Data hosting
AWS Sydney (ap-southeast-2)
This page provides the public technical security posture for APEXLyn Attest and Trace. It is published for CISOs, auditors, insurers, procurement officers, government and banking evaluators, MSP technical reviewers, and other qualified evaluators who need specific detail before making a platform decision. Every value on this page reflects the production architecture. Security documentation containing additional implementation detail is available under appropriate review.
Request security documentationData hosting
AWS Sydney (ap-southeast-2)
Encryption at rest
AES-256 via AWS KMS
Encryption in transit
TLS 1.3
Evidence storage
WORM — Write Once, Read Many
Tenant isolation
Row-level security and per-tenant evidence chains
Access control
RBAC, deny-by-default, MFA across all tiers
Data retention
Tier-based and contract-defined
Audit logging
Immutable, Australian-resident, retention-governed
All data processed and stored by the core APEXLyn Attest and Trace production platforms remains in Australia. This is enforced through infrastructure and deployment controls, not policy statements alone. The following controls are in production.
If future regional deployments are launched, each region maintains its own database, its own evidence storage, its own ledger continuity, and its own tenant isolation. No cross-region evidence replication occurs.
Key administration and protected-data access are separated through role-based controls. Detailed key policies, identifiers, permissions, and rotation procedures are provided through controlled security documentation.
Both platforms treat committed evidence as tamper-evident, traceable proof. Evidence integrity is protected through storage, ledger, cryptographic, application, and governance controls.
If evidence requires correction or additional context, a new record is appended. The earlier record remains part of the evidence history.
Automated isolation testing is part of the release process. Tests include: tenant A cannot read tenant B objects (including via JOIN queries), MSP can only view assigned tenants, injection and abuse attempts are rejected and logged. All failed isolation tests block release.
Every customer operates within an APEXLyn tenant. Access depends on the organization’s authorized operating model.
No direct customer is placed beneath an MSP hierarchy.
Tenant Admin | Approver | Reviewer | Viewer
Read-only access to authorized dashboards, evidence views, framework results, and generated reports
Reviews evidence, findings, report previews, and governance requests
Performs authorized attestations, risk acceptance, approvals, and governance actions
Manages tenant users, authorized configuration, connectors, reporting permissions, and approved workflows
Every protected action must explicitly permit the applicable role. Where access is not explicitly permitted, access is denied.
Authorisation decisions are enforced server-side. The user interface presents the actions authorised by the platform but does not independently determine access.
Exact thresholds, token behaviour, recovery procedures, and emergency-access limits are maintained in controlled security documentation.
All security-relevant actions across Attest and Trace are recorded in an immutable, Australian-resident audit log. Audit events cannot be altered or deleted after recording.
Login success, login failure, MFA challenge, and MFA result
Session start, renewal, logout, and termination
Role assignment, role removal, and permission changes
Connection, disconnection, credential rotation, and consent changes
Evidence ingestion and evidence commitment
Export requests, generation, and authorised downloads
Attestation, risk acceptance, approval, review, expiry, and termination
Framework, evidence-scope, and assessment-scope changes
Support request, approval, session activity, and termination
Authorised elevated or portfolio-level administrative activity
Detailed audit-event fields, storage architecture, correlation logic, and monitoring rules are provided through controlled security documentation.
Legal hold, preservation services, matter activation, extended retention, exports, and offboarding rights are governed by the applicable entitlement and contract.
Approved reports generated by Attest or Trace can have their hash recorded in the evidence ledger at generation. The report-verification endpoint allows authorised reviewers to confirm approved verification metadata without platform access.
When queried with a valid report identifier, the endpoint returns:
Unique report identifier
SHA-256 hash of the generated report
Time the report was generated(UTC)
Framework versions and assessment scope bound to the report
Assessment scope represented by the report
Confirmation that the report hash is recorded in the evidence ledger
Valid or Invalid
Human governance decisions—including attestation, risk acceptance, approval, review, and termination—are preserved as evidence-backed governance events.
Risk-acceptance workflows include documented reasons, ownership, expiry, and review. Expired or terminated decisions remain part of the governance history.
Reports generated by Attest support two readability modes from the same governed evidence base.
Executive / Insurer View(default)
Plain English. Minimal jargon. Designed for board members, executives, insurers, and non-technical reviewers. Technical identifiers appear only when referenced in the Evidence Appendix.
Technical Appendix View
Full evidence proof: cryptographic hashes, timestamps, event IDs, device identity, ledger references. Designed for auditors, CISOs, and technical reviewers who need to verify the evidence chain.
Every finding includes: (1) what failed, in plain English; (2) why it matters, expressed as risk; (3) what to do next, with specific remediation guidance tied to the control record; and (4) evidence reference with cryptographic hash and event ID. Reports are generated server-side only — never in the browser. The generated PDF is stored in AU-region storage and its hash is recorded as a governance or evidence event.
Attest does not produce binary pass/fail results from incomplete or questionable evidence. Every control assessment includes a confidence evaluation.
A control produces PASS only when confidence is HIGH — meaning:
If any of those conditions is not met, the output is UNKNOWN (insufficient evidence), not PASS. Missing required evidence never produces a passing result. This is a hard platform rule that cannot be overridden.
NOT_ASSESSED is used only for intentional scope exclusions — controls that are deliberately out of scope for the tenant's configuration. NOT_ASSESSED is never used to hide insufficient evidence.
All required evidence is present, fresh, valid, and confidence is HIGH
Evidence is present and evaluation determines non-compliance
The available evidence cannot prove this.
This was intentionally outside the agreed assessment scope.
Governance-approved exception with documented reason, owner, and expiry date
UNKNOWN means: "The available evidence cannot prove this." NOT ASSESSED means: "This was intentionally outside the agreed assessment scope." These outcomes remain separate so insufficient evidence is not presented as a passing result or hidden as an intentional exclusion.
Detailed infrastructure policies, security findings, incident procedures, recovery configurations, and operational runbooks are available only through controlled evaluation.
APEXLyn product capabilities do not replace legal, privacy, audit, regulatory, or professional advice.
Our technical support and engineering teams do not have standing access to your evidence storage or governance records.
No APEXLyn employee has standing read access to tenant evidence storage. Access to tenant configurations requires just-in-time approval, is time-limited, and requires a documented support-ticket reference.
Any action taken by authorised APEXLyn support personnel on a tenant configuration is recorded in the tenant’s audit history. You have visibility over APEXLyn support interactions with your environment.
We are committed to independent verification of our own infrastructure.
We undergo regular CREST-certified penetration testing. Executive summaries of our most recent test results are available to qualified evaluators upon request.
While our platform maps evidence to ISO/IEC 27001 and Essential Eight for our customers, APEXLyn itself is progressing toward formal ISO/IEC 27001:2022 certification for our own operations.
APEXLyn Attest & Trace does not claim certification, accreditation, or formal compliance on behalf of an organization. Attest does not replace qualified professional advice. Assessment outputs are evidence-based, confidence-calibrated, scope-bound, and version-bound. They should be reviewed by appropriately qualified professionals for formal compliance, audit, regulatory, and legal decisions.
Where a framework requirement depends on policies, training records, contracts, consents, attestations, or other governance evidence that is not available through approved evidence paths, Attest does not treat that requirement as PASS. The platform reports it as UNKNOWN — Insufficient Evidence or excludes it from the agreed assessment scope where appropriate.
If you are evaluating APEXLyn for an enterprise, government, banking, insurance, MSP, healthcare, legal, education, or regulated-industry deployment and require information beyond what is published on this page, additional documentation is available under appropriate review.
Request security documentationAvailable to qualified evaluators. Response within two business days.