Apex Platform · Last updated: 2026-05-08 · Status: v1 published
This page is the canonical reference for Apex Platform's security posture, data-protection commitments, and external-validation evidence. Linked from the [security.txt](/security.txt) (RFC 9116) at the root of southlodge.ai.
What no other security scanner offers. Every finding, suppression, override, and scan run is cryptographically anchored into a SHA-256 hash chain that runs end-to-end through the audit log. An auditor can verify "this CVE was triaged with documented business justification by user X on date Y" cryptographically — not just "we have a database row that says so".
Implementation: 11+ migrations (mig 285 / 287 / 289 / 389 / 396) ship the chain plus row-level FOR UPDATE serialisation, hash-version-aware verification, and a known-forks baseline table for forensic review. Live verified 2026-05-08: 0 unbaselined chain forks; both audit_log_insert overloads hold the lock; security_navigator_code_finding trigger enabled.
Why this matters: for trust-services audit evidence, HIPAA §164.312(b) audit controls, ISO 27001 A.12.4 logging, PCI DSS 10.7 — auditors require non-repudiable audit trails. A scanner whose findings cannot be tampered with by either the customer or the vendor is a different category of evidence.
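The chain described above, as an added illustrative example in Python (not Apex's own code, which lives in the migrations listed): rows carry their predecessor's hash and a scheme version, the verifier dispatches on that version, re-hashes every row, checks that each parent exists, and flags any parent with more than one child that is not in the known-forks baseline. Column names, the single scheme version and the in-memory list standing in for the table are assumptions.

```python
import hashlib
import json
from dataclasses import dataclass

GENESIS = "0" * 64          # prev_hash of the first row in a chain


@dataclass
class Row:
    seq: int
    actor: str
    action: str            # e.g. "finding", "suppress", "override", "scan_run"
    payload: dict
    prev_hash: str
    hash_version: int
    row_hash: str = ""


def _hash_v1(r: Row) -> str:
    cols = {k: v for k, v in vars(r).items() if k != "row_hash"}   # every column but the hash
    return hashlib.sha256(json.dumps(cols, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


# Version-aware verification: the scheme id stored on the row selects the hasher, so rows
# written under an older scheme still verify after the scheme is upgraded.
HASHERS = {1: _hash_v1}
CURRENT_VERSION = 1


def append(rows: list, actor: str, action: str, payload: dict) -> Row:
    """Link one row to the current head (in the DB the head read is serialised with FOR UPDATE)."""
    prev = rows[-1].row_hash if rows else GENESIS
    r = Row(len(rows) + 1, actor, action, payload, prev, CURRENT_VERSION)
    r.row_hash = HASHERS[CURRENT_VERSION](r)
    rows.append(r)
    return r


def verify(rows: list, known_forks: frozenset = frozenset()) -> list:
    """Return problems found; [] means every row re-hashes and links and no unbaselined fork exists.
    Dropping the newest row leaves a valid shorter chain: only a head hash held outside the table catches that."""
    problems, by_hash, children = [], {r.row_hash for r in rows}, {}
    for r in rows:
        hasher = HASHERS.get(r.hash_version)
        if hasher is None:
            problems.append(f"seq {r.seq}: unknown hash version {r.hash_version}")
        elif hasher(r) != r.row_hash:
            problems.append(f"seq {r.seq}: row content does not match its stored hash")
        if r.prev_hash != GENESIS and r.prev_hash not in by_hash:
            problems.append(f"seq {r.seq}: prev_hash points at no row (deleted or rewritten parent)")
        children.setdefault(r.prev_hash, []).append(r.seq)
    for parent, seqs in children.items():
        if len(seqs) > 1 and parent not in known_forks:
            problems.append(f"fork: rows {seqs} share parent {parent[:12]} and it is not baselined")
    return problems
```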
Where Apex leads vs the market:
| Capability | Snyk | GitHub Advanced Security | Semgrep AppSec | Apex |
|---|---|---|---|---|
| Cryptographic audit-chain on findings | — | — | — | Yes (unique) |
| Client-side payload integrity verify (in-browser SHA-256 re-hash) | — | — | — | Yes (unique) |
| Per-tenant RLS isolation of findings | Yes | Yes | Yes | Yes |
| Open documentation + ADRs | Partial | Partial | Yes | Yes (12 ADRs + 13 systems diagrams shipped) |
| Software Bill of Materials (CycloneDX 1.5) | Yes | Yes | Yes | Yes — sbom.cyclonedx.json |
| RFC 9116 security.txt + Hall of Fame | Partial | Yes | Partial | Yes — security.txt + Hall of Fame |
Where Apex is catching up:
| Capability | Status | Target |
|---|---|---|
| Detection precision (recall + FP measured against labelled corpus) | Building | Recall ≥ 95% / FP ≤ 5% / calibration r ≥ 0.90 — published quarterly |
| Multi-language coverage | TS / JS + Python today | Java + Go + .NET + Ruby + PHP + mobile (extension roadmap) |
| Top-down direction (call-graph + taint + reachability) | Bottom-up shipped; top-down deferred | Sprint S6+ (per dual-direction-scan-strategy.md) |
| GitHub App + PR comments | Planned | Sprint S10 (plan filed at github-app-integration-plan.md) |
| VS Code extension v1 | Stub published | Sprint S11 — fork from shipped tools/windsurf-dashboard-ext pattern |
The security_navigator_code_* tables have Row-Level Security keyed on the canonical snake_case tenant_id JWT claim (mig 387). Cross-tenant access is technically impossible. The raw_engine_output, what_we_* and file_path columns are per-tenant trade-secret IP and warrant row-level audit-trigger defense-in-depth alongside the application-level logAudit calls.
The third-party services Apex uses to deliver the platform. Customer data flows are scoped via per-component DPAs.
| Sub-processor | Purpose | Data type | Region |
|---|---|---|---|
| Netlify (Netlify, Inc., USA) | Edge + Function compute | HTTP request/response metadata; ephemeral | Global edge; data in transit only |
| Neon (Neon Inc., USA) | PostgreSQL database | Customer findings, audit logs, configuration | EU-West-2 (London) |
| Anthropic (Anthropic PBC, USA) | LLM inference (Claude family) | Scan triage prompts (no source code persisted upstream) | USA |
| OSV.dev (Google LLC) | Vulnerability database lookups (CVE / GHSA) | Package names + versions only (public data) | USA |
Data-Processing Addendum template available on request — contact dpo@southlodge.ai.
Coordinated vulnerability disclosure per RFC 9116 (security.txt). Acknowledgements published at the Hall of Fame. Full policy at disclosure-policy.html.
Honesty disclosure (per CLAUDE.md verification-before-claims discipline): Apex has not yet engaged a third-party trust-services audit firm. We do not currently hold trust-services attestations from a named external auditor. Quality-floor measurements (recall / FP rate / calibration) are documented thresholds — not yet measured against a labelled corpus.
We will only update this section with explicit external evidence (audit-firm report, attestation letter, or measured corpus run). Cross-referenced from feedback_no_uncertified_compliance_claims.md.
What WE can verify today (from public artefacts):
scripts/generate-sbom.mjs.
| Contact | Address |
|---|---|
| Vulnerability reports | security@southlodge.ai |
| Data-protection enquiries | dpo@southlodge.ai |
| General customer support | support@southlodge.ai |
This Trust Centre is open-source artefact-driven — every claim links to a verifiable source (GitHub commit, mig file, or live endpoint). Last updated 2026-05-08 by the engineering team during the multi-dimensional audit + path-to-A+ planning session.