Security & Data Sovereignty

Your data, on our infrastructure, under your control.

Security pillars

Six principles that govern how we build, host, and operate Apivom.

Encryption at rest & in transit

All data is encrypted in transit with TLS 1.3 and at rest with AES-256. Keys are managed in our own Key Vault — never shared with third parties.

Our infrastructure, our control

Apivom runs on Microsoft Azure today, inside our own tenant — not on shared SaaS infrastructure. Enterprise customers can request migration to other clouds or fully customer-managed deployments.

GDPR & KVKK aligned

Privacy-by-design from day one: data minimization, purpose limitation, and built-in workflows for subject access, rectification, and erasure requests.

100% self-hosted stack

Analytics, CMS, email automation, error tracking, secrets — every component runs in our tenant. Your data is never silently forwarded to third-party SaaS vendors.

Zero-trust access control

Keycloak OIDC authentication with OpenFGA fine-grained authorization. Every action is checked against least-privilege relationships — no shared admin accounts.

Responsible disclosure

Found a vulnerability? Email security@apivom.com. We acknowledge reports within 48 hours and work directly with researchers on coordinated disclosure.

Why data sovereignty matters

Most modern SaaS platforms quietly forward your customer data to a dozen third-party tools — analytics, tag managers, email vendors, error trackers, A/B testing platforms. Each one becomes another sub-processor in your privacy notice, another vendor to audit, another regulatory surface you don't fully control.

Apivom takes the opposite approach. Every layer of our stack — analytics (Apivom Opus), CMS (Apivom Vesta), customer data platform (Apivom Orbit), email automation (Apivom Mars), error tracking (Apivom Odin), secret management (Apivom Kami) — is open-source, self-hosted, and runs inside our own infrastructure. Your data stays where you can see it.

Today that infrastructure lives on Microsoft Azure inside our tenant. Tomorrow it could move to AWS, GCP, or a sovereign cloud. For enterprise customers with strict residency or compliance requirements, we offer customer-managed deployments where Apivom runs entirely inside your own infrastructure — same product, your control plane.

Data sovereignty isn't a feature flag for us. It's the foundation.

Have a security question? Talk to our team.

Vulnerability reports, compliance questionnaires, data-residency requests, or enterprise self-host evaluations — we read every message.

Email: security@apivom.com