Security

Built for institutional trust.

Every layer of Akha is engineered with the security expectations of regulated financial institutions.

  • Application: OWASP Top 10 · Input validation · CSRF protection · CSP headers
  • Authentication: MFA · RBAC · ABAC · JWT with rotation · Session management
  • Data: AES-256 at rest · TLS 1.3 in transit · Zero-knowledge VDR
  • Infrastructure: AWS VPC · WAF · DDoS protection · Automated patching

Security Details

Last updated: 4 April 2026

Security Overview

Akha is a platform that handles sensitive financial, compliance, and identity data. We treat security as a foundational requirement, not a feature. Our security posture is designed to meet the standards of institutional funders, regulated financial services, and POPIA compliance.

Encryption

At Rest

All data stored on our systems is encrypted using AES-256 encryption. This includes database records, uploaded documents in the Compliance Vault, assessment data, and audit logs. Encryption keys are managed through AWS Key Management Service (KMS) with automatic rotation.

In Transit

All communications between your browser and our servers are encrypted using TLS 1.3. We enforce HSTS headers, OCSP stapling, and certificate transparency monitoring. Older TLS versions are not supported.

Authentication & Access Control

  • Multi-factor authentication (MFA): Available for all accounts, required for administrative and funder accounts.
  • Role-based access control (RBAC): Permissions are assigned based on user role (Founder, Funder, Consultant, Admin).
  • Attribute-based access control (ABAC): Fine-grained permissions based on document type, data sensitivity, and user relationship.
  • Session management: Tokens are short-lived with automatic refresh. Sessions expire after inactivity and can be revoked remotely.
  • Brute-force protection: Account lockout after repeated failed attempts with progressive delays.

Virtual Data Room Security

The Compliance Vault (VDR) is the most sensitive component of the platform. Security measures include:

  • Per-document encryption with unique keys
  • Granular access permissions: view-only, download, or no access
  • Time-limited access links that expire automatically
  • Immutable audit trail recording every view, download, and share action
  • Watermarking on viewed documents to deter unauthorised sharing
  • Owner-controlled permissions: Akha staff cannot access your documents without explicit consent

Infrastructure Security

  • Cloud provider: AWS with VPC isolation, private subnets, and security groups.
  • Web Application Firewall (WAF): Protects against common web exploits and DDoS attacks.
  • Network segmentation: Application, database, and storage tiers are isolated.
  • Automated patching: Operating system and dependency updates are applied automatically.
  • Backup & recovery: Automated daily backups with point-in-time recovery and cross-region replication.

Application Security

  • OWASP Top 10: All development follows OWASP guidelines with automated scanning in CI/CD.
  • Input validation: All user inputs are sanitised and validated server-side.
  • CSRF protection: Token-based CSRF prevention on all state-changing requests.
  • Content Security Policy: Strict CSP headers prevent XSS and data injection attacks.
  • Dependency scanning: Automated vulnerability scanning of all third-party packages.
  • Rate limiting: API rate limits prevent abuse and credential stuffing.

AI & Data Boundaries

Akha uses AI for document validation, scoring, and matching. Important boundaries:

  • Your data is never used to train third-party AI models.
  • AI processing occurs within our secure infrastructure; your data is not sent to external APIs for training.
  • All AI-generated outputs (scores, matches, roadmaps) are auditable and explainable.
  • Human review is available for any contested AI decision.

Monitoring & Penetration Testing

  • 24/7 infrastructure monitoring with automated alerting
  • Application-level logging with anomaly detection
  • Regular third-party penetration testing (at minimum annually)
  • Bug bounty programme for responsible security researchers

Incident Response

Our incident response plan follows five phases:

  1. Detection: Automated monitoring identifies potential incidents.
  2. Containment: Affected systems are isolated to prevent spread.
  3. Investigation: Root cause analysis determines scope and impact.
  4. Notification: Affected users and the Information Regulator are notified per POPIA Section 22.
  5. Recovery: Systems are restored and preventive measures are implemented.

Responsible Disclosure

If you discover a security vulnerability, please report it responsibly:

  • Email security@akhadigital.co.za with details of the vulnerability.
  • Do not publicly disclose the vulnerability until we have addressed it.
  • We will acknowledge your report within 24 hours and provide updates on our remediation progress.
  • We will not take legal action against researchers who act in good faith.

Compliance Standards

Akha's security practices align with the following standards and regulations:

  • POPIA (Protection of Personal Information Act): full compliance
  • FICA (Financial Intelligence Centre Act): KYC and AML requirements
  • OWASP Top 10: application security best practices
  • ISO 27001 (information security management): aligned practices
  • SOC 2 (service organisation controls): aligned practices
  • NCA (National Credit Act): applicable financial regulations

Security Contact

For security concerns, vulnerability reports, or questions:

Security Team
Email: security@akhadigital.co.za
Response time: Within 24 hours
