Security
Akamas takes security seriously and builds enterprise-grade software where customer data is kept safe at all times. This document provides security information for Akamas Insights, designed to help security teams and compliance officers understand the platform's security posture, data handling practices, and compliance considerations.
Data Management
Types of Data Handled
Akamas Insights processes and stores the following types of information:
System Configuration and Performance Metrics:
Akamas collects resource utilization and configuration data from your Kubernetes clusters and monitoring platforms. This includes CPU and memory usage patterns, pod and container metrics, node capacity information, workload configurations, and application runtime metrics such as JVM garbage collection statistics. The platform also captures metadata like cluster names, namespace identifiers, workload names, and resource request/limit configurations. This data enables optimization recommendations while containing no application-specific content or business logic.
User Account Information:
User authentication and session management data, including email addresses, display names, and secure session tokens. This information is managed through our authentication partner (Auth0) and is used solely for access control and user identification within the platform.
Integration Credentials:
Akamas uses API tokens, keys, and endpoint URLs to connect to your monitoring platforms (Dynatrace, Datadog, Prometheus, etc.). When configured, the platform may also store credentials for Git providers (GitHub, GitLab) to facilitate recommendation deployment workflows. All credentials are encrypted at rest and transmitted only over secure channels. When accessing these integration endpoints, we aim to minimize the required permission scope to what is actually needed to perform the integration actions.
Data Not Collected
Akamas Insights does not collect, process or store:
Application logs or log content
Application data or database content
Secrets or passwords from Kubernetes resources
Network traffic content
User activity within applications
Personal data beyond those mentioned above
Authentication and Access Control
Authentication
Akamas Insights uses enterprise-grade authentication powered by Auth0, a leading identity management platform. All authentication flows follow industry best practices and comply with modern security standards including OAuth 2.0 and OpenID Connect protocols.
Data Encryption
Data in Transit
HTTPS/TLS:
All communication between the browser and Akamas Insights uses HTTPS with valid SSL/TLS certificates
TLS 1.2 or higher enforced
API Communications:
Connections to monitoring platforms (Dynatrace, Datadog, etc.) use HTTPS or the encryption method suggested by the monitoring platform vendor
No sensitive data is transmitted in URL parameters
Data at Rest
Storage Encryption:
All metrics data and backup systems use encryption at rest
Encryption keys are managed according to industry best practices
Credentials Storage:
API tokens and keys stored in encrypted configuration files using secure key management
Session tokens stored in browser cookies with Secure and HttpOnly flags
No credentials stored in plain text or application logs
Industry Certifications
Akamas Insights does not currently hold specific security certifications (PCI-DSS, HIPAA, SOC 2). Considering the kind of data that is managed within Akamas (see section "Types of Data Handled"), specific security certifications like PCI or HIPAA are not required as the platform does not manage payment or health-related information.
Logging
Akamas Insights does not read or store any user application logs. Logs produced by the Akamas platform are managed by a log aggregation system that stores them securely. Logs are collected in standard formats and contain the information needed to audit user actions and investigate any security and functional incidents.
Code Scanning Policy
Akamas follows secure software development practices with automated code scanning integrated into the continuous integration pipeline. The development process includes:
Automated Security Scanning: CVE analysis on every build and weekly scans
Security Standards: Comprehensive checks against CVE, SANS Top 25, and OWASP Top 10
Security scan results are reviewed by the development team, and identified issues are prioritized based on severity and addressed according to established internal remediation timelines.