Trust Center

If Akka fails to meet the uptime commitment or the latency commitment as defined Akka will credit back to Customer a “service-credit” for the period affected.

The service-credit is a percentage of the applicable fees for the affected period to be credited to Customer, if Akka approves the claim, as set forth in the table below.

Akka uses a custom internal platform to document their internal controls and continuously monitor their effectiveness. An assessment over the effectiveness and efficiency of the internal controls, processes and policies is reviewed by management on at least an annual basis and identified deficiencies are remediated accordingly.

A vendor management process has been implemented whereby management performs risk assessments of potential new essential vendors and evaluates the performance of essential vendors on an annual basis. Corrective actions are taken as required based on the results of the assessments.

A penetration test is performed on an annual basis to identify security exploits. Issues identified are classified according to risk, analyzed and remediated in a timely manner.

On an annual basis, management performs reviews of SOC (or other) reports from service providers/vendors to review the appropriateness of scope, impact of identified exceptions and applicable complementary user entity controls.

Evaluators performing ongoing and separate evaluations have sufficient knowledge to understand what is being evaluated.

Ongoing evaluations are built into the business processes and adjust to changing conditions.

Management varies the scope and frequency of separate evaluations depending on risk.

We perform an annual audit that evaluates our controls and their effectiveness and provides us with objective feedback.

Management and the board of directors, as appropriate, assess results of ongoing and separate evaluations.

Deficiencies are communicated to parties responsible for taking corrective action and to senior management and the board of directors, as appropriate.

Akka has established communication channels that allow employees to securely and anonymously report issues related to fraud, harassment and other issues impacting Akka’s ethical and integrity requirements.

The company requires employees to sign a confidentiality agreement during onboarding.

Akka has policies and procedures to protect confidential information from erasure or destruction during the specified retention period of that information.

Each customer’s data is logically isolated from customer belonging to other customers. This separation is maintained at all times, through all components.

The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.

Formal data retention and disposal policy and procedure are in place to guide the secure retention and disposal of information.

All equipment with data storage capabilities is disposed of or recycled securely.

Akka maintains documented policies and procedures to ensure the secure destruction of confidential information identified for disposal.

Our product and company processes employ both automated and manual methods—such as secure deletion, data wiping, and physical destruction—appropriate to the type of media and information involved.

Destruction is triggered by defined events, such as the expiration of retention periods or end of contractual obligations. Responsible roles are assigned to carry out and verify destruction, and records of all destruction activities are maintained to demonstrate compliance and support audits.

All company workstations have disk encryption and system passwords enabled.

A formal network diagram outlining boundary protection mechanisms (e.g. firewalls, IDS, etc.) is maintained for all network connections and reviewed annually by IT management.

The majority of the board of directors is comprised of non-executive directors independent from management. The board meets on at least a quarterly basis for oversight on internal controls, operations and business objectives. In the event that the board of directors consists of the same number of executive directors and non-executive directors, for any situations where voting needs a tie break, one non-executive director will hold two votes.

Akka’s executive team meets at least quarterly to discuss operations, issues relating to internal controls and delivery on key performance metrics.

Information security roles and responsibilities of employees, contractors, and the Company are stated in the Company’s security awareness training.

Akka’s board of directors and management sustain a culture of integrity by modeling ethical behavior and enforcing established Standards of Conduct across all levels of the organization. Integrity expectations are defined within these standards, communicated to all personnel, and validated through periodic performance evaluations. Deviations are identified and remedied in a timely, consistent manner, and all employees and third-party contractors operate under signed agreements that mandate adherence to Akka’s code of conduct, security, and confidentiality requirements.

The board of directors supplements its expertise relevant to security, availability, processing integrity, confidentiality, and privacy, as needed, through the use of a subcommittee or consultants.

The Board of Directors maintains documented oversight responsibilities that are formally acknowledged upon any modification. To ensure effective governance, the Board defines and periodically evaluates the specific skills and expertise required of its members, enabling them to provide informed challenge to senior management and execute commensurate actions based on organizational risk.

The board will augment its own expertise, if required, through the use of a subcommittee or consultants.

Responsible personnel perform control activities in a timely manner as defined by the policies and procedures.

Management periodically reviews control activities to determine their continued relevance and refreshes them when necessary.

Akka has developed documentation and user guides that describe relevant system components as well as the purpose and design of the system. These documents are made available to both internal and external users and updated as needed.

