Passwordless authentication
No passwords are stored or transmitted anywhere in the Akili Suite system. All authentication uses magic-link email tokens, SHA-256 hashed before storage. The raw token exists only in the email link and is single-use with a 15-minute expiry. JWT sessions are HS256-signed and expire after 24 hours, with per-token revocation via KV blacklist.
Zero password attack surface
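The token lifecycle described above (hash before storage, single use, 15-minute expiry), sketched as an added example that is not Akili Suite's own code. The in-memory Map standing in for the token store, the function names and the sample address are assumptions.

```javascript
// Added illustration, not Akili Suite code. The Map is a stand-in for the real store.
const nodeCrypto = require('node:crypto');

const TOKEN_TTL_MS = 15 * 60 * 1000; // 15-minute expiry, as stated on the page
const store = new Map();             // sha256(token) hex -> { email, expiresAt, used }

const sha256Hex = (s) => nodeCrypto.createHash('sha256').update(s).digest('hex');

// Issue: the raw token is returned for the email link only; the store keeps its hash.
function issueMagicLink(email, now = Date.now()) {
  const raw = nodeCrypto.randomBytes(32).toString('base64url'); // 256 bits from the CSPRNG
  store.set(sha256Hex(raw), { email, expiresAt: now + TOKEN_TTL_MS, used: false });
  return raw;
}

// Redeem: look up by hash, then enforce single use and expiry before any session is issued.
function redeemMagicLink(raw, now = Date.now()) {
  if (typeof raw !== 'string' || raw.length === 0) {
    return { ok: false, reason: 'malformed' };
  }
  const key = sha256Hex(raw);
  const rec = store.get(key);
  if (!rec) return { ok: false, reason: 'unknown' };
  if (rec.used) return { ok: false, reason: 'already-used' };
  if (now >= rec.expiresAt) {
    store.delete(key); // expired records are dropped, not left redeemable
    return { ok: false, reason: 'expired' };
  }
  rec.used = true; // consume the token before handing back the identity
  return { ok: true, email: rec.email };
}
```

In a distributed store the check-and-mark step has to be a single atomic operation, otherwise two concurrent requests can both redeem the same link.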
Tenant data isolation
Every database query is automatically scoped by tenant_id through the TenantDB wrapper - cross-tenant data access is structurally impossible without explicit use of the bypass method, which is restricted to superadmin operations. Row-level isolation, not schema separation.
Structural isolation - not policy-enforced
Cloudflare edge infrastructure
All API requests are handled by Cloudflare Workers running in V8 isolates - no shared memory between tenants, no traditional server processes to compromise. D1 (SQLite), R2 (object storage), and KV are all Cloudflare-native. TLS 1.3 enforced at the edge. No legacy TLS versions accepted.
V8 isolates · TLS 1.3 · Always-on
Input validation & injection prevention
All D1 queries use parameterised bindings - SQL injection is not possible through the standard query path. All user-rendered content passes through an HTML escape function covering <>&"'. File uploads are validated against a MIME type allowlist before storage.
Parameterised queries · XSS escaping
Rate limiting & abuse prevention
Per-tenant API rate limiting via Durable Object sliding-window counter (60–2,000 rpm depending on plan). Platform authentication is rate-limited per IP (5/15min) and per email (3/15min) using KV counters. Paystack webhooks are verified via HMAC-SHA512 signature before processing.
DO rate limiter · KV auth throttle
Impersonation controls
Superadmin impersonation tokens are issued as read-only by design - all write methods (POST, PUT, PATCH, DELETE) return 403 for impersonated sessions. The superadmin panel itself requires both a constant-time-compared platform key header AND a valid admin JWT - two independent gates.
Read-only impersonation · Double-gate admin
KDPA 2019
Kenya Data Protection Act. Data subject rights, purpose limitation, retention policies, and processor obligations addressed in architecture and privacy policy.
Compliant
GDPR
EU General Data Protection Regulation. Privacy by design, data minimisation, right to erasure, and DPA contact available via [email protected].
Compliant
SOC 2 Type II
Security, availability, and confidentiality trust service criteria. Audit preparation in progress. Available as part of Enterprise plan compliance package.
In progress
ISO 27001
Information security management system standard. Controls mapped and gap analysis complete. Certification pathway active for Enterprise clients requiring it.
Planned 2027
TLS 1.3
All traffic encrypted via TLS 1.3. Legacy TLS versions (1.0, 1.1) rejected at the Cloudflare edge. HSTS enforced. Certificate management handled by Cloudflare.
Enforced
No Ad Tracking
Akili Suite products are ad-free. No third-party advertising SDKs, no behavioural tracking pixels, and no advertiser data sharing in any Akili Suite product.
By policy
Database
Cloudflare D1 (SQLite-compatible) - relational data (matters, clients, invoices, users). All queries auto-scoped by tenant_id. No shared tables between tenants. D1 instances are managed by Cloudflare across their global network.
File Storage
Cloudflare R2 - documents, logos, and attachments. Keys namespaced per tenant: tenants/{slug}/matters/{id}/{file}. Download tokens are 15-minute single-use, stored in KV. Max 50MB per file, type allowlisted.
Cache & Sessions
Cloudflare KV - session tokens, rate limit counters, tenant config cache (5-min TTL), JTI revocation blacklist, Paystack event idempotency. KV has eventual consistency - not used for critical transaction data.
Real-time
Cloudflare Durable Objects - War Room chat sessions (one DO per matter) and per-tenant rate limiters. DO storage is the primary for War Room messages, with D1 as the mirror. Messages capped at 4,000 characters, last 100 stored.
Email
Resend (primary) + Brevo (fallback) - transactional email only. No marketing email. From address: [email protected]. No email content is stored beyond what the platform logs in the messages table.
Payments
Paystack - card tokenisation and subscription management. Akili Suite never stores raw card data. Payment events verified via HMAC-SHA512. Paystack is PCI-DSS compliant.