Security at Knock
Knock was built with security and privacy in mind from day one.
Our security posture
Here's a little more about our security practices at Knock:
- We implement best practices around least privilege, with limited access to production data for our employees.
- Access to all systems is enforced by 2FA for our employees.
- All of our code changes are signed off by at least one other person, and tested in a staging environment before being deployed.
- We retain server logs for a maximum of 1 year, after which time they are permanently deleted.
- We have regular third-party penetration tests and infrastructure audits.
- All data is encrypted at rest, and we use TLS 1.2 for all cross-service communication.
More information and responsible disclosure
We're always improving the security of our product. If you'd like to learn more about our data protection processes, you can email us at email@example.com.
If you are a security researcher and would like to disclose an issue, contact firstname.lastname@example.org. We are strong advocates for responsible disclosure by independent security researchers. We believe the best way to protect current and future customers is to encourage researchers to come forward with issues and reply promptly.
Our promise to you is:
- We will read and respond to all reported vulnerabilities.
- We will not take any harmful action (including legal action) against researchers who act ethically and in good faith.
- We will highlight the contributions of security researchers who make significant reports.
In return we ask:
- That you do not attempt to access, modify, or delete data belonging to Knock customers.
- That you report issues promptly once discovered.
- That you do not attempt denial of service against the Knock service.