Security and Compliance across clusters and regions

Last update: January 30, 2026

Akuity is a secure, compliance-validated platform designed for enterprises running regulated and mission-critical delivery infrastructure. Akuity maintains SOC 2 Type II, ISO 27001:2022, PCI DSS 4.0.1, and HIPAA-aligned controls, with regional data residency options in the United States and European Union.

Security, privacy, and compliance are foundational to how Akuity builds and operates its platform. Customers trust Akuity to manage critical delivery infrastructure, and we design our systems to meet the expectations of security-conscious and regulated organizations.

This page provides a comprehensive overview of how we protect customer data, how our platform is secured, and how our practices are validated through independent audits and certifications.

Security Certifications and Compliance Frameworks


Akuity maintains independent validation against widely recognized security and compliance frameworks:

  • SOC 2 Type II

    Independently audited controls covering the Security Trust Service Criteria, with operational effectiveness validated over time.


  • ISO/IEC 27001:2022

    Certified Information Security Management System (ISMS) aligned with international best practices for risk management and governance.


  • PCI DSS v4.0.1 (Service Provider)

    Report on Compliance (ROC) completed, validating platform and operational controls against the latest PCI standard.


  • HIPAA

    Administrative, technical, and operational safeguards aligned with HIPAA requirements.


  • CSA STAR Level 1

    Public self-assessment aligned with the Cloud Controls Matrix (CCM).


  • GDPR Alignment

    Platform and operational practices designed to support data protection and privacy principles under GDPR.


Audit reports and supporting documentation are available in our Trust Center: https://trust.akuity.io

Security Philosophy

Akuity follows a security-by-design and privacy-by-design approach. Security is embedded throughout the lifecycle of our platform, from design and development to deployment and operations.

Our program emphasizes least privilege, defense in depth, continuous monitoring, independent validation, and continuous improvement.

Shared Responsibility Model

Akuity is responsible for securing the Akuity Platform, including the managed control plane, supporting infrastructure, and internal operations.

Customers are responsible for securing their own environments, credentials, configurations, and workloads managed through the platform. This shared responsibility model aligns with standard cloud security practices and is consistent with SOC, ISO, PCI, and HIPAA frameworks.

Cloud Infrastructure and Platform Security

The Akuity Platform is hosted on Amazon Web Services, leveraging AWS physical, environmental, and infrastructure security controls.


Environment Isolation

  • Separate environments for production, staging, and development

  • Segmented networks and access boundaries

  • Logical isolation between customer environments

Network Security

  • All external communication encrypted using TLS 1.2 or higher

  • Strictly controlled network access

  • Web application firewall and DDoS protection

Data Residency and Regional Architecture

Akuity operates multiple regions to support data residency and regulatory requirements.

United States Region

  • Designed for US-based customers

  • Deployed across multiple availability zones


European Union Region

  • Fully self-contained EU region

  • Primary region in Frankfurt, Germany with a secondary backup region in Ireland

  • Customer data, including logs and telemetry, remains within the EU

Customers select the region that best aligns with their regulatory and operational needs.

Data Security, Encryption and Key Management

Encryption

  • In transit: TLS 1.2 or higher

  • At rest: AES-256 encryption for databases, object storage, and backups


Key Management

  • Encryption keys managed using AWS Key Management Service (KMS)

  • Separation of duties enforced

  • No shared or hard-coded encryption keys

Customer Data Usage and Access

Akuity does not sell customer data and does not use customer data for advertising or marketing purposes.

Access to customer data is limited to authorized personnel on a need-to-know basis, is time-bound when required, and is logged and audited in accordance with internal policies and compliance requirements.

Customer data is used solely to provide and support the Akuity Platform.

Support Access Controls

When access to customer environments is required for support purposes, Akuity follows controlled access procedures:

  • Access is limited, approved, and time-bound

  • All access is logged and monitored

  • Access is revoked once the support activity is complete

These controls align with least-privilege and auditability requirements across all compliance frameworks.

Secure Software Development Practices

Akuity follows disciplined secure software development practices:

  • Mandatory peer review for all code changes

  • Version-controlled change management

  • Automated testing and security checks in CI/CD pipelines

  • Dependency scanning and vulnerability detection

  • Separation of duties between development and production access


Logging, Monitoring, and Incident Response

Monitoring and Logging

  • Centralized logging across infrastructure and applications

  • Audit logging for administrative and access activities

  • Continuous monitoring for anomalous behavior

Incident Response and Notification

  • Documented incident response plan

  • Defined escalation and communication procedures

  • Customers are notified of security incidents in accordance with contractual and regulatory obligations

Vulnerability Management

  • Regular vulnerability scanning of public-facing assets

  • Risk-based remediation timelines

  • Periodic third-party penetration testing

  • Verification and tracking of remediation efforts

Business Continuity and Disaster Recovery

  • Continuous backups of customer data

  • Backups stored in a secondary region

  • Documented disaster recovery procedures

  • Regular testing of recovery processes

Data Retention and Deletion

Akuity maintains documented data retention and deletion policies aligned with contractual and regulatory requirements.

Upon contract termination or customer request, customer data is securely deleted within defined timeframes. Confirmation of deletion can be provided upon request.

Employee Security

  • Background checks conducted prior to granting access

  • Mandatory security and privacy training

  • Additional secure coding training for engineers

  • Confidentiality and acceptable use policies enforced

Third-Party Risk Management

  • Risk-based vendor assessment process

  • Review of third-party security attestations

  • Least-privilege access for vendors

  • Contractual security and data protection requirements

AI and Data Usage

Akuity does not use customer data to train machine learning or AI models without explicit customer consent.

Akuity’s approach to AI is security-first: it uses platform context (live logs, events, manifests, and deployment history) to make AI outputs accurate, and it can take controlled, auditable actions (such as runbook-driven changes) with least privilege and approvals where needed, while not using customer data to train AI models without explicit consent.

Akuity Intelligence adds AI-powered GitOps to Argo CD by summarizing what changed and the risk of a promotion (so teams are not deploying “blind”), and by accelerating troubleshooting with natural-language guidance grounded in the cluster’s real state.

For deploy, debug, and remediation, it closes the loop: AI detects common failure patterns, proposes or executes predefined runbooks (e.g., adjust resources, restart safely, patch configs), then re-checks health, shrinking MTTR from “wake up and investigate” to minutes.

Compliance Scope Clarification

  • PCI DSS: Akuity is assessed as a service provider and does not store, process, or transmit cardholder data on behalf of customers.

  • HIPAA: Akuity supports HIPAA-regulated workloads through aligned safeguards but is not a covered entity.

  • CSA STAR: Level 1 self-assessment based on publicly available documentation.

Responsible Disclosure and Security Contact

Akuity encourages responsible disclosure of security vulnerabilities.

  • Security contact: security@akuity.io

  • Reported issues are reviewed, triaged, and addressed according to internal procedures.

Compliance Roadmap

Akuity continuously evaluates additional security and compliance frameworks based on customer needs, regulatory developments, and industry best practices.

© 2026 Akuity Inc. All rights reserved.

Akuity Inc. 440 N. Wolfe Road, Sunnyvale, CA 94085-3869 US +1-510-771-7837

SOC2 Type 2 Compliant