Security & Compliance

Enterprise-grade security built for the most demanding compliance requirements. Encryption at rest and in transit, immutable audit, and a structural difference most platforms can't offer: your third-party API keys never enter your own workload at all.

SOC 2 Aligned
Security controls designed to meet SOC 2 Trust Service Criteria. SOC 2 Type II audit in progress. Contact us for our current security posture documentation.
PCI-DSS Aligned
Security architecture aligned with PCI-DSS requirements for handling payment credential proxying. Card data masked in logs per PCI-DSS guidance.
HIPAA Ready
Business Associate Agreement (BAA) available for healthcare customers. Encrypted credential storage and sensitive-field masking in audit logs for healthcare APIs.
GDPR Ready
EU data residency options, right to deletion, data portability export, and privacy controls for European customers.

Security Architecture

AES-256 Encryption at Rest

All API credentials are encrypted using AES-256-GCM before storage. Each tenant has a unique encryption key derived from a master key using HKDF. Even in the unlikely event of database compromise, credentials remain protected.

Technical Implementation
  • AES-256-GCM authenticated encryption
  • Unique initialization vectors (IVs) per credential
  • Per-tenant keys derived via HKDF from a master key
  • Master key rotation without service interruption
  • Secrets never stored or logged in plaintext

TLS 1.3 Encryption in Transit

All API communication uses TLS 1.3 with perfect forward secrecy. Credentials are never transmitted in plaintext. Automatic certificate rotation and HSTS enforcement prevent downgrade attacks.

Transport Security
  • TLS 1.3 with ChaCha20-Poly1305 / AES-256-GCM
  • Perfect Forward Secrecy (PFS) enforced
  • HSTS with 1-year max-age and preload
  • Automated certificate management and renewal

Zero-Trust Architecture

Every request is authenticated and authorized independently. No implicit trust based on network location. IP allowlisting, client identification, and route-level access controls ensure only authorized requests succeed.

zero-trust.js
// Every request requires multi-layer authentication
const request = {
  headers: {
    'X-KnoxCall-API-Key': 'kc_...',        // API key auth
    'X-KnoxCall-Client-ID': 'device-123', // Client tracking
    'X-KnoxCall-Route': 'stripe-charge'  // Route authorization
  }
};

// Automatic checks before proxying:
// 1. API key valid & not revoked
// 2. Client IP in allowlist (if configured)
// 3. Route exists & tenant has access
// 4. Rate limits not exceeded
// 5. Request signing validated (if enabled)

Immutable Audit Logs

Every API request, credential access, and configuration change is logged with cryptographic integrity protection. Logs are append-only and retained for compliance requirements (30-365 days configurable).

Audit Trail Features
  • Tamper-evident logging with hash chains
  • Request/response pairs with timestamps
  • IP address, user agent, and client identification
  • Configuration change attribution
  • SIEM-compatible log forwarding (Splunk, Datadog, ELK)
  • Real-time anomaly detection

It's not where your secret is stored. It's that it's in your process at all.

Encryption at rest protects the key in our database. But the question that decides your blast radius is different: once your app starts, where does the real Stripe, OpenAI, Twilio, or SendGrid key end up? Hardcoded in .env, injected at boot by AWS Secrets Manager or SSM, mounted as a Kubernetes Secret, or fetched just-in-time from a Vault sidecar — every path ends the same way: a live, long-lived bearer token sitting in your process memory or environment, readable by anything that runs there.

The key never enters your workload

KnoxCall injects the real provider credential at the egress wire — the moment the request leaves for Stripe or OpenAI, server-side, inside our proxy. Your app, CI runner, container, and function never receive it, and there is no value-GET path: nothing your workload can call returns the plaintext key. So the exposure paths every secrets manager leaves open are not mitigated — they are structurally absent, because there is nothing in your process to read.

