit breakers, dedupe layers, Ed25519-signed auction logs, replay protection.
Privacy & Compliance
GDPR/CCPA-aligned data handling, consent signal propagation, DSAR workflow, data minimization principles.
Threat Model Overview
Key threats we've identified and the controls in place.
Cache Poisoning
Status: mitigated. Session manifests use Cache-Control: private, no-store. CDN keys include session token hash.
Token Leakage
Status: mitigated. JWT tokens with configurable expiry. Short-lived BYO tokens (5-15 min). httpOnly cookies.
SSRF Attacks
Status: mitigated. Outbound requests constrained to configured partner domains. CORS allowlist enforced.
Replay Attacks
Status: mitigated. Composite dedupe keys (session, pod, slot, event, creative). DedupeLayer rejects duplicates.
Config Rollback Abuse
Status: mitigated. All config changes versioned with timestamps. Rollback creates new version, preserving history.
Partner Timeout Abuse
Status: mitigated. Per-partner circuit breakers with configurable thresholds. Automatic quarantine on trip.
Auction Tampering
Status: mitigated. Ed25519 signatures on auction logs. Public key available for independent verification.
Credential Exposure
Status: mitigated. Network credentials never exposed to SDKs. Short-lived JWT tokens generated on demand.
Data Processing Summary
What data we process, how long we keep it, and how to delete it.
| Category | Data Collected | Retention | Deletion |
|---|---|---|---|
| Session Data | Device type, app bundle ID, content ID, consent signals (TC string if provided) | 30 days–1 year (by plan) | Automatic TTL expiry + on-demand DSAR |
| Auction Logs | Bid requests/responses, decision traces, timing metrics, Ed25519 signatures | 30 days–1 year (by plan) | Automatic partition pruning + on-demand DSAR |
| Tracking Events | Impressions, quartiles, completions, click events (no direct PII) | 30 days–1 year (by plan) | Automatic expiry + on-demand DSAR |
| Console Users | Email, display name, role, 2FA status, audit trail | Account lifetime + 30 days | On account deletion request |
| API Keys | Key prefix, last4 digits, bcrypt hash (never full secret) | Until revocation | Soft delete with audit retention |
Data Subject Access Request (DSAR) Workflow
DSAR Request Handling

1. Request Received
   - Email: privacy@apexmediation.ee
   - Console: Settings → Privacy → Submit DSAR
2. Identity Verification (within 48 hours)
   - Verify requester is data subject or authorized agent
3. Data Compilation (within 15 days)
   - Export all personal data in structured format
   - Include processing purposes and recipients
4. Delivery (within 30 days of request)
   - Secure download link or encrypted email
   - Deletion confirmation if requested
Compliance Status
| Framework | Status |
|---|---|
| GDPR | Aligned |
| CCPA | Aligned |
| IAB TCF 2.2 | Consent Propagation |
| SOC 2 | Type II-aligned controls |
Operational targets
See full details at /slo.
Questions? Let's talk security.
Our team is available to discuss security requirements, conduct walkthroughs, and answer procurement questions.