Akka ensures that our financial reporting objectives are aligned with recognized accounting principles appropriate to our business, industry, and regulatory environment.

We select and document suitable accounting standards (such as US GAAP or IFRS), apply them consistently, and periodically review their continued appropriateness.

Management establishes objectives consistent with laws and regulations or standards and frameworks of recognized external organizations.

Akka ensures that all internal reporting accurately and completely reflects the underlying transactions and events within established thresholds for accuracy and timeliness.

We require that data collection, processing, and presentation processes are designed to capture all relevant activities without omission or distortion.

Akka determines its compliance objectives.

Akka systematically identifies, monitors, and incorporates all relevant external laws, regulations, and contractual obligations into our compliance objectives and operational practices.

We ensure that our product and internal processes reflect these requirements through regular risk assessments, policy updates, employee training, and ongoing compliance monitoring.

Akka reviews and updates compliance objectives as necessary to maintain alignment with evolving legal and regulatory standards.

Management determines which relevant business processes require control activities.

Akka applies a least-access approach to restrict access to all information assets, and requires authorized users to request access to suitable assets commensurate with their job responsibilities, and for such access to be reviewed by an authorized security administrator.

We maintain and follow a documented policy and process for the acquisition of all new technology solutions or infrastructure. Proposed solutions undergo an evaluation against our standards, and risks are noted. New solutions must be approved, and existing solutions reviewed at least annually.

Our consideration of the potential significance of the identified risks includes:

1. Determining the criticality of identified assets in meeting objectives;

2. Assessing the impact of identified threats and vulnerabilities in meeting objectives;

3. Assessing the likelihood of identified threats; and

4. Determining the risk associated with assets based on asset criticality, threat impact, and likelihood.

Our risk identification and assessment process includes:

1. Identifying information assets, including physical devices and systems, virtual devices, software, data and data flows, external information systems, and organiza- tional roles;

2. Assessing the criticality of those information assets;

3. Identifying the threats to the assets from intentional (including malicious) and unintentional acts and environmental events; and (4) identifying the vulnerabilities of the identi- fied assets.

Akka defines and documents clear operational and financial performance goals as part of our overall operations objectives.

We ensure that our product and organizational planning incorporate specific targets for operational efficiency, effectiveness, and financial outcomes, aligning these with our broader strategy and risk management processes.

This approach supports informed decision-making, resource allocation, and ongoing performance monitoring to ensure we meet our strategic goals and stakeholder expectations.

Management uses operational objectives as a basis for allocating resources needed to attain desired operations and financial performance.

Multi-factor authentication (MFA) is enforced for user accounts with administrative access to Akka’s production platform.

Encryption technologies are used to protect communication and transmission of data over public networks and between systems.

Each customer’s data is logically or physically isolated from customer belonging to other customers. This separation is maintained at all times, through all components.

Access to shared administrator/master/root accounts on the infrastructure supporting the application is restricted to authorized personnel via a group-based access scheme.

Processes are in place to remove credential access when an individual no longer requires such access.

Role-based access control is utilized to support segregation of incompatible functions.

When accessing our product or critical internal systems, Akka requires the use of additional authentication measures. Specifically, mfa or equivalent credentials must be enforced for all remote access methods, including vpn, web portals, and cloud services.

This ensures that users provide two or more forms of verification, mitigating the risk of unauthorized access from external locations. This control is applied consistently across all relevant entry points to our product and essential systems.

In order to protect your personal data we have implemented reasonable, commercially acceptable security procedures and practices appropriate to the nature of the personal data we store, in order to protect it from unauthorized access, destruction, use, modification or disclosure. Your personal data is contained behind secured networks and is only accessible by a limited number of people, who have special access rights and are required to keep the personal data confidential.

Please see our Trust Center for information about our Information Security standards and policies. We require all third-parties with whom we share your data for processing to have equivalent security measures to our own.

Akka ensures that any changes to our product — including new development, updates, or configuration modifications — are subject to a process that identifies affected business and security objectives.

Throughout the system development life cycle, we evaluate and document the ability of the modified system to continue supporting these objectives, including confidentiality, integrity, and availability. This evaluation is integrated into our change management and sdlc processes, with impact analyses and post-implementation reviews conducted to confirm that objectives are maintained and controls remain effective.

A process is in place for authorizing, designing, testing, approving, and implementing changes necessary in emergency situations (that is, changes that need to be implemented in an urgent time frame).

A process is in place to track system changes prior to implementation.

