AKSTOOL Security Center
Enterprise-grade security for everyday digital tools. Explore our security architecture, encryption practices, incident response procedures, and responsible disclosure programme.
Last Reviewed: 8 June 2026 • Security Team: AKSTools Engineering
- TLS 1.3: All traffic encrypted
- AES-256: Data at rest
- Zero-Log: PDF files deleted in 60s
- 2FA: Admin access protected
Security Overview
Security is foundational to every decision we make at AKSTOOL — not an afterthought applied at the end of development. Our engineering team follows a Security Development Lifecycle (SDL) modelled on industry best practices, integrating threat modelling, static analysis, and penetration testing into every release cycle.
We operate across a minimal attack surface. The vast majority of our tool functionality — including QR scanning, PDF processing previews, and AI-based breed detection — runs entirely on the user's device, ensuring that sensitive data never traverses a network path at all. Where server-side processing is required (such as advanced PDF OCR), we enforce the strictest possible data lifecycle: encrypted upload, isolated processing, immediate deletion.
Our infrastructure is built on containerised microservices with no persistent writable storage accessible from the public internet. All administrative access requires hardware security key authentication. Our systems are monitored 24/7 for anomalous activity with automated incident triggering.
Infrastructure Security
🏗️ Container Isolation
All services run in isolated Docker containers with read-only root filesystems. No service can access another service's data or file system directly.
🌐 DDoS Protection
We use Cloudflare's enterprise-tier DDoS mitigation and Web Application Firewall (WAF) to protect against volumetric attacks and application-layer exploits.
🔒 Network Segmentation
Production, staging, and development environments are on separate networks with zero cross-environment data flow. Database servers are not accessible from the public internet.
📊 Continuous Monitoring
Real-time monitoring of all production systems with automated alerting for unusual access patterns, error rate spikes, and latency anomalies. On-call rotation ensures 24/7 response capability.
🔑 Access Control
Production access requires a hardware FIDO2 security key plus time-based OTP. All access is logged and reviewed quarterly by our security lead.
🔄 Automated Patching
Operating system and runtime dependencies are automatically patched within 24 hours of critical security advisories. Our CI/CD pipeline includes automated dependency vulnerability scanning.
Encryption Standards
Data in Transit
All communication between clients and AKSTOOL servers is encrypted using TLS 1.3 with Perfect Forward Secrecy (PFS). We enforce HSTS (HTTP Strict Transport Security) with a max-age of 31536000 seconds and include our domain in browser preload lists. Cipher suites are limited to AEAD ciphers — no RC4, DES, 3DES, or other deprecated algorithms are accepted.
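A check for the HSTS policy described above, as an added example that is not AKSTOOL's own code: it parses a `Strict-Transport-Security` header value following RFC 6797 and reports where it falls short of the stated max-age and the preload-list submission requirements. The function names and the sample header strings are constructed for illustration.

```python
import re

ONE_YEAR = 31536000  # max-age value stated on this page


def parse_hsts(value):
    """Parse an STS header value (RFC 6797). Return a dict, or None if invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue  # empty directives such as "a;;b" are permitted
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()  # names are case-insensitive
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]  # directive values may be quoted strings
        if name in directives:
            return None  # each directive may appear only once
        directives[name] = arg
    max_age = directives.get("max-age", "")
    if not re.fullmatch(r"[0-9]+", max_age):
        return None  # max-age is required and must be a count of seconds
    return {
        "max_age": int(max_age),
        "include_subdomains": "includesubdomains" in directives,
        "preload": "preload" in directives,
    }


def audit_hsts(value):
    """Return a list of findings; an empty list means the policy is met."""
    policy = parse_hsts(value)
    if policy is None:
        return ["header is malformed, browsers will ignore it"]
    findings = []
    if policy["max_age"] < ONE_YEAR:
        findings.append(f"max-age {policy['max_age']} is below {ONE_YEAR}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains missing (needed for preload)")
    if not policy["preload"]:
        findings.append("preload directive missing")
    return findings


if __name__ == "__main__":
    # Constructed sample header values
    for sample in ("max-age=31536000; includeSubDomains; preload",
                   "max-age=300",
                   "max-age=31536000; max-age=0"):
        print(repr(sample), "->", audit_hsts(sample) or "OK")
```
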
Data at Rest
Any data temporarily persisted to disk (such as queue jobs) is encrypted using AES-256-GCM. Encryption keys are stored in a hardware security module (HSM) and rotated on a 90-day cycle. Keys are never stored alongside the data they protect.
End-to-End for Local Processing
For features that run on-device (QR scanning, local PDF preview, AI breed detection), data never leaves the device at all. There is no encryption layer required because there is no network transmission.
Data Retention & Deletion
| Data Type | Retention Period | Deletion Method |
|---|---|---|
| Uploaded PDF files | 60 seconds post-processing | Secure overwrite (DoD 5220.22-M standard) |
| Crash reports | 90 days | Automated deletion after expiry |
| Support emails | 12 months | Manual deletion on request or auto after period |
| Analytics data | 24 months (aggregated only) | Aggregated — no individual records retained |
| Account data | Until deletion requested | Cascading delete across all tables within 48 hours |
| App store cache | 7 days | Rolling purge |
Incident Response Process
Detection
Automated monitoring detects an anomaly and triggers a PagerDuty alert to the on-call engineer within 60 seconds.
Triage (< 30 min)
The on-call engineer assesses severity, classifies the incident (P1–P4), and activates the incident channel if it is P1/P2.
Containment (< 2 hours)
Affected systems are isolated or taken offline. Traffic is rerouted. Root cause investigation begins.
Notification (< 72 hours)
For breaches involving personal data, affected users and the ICO are notified within 72 hours as required by UK GDPR.
Recovery
Systems are restored from clean snapshots after the root cause is confirmed. A patch is deployed and verified.
Post-Mortem
Within 5 business days, a full post-mortem document is produced covering timeline, root cause, impact, and preventative measures.
Product Security Summary
- ✓ On-device processing only
- ✓ No network transmission of scan data
- ✓ Camera permission scoped correctly
- ✓ Scan history in encrypted local sandbox
- ✓ TLS 1.3 upload channel
- ✓ Files deleted within 60 seconds
- ✓ No human access to file contents
- ✓ Processing in isolated ephemeral containers
- ✓ Approximate location only (city-level)
- ✓ Location not stored or logged
- ✓ Anonymised API requests
- ✓ No persistent user identifier sent
- ✓ On-device AI where hardware allows
- ✓ Optional account — no forced sign-up
- ✓ Community content moderated for harmful material
- ✓ Marketplace payments via Stripe (PCI DSS Level 1)
🔎 Responsible Disclosure Programme
We welcome security researchers who act in good faith to identify and report vulnerabilities in our products. We commit to the following:
- → We will acknowledge your report within 24 hours.
- → We will provide a status update within 7 days.
- → We will not pursue legal action against researchers acting in good faith.
- → We will credit you in our release notes if you choose (and consent to public disclosure).
In scope: akstool.com and all subdomains, all published Android and iOS applications.
Out of scope: Social engineering attacks, physical security issues, DoS/DDoS attacks against our infrastructure, automated scanning without prior approval.
Report via security@akstool.com