Security Best Practices

Reading Time: 5-7 minutes

Overview

This article explains security best practices in Akili Apps that help you protect your business data and maintain compliance with privacy regulations.

What You'll Learn

  • Privacy and security policies
  • Data protection measures
  • Your rights and controls
  • Best practices for security
  • Compliance requirements

Our Commitment to Security

Akili Apps takes data security and privacy seriously. We implement industry-standard security measures to protect your business information.

Security Principles

  1. Data Encryption

    • All data encrypted in transit (TLS/SSL)
    • Data encrypted at rest (AES-256)
    • Secure key management
  2. Access Controls

    • Role-based permissions
    • Principle of least privilege
    • Regular access audits
  3. Infrastructure Security

    • Secure cloud hosting (AWS/Google Cloud)
    • Regular security updates
    • Network firewalls and monitoring
    • DDoS protection
  4. Application Security

    • Secure coding practices
    • Regular security testing
    • Vulnerability scanning
    • Penetration testing
  5. Data Privacy

    • Minimal data collection
    • Purpose-limited use
    • No selling of data
    • Transparent practices

Data We Collect

Information You Provide

Account Information:

  • Name and email
  • Business details
  • Payment information (via Stripe)
  • Profile preferences

Business Data:

  • Expenses and receipts
  • Invoices and clients
  • Bank transactions (via Plaid)
  • Categories and notes

Usage Data:

  • Feature usage
  • Performance metrics
  • Error logs
  • Device information

Information We Don't Collect

  • Personal expenses (only business)
  • Full credit card numbers (tokenized by Stripe)
  • Social insurance numbers
  • Bank login credentials (handled by Plaid)

How We Use Your Data

Primary Uses

  1. Provide Service

    • Expense tracking and reporting
    • Invoice generation
    • Data analysis and insights
  2. Improve Product

    • Feature development
    • Bug fixes
    • Performance optimization
  3. Customer Support

    • Troubleshooting issues
    • Answering questions
    • Providing assistance
  4. Security

    • Fraud detection
    • Abuse prevention
    • Security monitoring

We Don't

  • ❌ Sell your data to third parties
  • ❌ Share data with advertisers
  • ❌ Use data for unrelated purposes
  • ❌ Access your data without reason

Data Sharing

When We Share Data

Service Providers:

  • Stripe (payment processing)
  • Plaid (bank connections)
  • AWS/Google Cloud (hosting)
  • Email service (notifications)

All providers:

  • Bound by strict agreements
  • Only access needed data
  • Meet security standards
  • Cannot use for own purposes

Legal Requirements:

  • Court orders
  • Legal investigations
  • Compliance with laws
  • Protect rights and safety

With Your Permission:

  • Export to accountant
  • Share with team members
  • Integration with other tools

We Never:

  • Sell data to data brokers
  • Share with marketers
  • Give to competitors
  • Use for advertising

Your Privacy Rights

Canadian Privacy Rights (PIPEDA)

Right to Access:

  • Request copy of your data
  • Understand what we have
  • Export anytime

Right to Correction:

  • Fix inaccurate data
  • Update information
  • Maintain accuracy

Right to Deletion:

  • Request data deletion
  • Close account
  • Permanent removal

Right to Restrict:

  • Limit data processing
  • Opt out of analytics
  • Control communications

Right to Portability:

  • Export data in standard format
  • Transfer to another service
  • Take data with you

Right to Withdraw Consent:

  • Change privacy preferences
  • Opt out of optional features
  • Revoke permissions

European Privacy Rights (GDPR)

If you're in the EU/EEA, you have additional rights:

  • Right to object to processing
  • Right to lodge complaint with supervisory authority
  • Rights related to automated decision-making

Data Protection

Encryption

In Transit:

  • TLS 1.3 encryption
  • HTTPS everywhere
  • Secure API connections

At Rest:

  • AES-256 encryption
  • Encrypted backups
  • Secure key storage

Payment Data:

  • Never stored by us
  • Tokenized by Stripe
  • PCI-DSS compliant

Access Control

Authentication:

  • Strong password requirements
  • Two-factor authentication available
  • Session management
  • Automatic logout

Authorization:

  • Role-based access
  • Minimum necessary principle
  • Audit logs
  • Regular reviews

Monitoring

24/7 Security Monitoring:

  • Intrusion detection
  • Anomaly detection
  • Log analysis
  • Incident response

Regular Security Audits:

  • Quarterly security reviews
  • Annual penetration testing
  • Code security scans
  • Third-party assessments

Data Retention

How Long We Keep Data

Active Account:

  • Data stored indefinitely while account active
  • You control deletions

Cancelled Account:

