Identity verification
Every individual and entity is identity-verified before receiving platform credentials — document verification for individuals, entity verification (KYB) for organizations — powered by GBG.
AKRU maintains the official records of securities as an SEC-registered transfer agent. That obligation shapes every control on this page: identity before access, screening before transactions, logs behind every change, and recovery paths that don't depend on an investor safeguarding a private key.

A SOC 2 examination is underway with a national audit firm. The examination covers the controls described on this page — access, change management, monitoring, and data handling — evaluated against the AICPA Trust Services Criteria. Institutions in diligence can request current status and scope under NDA.
No participant holds a position on AKRU without passing compliance first. The screening stack runs as part of onboarding and continues through the life of every account.
Every individual and entity is identity-verified before receiving platform credentials — document verification for individuals, entity verification (KYB) for organizations — powered by GBG.
Participants are screened against sanctions and watchlists via GBG at onboarding and on an ongoing basis, so a status change after admission is caught, not grandfathered.
Transaction activity is monitored for anomalous patterns, with review workflows that hold flagged activity for compliance disposition before it settles.
AKRU runs on permissioned infrastructure — a closed system where every participant is known, every wallet is registered, and every transfer is checked against compliance rules before it executes.
Securities on the platform are bound to verified identities. A position cannot move to an unknown counterparty because unknown counterparties cannot exist on the system.
A registry of approved wallets gates every transfer. Compliance rules — accreditation, jurisdiction, transfer restrictions — are enforced at the protocol level, before execution.
Multi-party administrative controls support credential revocation, account recovery for lost access, and — under appropriate legal process — forced transfer and re-issuance on the official register. Investors are never one lost key away from a lost position.
Data is encrypted in transit and at rest. Sensitive investor data — identity documents, tax records, banking details — is segregated with additional controls.
Role-based access with least privilege as the default, multi-factor authentication on administrative functions, and periodic access reviews.
Administrative and record-affecting actions are logged in tamper-evident form. The register itself is append-only by construction — changes add history, they don't overwrite it.
Redundant infrastructure across availability zones, tested backup and restore procedures, and documented recovery objectives for the systems that maintain official records. Recordkeeping obligations don't pause for an outage, and the architecture reflects that.
We welcome good-faith security research. Report suspected vulnerabilities to security@akru.com with enough detail to reproduce the issue. We acknowledge reports, keep researchers informed through remediation, and support coordinated disclosure. We do not pursue action against research conducted in good faith and within scope.
A SOC 2 examination is underway with a national audit firm. Institutions evaluating AKRU can request the current status and scope under NDA through their AKRU contact.
Yes. Because access is identity-bound rather than key-bound, administrative controls support account recovery, revocation of compromised credentials, and — under appropriate legal process — forced transfer and re-issuance of a holder's position on the official register.
Only verified participants. Every entity on the platform passes identity verification and screening before it can hold a position, and a permissioned wallet registry means transfers can only occur between approved, identity-bound participants.
Email security@akru.com. We acknowledge good-faith reports, work with researchers on coordinated disclosure, and do not pursue action against research conducted in good faith within scope.
A working session with our team on controls, evidence, and diligence materials.