Security First · Always

Your firm's data
is a fortress.

We built Akili Suite for legal professionals who handle confidential matters daily. Every architectural decision - from passwordless auth to tenant isolation - was made with your clients' confidentiality in mind.

All Systems Secure
TLS 1.3 Active
No Incidents
Security Architecture

Six layers of protection.

Every layer was built intentionally. None of this is box-checking - it's the security posture a legal platform demands.

Passwordless Authentication
No passwords are stored. Access is granted exclusively via time-limited, cryptographically signed magic links; the link tokens are held only as SHA-256 hashes and expire after 15 minutes. With no passwords to store, there is no password database to breach.
SHA-256 Tokens
Tenant Isolation
Every query is scoped to your firm's tenant ID at the application layer. Firm A cannot see Firm B's data under any circumstances. Enforced in every SQL statement, not just at the routing layer.
Row-Level Isolation
Encryption Everywhere
Data at rest is encrypted using AES-256 on Cloudflare D1 and R2. All data in transit uses TLS 1.2 or higher. HTTP is not supported on any endpoint.
AES-256 + TLS 1.3
Immutable Audit Logs
Every data access and modification event is recorded in an append-only audit trail. Who accessed what, when, from where. Available to Administrators in real time. Retained for 3 years.
3-Year Retention
Cloudflare Edge Security
All traffic passes through Cloudflare's WAF, DDoS mitigation, and bot management at the network edge before reaching the application. Rate limiting is enforced per tenant via Durable Objects.
Global Edge Defence
JWT Session Management
Sessions are cryptographically signed tokens. Each token can be individually revoked server-side. Sessions expire automatically after 30 days of inactivity.
Revocable Tokens
Technical Detail

Under the hood.

For the technically minded - and for your IT security team doing due diligence.

Infrastructure & Data
  • Cloudflare Workers - serverless compute, no persistent server process
  • Cloudflare D1 (SQLite) - AES-256 at rest, replicated globally
  • Cloudflare R2 - object storage, AES-256, zero egress fees
  • Cloudflare KV - ephemeral session state, sub-millisecond reads
  • No third-party analytics scripts loaded in the portal
  • All email delivery via Resend over TLS with SPF/DKIM/DMARC
Authentication & Access
  • Magic-link tokens are built from concatenated crypto.randomUUID() values and SHA-256 hashed before being stored in the database
  • Tokens are single-use - consumed and invalidated on first use
  • Role-based access control - admin, advocate, client with route-level enforcement
  • All API endpoints require a valid JWT - no public data endpoints in the portal
  • Magic links expire in 15 minutes - no persistent login URLs
  • Support team access to your data requires your explicit permission + full audit log
Compliance

Built to standards.

We comply with the frameworks your clients and regulators expect.

⚖️
KDPA 2019
Kenya Data Protection Act - data minimisation, lawful basis, and subject rights fully implemented.
🇪🇺
GDPR
EU General Data Protection Regulation - Standard Contractual Clauses (SCCs) for international transfers, 72-hour breach notification.
🔒
TLS 1.2+
All connections use TLS 1.2 at minimum, TLS 1.3 where supported. HTTP is rejected at the edge.
📋
LSK Guidelines
Platform designed for compliance with Law Society of Kenya data protection guidelines for advocates.
Responsible Disclosure

Found a vulnerability? Tell us first.

We take security reports seriously and respond within 48 hours. If you discover a vulnerability, please report it to us privately before disclosing publicly. We commit to: acknowledging your report promptly, keeping you informed of our progress, crediting responsible researchers, and never pursuing legal action against good-faith researchers.

[email protected]

Security you can
build on.

Your clients trust you with their most sensitive matters. We've built the infrastructure worthy of that trust.