Emergency change requests are documented and subject to the standard change management process but at an accelerated timeline. Prior to initiating an emergency change, appropriate approval is obtained and documented.

Changes to the application(s) and supporting infrastructure are documented, tested and approved by authorized personnel prior to implementation into the production environment in accordance with the change management process.

Changes to application and system infrastructure are developed and tested in a separate development or test environment before implementation.

Notifications regarding confirmed data breaches are provided to affected data subjects, regulators, and other parties (as applicable) within an acceptable timeframe to meet the Company’s confidentiality commitments.

A patch management process exists to confirm that operating system level vulnerabilities are remediated in a timely manner. Production servers are verified for patch compliance on at least a quarterly basis.

Detected security events are evaluated to determine whether they could or did result in the unauthorized disclosure or use of personal information and whether there has been a failure to comply with applicable laws or regulations.

The design of incident-response activities is evaluated for effectiveness on a periodic basis.

Procedures are in place to mitigate the effects of ongoing security incidents.

A patch management process exists to confirm that operating system level vulnerabilities for workstations are remediated in a timely manner. In addition, workstations are checked quarterly to ensure that auto updates are enabled.

Protocols for communicating security incidents and actions taken to affected parties are developed and implemented to meet our objectives.

Akka management will periodically review all incidents affecting security, availability, processing integrity, confidentiality, and privacy within our product and company.

This review will include analysis of incident records to identify patterns, trends, and root causes, with the goal of determining and implementing necessary changes to systems, processes, or controls.

All evaluations and corrective actions will be documented and tracked to completion to ensure continuous improvement of our security and compliance posture.

Upon detection of a security incident, Akka will promptly investigate to determine the method of occurrence, affected system resources, and the severity of the incident within our product and corporate environment.

Based on this assessment, we will establish an appropriate response time frame and implement a tailored containment strategy, which may include isolating affected systems, disabling compromised accounts, or blocking malicious activity. All actions taken will be documented to ensure effective incident control and to support further analysis and remediation.

Disaster recovery plans (including restoration of backups) have been developed and tested annually. Test results are reviewed and consequently contingency plans are updated.

Procedures are in place to end the threats posed by security incidents through closure of the vulnerability, removal of unauthorized access, and other remediation actions.

Remediation activities are documented and communicated in accordance with the incident-response program.

Incident-recovery plan testing is performed on a periodic basis. The testing includes:

1. Development of testing scenarios based on threat likelihood and magnitude;

2. Consideration of relevant system components from across the company that can impair availability;

3. Scenarios that consider the potential for the lack of availability of key personnel; and

4. Revision of resilience posture and continuity plans based on test results.

Akka provides a support system that allows users to report suspected defects, complaints, issues, and any other challenge through an appropriate channel.

Reported issues are addressed by our support staff in a timely manner, as detailed in this policy.

All company workstations must have IT-approved antivirus (AV), firewall and anti-malware/intrusion software installed and operational. Please see the list of approved antivirus software on the InfoSec Resources page in the Internal Wiki. Agent software to verify other requirements may also be required.

All Company Workstations must be patched with the latest operating system updates. Automatic updates must be enabled but can be scheduled so as to not interfere with business.

The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.

The company provides a description of its products and services to internal and external users.

Customer contracts are reviewed and approved to ensure that security and confidentiality commitment are met.

Akka provides an external-facing support system that allows users to report suspected defects, complaints, issues, and any other challenge through an appropriate channel. Reported tickets are addressed by Akka’s support staff in a timely manner.

Akka provides all personnel, including employees, contractors, and relevant third parties, with clear information on how to report system failures, security incidents, concerns, or complaints related to our product and organizational operations.

We maintain accessible reporting mechanisms — such as dedicated email addresses, ticketing systems, and internal portals — which are documented and communicated through onboarding, regular training, and internal resources.

Akka maintains a comprehensive security awareness training program for all personnel, including employees, contractors, and users of our product. We provide regular training — during onboarding and at least annually thereafter — covering topics such as identifying phishing attempts, handling sensitive data, reporting security incidents, and following secure operational practices.

Participation in the training is tracked to ensure compliance, and the program is designed to foster a culture of security awareness and model appropriate security behaviors throughout the organization.

External users are provided with information on how to report systems failures, incidents, concerns, and other complaints to appropriate company personnel.

Akka maintains separate, independent communication channels — such as whistle-blower hotlines and secure online portals — to enable confidential or anonymous reporting of concerns, misconduct, or policy violations when standard channels are unavailable or ineffective.

