Security at Akil
Akil sits in the middle of your inbound revenue motion. We treat that responsibility seriously. This page describes the controls in place today, the controls we're building, and how to reach us with a security question or vulnerability report.
Encryption
- In transit: all traffic to useakil.com, app.useakil.com, and api.useakil.com is served over HTTPS with TLS 1.2+.
- At rest: the Postgres database, object storage, and backup volumes are encrypted at rest using AES-256 (provided by Railway's managed infrastructure).
- Secrets: API keys, OAuth client secrets, and integration credentials are stored as environment variables in the deploy runtime, never committed to the repo.
- Passwords: stored as scrypt hashes — never in plaintext.
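As an added illustration of the password-storage bullet (this is example code, not Akil's own implementation, and the work-factor parameters are an assumption, since the page does not publish them), here is scrypt hashing with a random per-user salt, a self-describing stored format, and constant-time verification using only Node's built-in crypto module:

```typescript
// Added example, not Akil's code: scrypt password hashing with a random
// per-user salt, self-describing parameters and constant-time verification,
// using only Node's built-in crypto module. The work factor is an assumption
// for illustration; Akil does not publish its parameters.
import { randomBytes, scryptSync, timingSafeEqual } from "crypto";

const PARAMS = { N: 1 << 14, r: 8, p: 1 }; // roughly 16 MiB of memory per hash
const KEY_LEN = 64;
const SALT_LEN = 16;
// scrypt needs about 128 * N * r bytes; allow headroom so a larger N still works.
const MAX_MEM = 256 * 1024 * 1024;

// Stored form: scrypt$N$r$p$<salt hex>$<key hex>. Carrying the parameters next
// to the hash lets the work factor be raised later while old rows keep verifying.
export function hashPassword(password: string): string {
  const salt = randomBytes(SALT_LEN);
  const key = scryptSync(password, salt, KEY_LEN, { ...PARAMS, maxmem: MAX_MEM });
  return ["scrypt", PARAMS.N, PARAMS.r, PARAMS.p, salt.toString("hex"), key.toString("hex")].join("$");
}

export function verifyPassword(password: string, stored: string): boolean {
  const parts = stored.split("$");
  if (parts.length !== 6 || parts[0] !== "scrypt") return false; // not our format (e.g. a legacy row)
  const N = Number(parts[1]);
  const r = Number(parts[2]);
  const p = Number(parts[3]);
  // Refuse absurd parameters from a tampered row rather than burning CPU and memory on them.
  if (![N, r, p].every(Number.isInteger) || N < 2 || (N & (N - 1)) !== 0 || p < 1 || 128 * N * r > MAX_MEM) {
    return false;
  }
  const salt = Buffer.from(parts[4] ?? "", "hex");
  const expected = Buffer.from(parts[5] ?? "", "hex");
  if (salt.length < 8 || expected.length < 16) return false;
  const actual = scryptSync(password, salt, expected.length, { N, r, p, maxmem: MAX_MEM });
  // timingSafeEqual would throw on a length mismatch; lengths are equal by construction here.
  return timingSafeEqual(actual, expected);
}

// After a successful login, rehash if the stored row uses weaker parameters than
// the current policy, so the work factor can be raised over time without a reset.
export function needsRehash(stored: string): boolean {
  const parts = stored.split("$");
  if (parts.length !== 6 || parts[0] !== "scrypt") return true;
  return Number(parts[1]) < PARAMS.N || Number(parts[2]) < PARAMS.r || Number(parts[3]) < PARAMS.p;
}
```

The parameter check before `scryptSync` matters in practice: a row whose N or r has been tampered with would otherwise make the login path allocate gigabytes or throw, and `needsRehash` is what lets the work factor keep pace with hardware.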
Access controls
- Each customer workspace is isolated by an org_id enforced at the API layer; cross-org reads are not possible through the public API.
- Role-based access within a workspace: admin, member, and superadmin (Akil staff only). Member accounts cannot see logs, policies, or other admin-only data.
- API keys are scoped to a single workspace and can be revoked from the dashboard at any time.
- Google Calendar OAuth tokens are per-rep, isolated by org, and auto-rotated on refresh.
- Production database access is limited to a small number of operators and is logged.
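The pattern behind the first two bullets, as an added example that is not Akil's code: the org filter is taken from the authenticated session rather than from any request parameter, admin-only data is gated by role, and staff cross-org reads go through a separate entry point that writes an audit entry. The types, sample rows, and the `auditTrail` array are hypothetical; only the three role names come from the page.

```typescript
// Added example, not Akil's code: workspace (org) isolation and role checks
// over an in-memory store. Types, rows and the audit array are hypothetical;
// only the three role names come from the page.
export type Role = "member" | "admin" | "superadmin";
export interface Session { orgId: string; role: Role; userId: string }
interface Lead { id: string; orgId: string; email: string }
interface LogEntry { id: string; orgId: string; message: string }

export class NotFound extends Error {}
export class Forbidden extends Error {}

// Constructed sample rows spanning two workspaces.
const leads: Lead[] = [
  { id: "lead-1", orgId: "org-a", email: "a@example.com" },
  { id: "lead-2", orgId: "org-b", email: "b@example.com" },
];
const logs: LogEntry[] = [
  { id: "log-1", orgId: "org-a", message: "routed lead-1 to rep-7" },
  { id: "log-2", orgId: "org-b", message: "routed lead-2 to rep-3" },
];

// The only way to read tenant rows: the org filter comes from the session,
// never from a request parameter, so a caller cannot name another org.
function scoped<T extends { orgId: string }>(rows: T[], session: Session): T[] {
  return rows.filter((r) => r.orgId === session.orgId);
}

export function getLead(session: Session, leadId: string): Lead {
  const row = scoped(leads, session).find((l) => l.id === leadId);
  // A cross-org id is indistinguishable from a nonexistent one (404, not 403),
  // so the API does not confirm that the id exists in some other workspace.
  if (!row) throw new NotFound(`lead ${leadId}`);
  return row;
}

export function listLogs(session: Session): LogEntry[] {
  if (session.role === "member") throw new Forbidden("logs are admin-only");
  return scoped(logs, session);
}

// Staff cross-org access is a separate, explicit entry point that records who
// read what, so the read can be written to the audit log before any data is returned.
export const auditTrail: string[] = [];
export function staffGetLead(session: Session, orgId: string, leadId: string): Lead {
  if (session.role !== "superadmin") throw new Forbidden("superadmin only");
  auditTrail.push(`${session.userId} read lead ${leadId} in ${orgId}`);
  const row = leads.find((l) => l.orgId === orgId && l.id === leadId);
  if (!row) throw new NotFound(`lead ${leadId}`);
  return row;
}
```

The point of `scoped` being the single read path is that a forgotten `WHERE org_id = ?` cannot happen per query; with a real database the same idea is a repository layer that always injects the session's org, or Postgres row-level security keyed on a session variable.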
Data residency
Akil is hosted on Railway in the United States. Customer data, including leads and calendar event metadata, is stored in Postgres in the US. For cross-border transfers from the EEA, UK, and Switzerland we rely on Standard Contractual Clauses (SCCs) through our sub-processors.
Sub-processors
See section 7 of the Privacy Policy for the current list of sub-processors and what data they process. We notify customers before material changes take effect.
AI & data training
- We use OpenAI's models for three agents: Lead Profiler, Content & Outreach, and Meeting Intelligence.
- OpenAI does not train its models on data submitted via the OpenAI API; we do not opt in to any training program.
- We send only the minimum lead context needed to produce the agent's output, and outputs are logged for the customer's own audit trail.
Authentication & sessions
- Session cookies are HttpOnly, Secure, SameSite=Lax, and scoped to the appropriate domain.
- Sessions expire after a fixed inactivity window and can be revoked server-side.
- Public booking pages are unauthenticated by design (that's the product) but are read-only from a security standpoint and rate-limited.
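A quick way to verify the cookie attributes listed above from the outside, as an added example (not Akil's code): paste the `Set-Cookie` header from a login response into the checker and it reports any attribute that falls short. The cookie name, the two sample headers, and the hostname passed as `expectedDomain` are constructed for illustration, not captured from Akil.

```typescript
// Added example, not Akil's code: checks a Set-Cookie header for the session
// cookie attributes described on the page (HttpOnly, Secure, SameSite=Lax,
// domain scope). The sample headers below are constructed, not captured.
export interface CookieReport { name: string; problems: string[] }

export function checkSessionCookie(setCookie: string, expectedDomain: string): CookieReport {
  const [nameValue = "", ...attrs] = setCookie.split(";").map((s) => s.trim());
  const name = nameValue.split("=")[0] ?? "";
  // Attribute names are case-insensitive; keep values as written.
  const flags = new Map<string, string>();
  for (const a of attrs) {
    const eq = a.indexOf("=");
    const k = (eq === -1 ? a : a.slice(0, eq)).toLowerCase();
    const v = eq === -1 ? "" : a.slice(eq + 1);
    flags.set(k, v);
  }

  const problems: string[] = [];
  if (!flags.has("httponly")) problems.push("missing HttpOnly (cookie readable by page scripts)");
  if (!flags.has("secure")) problems.push("missing Secure (cookie would be sent over plain HTTP)");
  const sameSite = (flags.get("samesite") ?? "").toLowerCase();
  if (sameSite !== "lax" && sameSite !== "strict") {
    problems.push(`SameSite is "${flags.get("samesite") ?? "unset"}" (expected Lax or Strict)`);
  }
  // No Domain attribute means a host-only cookie, the tightest scope. If one is set,
  // it must be the app host itself, not a parent domain shared by other subdomains.
  const domain = flags.get("domain");
  if (domain !== undefined && domain.replace(/^\./, "").toLowerCase() !== expectedDomain.toLowerCase()) {
    problems.push(`Domain=${domain} is wider than ${expectedDomain}`);
  }
  // Browsers enforce extra rules for the __Host- prefix; flag a cookie that claims it but breaks them.
  if (name.startsWith("__Host-") && (domain !== undefined || flags.get("path") !== "/" || !flags.has("secure"))) {
    problems.push("__Host- prefix requires Secure, Path=/ and no Domain attribute");
  }
  return { name, problems };
}

// Constructed sample headers: one that meets the page's description, one that does not.
export const GOOD_COOKIE = "sid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax; Domain=app.useakil.com";
export const WEAK_COOKIE = "sid=abc123; Path=/; SameSite=None; Domain=useakil.com";
```

Run it against a real response with something like `curl -si https://app.useakil.com/login ... | grep -i '^set-cookie'` and pass each header through `checkSessionCookie`; a cookie with no `Domain` attribute at all is also acceptable, since host-only is the narrowest scope.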
Backups & availability
- The Postgres database is backed up automatically by Railway. Recovery point and recovery time objectives follow Railway's managed-database SLAs.
- The application is deployed as separate orchestrator + dashboard services with restart policies and health checks.
- We monitor uptime and error rates and respond to alerts.
Logging & audit
- Every pipeline execution (the route an inbound lead took, each agent's output, the assigned rep) is logged and visible to the customer in their dashboard.
- Superadmin actions (cross-org administration) are recorded in an immutable audit log.
- Application logs are retained for 90 days.
Secure development
- All code lives in a private GitHub repository. Changes go through pull request review and CI (typecheck, lint, tests) before merge to main.
- Dependencies are pinned via lockfile and reviewed when updated.
- Database changes go through Drizzle migrations applied on deploy.
Vulnerability disclosure
If you discover a security issue in Akil, please report it to hello@useakil.com with the subject line "Security report".
We commit to acknowledging your report within 3 business days and to keeping you updated on remediation. Please give us a reasonable window to fix before public disclosure. We do not currently offer a paid bug bounty but will credit researchers who report responsibly.
In scope: useakil.com, app.useakil.com, api.useakil.com, and the embeddable widget. Out of scope: denial-of-service attacks, social engineering, physical attacks, and any third-party service we integrate with (report those to the third party).
Incident response
In the event of a security incident affecting customer data, we will (a) take immediate steps to contain and remediate, (b) notify affected customers without undue delay and in any case within the timeframe required by applicable law, and (c) provide a post-incident summary including what happened, what data was affected, and what we are doing to prevent recurrence.
What's on the roadmap
Akil is an early-stage product. We are honest about what we do not yet have. On the roadmap: formal SOC 2 Type II audit, expanded SSO options (SAML / OIDC), customer-controlled data residency, signed sub-processor list with email-based notification, and a published DPA template.
Contact
Security questions, customer security reviews, or vulnerability reports: hello@useakil.com.