Security & Compliance

Enterprise-grade security built for the most demanding compliance requirements. Pass audits with confidence.

SOC 2 Type II
Comprehensive security controls audited annually by independent third parties. Trust, confidentiality, and availability validated.
PCI-DSS Level 1
Payment Card Industry compliance for handling payment credential proxying. Secure cardholder data at the highest standard.
HIPAA Ready
Business Associate Agreement (BAA) available. Encrypted credential storage and de-identified audit logging for healthcare APIs.
GDPR Compliant
EU data residency options, right to deletion, data portability, and comprehensive privacy controls for European customers.

Security Architecture

AES-256 Encryption at Rest

All API credentials are encrypted using AES-256-GCM before storage. Each tenant has a unique encryption key derived from a master key using HKDF. Even in the unlikely event of database compromise, credentials remain protected.

Technical Implementation
  • AES-256-GCM authenticated encryption
  • Unique initialization vectors (IVs) per credential
  • Master key rotation without service interruption
  • Hardware Security Module (HSM) backed keys
  • FIPS 140-2 Level 3 compliance

TLS 1.3 Encryption in Transit

All API communication uses TLS 1.3 with perfect forward secrecy, so credentials are never transmitted in plaintext. Certificates are rotated automatically, and HSTS enforcement prevents downgrade to plaintext HTTP.

Transport Security
  • TLS 1.3 with ChaCha20-Poly1305 / AES-256-GCM
  • Perfect Forward Secrecy (PFS) enforced
  • HSTS with 1-year max-age and preload
  • Certificate pinning for critical endpoints
  • A+ rating on SSL Labs

Zero-Trust Architecture

Every request is authenticated and authorized independently. No implicit trust based on network location. IP allowlisting, client identification, and route-level access controls ensure only authorized requests succeed.

zero-trust.js
// Every request requires multi-layer authentication
const request = {
  headers: {
    'X-KnoxCall-API-Key': 'kc_...',        // API key auth
    'X-KnoxCall-Client-ID': 'device-123', // Client tracking
    'X-KnoxCall-Route': 'stripe-charge'  // Route authorization
  }
};

// Automatic checks before proxying:
// 1. API key valid & not revoked
// 2. Client IP in allowlist (if configured)
// 3. Route exists & tenant has access
// 4. Rate limits not exceeded
// 5. Request signing validated (if enabled)

Immutable Audit Logs

Every API request, credential access, and configuration change is logged with cryptographic integrity protection. Logs are append-only and retained for a configurable 30 to 365 days to meet compliance requirements.

Audit Trail Features
  • Tamper-evident logging with hash chains
  • Request/response pairs with timestamps
  • IP address, user agent, and client identification
  • Configuration change attribution
  • SIEM export (Splunk, Datadog, ELK compatible)
  • Real-time anomaly detection

Compliance Checklist

Here's what KnoxCall automatically handles for your compliance requirements:

Credential Encryption at Rest (Required: SOC 2, PCI-DSS, HIPAA)

AES-256-GCM encryption with HSM-backed keys and automatic rotation. Meets or exceeds all major compliance standards for data encryption.

Access Control & Authorization (Required: SOC 2, HIPAA, GDPR)

Role-based access control (RBAC), IP allowlisting, and client-level restrictions. Audit trail shows who accessed what and when.

Audit Logging (Required: SOC 2, PCI-DSS, HIPAA, GDPR)

Comprehensive logging of all API calls, configuration changes, and credential access. Tamper-evident logs with configurable retention (30-365 days).

Data Residency (Required: GDPR, Some HIPAA)

Multi-region deployment with data residency guarantees. EU customers can ensure data never leaves European servers.

Incident Response (Required: SOC 2, PCI-DSS)

Real-time alerts for suspicious activity, rate limit violations, and authentication failures. Multi-channel notifications (Email, SMS, Slack).

Right to Deletion (Required: GDPR)

Customers can delete all data on demand via API or dashboard. Cryptographic erasure ensures data cannot be recovered.

Penetration Testing (Required: SOC 2, PCI-DSS)

Annual third-party penetration testing by certified security firms. Vulnerability scanning and remediation tracking included.

Business Associate Agreement (Required: HIPAA)

BAA available for healthcare customers. De-identified logging and encrypted PHI handling support HIPAA compliance.

Additional Security Features

Automated OAuth Token Refresh

OAuth2 tokens are automatically refreshed 5 minutes before expiration. Refresh tokens are encrypted and stored separately from access tokens. Supports Google, Microsoft, Salesforce, and custom OAuth2 providers.

Rate Limiting & DDoS Protection

Configurable rate limits per route, per client, or globally. Automatic DDoS mitigation with challenge-response for suspicious traffic patterns. Cloudflare integration for additional protection.

Request Signing & Verification

HMAC-SHA256 request signing prevents tampering and replay attacks. Configurable signature headers and nonce validation ensure requests are fresh and authentic.

Pass your next audit with confidence

Start securing your APIs with enterprise-grade compliance. SOC 2, PCI-DSS, HIPAA, and GDPR coverage included.