Skip to content
ApexMediation

ApexMediation Security Pack

Comprehensive Security Documentation

Generated: January 15, 2026Document Version: 2.0

Table of Contents

  1. Executive Summary
  2. Infrastructure Architecture
  3. Encryption Standards
  4. Access Control (RBAC)
  5. Authentication Mechanisms
  6. Threat Model & Mitigations
  7. Data Processing & Retention
  8. Audit Logging
  9. Privacy & Compliance
  10. DSAR Workflow
  11. Incident Response
  12. Contact Information

1. Executive Summary

ApexMediation is a server-side ad insertion (SSAI) and mediation platform designed with security, transparency, and privacy as foundational principles. This document provides comprehensive, verifiable documentation of our security architecture, threat model, data handling practices, and compliance posture.

Architecture Overview

Two-server production topology (App + DB), Caddy TLS termination, Redis caching, PostgreSQL 16 persistence.

Encryption Standards

TLS via Caddy (Let's Encrypt auto-provisioning), AES-256-GCM for secrets at rest with 12-byte IV and auth tags.

Access Control (RBAC)

Three-tier customer roles (admin, publisher, readonly) with separate operator authentication for system access.

Audit Logging

Structured logging via Winston, separate audit stream for compliance, configurable retention (30 days–1 year by plan).

Threat Model

Defense-in-depth: cache controls, circuit breakers, dedupe layers, Ed25519-signed auction logs, replay protection.

Privacy & Compliance

GDPR/CCPA-aligned data handling, consent signal propagation, DSAR workflow, data minimization principles.

2. Infrastructure Architecture

Production infrastructure runs on dedicated EU-based servers with strict network segmentation.

ComponentDetails
App ServerHosts Backend API (Node.js/Express on port 8080), Console (Next.js on port 3000), Website (Next.js/PM2 on port 3002), Redis (system service), Prometheus/Grafana monitoring.
DB ServerDedicated PostgreSQL 16 instance with 139+ tables, accessible only from App Server IP, daily backups configured.
TLS TerminationCaddy reverse proxy with automatic Let's Encrypt certificate provisioning and renewal. HTTP/1.1 and HTTP/2 support.
Network SecuritySSH key-based access only, UFW firewall (ports 22, 80, 443), PostgreSQL restricted to App Server IP.
Network Diagram: App Server ↔ (Internal Network) ↔ DB Server. External traffic terminates at Caddy (TLS). Database accessible only from App Server IP.

3. Encryption Standards

LayerImplementationEvidence
In TransitCaddy auto-provisions TLS certificates via Let's Encrypt. All public endpoints served over HTTPS.infrastructure/caddy/Caddyfile
At Rest (Credentials)AES-256-GCM encryption with 12-byte random IV and authentication tag. Key derived from APP_KMS_KEY environment variable.backend/src/utils/crypto.ts (aesGcmEncrypt, aesGcmDecrypt)
API KeysOnly bcrypt hash stored; SHA-256 digest for constant-time lookup. Full secret shown once at creation, never stored.backend/src/middleware/apiKeyAuth.ts
2FA SecretsTOTP secrets encrypted with AES-256-GCM before database storage. Legacy plaintext secrets auto-migrated.backend/src/services/twofa.service.ts

4. Access Control (RBAC)

Customer Console access is governed by role-based access control. Operator (system) access uses a completely separate authentication mechanism.

RoleCapabilities
adminFull organization access: billing, team management, settings, all publisher features.
publisherManage placements, view analytics, access developer tools, read-only billing access.
readonlyView-only access to dashboards, reports, and analytics. No configuration changes.
operator (separate)System-level access to Control Plane (/admin/*). Requires separate authentication (not customer RBAC).

Source: console/src/lib/rbac.ts, console/src/lib/useAdminGate.ts

5. Authentication Mechanisms

Console Authentication

  • JWT tokens (HS256) with configurable expiry (default: 7 days)
  • Tokens stored in httpOnly cookies to prevent XSS
  • Optional TOTP-based 2FA with encrypted secret storage
  • Backup codes generated on 2FA enrollment

API Authentication

  • API keys: sk_* (user) / ak_* (app/SDK)
  • Keys verified via SHA-256 digest lookup + bcrypt comparison
  • Full secret displayed once at creation, then only prefix + last 4 digits
  • Usage tracking per key for audit and rate limiting

BYO Credential Tokens

  • Short-lived JWT tokens (5-15 minute TTL) for network credentials
  • Credentials encrypted with AES-256-GCM, never exposed to SDKs
  • Token bound to publisher ID; audit logged on generation