In-workload exposure paths removed
  • Environment variables — printenv, ps auxeww, child-process inheritance
  • /proc/<pid>/environ — any local read of the process environment
  • Remote code execution — an RCE can't read a key that isn't there
  • Supply-chain dependency — a poisoned npm/pip package harvesting at install or runtime
  • Prompt-injected AI coding agent — an agent told to dump ANTHROPIC_API_KEY finds it absent
  • Core dumps and crash reports — no plaintext credential in the memory image
  • Verbose logs and error traces — the key was never a variable to accidentally log

The credential class you can't federate

OIDC and workload identity were supposed to end long-lived keys — and for cloud they do. You can federate an AWS, GCP, or Azure access key away entirely. But Stripe, OpenAI, Twilio, SendGrid, and Anthropic issue static bearer tokens with no token-exchange endpoint, so that one credential class cannot be federated and is forced to live long-lived in your workload anyway. KnoxCall closes exactly that gap from the other side: we hold the static vendor key, and hand your workload a short-lived token in its place.

what's in your process
// Secrets manager / .env / K8s Secret / Vault sidecar:
// the real key ends up live in your env, valid for years, usable from anywhere
process.env.STRIPE_SECRET_KEY = 'sk_live_51H...AbCdEf';  // readable by any code here

// With KnoxCall, the same process holds only this:
process.env.KNOXCALL_TOKEN     = 'kc_live_a_...';  // short-lived, scoped, DPoP-bound, revocable
process.env.STRIPE_SECRET_KEY = undefined;       // the real key never arrives

What this does not do (the honest part)

We don't ship security copy that won't survive a sharp review, so here is the precise boundary of the claim:

The residual, stated plainly
  • We don't stop your workload being compromised — we remove one high-value residual (the long-lived third-party bearer key), not the breach itself.
  • A KnoxCall token still lives in your workload; until you revoke it, it can route requests through KnoxCall.
  • The honest delta: that token is short-lived, scoped to specific routes, per-tenant, fully audited, and DPoP sender-constrained (a stolen copy without the private half is inert) — versus a Stripe key valid for years and usable from anywhere on earth.
  • KnoxCall becomes a trust dependency and adds a network hop — the same tradeoff you already accepted when you federated your cloud keys. Scope is the outbound third-party bearer key; your database credentials and app encryption keys are out of scope.

Compliance Checklist

Here's what KnoxCall automatically handles for your compliance requirements:

Credential Blast-Radius Minimization (Maps to: SOC 2 CC6.1 / CC6.6, PCI-DSS 3.x & 8.x)

Third-party provider keys are injected at the egress wire and never delivered to your application, CI, or containers, so a workload compromise can't exfiltrate a long-lived vendor credential. Workloads hold only short-lived, scoped, DPoP-bindable KnoxCall tokens that can be revoked from the dashboard.

Credential Encryption at Rest (Required: SOC 2, PCI-DSS, HIPAA)

AES-256-GCM encryption with HSM-backed keys and automatic rotation. Meets or exceeds all major compliance standards for data encryption.

Access Control & Authorization (Required: SOC 2, HIPAA, GDPR)

Role-based access control (RBAC), IP allowlisting, and client-level restrictions. Audit trail shows who accessed what and when.

Audit Logging (Required: SOC 2, PCI-DSS, HIPAA, GDPR)

Comprehensive logging of all API calls, configuration changes, and credential access. Tamper-evident logs with configurable retention (30-365 days).

Data Residency (Required: GDPR, Some HIPAA)

Multi-region deployment with data residency guarantees. EU customers can ensure data never leaves European servers.

Incident Response (Required: SOC 2, PCI-DSS)

Real-time alerts for suspicious activity, rate limit violations, and authentication failures. Multi-channel notifications (Email, SMS, Slack).

Right to Deletion (Required: GDPR)

Customers can delete all data on demand via the dashboard. Complete erasure of all routes, credentials, audit logs, and account data. GDPR Article 17 compliant.

Penetration Testing (Required: SOC 2, PCI-DSS)

Regular security assessments and vulnerability scanning. Annual third-party penetration testing scheduled. Contact us for the most recent security assessment summary.

Business Associate Agreement (Required: HIPAA)

BAA available for healthcare customers upon request. Sensitive field masking in audit logs and encrypted credential storage for healthcare API integrations.

