Is AppApex SOC 2 certified?

Not yet. We are working toward SOC 2 Type II and do not currently claim certification. If your buying process requires SOC 2 today, AppApex is not the right fit yet — we will announce certification publicly when it is complete.

Where is my data stored?

In US regions on Vercel (compute) and Supabase (Postgres + authentication). We do not replicate to non-US regions.

Can AppApex modify my App Store metadata or paywalls?

Not without your explicit approval. We use read-only API access. On Growth and Studio plans, AppApex can execute approved actions on your behalf, but every action is staged and reviewed before it runs.

How do I revoke AppApex access?

Regenerate your App Store Connect or RevenueCat API key. AppApex loses access the moment the old key is invalidated. We delete cached data within 24 hours of disconnection.

Do you sell or share my data?

No. Your app data is used exclusively to power your AppApex agents. We do not sell, share, or use customer data to train third-party models. Aggregate, anonymized benchmarks may be used internally to improve our AI prompts, never with personally or app-identifiable information.

Where can I report a security issue?

Email security@appapex.io with details. We acknowledge reports within 1 business day.

Agents How it works Integrations Pricing

Security

Read-only access.Encrypted at rest.Revoke in 60 seconds.

AppApex connects to your App Store Connect, RevenueCat, and Superwall accounts using read-only API keys you generate yourself. Credentials are encrypted at rest with AES-256-GCM and stored separately from the encryption key. We host on Vercel and Supabase in US regions. Every agent-executed action requires your approval before it runs.

Read-only API access
AppApex authenticates to App Store Connect, RevenueCat, and Superwall using read-only API keys you generate yourself. We never request write scopes. We physically cannot push App Store metadata, modify paywalls, or change your app without your explicit involvement.
AES-256-GCM credential encryption
API keys are encrypted at rest in our database using AES-256-GCM with per-row nonces. The encryption key is held in a Vercel-managed environment variable separate from the database. A database snapshot leak alone cannot decrypt your credentials.
US-region hosting on Vercel and Supabase
AppApex is deployed on Vercel (US regions) with Postgres and authentication on Supabase (US regions). All traffic is TLS 1.3 end-to-end. All compute and storage run in US regions; we do not replicate to non-US regions.
Action approval before execution
Even on Growth and Studio plans where AppApex can execute approved actions ("Do it with AI"), every action is staged and shown to you before it runs. There is no autonomous execution mode that bypasses review.
You can revoke access in under 60 seconds
AppApex never holds OAuth tokens or session cookies for your provider accounts. To revoke access, regenerate your read-only API key in App Store Connect or RevenueCat. AppApex loses access immediately and we delete the cached data within 24 hours of disconnection.

Read-only access.Encrypted at rest.Revoke in 60 seconds.

How we protect your data

Read-only API access

AES-256-GCM credential encryption

US-region hosting on Vercel and Supabase

Action approval before execution

You can revoke access in under 60 seconds