Security, confidentiality and corporate transparency.
Independent advisory work depends on trust. This page consolidates the third-party validations of our infrastructure, the controls we apply to transaction data, our corporate identification and the channels through which security researchers and clients can reach us.
Third-party security checks.
Live reports from independent scanners. Click any badge to verify the current rating on the provider's website.
Independent TLS / HTTPS configuration audit.
View live reportNo unsafe content detected by Google's threat intelligence.
View live reportReputation and malware scan by Gen Digital / Norton.
View live reportAggregated scan across 90+ antivirus and URL scanners.
View live reportControls applied to every mandate.
Confidentiality is a discipline, not a clause. The controls below are enforced for every client engagement, from preliminary discussions through closing and post-closing record retention.
- Mandatory NDA for access
Every counterparty signs a non-disclosure agreement before any project material is shared.
- Granular permission control
Permissions are scoped per user, per document and per project phase.
- Document watermarking
Sensitive files are dynamically watermarked with the recipient's identity and timestamp.
- Download auditing
All downloads are recorded with user, IP, document and timestamp.
- Immediate access revocation
Access can be revoked in real time — including for files already opened.
- Full activity logs
Tamper-evident logs of every view, print, download and share are retained for the life of the mandate.
- Per-user restricted sharing
Sharing is disabled by default; secondary distribution requires explicit partner approval.
Who you are contracting with.
- Legal name
- Apeltrys Serviços Administrativos Ltda
- CNPJ
- 56.005.202/0001-80
- Registered address
- Av. Paulista 1106, sala 01, 16º andar — São Paulo, SP, Brazil
- Ownership structure
- 100% nationally owned (Brazil)
- Applicable jurisdiction
- Federative Republic of Brazil
- Institutional contact
- societario@apeltrys.com
Scale of the platform.
- Active mandates
- 30+ live projects
- Aggregate transaction volume
- > US$ 1 billion
- Strategic & financial investors reached
- 3,000+
- Geographic coverage
- Latin America, United States, Canada, Europe, Israel, United Kingdom & Ireland
Uptime and security incident history.
Public website, secure deal-room infrastructure and client communication channels are monitored continuously. Incidents are published here as they are confirmed.
Apeltrys Advisors has had no confirmed security incidents to date. Any future incident affecting client data will be disclosed here, in writing to affected counterparties, and to the competent authorities as required by applicable law.
Reporting a vulnerability.
Apeltrys Advisors welcomes reports from security researchers, clients and the public regarding potential vulnerabilities in our digital assets. We commit to acting in good faith toward anyone who reports an issue through the channels described below.
- Acknowledge receipt of valid reports within five business days.
- Provide an initial assessment and indicative remediation timeline within fifteen business days.
- Not pursue civil or criminal action against researchers acting in good faith and within the scope of this policy.
- Credit reporters publicly when remediation is complete, with their consent.
- Give us a reasonable opportunity to remediate before any public disclosure.
- Avoid accessing, modifying or destroying data that does not belong to them.
- Refrain from denial-of-service testing, social engineering of our staff, or physical attacks against our offices or counterparties.
- Comply with all applicable laws, including the Brazilian General Data Protection Law (LGPD).
How we handle reports internally.
- Step 01Intake
Reports received via security@apeltrys.com or the anonymous whistleblowing channel are triaged within one business day by the security contact.
- Step 02Validation
Findings are reproduced in a controlled environment and classified by severity using CVSS v3.1.
- Step 03Remediation
Critical and high-severity issues are remediated within 7 and 30 days respectively. Medium and low-severity findings follow the next quarterly maintenance window.
- Step 04Verification
Fixes are independently re-tested before closure. The reporter is invited to confirm the remediation.
- Step 05Disclosure
Once remediated, findings may be disclosed in coordinated fashion with the reporter, including CVE assignment where relevant.
- Step 06Post-mortem
Significant findings trigger a written post-mortem with structural fixes, retained as part of our internal control library.
How to reach us, securely.
Direct channel for vulnerability reports, security inquiries and audit requests.
For sensitive disclosures requiring anonymity, use our Hushline channel at tips.hushline.app/to/apeltrys. Messages are end-to-end encrypted.
Apeltrys does not currently publish a PGP key. For confidential communication please use the Hushline channel, which provides equivalent end-to-end encryption without key-management overhead for the reporter.
Path to formal attestation.
Apeltrys Advisors is not yet SOC 2 certified. The roadmap below sets out the path we are following toward Type I and Type II attestation, and is shared in the interest of transparency.
- Q3 2026Phase 1 — Readiness
Scoping exercise, control gap analysis and selection of a Big-4 audit firm. Internal policies aligned to the Trust Services Criteria (Security, Confidentiality, Availability).
- Q4 2026 – Q1 2027Phase 2 — Remediation
Implementation of identified controls: access governance, vendor risk management, incident response runbooks, business-continuity testing and continuous monitoring tooling.
- Q2 2027Phase 3 — SOC 2 Type I
Point-in-time attestation of control design. Report shared with clients and counterparties under NDA.
- Q4 2027 – Q1 2028Phase 4 — SOC 2 Type II
Twelve-month observation window covering operating effectiveness, followed by Type II attestation.
The dates above are indicative and may shift based on auditor availability and the completion of remediation milestones. This page will be updated as each phase concludes.