How We Protect Your Data

Overview

Your financial data is sensitive. Learn how Akili Apps uses enterprise-grade encryption, security best practices, and compliance standards to keep your business information safe.

What You'll Learn

Encryption methods we use
How we protect data in transit and at rest
Security infrastructure and practices
Compliance certifications
What we do and don't have access to
Your role in security

Our Security Commitment

At Akili Apps, security is not an afterthought—it's fundamental to everything we build. Your trust is our most valuable asset.

Our promise:

🔒 Bank-level encryption
🔒 Zero-knowledge architecture where possible
🔒 Regular security audits
🔒 SOC 2 Type II compliance
🔒 GDPR and PIPEDA compliant
🔒 24/7 security monitoring
🔒 Transparent security practices

Encryption Standards

Data in Transit

TLS 1.3 Encryption:

All data transmitted between your device and our servers uses TLS 1.3
256-bit encryption (same as online banking)
Perfect Forward Secrecy (PFS)
Prevents man-in-the-middle attacks

What this means:

No one can intercept your data
Even on public Wi-Fi, your data is secure
All connections are encrypted automatically

HTTPS Everywhere:

All pages served over HTTPS
HTTP Strict Transport Security (HSTS) enabled
Automatic upgrade from HTTP to HTTPS

Data at Rest

AES-256 Encryption:

All data encrypted when stored on our servers
Industry-standard AES-256-GCM encryption
Separate encryption keys per account
Keys stored separately from data

What's encrypted:

✅ Expense details
✅ Invoice information
✅ Receipt images
✅ Client data
✅ Bank transaction details
✅ Personal information
✅ Chat conversations with Maple AI
✅ File attachments

Encryption at multiple layers:

Application level: Data encrypted before saving
Database level: Database encryption enabled
Disk level: Server storage encrypted
Backup level: All backups encrypted

Banking Data

Plaid Integration:

Banking credentials NEVER touch our servers
Plaid uses OAuth 2.0 authentication
Tokenized access (we receive tokens, not credentials)
Read-only access (we can't move money)

Transaction data:

Encrypted in transit from Plaid to us
Encrypted at rest in our database
Automatically redacted after account deletion

Infrastructure Security

Hosting

Amazon Web Services (AWS):

Infrastructure hosted on AWS (Canadian data centers)
AWS is SOC 1, SOC 2, SOC 3, PCI DSS Level 1 certified
Physical security: 24/7 monitoring, biometric access
Network security: DDoS protection, firewalls

Canadian Data Residency:

All data stored in Canadian AWS regions (Montreal, Toronto)
Complies with Canadian data sovereignty requirements
Backups also stored in Canada
No data stored in US or overseas (except during temporary processing)

Network Security

Firewalls:

Multi-layered firewall protection
Only necessary ports open
Regular penetration testing

DDoS Protection:

AWS Shield protection
CloudFlare CDN with DDoS mitigation
Rate limiting on API endpoints

Intrusion Detection:

24/7 monitoring for suspicious activity
Automated alerts for anomalies
Incident response team on standby

Access Controls:

VPN required for employee access to production systems
Multi-factor authentication (MFA) mandatory for all staff
Principle of least privilege (minimal access granted)
Regular access audits

Application Security

Secure Coding Practices:

Code reviews for all changes
Static analysis security testing (SAST)
Dynamic application security testing (DAST)
Dependency scanning for vulnerabilities

Input Validation:

All user input sanitized
Protection against SQL injection
Protection against XSS (cross-site scripting)
CSRF tokens on all forms

Authentication:

Passwords hashed with bcrypt (cost factor 12)
Salted hashes (unique salt per user)
Session tokens expire after 30 days inactivity
Secure session management

API Security:

API rate limiting
JWT (JSON Web Tokens) for authentication
Token expiration and rotation
OAuth 2.0 for third-party integrations

Access Controls

Who Can Access Your Data

You:

Full access to your data
Can view, edit, delete
Can export all data
Can delete account

Team Members (if using Growth plan):

Access based on role permissions
Can be restricted to specific features
Activity logged and auditable
Can be revoked immediately

Akili Apps Employees:

NO ACCESS to your data under normal circumstances
Only access if:
- You explicitly request support and grant permission
- Technical troubleshooting requires it (with your consent)
- Required by law (with legal process served)
All access logged and audited
Employees sign strict confidentiality agreements

Third Parties:

NO ACCESS without your explicit consent
Plaid: Only for bank connection (OAuth tokens only)
Payment processors: Only transaction amounts, not expense details
Analytics: Only anonymized, aggregated data

Support Access

When you contact support:

What support can see (with your consent):

Account metadata (plan, signup date)
Error logs (technical issues)
Limited data for troubleshooting

What support CANNOT see:

Your password (hashed, unreadable)
Full expense/invoice details (unless you share)
Receipt images (unless you share)
Bank account credentials (we never have these)

Granting temporary access:

You request support help
We ask permission to view your data
You grant limited-time access
Access automatically expires (24-48 hours)
All access logged and reviewable

Data Backups

Backup Strategy:

Continuous backups: Every transaction backed up in real-time
Daily snapshots: Full database snapshots daily
Weekly archives: Long-term storage
90-day retention: Can restore from any point in last 90 days

Backup Security:

All backups encrypted (AES-256)
Stored in separate AWS region
Encrypted in transit and at rest
Regularly tested for restoration

Disaster Recovery:

Recovery Time Objective (RTO): < 4 hours
Recovery Point Objective (RPO): < 15 minutes
Automated failover systems
Regular disaster recovery drills

Compliance & Certifications

SOC 2 Type II

Compliance achieved:

Independent audit completed
Security, availability, confidentiality verified
Annual audits conducted
Report available to Enterprise customers

GDPR Compliance

For EU users (and Canadian best practices):

Right to access data
Right to data portability
Right to deletion ("right to be forgotten")
Data processing agreements
Privacy by design
Consent management

PIPEDA Compliance

Personal Information Protection and Electronic Documents Act:

Canadian privacy law compliance
Consent for data collection
Limited collection (only necessary data)
Use limitation (only for stated purposes)
Safeguards (technical and organizational)
Openness (transparent practices)
Individual access
Challenging compliance

PCI DSS Compliance

Payment Card Industry Data Security Standard:

We don't store credit card numbers
Payment processing via Stripe (PCI Level 1 certified)
Tokenization for stored payment methods
Secure payment forms

What We Do and Don't Do

We DO:

✅ Encrypt all data in transit and at rest
✅ Use industry-standard security practices
✅ Regularly audit and test security
✅ Promptly patch vulnerabilities
✅ Notify you of any security incidents
✅ Allow you to export and delete your data
✅ Comply with privacy regulations
✅ Train employees on security

We DON'T:

❌ Sell your data to third parties
❌ Share data without your consent
❌ Use your data for purposes beyond app functionality
❌ Store passwords in plain text
❌ Have access to your banking credentials
❌ Read your data without permission
❌ Serve ads based on your financial data
❌ Share data with advertisers

Your Role in Security

Security is a partnership. Here's how you can protect your account:

Strong Passwords

Best practices:

Minimum 12 characters
Mix of upper, lower, numbers, symbols
Unique (not used elsewhere)
Use a password manager
Change if compromised

Avoid:

Common passwords ("password123")
Personal info (birthday, name)
Dictionary words
Reusing passwords

Enable Two-Factor Authentication (2FA)

Highly recommended:

Settings > Security > Two-Factor Authentication
Choose method:
- Authenticator app (most secure): Google Authenticator, Authy
- SMS (convenient but less secure)
Scan QR code or enter code
Save backup codes

Why 2FA matters:

Protects even if password stolen
Prevents unauthorized access
Required for some compliance standards

Be Alert to Phishing

Red flags:

Emails asking for password
Urgent security warnings (fake)
Links to fake login pages
Requests to call suspicious numbers

We will NEVER:

Ask for your password via email
Send you links to reset password (you initiate)
Request sensitive info via email
Threaten account closure via email

If suspicious:

Don't click links
Go directly to akiliapps.com and log in
Contact support@akiliapps.com
Report phishing attempts

Device Security

Protect your devices:

Use device passcode/biometric lock
Keep OS and apps updated
Install from official app stores only
Avoid public Wi-Fi for sensitive tasks (or use VPN)
Don't jailbreak/root devices

Log Out on Shared Devices

Public or shared computers:

Always log out when finished
Don't save passwords in browser
Clear browser history
Use private/incognito mode

Incident Response

If Security Incident Occurs

Our commitment:

Immediate investigation
Contain and resolve issue
Notify affected users within 72 hours
Full transparency about what happened
Steps taken to prevent recurrence

What we'll tell you:

What happened
What data was affected
What we've done to fix it
What you should do
How we're preventing future incidents

Your rights:

Full disclosure of incident details
Assistance with protective measures
Account monitoring
Free credit monitoring (if warranted)

Security Resources

Report Security Issues

Found a vulnerability?

Email: security@akiliapps.com
Bug bounty program for responsible disclosure
Response within 48 hours
Recognition and rewards

Please don't:

Disclose publicly before we fix
Test on production systems
Access other users' data

Security Updates

Stay informed:

Security advisories: security.akiliapps.com
Status page: status.akiliapps.com
Email alerts for critical updates
In-app security notifications

Common Questions

Q: Can Akili Apps employees see my expenses? A: No, not without your explicit permission for support purposes. All access is logged.

Q: What happens to my data if Akili Apps shuts down? A: You can export all data anytime. If we ever shut down, we'll provide advance notice and export tools.

Q: Is my data stored in Canada? A: Yes, all data is stored in Canadian AWS data centers (Montreal and Toronto).

Q: Can law enforcement access my data? A: Only with valid legal process (warrant, subpoena). We'll notify you unless prohibited by law.

Q: How do I delete all my data? A: Settings > Account > Delete Account. All data is permanently deleted within 30 days.

Q: Are receipt images encrypted? A: Yes, images are encrypted both in transit and at rest using AES-256.

Q: What if I lose my 2FA device? A: Use backup codes provided during 2FA setup, or contact support with identity verification.

Q: Do you ever access data for training AI? A: Only anonymized, aggregated data is used for improving AI features. Personal data is never used without consent.

Privacy Policy Explained - Privacy practices
GDPR Compliance - Data rights
Data Deletion - How to delete account
Security Best Practices - Protecting your account

Need More Help?

Contact support at support@akiliapps.com or security@akiliapps.com for security-specific questions.

Index Security Best Practices