Additional Security Features

Automated OAuth Token Refresh

OAuth2 tokens are automatically refreshed 5 minutes before expiration. Refresh tokens are encrypted and stored separately from access tokens. Supports Google, Microsoft, Salesforce, and custom OAuth2 providers.

Rate Limiting & DDoS Protection

Configurable rate limits per route, per client, or globally. Automatic DDoS mitigation with challenge-response for suspicious traffic patterns. Cloudflare integration for additional protection.

Request Signing & Verification

HMAC-SHA256 request signing prevents tampering and replay attacks. Configurable signature headers and nonce validation ensure requests are fresh and authentic.

Per-Tenant Master Key (KCT1)

Every tenant gets its own master key. Crypto Keys, Vault tokens, webhook secrets, and ephemeral payloads are envelope-encrypted under it. Bring-your-own-key (BYOK) via AWS KMS, GCP KMS, or Azure Key Vault on Enterprise. Cryptographic erasure: destroy the master key and every dependent ciphertext becomes permanently unreadable.

Asymmetric Crypto + JWT

Crypto Keys v2 supports RSA-2048/3072/4096, ECDSA P-256/P-384, and Ed25519. Sign JWTs (RS256, ES256, EdDSA) with full alg-confusion defence: alg:none rejected unconditionally, header alg bound to key type, kid bound to verification version. Public keys exportable as PEM and JWK.

Format-Preserving Tokenization

Vaults swap PCI cards, SSNs, and emails for tokens that pass the same validation as the originals — Luhn-valid card tokens with BIN+last4 preserved, SSN tokens that always start with 9XX (never collide with real SSNs), email tokens with domain preserved for analytics. Drop-in replacement for sensitive columns; PCI scope reduction without schema changes.

Webhook Signature Verification + Replay Protection

Inbound webhooks from Stripe, GitHub, Slack, AWS-SNS, or custom HMAC schemes are verified at the edge using constant-time comparison. Formats with timestamps (Stripe, Slack) enforce a configurable replay window (default 300s, capped 86400s). Failed verifications audit with the precise reason code: replay_window_exceeded, no v1 signature matched, etc.

SSRF Defence on Every Egress

Routes, Ephemeral Proxy, and inbound-webhook forwarding all share the same SSRF guard: HTTPS only, hostname must resolve publicly, private (RFC1918) / link-local / loopback / metadata-IP (169.254.169.254) addresses blocked. DNS-pinning prevents TOCTOU rebinding attacks.

AI Gateway: DPoP-bound Capability Keys

Every AI Gateway agent issues kc_live_a_… capability keys with embedded scopes (provider, model, max-cost-per-day, IP CIDRs, valid time windows). RFC 9449 DPoP binds each key to a private key in the OS keychain — a stolen key without the matching private half is inert. Refresh rotation with theft detection invalidates the entire credential family on reuse.

Streaming PII Redaction (HIPAA / PCI / GDPR)

Per-stream finite-state machine + 96-char sliding hold-back buffer detects PII spanning SSE chunk boundaries before any token leaves the gateway. Aho-Corasick → regex+checksum → Microsoft Presidio sidecar runs in your VPC. Reversible mode tokenizes via FF3-1 with the per-tenant Vault key — the LLM only ever sees tokens; the customer sees the original PHI.

HIPAA / PCI / GDPR Compliance Packs

One-click recognizer sets for HIPAA Safe Harbor (18 identifiers + 30 common MRN/health-plan formats), PCI (PAN + CVV + ABA routing + 1-year retention), GDPR (EU national IDs + addresses + RTBF), SOC 2 (audit controls + access reviews). Every redaction logs entity type, span, recognizer, and confidence — never the plaintext value.

Prompt Firewall + Canary Leak Detection

Heuristics catch obvious "ignore previous instructions" patterns in microseconds. Per-tenant deterministic canary tokens injected into system prompts trip a critical alert if the model echoes them — extraction in flight is detected on the response stream and the request is killed before completion.

Read the AI Gateway brief →

Pass your next audit with confidence

Start securing your APIs with enterprise-grade compliance. HIPAA and GDPR ready, SOC 2 aligned architecture included.