SOC 2 safe and secure
Knak is constantly building a culture of security, leveraging current technologies and industry best practices to continuously improve the security of our platforms, systems, and organization. We're proud to say that we're SOC 2 Type II compliant, so you can be confident that your data is handled safely and securely.
How we protect your service data
Key areas of focus for our security & compliance program include:
- Ongoing SOC 2, Type II compliance
- Regular third-party pen tests
- Protection of company personnel equipment (full-disk encryption, anti-malware scanning, screen-saver lock, automatic OS updates, mobile device management software)
- Intrusion detection systems with 24/7 monitoring
- Firewalls and encryption on our server infrastructure
- Server uptime monitoring (see status page)
- Ongoing vulnerability scans
Employee background checks
New employees and contractors at Knak undergo both criminal background checks and reference checks before beginning work.
Confidentiality and privacy
Risk management plan
To help manage overall risk, Knak reviews our risk management policy, associated plan, and risk mitigation strategies at least annually. Risk management is part of our culture and our business decisions.
Knak has a robust vendor management process that involves security at the early stages of procurement to vet potential vendors for their level of risk, the type of data they process, and their integrations with critical systems. We ensure our vendors have appropriate security controls in place to handle our customer and organization data by reviewing their security questionnaires and audit reports.
Knak currently supports signing into its product through Single Sign-on (SSO), leveraging Auth0. Customers can choose to enforce SSO authentication for all users, which removes the need for a separate Knak username and password and leaves authentication policy under the control of the customer's own identity provider.
User permissions and roles
Knak allows for the designation of various roles within its product including administrator roles, brand roles (for companies with multiple brands) and email or landing page creation or approval roles. This permissioning ensures that important information is seen by the appropriate people and administrators have the flexibility to customize how granular their user permissions are.
Knak sessions time out after 30 minutes of inactivity, which is the upper end of the idle-timeout range OWASP recommends for low-risk applications. Expiring idle sessions limits the window in which an abandoned or stolen session could be hijacked.
For customers who do not use SSO, or who use passwords alongside it, Knak enforces password standards including a minimum length, complexity requirements and account lockout after repeated failed login attempts.
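The two controls just described, an idle session timeout and account lockout behind a password policy, are shown below as a worked example. This is added illustrative code, not Knak's own implementation: the 30-minute idle window matches the page, while the password length, lockout threshold, lockout duration and all function names are assumptions made for the example. Times are plain Unix timestamps so the logic can be tested without a clock.

```python
"""Server-side idle timeout and account lockout (illustrative, not Knak's code)."""
import hashlib
import hmac
import re
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IDLE_TIMEOUT = 30 * 60          # seconds; 30 minutes as stated on the page
MIN_PASSWORD_LENGTH = 12        # assumed policy value
MAX_FAILED_LOGINS = 5           # assumed lockout threshold
LOCKOUT_DURATION = 15 * 60      # assumed lockout window in seconds


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def password_meets_policy(password: str) -> bool:
    """Minimum length plus at least three of four character classes."""
    classes = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    hits = sum(bool(re.search(c, password)) for c in classes)
    return len(password) >= MIN_PASSWORD_LENGTH and hits >= 3


@dataclass
class Account:
    username: str
    salt: bytes
    digest: bytes
    failed_logins: int = 0
    locked_until: float = 0.0   # Unix time; 0 means not locked


@dataclass
class Session:
    username: str
    last_activity: float        # Unix time of the last authenticated request


class AuthService:
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}
        self.sessions: Dict[str, Session] = {}

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt, digest = hash_password(password)
        self.accounts[username] = Account(username, salt, digest)

    def login(self, username: str, password: str, now: float) -> Tuple[Optional[str], str]:
        """Returns (session_token, status); status is 'ok', 'locked' or 'invalid'."""
        acct = self.accounts.get(username)
        if acct is None:
            hash_password(password)  # burn the same work so timing does not reveal valid usernames
            return None, "invalid"
        if now < acct.locked_until:
            return None, "locked"
        _, digest = hash_password(password, acct.salt)
        if not hmac.compare_digest(digest, acct.digest):
            acct.failed_logins += 1
            if acct.failed_logins >= MAX_FAILED_LOGINS:
                acct.locked_until = now + LOCKOUT_DURATION
                acct.failed_logins = 0
                return None, "locked"
            return None, "invalid"
        acct.failed_logins = 0
        acct.locked_until = 0.0
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, now)
        return token, "ok"

    def authenticate_request(self, token: str, now: float) -> Optional[str]:
        """Returns the username for a live session, or None; idle sessions are evicted."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if now - sess.last_activity > IDLE_TIMEOUT:
            del self.sessions[token]     # invalidated server-side, not just in the browser
            return None
        sess.last_activity = now         # sliding window: activity extends the session
        return sess.username
```

The timeout is a sliding window, so a user who keeps working is never interrupted, while a session left untouched for more than 30 minutes is deleted from the store rather than merely hidden by an expired cookie. Lockout is tracked per account and released automatically after the lockout window, which stops online password guessing without letting an attacker permanently lock a user out by spamming failures.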
Knak encrypts all communications between its services, including traffic between our application and end users' browsers (HTTPS). All data at rest is encrypted with AES-256, and all data in transit is protected with TLS 1.2 or higher.
Software development practices
Knak has secure software development practices in place, which include automated vulnerability scanning prior to every production deployment as well as manual peer review and approval for all code. We maintain separate environments for production, staging and quality assurance, and only a small number of named staff have access to the production account.
Network management security
Knak server infrastructure
Knak hosts its infrastructure on Amazon Web Services (AWS), deployed across multiple availability zones within the US and replicated to a second US region. Details of the underlying platform controls are described in AWS's own security documentation.
Backup of data
Knak backs up all data on its system using AWS and retains backups for 90 days. This allows the team to restore information in the event of a failure, a process we practise with both tabletop and technical simulations on an annual basis.
Disaster recovery & business continuity
Knak has a business continuity plan in addition to a disaster recovery plan. We conduct tabletop and technical simulations on an annual basis and maintain a "break glass" account in case the unlikely worst ever happens. Our staff is always ready to serve our customers, and we maintain 99.95% uptime.
Knak has an incident response plan in place that is kept current through our partnership with a managed Security Operations Centre (SOC). This SOC-as-a-service provider delivers 24/7 continuous monitoring and maintains its own security posture, holding SOC 2 Type II and ISO 27001 certifications.
Knak uses a mobile device management tool to support endpoint security and ensures that all devices are kept up to date and encrypted. We also verify that all devices are free from malware using centralized IT and security tooling. Non-technical employees do not have administrative access on their devices.
Knak has vulnerability scanning baked into the development process: code is scanned automatically before it is pushed to production, and the security team is involved in closing any findings raised, in line with our vulnerability management policy.
Third party penetration testing
Knak works with several external security firms to conduct penetration testing on our application and infrastructure configuration at least annually. Any potential vulnerabilities found are remediated within our vulnerability management SLAs and retested.
Responsible ethical disclosure
Knak is committed to guarding the safety and security of our customers. We follow best practices for responsible, ethical disclosure and accept reports of security concerns from researchers at firstname.lastname@example.org.
Access and identity
Permissions and authentication
Knak aligns its policies, processes, and internal security controls to ensure that only those who need access to critical services have access to them. We have complex password security requirements, use a company provisioned password manager, and enforce two-factor authentication and SSO where possible.
Knak tracks all access requests and conducts regular (at least annual) access control reviews. Access is only provisioned based on the principle of least privilege and role-based access controls (RBAC) are used.
SOC 2 compliance
Knak has completed its first SOC 2 Type II audit as of November 30, 2021. The SOC 2 report can be made available to current and prospective clients with a signed MNDA.
Knak takes a proactive approach to privacy, collecting limited personally identifiable information and aligning our hiring and sub-processing policies and practices with our GDPR-compliant data processing agreements.