Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.akua.dev/llms.txt

Use this file to discover all available pages before exploring further.

Akua is built for deploying software to customer infrastructure (hospitals, banks, enterprises with strict compliance requirements). Security is foundational to the architecture, not an add-on.

Your data, your infrastructure

Unlike platforms that host your workloads on shared infrastructure, Akua runs your applications on your servers or dedicated clusters you control. 
Traditional PaaS:   Your app → Shared servers (provider controls data)
Akua:               Your app → Your servers  (you control data)
When a customer deploys through Akua, application runtime data stays on the customer’s infrastructure. Akua’s control plane stores configuration metadata (deployment settings, chart values, resource names) but does not store or process the data your applications generate at runtime.

Isolation model

Per-customer cluster isolation

Every managed cluster is a fully isolated with its own:
  • Kubernetes API server
  • Isolated state store (separate from other clusters)
  • RBAC and service accounts
  • Certificate authority
Cluster state is isolated: one customer’s workloads cannot see, access, or interfere with another customer’s workloads. Each virtual cluster has its own API server and data store, even though they share the underlying management infrastructure.

Workspace isolation

Workspaces are the organizational boundary in Akua. Each workspace has:
  • Separate Stripe billing (merchant account for marketplace sellers)
  • Independent resource quotas
  • Own cloud credentials (BYOM keys are workspace-scoped)
  • Separate clusters, products, and deployments

Secrets and credentials

Akua uses a workspace-scoped secret store for all runtime credentials (CEP-0041). This applies to cloud provider API keys, container registry credentials, webhook signing secrets, and agent provider keys. Key properties of the secret store:
  • Plaintext is never stored in configuration metadata. Secret values are stored in an external secrets manager; Akua keeps only a reference.
  • Versioned rotation. Secrets support append-only versioning: rotate by adding a new version and moving the current alias. Previous versions are accessible until explicitly disabled or destroyed.
  • Separate access scope. Reading secret metadata (secrets:read) and reading plaintext (secrets:access) are separate scopes. Every plaintext access attempt is audited.
  • Soft delete with recovery. Deleted secrets enter a 30-day recovery window before permanent removal.
See the Secrets API → for the full resource model.

Data residency

With BYOM (bring your own machine), the customer controls where data lives:
  • Choose your cloud provider: Hetzner (EU/US), AWS, GCP, or any supported provider.
  • Choose your region: Falkenstein, Frankfurt, Ashburn, or wherever your compliance requires.
  • Data stays on your servers: Akua’s control plane sends orchestration commands and does not store or process customer application data.
FeatureWhat passes through AkuaCustomer data visible?
AI code execution (Code Mode)Your code snippets and execution resultsYes (code you write is processed)
Custom dashboardsKubernetes API queries and responsesOnly resource metadata (pod names, statuses), not application data
Kubernetes API proxykubectl commands and responsesCluster metadata only (not application payloads or volumes)
Log streamingContainer stdout/stderrDepends on what your app logs; avoid logging sensitive data
Preview domainsHTTP traffic (TLS terminated at edge)Request/response passes through Cloudflare, not Akua servers
These features are opt-in. If your compliance requirements prohibit any data leaving your network, you can use Akua purely for orchestration and access your cluster directly via its kubeconfig.
For the strictest requirements, customers can run workers on their own on-premise servers. Run the bootstrap command → and the server joins Akua’s managed cluster. Your data never leaves your network.

Encryption

LayerProtection
Control plane ↔ workerTLS with automatic certificate rotation
API accessHTTPS only, TLS 1.2+
AuthenticationOAuth2, session tokens, ServiceAccount JWTs
Cloud credentialsStored as references to an external secrets manager (actual tokens are never in the configuration database)
Worker bootstrap tokensShort-lived, configurable expiry

Authentication and access control

  • Dashboard: OAuth2 via GitHub, Google, or email magic link.
  • API: Workspace API tokens or OAuth2 Bearer (JWT) tokens.
  • Internal services: Kubernetes ServiceAccount JWT with JWKS verification.
  • Workspace membership: Role-based (owner), scoped to workspace resources.

What Akua stores versus what stays on your infrastructure

Stored by Akua (configuration metadata):
  • Workspace settings, user accounts, billing state.
  • Product definitions, Helm chart references, deployment configurations.
  • Helm value overrides you configure in the dashboard.
  • Machine records, cluster metadata, quota usage counters.
Stays on your infrastructure (runtime data):
  • Your application runtime data (databases, files, user-generated content).
  • Your container images (stored in your registry; Akua only stores the image reference).
  • Your Kubernetes secrets (stored in your cluster’s isolated data store).
  • Your cloud provider API tokens (stored as references to an external secrets manager, not in Akua’s configuration database).

On-premise and air-gapped deployments

Akua supports deploying to servers behind firewalls and in restricted networks:
  1. The customer’s server initiates an outbound-only connection to the Akua control plane.
  2. No inbound ports need to be opened.
  3. The bootstrap command handles all setup (Kubernetes install, cluster join, certificate exchange).
  4. Once connected, the worker communicates through a secure tunnel back to the control plane.
This means hospitals, banks, and government agencies can use Akua without exposing their infrastructure to the internet.

Compliance roadmap

Akua does not yet hold SOC 2, ISO 27001, or other formal certifications. These are planned and in progress. We are transparent about our current state.
CertificationStatusTimeline
GDPRArchitecture supports EU data residency; formal assessment in progressCurrent
SOC 2 Type IIPlanned2026–2027
ISO 27001Planned2026–2027
DORA (Digital Operational Resilience Act)Under evaluationTBD
For enterprise customers requiring compliance documentation before formal certification, Akua provides:
  • Architecture security review documentation.
  • Data flow diagrams showing isolation boundaries.
  • Infrastructure audit support (we participate in your vendor assessment).
  • Custom DPAs (Data Processing Agreements).

Reporting vulnerabilities

If you discover a security vulnerability, report it to security@akua.dev. We take all reports seriously and will respond within 48 hours.

Add workers

Bootstrap command for connecting your own servers.

Secrets API

Manage workspace secrets and credential rotation.

Compute providers

Where your workloads run.

Enterprise

Custom limits, compliance support, dedicated infrastructure.