We ensure these channels are documented, their availability is communicated to all relevant parties, and their effectiveness is regularly tested.

All reports received through these channels are handled promptly, securely, and in compliance with applicable laws and Akka’s internal policies, with safeguards in place to protect against retaliation.

Akka communicates, to external users, vendors, business partners, and others whose products or services, or both, are part of the system, our objectives related to confidentiality and the protection of confidential information, as well as changes to those objectives

Akka prepares and communicates information about the design and operation of our system and its boundaries to authorized external users to permit users to understand their role in the system and the results of system operation.

Akka communicates the objectives of our product to relevant external users, including customers, partners, and regulators, through clear and accessible channels such as documentation, service agreements, user guides, and public-facing web pages. We ensure that information about the intended purpose, key functionalities, and security or privacy commitments of our product is accurate and tailored to the needs of each external audience, enabling them to make informed decisions and align their expectations with our commitments.

The IT team continuously monitors system capacity and performance through the use of monitoring tools to identify and detect anomalies that could compromise availability of the system operations. Incident management process is invoked for confirmed events and anomalies.

Antivirus software is in place on the production servers to prevent or detect and act upon the introduction of unauthorized or malicious software.

Baseline configurations are retained within the configuration management tool for rollback capability anytime an approved configuration change is made.

A log management process has been formalized to make sure that access to change the log configuration and access to modify logs is restricted.

A baseline configuration of IT and control systems is created and maintained.

Policy guidelines prohibit the use of production data in testing or development environments.

Boundary protection systems (for example, firewalls, demilitarized zones, intrusion detection or prevention systems, and endpoint detection and response systems) are configured, implemented, and maintained to protect external access points.

A formal change management process exists that governs changes to the applications and supporting infrastructure. The process document is reviewed by IT management on an annual basis and updated as needed.

We consider the technical competency of potential and existing personnel, contractors, and vendor employees when determining whether to employ and retain the individuals.

Employees are required to complete an information security and awareness training within 30 days of the the time of onboarding and annually thereafter.

Akka establishes and maintains clear performance measures, incentive structures, and reward systems for all employees, aligned with their specific responsibilities and reflecting both short-term and long-term organizational objectives.

We ensure that these measures promote ethical conduct, compliance, and achievement of strategic goals, with regular reviews to maintain their relevance and effectiveness.

Management and the board of directors align incentives and rewards with the fulfillment of internal control responsibilities in the achievement of objectives.

Akka has established an organization chart that defines organizational roles, reporting lines, and authorities as it relates to development, quality assurance, and security operations of its services. Akka’s organizational structure is reviewed and updated in case of significant changes.

Management and the board of directors consider requirements relevant to security, availability, processing integrity, confidentiality, and privacy when defining authorities and responsibilities.

Management and the board of directors consider the need for us to interact with and monitor the activities of external parties when establishing structures, reporting lines, authorities, and responsibilities.

System changes that affect responsibilities or the achievement of our objectives are communicated in a timely manner.

Our personnel with responsibility for designing, developing, implementing, operating, maintaining, or monitoring system controls receive communications about their responsibilities, including changes in their responsibilities, and have the information necessary to carry out those responsibilities.

We communicate our objectives and changes to those objectives to personnel in a timely manner.

Akka performs background checks on all new employees, and on any consultants who will have access to sensitive information.

Akka maintains comprehensive training programs to ensure that all personnel, including employees, contractors, and vendor staff, possess and retain the technical skills necessary for their roles.

We provide initial onboarding and ongoing continuing education to address evolving technologies, industry standards, and regulatory requirements. Training curricula are documented, participation and completion are tracked, and the effectiveness of training programs is periodically assessed to ensure continued competency and compliance.

Akka establishes baseline metrics to measure current system usage and performs periodic capacity forecasting—considering both peak demand and potential component failures—to ensure that infrastructure and software resources are scaled or adjusted through the formal change management process before capacity tolerances are exceeded.

Akka ensure that its selected vendors, where appropriate, have processes are in place to remove physical access to facilities and protected information assets when an employee, contractor, vendor, or business partner no longer requires access, even though it does not operate such facilities directly.

Logging is enabled to monitor activities such as administrative activities, logon attempts, changes to functions, security configurations, permissions, and roles. Automated alerts are configured to notify IT management.

The company uses an intrusion detection system to provide continuous monitoring of the company’s network and early detection of potential security breaches.