
APEX

Anti-Predatory Ethics Exchange

Version 1.0 — February 2026

APEX is an open standard for ethical software publishing. It defines the business conduct requirements a product must meet to carry the APEX mark and rating. Certification is granted and maintained by the APEX governing body.

The APEX rating is a score out of 99, divided equally across three pillars: Ownership, Privacy, and Transparency. A product that triggers any deal breaker is disqualified from certification regardless of its score.

Deal Breakers

The following practices are incompatible with APEX certification. Any product found to engage in any of these practices will be denied or stripped of certification:

  • No perpetual license is offered
  • User data is sold to third parties
  • Terms of service change without notice
  • Vulnerability Level 4 - the user has no control over data or updates
  • Remote access to the user's device or data without explicit user authorization

Pillar 1 - Ownership (33 points)

Requirements are weighted equally within this pillar.

  • Perpetual License - a one-time perpetual license is offered at a fixed price. Free tiers and subscriptions are permitted in addition.
  • Right to Repair - the user has access to documentation sufficient to maintain and repair the product.
  • Right to Modify - the user is permitted to modify the software for personal use.
  • Succession - the license is transferable to another person, including by inheritance.
  • Versioning - prior versions remain available to the user. The user cannot be forced to update. New versions may be offered at an additional cost, provided the prior version remains fully functional.
  • Installability - the product is installable offline, for example via USB, without requiring a network connection or remote authentication to activate.
  • Portability - the user can export their data in a standard, non-proprietary format.
  • Auditability - the user can verify what the product is doing on their device.

Pillar 2 - Privacy (33 points)

Requirements are weighted equally within this pillar. Privacy is measured in part by the product's Vulnerability Level, defined as follows:

  • Level 0 - AirGapped - No internet connection required for any aspect of the software. Installation, updates, and operation are all achievable via USB or equivalent offline means.
  • Level 1 - Local with User-Controlled Connectivity - Internet required for installation or updates, but data is stored locally in encrypted form. All internet activity is explicitly initiated and controlled by the user.
  • Level 2 - Online-Dependent with Local Storage - Internet required to operate, but data is stored locally in encrypted form and is encrypted in transit. The user has manual control over updates.
  • Level 3 - Remote Storage - Internet required to operate, data saved remotely. The user has manual control over updates.
  • Level 4 - Fully Surrendered - Internet required, data saved remotely, no user control over updates or data practices. This is a deal breaker and disqualifies the product from certification.

Additional privacy requirements:

  • Disclosure - the product's Vulnerability Level is clearly disclosed to the user before purchase.
  • Data Collection - the product clearly discloses what data it collects, stores, or transmits, and under what circumstances.
  • User Authorization - no data leaves the user's device without explicit user authorization.
  • No Tracking - the product does not track, profile, or build behavioral models of the user without explicit consent.
  • No Sale - user data is never sold to third parties.

Pillar 3 - Transparency (33 points)

Requirements are weighted equally within this pillar.

  • Plain Language - terms of service are written in plain language, free of legal obfuscation.
  • Cost Disclosure - all costs are clearly disclosed upfront with no hidden fees or surprise charges.
  • Duration Disclosure - the duration of the license is clearly disclosed, including what the user owns and for how long.
  • Data Disclosure - data practices are clearly disclosed, including what is collected, stored, transmitted, and by whom.
  • Notice of Change - terms of service do not change without notice to the user.
  • No Hidden Terms - there are no terms that contradict or supersede the plain-language disclosure.
  • Third-Party Disclosure - any third-party services that handle user data are clearly identified.

Certification

APEX certification is granted by the APEX governing body upon review of the applying product and company. The governing body reviews the product against all deal breakers and pillar requirements and assigns a score.

Certified products display their APEX score and Vulnerability Level publicly. A public registry of certified products is maintained at [apex registry URL].

Certification may be revoked if a product or company is found to be in violation of the standard. Revocation is published in the public registry.

To apply for APEX certification, contact [contact information].

Governing Body

APEX is currently governed by Flowster. An independent foundation is forthcoming. The standard is published openly so that any company may review the requirements before applying.

Code License

The Flowster Framework, on which Flowster is built, is released under the MIT License. Products built on the Flowster Framework may be open source or proprietary. APEX certification is available to both.
