Security & controls

Security and controls built for regulated finance

AKRU maintains the official records of securities as an SEC-registered transfer agent. That obligation shapes every control on this page: identity before access, screening before transactions, logs behind every change, and recovery paths that don't depend on an investor safeguarding a private key.

Abstract concentric vault geometry in navy on warm white
SOC 2 examination underwayKYC / AML screeningPermissioned infrastructureEncryption in transit & at restAudit logging
Independent examination

SOC 2

A SOC 2 examination is underway with a national audit firm. The examination covers the controls described on this page — access, change management, monitoring, and data handling — evaluated against the AICPA Trust Services Criteria. Institutions in diligence can request current status and scope under NDA.

ASSURANCESTATUS
SOC 2 examinationUnderway, national audit firm
Transfer agentSEC-registered
Recordkeeping standardFederal
ReportsAvailable under NDA
Financial-crime controls

KYC / AML built into onboarding, not bolted on

No participant holds a position on AKRU without passing compliance first. The screening stack runs as part of onboarding and continues through the life of every account.

Identity verification

Every individual and entity is identity-verified before receiving platform credentials — document verification for individuals, entity verification (KYB) for organizations — powered by GBG.

Sanctions & watchlist screening

Participants are screened against sanctions and watchlists via GBG at onboarding and on an ongoing basis, so a status change after admission is caught, not grandfathered.

Transaction monitoring

Transaction activity is monitored for anomalous patterns, with review workflows that hold flagged activity for compliance disposition before it settles.

Permissioned infrastructure

Identity-bound by design

AKRU runs on permissioned infrastructure — a closed system where every participant is known, every wallet is registered, and every transfer is checked against compliance rules before it executes.

Identity-bound tokens

Securities on the platform are bound to verified identities. A position cannot move to an unknown counterparty because unknown counterparties cannot exist on the system.

Permissioned wallet registry

A registry of approved wallets gates every transfer. Compliance rules — accreditation, jurisdiction, transfer restrictions — are enforced at the protocol level, before execution.

Administrative controls

Multi-party administrative controls support credential revocation, account recovery for lost access, and — under appropriate legal process — forced transfer and re-issuance on the official register. Investors are never one lost key away from a lost position.

Data handling & continuity

Data protection and business continuity

Encryption

Data is encrypted in transit and at rest. Sensitive investor data — identity documents, tax records, banking details — is segregated with additional controls.

Access controls

Role-based access with least privilege as the default, multi-factor authentication on administrative functions, and periodic access reviews.

Audit logging

Administrative and record-affecting actions are logged in tamper-evident form. The register itself is append-only by construction — changes add history, they don't overwrite it.

Business continuity

Redundant infrastructure across availability zones, tested backup and restore procedures, and documented recovery objectives for the systems that maintain official records. Recordkeeping obligations don't pause for an outage, and the architecture reflects that.

Responsible disclosure

Found something? Tell us.

We welcome good-faith security research. Report suspected vulnerabilities to security@akru.com with enough detail to reproduce the issue. We acknowledge reports, keep researchers informed through remediation, and support coordinated disclosure. We do not pursue action against research conducted in good faith and within scope.

Questions institutions ask

Frequently asked questions

Is AKRU SOC 2 certified?

A SOC 2 examination is underway with a national audit firm. Institutions evaluating AKRU can request the current status and scope under NDA through their AKRU contact.

Can a lost or compromised investor account be recovered?

Yes. Because access is identity-bound rather than key-bound, administrative controls support account recovery, revocation of compromised credentials, and — under appropriate legal process — forced transfer and re-issuance of a holder's position on the official register.

Who can hold or transfer securities on the platform?

Only verified participants. Every entity on the platform passes identity verification and screening before it can hold a position, and a permissioned wallet registry means transfers can only occur between approved, identity-bound participants.

How do I report a security vulnerability?

Email security@akru.com. We acknowledge good-faith reports, work with researchers on coordinated disclosure, and do not pursue action against research conducted in good faith within scope.

Walk your security team through it

A working session with our team on controls, evidence, and diligence materials.