Security
Knoq recognizes that your personal and corporate data is very sensitive. We combine enterprise-grade security features with comprehensive audits of our applications, systems, and networks to ensure customer data is protected.
Data Center and Network Security
- Knoq hosts all its software in Amazon Web Services (AWS) facilities in the USA. Amazon provides an extensive list of compliance and regulatory assurances, including SOC 1, 2 and 3 and ISO 27001. See Amazon’s compliance and security documents for more detailed information.
- All of Knoq’s servers are located within Knoq’s own virtual private cloud (VPC), protected by restrictive security groups that allow only the minimal communication required to and between the servers.
- Knoq conducts network vulnerability scans at least annually. The last one was started on January 30, 2020.
Data Security
- Knoq regularly conducts internal audits to ensure continuous compliance with industry-standard best practices.
- All connections to Knoq are encrypted using TLS, and any attempt to connect over plain HTTP is redirected to HTTPS. We maintain an A+ rating on the Qualys SSL Labs server test.
- System passwords are encrypted using AWS KMS, with access restricted to specific production systems.
- We use industry-standard PostgreSQL, Elasticsearch and MongoDB data stores hosted at AWS and/or by the respective vendors.
- Data access and authorizations are provided on a need-to-know basis and based on the principle of least privilege. Access to the AWS production system is restricted to authorized personnel and is carried out over a dedicated VPN connection.
Application Security
- Web application architecture and implementation follow OWASP guidelines.
- Knoq conducts application penetration testing.
- User passwords are salted, irreversibly hashed, and stored in Knoq’s database. Audit logging lets administrators see when users last logged in and when passwords were last changed.
Application Monitoring
- All access to Knoq applications is logged and audited.
- Knoq maintains a formal incident response plan for major events.
Uptime
Knoq maintains a publicly available system-status webpage which includes system availability details.
Security Policies and Secure Development Life Cycle (SDLC)
- Knoq maintains security policies that are communicated and approved by management to ensure everyone clearly knows their security responsibilities.
- Code development is done through a documented SDLC process. Design of all new product functionality is reviewed by its security team. Knoq conducts mandatory code reviews for code changes and periodic in-depth security review of architecture and sensitive code. Knoq development and testing environments are separate from its production environment.
- The employee hiring process includes background screening.
- At least annually, engineers participate in secure code training covering OWASP Top 10 security flaws, common attack vectors, and Knoq security controls.
- Vulnerability Disclosure Process – Knoq considers privacy and security to be core functions of our platform. Earning and keeping the trust of our customers is our top priority, so we hold ourselves to the highest privacy and security standards. If you have discovered a security or privacy issue that you believe we should know about, we would love to hear from you. Please reach out to us at security@knoq.com and let us know.
Data Sharing
- Knoq never shares individual data points that are uploaded or created through the platform between customers.
- Knoq uses analytics data to improve the products and services that are provided to our customers.
- Analytics data will be used for modeling and identifying correlations in customer data sets. Those correlations can be shared with customers.