6. Threat Model & Mitigations

ThreatControl ImplementedStatus
Cache PoisoningSession manifests use Cache-Control: private, no-store. CDN cache keys include session token hash.Mitigated
Token LeakageJWT tokens with configurable expiry (default 7 days for session, 5-15 min for BYO credential tokens). httpOnly cookies.Mitigated
SSRF AttacksOutbound requests constrained to configured partner domains. CORS allowlist enforced.Mitigated
Replay AttacksTracking beacons use composite dedupe keys (session_id, pod_id, slot_id, event_type, creative_id). DedupeLayer rejects duplicates.Mitigated
Config Rollback AbuseAll configuration changes are versioned with timestamps. Rollback creates new version entry, preserving full history.Mitigated
Partner Timeout AbusePer-partner circuit breakers with configurable thresholds (error rate, timeout rate). Automatic quarantine on trip.Mitigated
Auction TamperingEd25519 signatures on auction logs. Canonical JSON serialization. Public key available for independent verification.Mitigated
Credential ExposureNetwork credentials never exposed to SDKs. Short-lived JWT tokens (5-15 min) generated on demand.Mitigated

7. Data Processing & Retention

CategoryData ElementsRetentionLegal BasisDeletion
Session DataDevice type, app bundle ID, content ID, consent signals (TC string if provided)30 days–1 year (by plan)Legitimate interest / ConsentAutomatic TTL expiry + on-demand DSAR
Auction LogsBid requests/responses, decision traces, timing metrics, Ed25519 signatures30 days–1 year (by plan)Legitimate interest (fraud prevention, transparency)Automatic partition pruning + on-demand DSAR
Tracking EventsImpressions, quartiles, completions, click events (no direct PII)30 days–1 year (by plan)Legitimate interest / ContractAutomatic expiry + on-demand DSAR
Console UsersEmail, display name, role, 2FA enrollment status, audit trailAccount lifetime + 30 days post-deletionContract performanceOn account deletion request
API KeysKey prefix, last4 digits, bcrypt hash, SHA-256 digest (never full secret)Until revocationContract performanceSoft delete with audit retention
Data Minimization: We aim to minimize collection. IP addresses may be processed (and in some cases retained) for security, fraud prevention, and rate limiting. Device identifiers (IDFA, GAID) are only collected when consent is provided. No direct PII is stored in tracking events.

8. Audit Logging

What Gets Logged

  • All authentication events (login, logout, 2FA enrollment/verification)
  • API key creation, rotation, and revocation
  • Configuration changes (placements, settings, team membership)
  • Credential access (BYO token generation, network credential rotation)
  • Operator actions via Control Plane (retained per compliance and operational requirements)

Log Integrity

  • Structured JSON logs via Winston with consistent schema
  • Separate audit stream for compliance-critical events
  • Ed25519 signatures on auction decision logs for cryptographic verification
  • Log retention is configured by plan (30 days / 90 days / 1 year) with automated pruning

9. Privacy & Compliance

✓ GDPR
Data subject rights supported (access, rectification, erasure, portability). Privacy by design. Data minimization enforced.
✓ CCPA
Do Not Sell signals honored. Consumer rights workflow implemented. 12-month data disclosure available.
IAB TCF 2.2
Consent string propagation implemented. TC strings passed through auction pipeline to demand partners. Consent signal encryption available in Console.
Note: We operate as a data processor. Publisher customers are data controllers responsible for obtaining end-user consent. We provide the technical infrastructure to honor consent signals and data subject requests.

10. DSAR Workflow

1. Request Received

• Email: privacy@apexmediation.ee

• Console: Settings → Privacy → Submit DSAR

2. Identity Verification (within 48 hours)

• Verify requester is data subject or authorized agent

3. Data Compilation (within 15 days)

• Export all personal data in structured JSON/CSV format

• Include processing purposes, categories, and recipients

4. Delivery (within 30 days of request)

• Secure download link (time-limited) or encrypted email

• Deletion confirmation with audit trail if requested

11. Incident Response

In the event of a security incident, we follow a structured response process:

  1. Detection & Triage: Automated monitoring alerts + manual review
  2. Containment: Isolate affected systems, rotate credentials if needed
  3. Investigation: Root cause analysis using audit logs
  4. Notification: Affected customers notified within 72 hours (GDPR timeline)
  5. Remediation: Fix deployed, post-incident review conducted

Report security issues to: security@apexmediation.ee

12. Contact Information

Security Inquiries (incidents): security@apexmediation.ee

Privacy / DPO (data rights): privacy@apexmediation.ee

General Contact: hello@apexmediation.ee

Website: https://apexmediation.ee

Registered Entity: Bel Consulting OÜ, Estonia

© 2026 Bel Consulting OÜ. All rights reserved.

This document is confidential and intended for security evaluation purposes.

Document generated from verified codebase implementation.

Back to Security Pack