1. Security Overview
Akha was designed from inception with security as a first-class architectural concern. The Platform handles sensitive financial documents, regulatory compliance data, beneficial ownership records, and funding negotiation information. We treat this with the same care as a regulated financial institution.
Our security posture is built on three principles: least privilege (every user, service, and process gets only the access it needs), defence in depth (multiple independent security layers), and transparency (we tell you what we do and do not do).
2. Encryption
At Rest
- AES-256-GCM encryption for all stored documents
- Google Cloud KMS-managed encryption keys
- Per-object envelope encryption for VDR files
- Database columns containing PII encrypted at application layer
In Transit
- TLS 1.3 enforced on all API and web connections
- HTTP Strict Transport Security (HSTS) with preloading
- Certificate pinning on mobile clients
- Internal service-to-service mTLS via Google Cloud service mesh
Encryption keys are rotated on a 90-day schedule and on demand after any security event. Key access is restricted to authorised services and audited through Google Cloud Audit Logs.
3. Authentication & Access Control
Multi-factor Authentication
- Firebase Authentication with email/password and OAuth (Google, LinkedIn)
- One-Time Password (OTP) via SMS or authenticator app
- Passkey / WebAuthn support for phishing-resistant login
- Brute-force protection via progressive delays and account lockout
Role-Based Access Control (RBAC)
- Distinct roles: FOUNDER, FUNDER, CONSULTANT, ADMIN, SUPER_ADMIN
- Permissions enforced at both API gateway and database query level
- No role can access another role's data unless explicitly authorised
- Admin access requires MFA and is audited on a per-action basis
Attribute-Based Access Control (ABAC)
- VDR document access is gated by resource-level policies, not just user role
- A Funder can only see a VDR if the SME has explicitly shared it with them
- Document-level ACLs allow sharing specific files without exposing the full vault
- All access grants carry an optional expiry date
Session Management
- JWT access tokens with 15-minute expiry
- Refresh tokens stored in HttpOnly, Secure, SameSite=Strict cookies
- Session invalidation on password change, account lock, or manual sign-out
- Concurrent session alerts for unusual login patterns
4. Virtual Data Room Security
The Virtual Data Room (VDR) is built on a zero-trust model. No party, including Akha staff, can view the contents of a VDR without explicit, auditable authorisation from the document owner.
Signed URLs
All document access uses time-limited signed URLs (max 1 hour). Direct storage URLs are never exposed.
Granular Sharing
Share individual documents or folder subsets. Funders see only what you choose and nothing else.
Full Audit Trail
Every view, download, share, and revocation is logged with timestamp, IP, and user identity.
Instant Revocation
Access grants can be revoked in seconds. Existing signed URLs expire on the next rotation cycle.
Malware Scanning
All uploads are scanned for malware and malicious content before storage.
Document Integrity
SHA-256 checksums are recorded at upload time and verified on access to detect tampering.
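The VDR controls above (explicit per-Funder grants with optional expiry, signed URLs capped at one hour, and a SHA-256 checksum recorded at upload and verified on access) fit together as one access path. The following is an added illustration in TypeScript, not Akha's own code; the grant table, object store, signing key and URL shape are constructed placeholders.

```typescript
import { createHash, createHmac, timingSafeEqual } from "node:crypto";

// Constructed stand-ins for the ACL table and object store; not Akha's schema.
type Grant = { docId: string; funderId: string; expiresAt?: number }; // epoch ms
const MAX_URL_TTL_MS = 60 * 60 * 1000; // signed URLs live at most 1 hour
const SIGNING_KEY = "constructed-placeholder-key"; // real deployments hold this in KMS

const grants: Grant[] = [
  { docId: "doc-1", funderId: "funder-A" }, // shared, no expiry
  { docId: "doc-2", funderId: "funder-A", expiresAt: Date.parse("2020-01-01T00:00:00Z") }, // lapsed
];
const store: Record<string, { bytes: Buffer; sha256: string }> = {};
// Record the SHA-256 checksum at upload time.
function upload(docId: string, bytes: Buffer): string {
  const sha256 = createHash("sha256").update(bytes).digest("hex");
  store[docId] = { bytes, sha256 };
  return sha256;
}

// ABAC check: the owner must have shared this document with this Funder, and the grant must not have lapsed.
function isAuthorised(docId: string, funderId: string, now = Date.now()): boolean {
  return grants.some(g => g.docId === docId && g.funderId === funderId
    && (g.expiresAt === undefined || g.expiresAt > now));
}

// Issue an HMAC-signed URL whose lifetime is clamped to the 1-hour maximum; null if not authorised.
function signUrl(docId: string, funderId: string, ttlMs: number, now = Date.now()): string | null {
  if (!isAuthorised(docId, funderId, now)) return null;
  const exp = now + Math.min(ttlMs, MAX_URL_TTL_MS);
  const sig = createHmac("sha256", SIGNING_KEY).update(`${docId}:${funderId}:${exp}`).digest("hex");
  return `/vdr/${docId}?user=${funderId}&exp=${exp}&sig=${sig}`;
}

// Serve a signed URL: verify signature, then expiry, then the recorded checksum before releasing bytes.
// The grant is not re-checked here, so a revoked share stays usable until the signing key rotates.
function fetchViaUrl(url: string, now = Date.now()): Buffer | "bad-signature" | "expired" | "not-found" | "tampered" {
  const u = new URL(url, "https://example.invalid");
  const docId = u.pathname.split("/")[2];
  const funderId = u.searchParams.get("user") ?? "";
  const exp = Number(u.searchParams.get("exp"));
  const sig = Buffer.from(u.searchParams.get("sig") ?? "", "hex");
  const expected = createHmac("sha256", SIGNING_KEY).update(`${docId}:${funderId}:${exp}`).digest();
  if (sig.length !== expected.length || !timingSafeEqual(sig, expected)) return "bad-signature";
  if (now >= exp) return "expired";
  const obj = store[docId];
  if (!obj) return "not-found";
  const actual = createHash("sha256").update(obj.bytes).digest("hex");
  if (actual !== obj.sha256) return "tampered"; // integrity verified on access
  return obj.bytes;
}
```

Because the serving path trusts only the signature and expiry, the rotation cadence of the signing key bounds how long a revoked share remains usable, which is the behaviour the Instant Revocation note describes.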
5. Infrastructure Security
Akha is hosted on Google Cloud Platform (GCP), which maintains ISO 27001, SOC 2, and PCI DSS certifications. Our primary data region is africa-south1 (Johannesburg) to ensure data sovereignty for South African users.
Network Isolation
All services run inside private VPC networks. Public internet exposure is limited to load balancers with firewall rules restricting inbound traffic.
Identity & Access Management
GCP IAM follows least-privilege. Service accounts are scoped to individual services with no cross-service over-permissioning.
Database Security
Cloud SQL instances are deployed in private VPC subnets with no public IP. Connections are authenticated via IAM and mTLS. Automated backups with point-in-time recovery are retained for 30 days.
Secret Management
All secrets (API keys, DB credentials, encryption keys) are stored in Google Secret Manager, never in source code or environment variable files.
Container Security
Docker images are scanned for CVEs at build time via Artifact Registry and Container Analysis. Images are signed and verified before deployment.
6. Application Security
Our development process embeds security checks at every stage of the software development lifecycle (SDLC).
OWASP Top 10
All application code is reviewed against the OWASP Top 10, including injection, broken authentication, XSS, SSRF, and insecure deserialisation. Automated SAST tools run on every pull request.
Input Validation
All inputs validated and sanitised at the API boundary using schema-based validation (Zod). SQL queries use parameterised statements via Prisma ORM, with no raw SQL interpolation.
Rate Limiting
API rate limiting is enforced per-user and per-IP to prevent abuse and denial-of-service. Adaptive limits kick in when anomalous patterns are detected.
CORS & CSP
Strict Cross-Origin Resource Sharing (CORS) headers on all API endpoints. Content Security Policy (CSP) and X-Frame-Options headers prevent clickjacking and script injection.
Dependency Management
Software dependencies are scanned weekly for known CVEs via Dependabot and Snyk. Critical vulnerabilities trigger an automatic patch workflow.
Code Review
All code changes require peer review before merging. Security-sensitive changes require a second security-focused review.
7. AI & Data Boundaries
Akha uses AI models for scoring, document analysis, smart replies, and roadmap generation. We apply strict data governance to all AI processing:
8. Monitoring & Penetration Testing
Continuous Monitoring
Google Cloud Security Command Center monitors our infrastructure continuously for misconfigurations, threats, and anomalies. Application logs are centralised in Cloud Logging with alerting for security-relevant events such as privilege escalation, mass data access, and login anomalies.
Penetration Testing
Akha conducts penetration tests against the Platform annually and after any major architectural change. Tests cover web application, API, and network layers. Findings are remediated on the schedule dictated by severity (Critical: 24h, High: 7 days, Medium: 30 days).
Security Information & Event Management (SIEM)
All security events feed into a centralised SIEM pipeline. Alerting rules detect brute-force attempts, credential stuffing, unusual data egress, and anomalous API usage patterns in real time.
9. Incident Response & Breach Notification
Akha maintains a documented Incident Response Plan (IRP) aligned to NIST SP 800-61. In the event of a security incident:
Detection
Automated alerts trigger immediate incident triage. On-call engineers are paged within 5 minutes of a critical alert.
Containment
Affected systems are isolated. Compromised credentials are immediately revoked. Access logs are preserved for forensic investigation.
Notification
If personal information is compromised, the Information Regulator and affected data subjects are notified as required by POPIA, as soon as reasonably practicable and no later than 72 hours where feasible.
Remediation
Root cause is identified and fixes are deployed. Platform status is updated at status.akha.co.za throughout the incident.
Post-Incident Review
A formal post-mortem is conducted within 10 business days. Findings are incorporated into security improvements and documented in the internal incident register.
10. Responsible Disclosure
We welcome responsible disclosure from security researchers. If you discover a vulnerability in the Akha Platform, please report it to us before public disclosure.
Report a Vulnerability
Email: security@akha.co.za
PGP key available on request for sensitive disclosures.
We commit to acknowledging reports within 2 business days, providing a timeline for resolution within 10 business days, and publicly crediting researchers (with their permission) after the issue is resolved. We do not pursue legal action against good-faith security researchers who comply with this policy.
11. Compliance Standards
POPIA (Act 4 of 2013)
Full compliance with South Africa's primary data protection legislation. Information Officer registered with the Information Regulator.
FICA (Financial Intelligence Centre Act)
Customer due diligence, beneficial ownership verification, and suspicious transaction reporting obligations are built into platform workflows.
OWASP Top 10
Application security controls mapped against the current OWASP Top 10 list. Annual review and update.
ISO 27001 (via GCP)
Infrastructure hosted on ISO 27001-certified Google Cloud Platform. Akha inherits applicable controls from GCP's certification.
SOC 2 Type II (via GCP)
Google Cloud's SOC 2 Type II reports cover the infrastructure layer. Akha's application controls are independently reviewed.
NCA (National Credit Act)
Where relevant to credit-related data handling, Akha aligns document verification and credit information processing with NCA requirements.
12. Security Contact
For security enquiries, vulnerability reports, or concerns about the security of your account, contact our security team:
Akha Integrated Platform: Security Team
Email: security@akha.co.za
For non-security enquiries, contact hello@akha.co.za