APLEXICA

Trust is engineered, not asserted.

Aplexica is built so that we cannot read your content even on our own servers. The architecture is public; the cryptography is auditable; the sub-processor list is current. Below is the complete picture.

Encryption: XChaCha20-Poly1305
Hosting: AWS · us-east-1
Audits: SOC 2 — planned

The four guarantees.

  • 01

    Zero knowledge

    Per-namespace symmetric keys never leave your devices. Aplexica’s servers cannot decrypt your content under any circumstance.

  • 02

    Open source

    The daemon, the portal, and the self-hosted relay artifacts are AGPL-3.0. The trust boundary is auditable end to end.

  • 03

    Minimum data

    We collect only what we need to operate the service: identity, billing metadata, and encrypted payloads. No third-party trackers.

  • 04

    Customer control

    Export everything via CLI. Delete anything via portal. Bring your own KMS keys on Enterprise. Cancel without forfeiting your data.

What we do — and don’t — with your data.

  • 01

    End-to-end encryption

    Customer artifact bodies are encrypted on the client with XChaCha20-Poly1305 keys derived per namespace. Aplexica’s servers handle only ciphertext.

  • 02

    Audit logging

    Every audit-relevant action on the control plane is recorded with actor, action, target, and signed timestamps. Exportable to your SIEM at Team and Enterprise.

  • 03

    Customer-managed keys

    Enterprise customers can supply their own KMS-rooted keys. Aplexica becomes a transport with no ability to decrypt at rest or in flight.

  • 04

    Infrastructure

    Aplexica Cloud runs on AWS in us-east-1 today (eu-west-1 planned). All compute is private-subnet only. No public databases. No public buckets.

  • 05

    Backups & retention

    Encrypted backups are taken daily with 30-day retention. Customer-driven deletes propagate within 30 days to all replicas and backups.

  • 06

    Open source

    The Aplexica daemon, the portal, and the self-hosted relay artifacts are all AGPL-3.0. Inspect what runs on your machine. Build from source if you prefer.

Certifications.

Aplexica was incorporated in 2026. Formal certifications take time; we publish honest status updates rather than logos we have not yet earned.

SOC 2 Type II

Planned — Type I scoping is in progress; Type II observation period opens once Type I is complete.

GDPR & UK GDPR

DPA available on request today; sub-processor list public; standard contractual clauses in place for non-EEA processors.

ISO 27001

On the roadmap. Control mapping is being authored against the existing security architecture.

HIPAA & PCI

Not in scope for the self-serve tiers. Enterprise customers with regulated workloads should reach out — many controls are already in place.

Report a vulnerability.

Found a security issue? We want to hear about it. Email the address below; for sensitive details, please encrypt with the Aplexica security PGP key. We acknowledge reports within 72 hours.

Contact: security@aplexica.com
PGP fingerprint: TBD — published with the security runbook
Acknowledgement: Within 72 hours of report receipt.
Disclosure policy: Coordinated. Status within 7 days; decision within 90.

Need to talk to a human?

Aplexica's security team responds within one business day.