  • Data retained 6 months after cancellation
  • Then permanently deleted

Backups:

  • Retained for 90 days
  • Then automatically purged
  • For disaster recovery only

Legal Holds:

  • Retained if required by law
  • Litigation holds
  • Regulatory requirements

Data Deletion

Deleting Your Data

Manual Deletion:

  • Delete individual expenses, receipts, invoices
  • Remove team members
  • Clear data anytime

Account Deletion:

  1. Export your data first
  2. Contact support
  3. Confirm deletion request
  4. Account and data permanently deleted within 30 days
  5. Cannot be recovered

What Gets Deleted:

  • All expenses and receipts
  • All invoices and clients
  • All bank connections
  • All team data (if owner)
  • Profile information
  • Backups purged

What's Retained:

  • Anonymized usage statistics
  • Financial transaction records (for accounting)
  • Support ticket history (if relevant to other users)

Compliance

Privacy Laws

Canadian Compliance:

  • PIPEDA (Personal Information Protection and Electronic Documents Act)
  • Provincial privacy laws
  • Anti-spam legislation (CASL)

International Compliance:

  • GDPR (if EU users)
  • CCPA (if California users)
  • SOC 2 Type II (in progress)

Industry Standards

  • PCI-DSS (via Stripe)
  • ISO 27001 principles
  • OWASP security guidelines
  • CSA STAR (cloud security)

Security Best Practices

For Your Account

  1. Strong Passwords

    • 12+ characters
    • Mix of uppercase, lowercase, numbers, symbols
    • Unique password (not reused)
    • Use password manager
  2. Enable Two-Factor Authentication

    • Adds extra security layer
    • Use authenticator app (better than SMS)
    • Save backup codes securely
  3. Review Activity Regularly

    • Check login history
    • Monitor active sessions
    • Review team access (if organization)
    • Log out from public computers
  4. Keep Software Updated

    • Update browser regularly
    • Update operating system
    • Update security software
  5. Beware Phishing

    • Verify email sender
    • Don't click suspicious links
    • Never share password
    • Report phishing to support

For Your Business

  1. Limit Access

    • Give minimum necessary permissions
    • Use appropriate roles
    • Remove access when no longer needed
    • Regular access audits
  2. Secure Devices

    • Use device passwords/biometrics
    • Enable disk encryption
    • Install antivirus
    • Lock screens when away
  3. Secure Network

    • Use secure WiFi (WPA3/WPA2)
    • Avoid public WiFi for sensitive tasks
    • Use VPN on public networks
    • Keep router updated
  4. Train Team

    • Security awareness
    • Recognizing phishing
    • Password hygiene
    • Incident reporting
  5. Incident Response

    • Know how to report issues
    • Have contact information ready
    • Document incidents
    • Follow up on resolutions

Reporting Security Issues

If You Discover a Security Vulnerability

Contact Us:

Include:

  • Description of vulnerability
  • Steps to reproduce
  • Potential impact
  • Your contact information

Do Not:

  • Publicly disclose before we fix
  • Access others' data
  • Damage systems
  • Demand payment

Our Response:

  • Acknowledge within 24 hours
  • Investigate immediately
  • Fix critical issues within 7 days
  • Provide status updates
  • Credit in security advisories (if desired)

Privacy Policy Updates

We may update our privacy policy:

  • Posted at privacy.akiliapps.com
  • Notification of significant changes
  • Effective date clearly marked
  • Continued use constitutes acceptance

Common Questions

Q: Do you use my data to train AI?

Only if you opt in. Anonymous usage data may be used to improve AI categorization. Financial details are never used.

Q: Can Akili staff see my expenses?

Only with your permission for support issues, or as required by law. Staff access is logged and audited.

Q: What happens if Akili has a data breach?

We'd notify you within 72 hours (or as required by law) and explain what happened, what data was affected, and the steps we're taking.

Q: Can I use Akili for clients in Europe?

Yes, we're GDPR compliant. Enable GDPR mode in settings if needed.

Q: Is my bank connection secure?

Yes, connections are made via Plaid using bank-level security. We never see your bank password.

Q: Can the government access my data?

Only with proper legal process (warrant, court order). We'd notify you if legally permitted.

Q: Where is data stored?

Canadian and US data centers (AWS/Google Cloud). You can specify Canadian-only storage (Professional plan).

Q: Do you have a data processing agreement?

Yes, available for Professional and Enterprise customers. Contact sales.

Resources

  • Privacy Policy: privacy.akiliapps.com
  • Terms of Service: akiliapps.com/terms
  • Security Page: akiliapps.com/security
  • Status Page: status.akiliapps.com

Akili Apps - Intelligent Expense Tracking for Canadian Businesses