Built for advocate-client privilege.
Every conversation we've had with advocates considering AkiliLex starts with the same question: is my client's confidential information safe? Here is exactly how we protect it, in plain English a lawyer can show a client.
The five-layer model
Client confidentiality is protected by five independent layers, each of which would have to be broken simultaneously for data to be at risk:
- Network layer — data in transit encrypted with TLS 1.3.
- Storage layer — data at rest encrypted with AES-256.
- Identity layer — passwords + two-factor authentication.
- Authorisation layer — granular roles and tenant isolation.
- Audit layer — every action permanently logged.
Data hosted in Kenya
All AkiliLex data lives on servers physically located in Kenya, in compliance with the data localisation principles of the Data Protection Act 2019. Your client data does not leave the country. There are no cross-border transfers to the US, UK, or anywhere else outside Africa.
Encryption everywhere
Two independent layers of cryptography:
- In transit: TLS 1.3 with modern cipher suites between your browser/phone and our servers. The same encryption banks use.
- At rest: AES-256 full-disk encryption on every server. If a hard drive is physically stolen, the data on it is mathematical noise.
- Database column encryption: the most sensitive fields (KRA PINs, ID numbers, payment data) get additional column-level encryption.
- Backup encryption: daily backups are encrypted with separate keys, stored in a different physical location.
Two-factor authentication
Every account can — and Firm Admin accounts should — require a 6-digit code from a smartphone authenticator app (Google Authenticator, Microsoft Authenticator, Authy, 1Password) in addition to the password. Even if a password is leaked in a third-party breach, an attacker still cannot sign in without your physical phone.
Backup codes are issued so you can recover access if you lose your phone — one-time use, stored in a safe place.
Tenant isolation
AkiliLex is multi-tenant: many law firms share the same software instance, but their data is strictly separated. Every database query for firm data carries a tenant identifier, and every API endpoint checks that the user belongs to the requested tenant before returning a single byte. Cross-tenant data leakage is structurally impossible by design, not just by policy.
Role-based access control
Within your firm, you control exactly who sees what:
- Firm Admin — full access to firm data, financials, user management.
- Partner — firm-wide matters and financials, no user management.
- Advocate — matters assigned to them, their own time entries.
- Paralegal — matters they support, materials, calendar.
- Clerk — limited filing and update access only.
A clerk cannot see invoices. A paralegal cannot see other advocates' matters they aren't on. This is enforced at the database query level, not just hidden in the user interface.
Immutable audit trail
Every meaningful action on your firm's data is permanently logged: sign-ins, matter views and changes, time entries, document generation, communications sent, settings changes. The audit log:
- Records the user, timestamp (millisecond precision), IP address, and action.
- Cannot be edited or deleted by anyone — not even a Firm Admin, not even AkiliLex staff.
- Is retained for 3 years minimum.
- Is reviewable by Firm Admin or Partner at any time under Audit Log.
This means if there is ever a question about who saw what, you have unforgeable evidence.
Service Provider impersonation - controlled
For support purposes, an AkiliLex staff member can — with audit-logged justification — impersonate a user in your firm to diagnose a problem. When this happens:
- A red banner is permanently visible across every page during the session: "VIEWING AS: Your Firm".
- The session is logged in the audit trail with the AkiliLex staff name, reason, start time, end time.
- Write actions during impersonation are restricted by default.
- You receive an email notification each time impersonation begins.
This is in our terms because we won't pretend it doesn't happen — transparency is the alternative to deception.
AI processing privacy
When you use AkiliLex AI Document Services, your documents are processed by large language models. Here's how:
- No training data: we use AI providers (Anthropic) that contractually do not train models on customer data. Your documents do not improve a future model.
- Per-request processing: a document is sent for analysis, the result returned, and the source is not retained by the AI provider.
- Optional redaction: sensitive identifiers can be auto-redacted before AI processing.
- Audit logged: every AI request is in your firm audit log with what document, by whom, for what.
Breach response — the procedure
If a data breach affecting your firm ever occurs:
- Within 1 hour, the AkiliLex Data Protection Officer is notified.
- Within 24 hours, you are notified directly with the facts: what data, what users, what timeframe.
- Within 72 hours, the Office of the Data Protection Commissioner is notified, per Section 43 of the DPA 2019.
- A full incident report follows within 14 days.
Backup and recovery
- Daily backups taken at 02:00 EAT, encrypted, stored in a different physical location.
- 30-day retention by default.
- Quarterly restore drills — we don't just have backups; we test that they restore.
- RPO < 24 hours, RTO < 4 hours for catastrophic platform failure.
Account hardening features
- Failed login lockout — account temporarily locked after 5 failed attempts.
- Session timeout — auto-sign-out after 8 hours of inactivity.
- Email verification required — account inactive until email confirmed.
- Strong password policy — 12-character minimum enforced.
- Password reset via secure token — one-hour expiry, single use.
- CSRF protection — every form action requires a per-session anti-forgery token.
- SQL injection prevention — parameterised queries throughout, no string concatenation.
Our commitments to you
- We will never share your client data with any third party without explicit, written, per-instance authorisation.
- We will never use your client data to train AI, build advertising profiles, or for any purpose other than running the service.
- We will never sell, license, or transfer your data — not even in an acquisition scenario.
- You can export the entirety of your firm's data at any time in machine-readable format.
- You can request deletion of your firm's data within 90 days of subscription end (subject to legal hold for ongoing matters).
Compliance certifications & roadmap
- Today: Data Processor registered with the Office of the Data Protection Commissioner of Kenya. DPA 2019 compliant.
- 2026: ISO 27001 certification (in progress).
- 2026: Annual penetration testing by independent third-party.
- 2027: SOC 2 Type II attestation.
Talk to us about security
If your firm needs more detail — technical architecture diagrams, our data processing agreement, our incident response runbook, evidence of penetration testing — please contact:
- Data Protection Officer: dpo@akililex.com
- Security incidents: security@akililex.com
- 24/7 emergency line: +254 738 709 800