APEX VAULT.
How it works

What enters. What leaves. What never crosses the wire.

A single sanitization boundary between your site and every third-party tracking destination. Tracking events enter raw, leave with no matchable identifier of any kind. Every Enterprise and MSO Platform deployment ends with an independent Letter of Attestation before live traffic activates.

01

Data flow

Every tracking event takes one of three paths: stripped at the perimeter, forwarded to private analytics in full, or forwarded as a non-identifying conversion signal.

Event What enters Apex Vault What leaves Apex Vault Destination
Page view IP, browser fingerprint, URL, referrer, user agent Full session data (first-party) First-party analytics (private, client-owned)
Conversion event IP, fingerprint, URL, form context Per-event UUID, value, timestamp Conversion APIs
Form interaction Field-level interaction data Interaction events (first-party only) First-party analytics
EHR / patient portal Never enters Apex Vault
CRM / marketing automation Different data path

What never crosses the wire to a third-party destination: raw IP, browser fingerprint, URL, referrer, user agent, click identifiers (fbclid, gclid), hashed email, hashed phone, hashed name, hashed date of birth, any persistent user identifier. The Conversion API payload carries a per-event UUID, the conversion value, and the timestamp. Nothing else.

02

Destinations

Two categories. Five named outputs. Nothing else is configurable.

First-party analytics

Private analytics instance

Visibility into user behavior without forwarding it to Google or Meta (neither will sign a BAA for these products). Private, client-owned instance inside your perimeter. Full session data, no third-party flow. Replaces GA4 / Adobe Analytics.

Sanitized Conversion APIs (server-side)

Meta · Google · Bing · LinkedIn

Each receives a per-event UUID, conversion value, timestamp. No user identifier crosses the wire. Powers Advantage+, Performance Max, Smart Bidding at the aggregate layer.

Anything else — third-party analytics, CRM, marketing automation, clinical systems — is not a configurable output. See Section 03.

03

Out of scope

Apex Vault is a perimeter proxy for the marketing and analytics surface only. Everything else runs on separate data paths and is untouched.

What Apex Vault does NOT touch

  • EHR / EMR (Epic, Cerner, athenahealth, eClinicalWorks, NextGen)Untouched
  • Authenticated patient portals · clinical workflow systemsUntouched
  • CRM & marketing automation (Salesforce, HubSpot, Marketo, Pardot, Klaviyo)Untouched
  • Email marketing (Mailchimp, Constant Contact, etc.)Untouched
  • Marketing platforms (Freshpaint, Segment)Untouched
  • Clinical-trial & pharmacovigilance systemsUntouched
  • Third-party analytics (GA4, Adobe Analytics)Replaced by first-party analytics
04

Validation Standard

Every MSO Platform and Enterprise deployment ends with an independent Letter of Attestation before live production data routes through the perimeter.

01

Isolated Provisioning

Dedicated single-tenant deployment on enterprise-grade cloud infrastructure carrying provider-level SOC 2 Type II and ISO 27001 attestations, operated under Apex Vault's direct engineering control. Apex Vault's own posture is CSA CCM / CAIQ self-attested, with SOC 2 Type 1 as the next milestone.

02

Dedicated Penetration Testing

Independent third-party security firm conducts a targeted manual pen test against the client's specific infrastructure before any live production data enters. Cost absorbed by Apex Vault. Findings remediated to zero un-remediated Critical or High under CVSS v3.1.

03

Attestation at Go-Live

Independent Letter of Attestation issued. Traffic routing activates only after manual hardening, validation, and the clean attestation. Annual re-validation pen test runs against the deployment for the life of the engagement.

05

Deployment timeline

9 weeks for MSO Platform and Enterprise — anchored on the Validation Standard. Independent Practice tier runs a 7-day cycle on shared infrastructure.

Weeks 1 — 2

Isolated provisioning & hardening

Single-tenant environment provisioned on enterprise-grade cloud infrastructure. Initial hardening pass. BAA execution. Pen-test firm engaged. Site survey of the client's tracking deployments.

Weeks 3 — 6

Integration & configuration

Apex Vault proxy configured for the client's specific tracking surface. First-party analytics instance provisioned. Conversion API routes wired to client ad accounts. End-to-end testing of sanitized data flow under non-production traffic.

Weeks 7 — 8

Penetration testing & remediation

Independent third-party manual pen test against the client's specific infrastructure. Findings reviewed. Remediation to zero un-remediated Critical or High. Re-test as needed.

Week 9

Attestation & go-live

Letter of Attestation issued. Tracking pixels removed from client site. Traffic routing activates. Sanitized data flow goes live. Annual re-validation pen test scheduled for next cycle.

06

Request a tier sheet

Independent Practice pricing is public on /core. MSO Platform and Enterprise tier sheets are MNDA-gated — Validation Standard scope, single-tenant terms, annual re-validation cadence, BAA negotiation, indemnification structure.