Security and governance posture for Apotheon evaluations
Security, deployment, and data controls
Public posture statements are intentionally scoped and reviewed through the same governance model as proof claims.
Security architecture
Defense-in-depth target architecture with tenant isolation, least-privilege service access, centralized logging, policy gates, and reviewable audit evidence.
Deployment models
Evaluation patterns include Apotheon-managed cloud, customer cloud, and hybrid/private deployment discussions; final controls are scoped per contract and environment.
Encryption
Target posture uses TLS in transit, managed key services for data at rest, secrets management, and environment-specific key ownership review.
SSO, RBAC, and audit
Enterprise deployments are designed for SSO, role-based access, approval workflows, administrative audit trails, and periodic access review.
Retention and deletion
Retention windows, deletion workflows, backup handling, legal holds, and evidence-preservation requirements are documented during implementation.
Subprocessors
Subprocessor lists and data-flow responsibilities are supplied during procurement and updated when deployment scope or vendors change.
Disclosure, compliance, and incident posture
Vulnerability disclosure and security.txt
Report suspected vulnerabilities through Apotheon contact while a dedicated /.well-known/security.txt policy is prepared for publication. Do not include sensitive exploit details in public channels.
Compliance status wording
Apotheon describes controls, mappings, and readiness work without claiming certifications that have not been formally issued. Any SOC 2, ISO, HIPAA, FedRAMP, CMMC, or EU AI Act statement must identify whether it is a target architecture, readiness assessment, customer responsibility mapping, or completed third-party validation.
Incident history
No material public security incidents are listed in this Trust Center as of 2026-07-19. This statement is reviewed as part of the trust-page publication workflow and should be updated with incident date, scope, impact, containment, customer notice, and corrective actions if that changes.