APEX VAULT.
Platform

Single sanitization layer. Two replacements, four destinations, one perimeter.

The architecture, the data flow, the destinations Apex Vault can route to, and the systems it explicitly does not touch. Every enterprise deployment ends with an independent Letter of Attestation before traffic activates.

01

Data flow

Tracking events enter the Apex Vault sanitization boundary raw, exit sanitized. The boundary is a single proxy hop. Every event gets one of three outcomes: stripped, forwarded to private analytics, or forwarded as a non-identifying conversion signal.

| Event | What enters Apex Vault | What leaves Apex Vault | Destination |
|---|---|---|---|
| Page view | IP, browser fingerprint, URL, referrer, user agent | Full session data (first-party) | Matomo (private, client-owned) |
| Conversion event | IP, fingerprint, URL, form context | Per-event UUID, value, timestamp | Conversion APIs |
| Form interaction | Field-level interaction data | Interaction events (first-party only) | Matomo |
| EHR / patient portal | Never enters Apex Vault | | |
| CRM / marketing automation | Different data path | | |

What never crosses the wire to a third-party destination: raw IP, browser fingerprint, URL, referrer, user agent, click identifiers (fbclid, gclid), hashed email, hashed phone, hashed name, hashed date of birth, or any persistent user identifier. The Conversion API payload is restricted to a per-event UUID with no user linkage, the conversion value, and the timestamp.
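The payload restriction above, sketched as an added example that is not Apex Vault's own code: the outgoing conversion payload is built from an allowlist, and a separate egress check rejects extra keys or any raw identifier value that reappears in it. The field names, function names and sample event are assumptions made for illustration.

```python
import uuid
from datetime import datetime, timezone

# Assumed key names; the page names the three data items, not a schema.
ALLOWED_KEYS = frozenset({"event_id", "value", "timestamp"})

# Constructed sample of a raw conversion event entering the boundary.
RAW = {
    "ip": "203.0.113.7",
    "fingerprint": "fp-constructed-01",
    "url": "https://clinic.example/book?gclid=CONSTRUCTED123",
    "form_context": "appointment-request",
    "value": "129.00",
    "timestamp": 1717243200,
}

def sanitize_conversion(raw: dict) -> dict:
    """Build the third-party payload from scratch (allowlist) instead of
    deleting known-bad fields from the raw event (denylist)."""
    ts = datetime.fromtimestamp(float(raw["timestamp"]), tz=timezone.utc)
    return {
        "event_id": str(uuid.uuid4()),  # random per event, not derived from input
        "value": round(float(raw["value"]), 2),
        "timestamp": ts.isoformat(),
    }

def egress_violations(payload: dict, raw: dict) -> list:
    """Independent check run before a payload leaves the boundary."""
    problems = []
    extra = set(payload) - ALLOWED_KEYS
    missing = ALLOWED_KEYS - set(payload)
    if extra:
        problems.append(f"unexpected keys: {sorted(extra)}")
    if missing:
        problems.append(f"missing keys: {sorted(missing)}")
    # No raw identifier value may reappear anywhere in the outgoing payload.
    blob = " ".join(str(v) for v in payload.values())
    for key, val in raw.items():
        if key in ("value", "timestamp"):
            continue
        if isinstance(val, str) and val and val in blob:
            problems.append(f"raw {key} leaked")
    return problems
```

Because the event ID is random rather than a hash of any input, two conversions from the same visitor cannot be joined on it.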

02

Supported destinations

Two categories. Five named destinations. Nothing else is configurable as an Apex Vault output.

First-party analytics

Matomo

Private, client-owned analytics instance. Receives full first-party session data. Inside the client's perimeter. No third-party data flow.

Conversion API

Meta Conversions API

Server-side conversion events. Payload: per-event UUID, value, timestamp. No user identifier. Powers Advantage+, Smart Bidding, prospecting.

Conversion API

Google Ads Conversion API

Server-side conversion events to Google Ads. Same minimal payload structure. Powers Performance Max, Smart Bidding, aggregate conversion reporting.

Conversion API

Microsoft Bing UET (server-side)

Sanitized conversion events for Microsoft Advertising. Same minimal payload structure. Powers Bing's algorithmic optimization at the aggregate layer.

Conversion API

LinkedIn Conversion API

Server-side conversion events to LinkedIn. Same minimal payload structure. Powers Matched Audiences, Conversion Tracking at the aggregate layer.

Anything else

Not supported

Third-party analytics, CRM, marketing-automation platforms, and clinical systems are not configurable Apex Vault outputs. See Section 03.

03

Out of scope

Apex Vault is a perimeter proxy for the marketing and analytics tracking surface only. The following systems are explicitly not touched. They run on separate data paths and continue to operate exactly as they did before deployment.

Apex Vault does not sit in front of:

  • Third-party analytics (GA4, Adobe Analytics): Replaced by Matomo
  • EHR / EMR systems (Epic, Cerner, athenahealth, eClinicalWorks, NextGen): Different data path · untouched
  • Authenticated patient portals: Different data path · untouched
  • Clinical workflow systems: Different data path · untouched
  • CRM platforms (Salesforce, HubSpot, Zoho): Different data path · untouched
  • Marketing automation (Marketo, Pardot, Klaviyo, ActiveCampaign): Different data path · untouched
  • Email marketing (Mailchimp, Constant Contact): Different data path · untouched
  • Marketing platforms (Freshpaint, Segment): Different data path · untouched
  • Clinical-trial / pharmacovigilance systems: Different data path · untouched
  • Anything not on the visitor's browser-side tracking surface: Out of scope

04

Validation Standard

Every MSO Platform and Enterprise deployment ends with an independent Letter of Attestation before any live production data routes through the perimeter. Three pillars.

01

Isolated Provisioning

Dedicated single-tenant deployment on enterprise-grade cloud infrastructure carrying provider-level SOC 2 Type II and ISO 27001 attestations, operated under Apex Vault's direct engineering control. Apex Vault's own posture is CSA CCM / CAIQ self-attested, with SOC 2 Type 1 as the next milestone.

02

Dedicated Penetration Testing

Independent third-party security firm conducts a targeted manual pen test against the client's specific infrastructure before any live production data enters. Cost absorbed by Apex Vault. Findings remediated to zero un-remediated Critical or High under CVSS v3.1.

03

Attestation at Go-Live

Independent Letter of Attestation issued. Traffic routing activates only after manual hardening, validation, and the clean attestation. Annual re-validation pen test runs against the deployment for the life of the engagement.

05

Deployment timeline

MSO Platform and Enterprise deployments run a 9-week cycle anchored on the Validation Standard. Independent Practice tier runs a 7-day cycle on multi-tenant infrastructure with an annual third-party security review.

Weeks 1 — 2

Isolated provisioning & hardening

Single-tenant environment provisioned on enterprise-grade cloud infrastructure. Initial hardening pass. BAA execution. Pen-test firm engaged. Site survey of the client's tracking deployments.

Weeks 3 — 6

Integration & configuration

Apex Vault proxy configured for the client's specific tracking surface. Matomo instance provisioned. Conversion API routes wired to client ad accounts. End-to-end testing of sanitized data flow under non-production traffic.

Weeks 7 — 8

Penetration testing & remediation

Independent third-party manual pen test against the client's specific infrastructure. Findings reviewed. Remediation to zero un-remediated Critical or High. Re-test as needed.

Week 9

Attestation & go-live

Letter of Attestation issued. Tracking pixels removed from client site. Traffic routing activates. Sanitized data flow goes live. Annual re-validation pen test scheduled for next cycle.

06

Pricing

Independent Practice tier is publicly priced on the Independent Practice page. MSO Platform and Enterprise tier pricing is MNDA-gated.

Tier sheets covering MSO Platform and Enterprise — including Validation Standard scope, single-tenant infrastructure terms, annual re-validation pen test, BAA negotiation scope, and indemnification structure — are made available under MNDA.

compliance@apexvaultcompliance.com