Security Architecture

Transport Security

All platform communications use TLS 1.2+ with HSTS enforcement. Content Security Policy headers prevent cross-site injection. CSRF protection on all state-changing operations.

Authentication & MFA

Multi-factor authentication is mandatory for all staff and superusers. Customer accounts support TOTP authenticator apps and email OTP. JWT-based single sign-on uses time-limited tokens with one-time use enforcement.

Attack Prevention

Honeypot traps for automated scanner detection, rate limiting on all API endpoints and public forms, permanent IP blocklisting for confirmed malicious actors, and exploit blocking for known scanner patterns.

Security Monitoring

Automated security monitoring with email alerts for anomalous activity. Daily security summaries for operations. Structured logging with full audit trails for authentication, API access, and billing events.

Data Storage

Production databases on managed PostgreSQL with automated backups. Media files on Azure Blob Storage with geo-redundancy. Passwords hashed with PBKDF2. Stripe handles all payment card data — no card data ever touches Aktirak servers.

Infrastructure

Deployed on Render.com with automated health checks, rolling deployments, and environment variable isolation. No secrets in source code. Environment-specific configurations prevent accidental exposure of production credentials.

Responsible AI Principles

Human Approval Required

AI specialists generate workflows and recommendations; they do not execute them autonomously. All workflows require explicit human approval before deployment. This is enforced at the platform architecture level, not just policy.

No Training on Customer Data

Customer business data, conversation history, and workflow artifacts are never used to train or fine-tune AI models. AI specialists are trained exclusively on methodology documentation, not customer operational data.

Explainability Standard

Every AI-generated workflow includes a rationale explaining the methodology applied, the process steps chosen, and the expected outcomes. Customers can always ask their AI specialist to explain any recommendation.

Multi-Provider Independence

AI capabilities are sourced from multiple providers (OpenAI, Anthropic, Google). No single AI vendor creates a single point of failure or undue dependency. Customers may choose their preferred AI engine for specialist sessions.

Compliance Framework

GDPR
EU data protection regulation — right to erasure, data portability, privacy notices
PIPEDA
Canadian federal privacy law — our baseline jurisdiction
CCPA
California Consumer Privacy Act — rights for California residents
PCI DSS
Payment card data — handled exclusively via Stripe; Aktirak is SAQ A eligible
OWASP Top 10
Application security — enforced in development as a baseline standard
WCAG 2.1 AA
Web accessibility — all public-facing platform pages maintain AA conformance

Security & Compliance Policies

Security Policy AI Usage Policy Data Protection Policy Acceptable Use Policy All Policies →

For security disclosures or compliance inquiries, use the corporate contact channel with the Security inquiry type.