Security & Compliance

Enterprise-grade security built for the most demanding compliance requirements. Pass audits with confidence.

SOC 2 Aligned
Security controls designed to meet SOC 2 Trust Service Criteria. SOC 2 Type II audit in progress. Contact us for our current security posture documentation.
PCI-DSS Aligned
Security architecture aligned with PCI-DSS requirements for proxying payment credentials. Primary account numbers are masked in logs, as PCI-DSS requires wherever card data is displayed or recorded.
HIPAA Ready
Business Associate Agreement (BAA) available for healthcare customers. Encrypted credential storage and sensitive-field masking in audit logs for healthcare APIs.
GDPR Ready
EU data residency options, right to deletion, data portability export, and privacy controls for European customers.

Security Architecture

AES-256 Encryption at Rest

All API credentials are encrypted with AES-256-GCM before storage. Each tenant's encryption key is derived from a master key with HKDF, so one tenant's key reveals nothing about another's. If the database is compromised, the stored credentials remain protected provided the master key, which is held outside the database in an HSM, is not compromised as well.

Technical Implementation
  • AES-256-GCM authenticated encryption (the authentication tag detects any modification of the stored ciphertext)
  • A unique initialization vector (IV) for every credential, never reused under the same key: GCM nonce reuse breaks both confidentiality and integrity
  • Per-tenant keys derived via HKDF from a master key
  • Master key rotation without service interruption
  • Secrets never stored or logged in plaintext

TLS 1.3 Encryption in Transit

All API communication uses TLS 1.3, whose key exchange is always ephemeral and therefore provides forward secrecy. Credentials are never transmitted in plaintext. HSTS enforcement prevents downgrade to plaintext HTTP, and certificates are rotated automatically before they expire.

Transport Security
  • TLS 1.3 with ChaCha20-Poly1305 / AES-256-GCM
  • Perfect Forward Secrecy (PFS) enforced
  • HSTS with 1-year max-age and preload
  • Automated certificate management and renewal

Zero-Trust Architecture

Every request is authenticated and authorized independently. No implicit trust based on network location. IP allowlisting, client identification, and route-level access controls ensure only authorized requests succeed.

zero-trust.js
// Every request requires multi-layer authentication
const request = {
  headers: {
    'X-KnoxCall-API-Key': 'kc_...',        // API key auth
    'X-KnoxCall-Client-ID': 'device-123', // Client tracking
    'X-KnoxCall-Route': 'stripe-charge'  // Route authorization
  }
};

// Automatic checks before proxying:
// 1. API key valid & not revoked
// 2. Client IP in allowlist (if configured)
// 3. Route exists & tenant has access
// 4. Rate limits not exceeded
// 5. Request signing validated (if enabled)
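As an added example, not KnoxCall's own code, the block below implements the first four checks from the zero-trust.js comment above against a constructed tenant configuration: API key lookup with revocation, an IPv4 CIDR allowlist, route existence plus tenant entitlement, and a fixed-window per-client rate limit. Check 5 (request signing) is a separate mechanism covered in the Request Signing section of this page and is not part of this block. The header names match the listing above; the tenant records, status codes, limits and the in-memory stores are assumptions for illustration.

```javascript
// Added example (not KnoxCall's code): the four pre-proxy authorization
// checks from the zero-trust.js listing, run over constructed state.

// Constructed control-plane state standing in for the tenant database.
const apiKeys = new Map([
  ['kc_live_good', { tenant: 't-acme', revoked: false }],
  ['kc_live_old', { tenant: 't-acme', revoked: true }],
]);
const tenants = new Map([
  ['t-acme', {
    ipAllowlist: ['203.0.113.0/24'], // empty array = no IP restriction
    routes: new Set(['stripe-charge', 'sendgrid-mail']),
    rateLimit: { perClient: 3, windowMs: 60_000 }, // constructed limits
  }],
]);
const routes = new Set(['stripe-charge', 'sendgrid-mail', 'twilio-sms']);

// IPv4 CIDR matching with a 32-bit mask; unsigned shifts keep values positive.
function ipToInt(ip) {
  return ip.split('.').reduce((n, o) => ((n << 8) | Number(o)) >>> 0, 0);
}
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = bitsStr === undefined ? 32 : Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(net) & mask) >>> 0);
}

// Fixed-window counter per (tenant, client). `now` is injected so the
// window boundary can be exercised deterministically.
const counters = new Map();
function underRateLimit(tenantId, clientId, limit, windowMs, now) {
  const key = `${tenantId}:${clientId}`;
  const slot = counters.get(key);
  if (!slot || now - slot.start >= windowMs) {
    counters.set(key, { start: now, count: 1 });
    return true;
  }
  slot.count += 1;
  return slot.count <= limit;
}

// Returns { ok: true, tenant, route, clientId } or { ok: false, status, reason }.
// Checks run in the order listed in zero-trust.js; the first failure stops
// evaluation. Header names are lower-case because Node lower-cases them.
function authorize(req, now = Date.now()) {
  const h = req.headers;
  const keyRec = apiKeys.get(h['x-knoxcall-api-key']);
  if (!keyRec || keyRec.revoked) {
    return { ok: false, status: 401, reason: 'invalid or revoked API key' };
  }
  const tenant = tenants.get(keyRec.tenant);
  if (tenant.ipAllowlist.length && !tenant.ipAllowlist.some((c) => inCidr(req.ip, c))) {
    return { ok: false, status: 403, reason: 'source IP not in allowlist' };
  }
  const route = h['x-knoxcall-route'];
  // Unknown route and route-not-enabled return the same status so a caller
  // cannot enumerate which routes exist for other tenants.
  if (!routes.has(route) || !tenant.routes.has(route)) {
    return { ok: false, status: 404, reason: 'route not found or not enabled for tenant' };
  }
  const clientId = h['x-knoxcall-client-id'] || 'anonymous';
  const { perClient, windowMs } = tenant.rateLimit;
  if (!underRateLimit(keyRec.tenant, clientId, perClient, windowMs, now)) {
    return { ok: false, status: 429, reason: 'rate limit exceeded' };
  }
  return { ok: true, tenant: keyRec.tenant, route, clientId };
}
```

The order matters: the API key is validated first so that revoked or unknown keys never touch the rate-limit state, and the IP and route checks sit before the counter so a blocked source cannot exhaust a legitimate client's quota.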

Immutable Audit Logs

Every API request, credential access, and configuration change is logged with cryptographic integrity protection. Logs are append-only and retained for compliance requirements (30-365 days configurable).

Audit Trail Features
  • Tamper-evident logging with hash chains: each record carries the hash of its predecessor, so editing, deleting, or reordering any record is detectable
  • Request/response pairs with timestamps
  • IP address, user agent, and client identification
  • Configuration change attribution
  • SIEM-compatible log forwarding (Splunk, Datadog, ELK)
  • Real-time anomaly detection

Compliance Checklist

Here's what KnoxCall automatically handles for your compliance requirements:

Credential Encryption at Rest (Required: SOC 2, PCI-DSS, HIPAA)

AES-256-GCM encryption with HSM-backed keys and automatic rotation. Satisfies the encryption-at-rest requirements of SOC 2, PCI-DSS, and HIPAA.

Access Control & Authorization (Required: SOC 2, HIPAA, GDPR)

Role-based access control (RBAC), IP allowlisting, and client-level restrictions. Audit trail shows who accessed what and when.

Audit Logging (Required: SOC 2, PCI-DSS, HIPAA, GDPR)

Comprehensive logging of all API calls, configuration changes, and credential access. Tamper-evident logs with configurable retention (30-365 days).

Data Residency (Required: GDPR; requested by some HIPAA customers)

Multi-region deployment with data residency guarantees. EU customers can pin their data to European regions so that it never leaves EU servers, which avoids the cross-border transfer rules that GDPR applies to data moved outside the EU/EEA.

Incident Response (Required: SOC 2, PCI-DSS)

Real-time alerts for suspicious activity, rate limit violations, and authentication failures. Multi-channel notifications (Email, SMS, Slack).

Right to Deletion (Required: GDPR)

Customers can delete all data on demand via the dashboard: routes, credentials, audit logs, and account data are all erased, in line with GDPR Article 17 (right to erasure). Note that Article 17(3)(b) exempts data you are legally required to retain, so before erasing the audit log confirm that doing so is consistent with the retention period you configured for PCI-DSS or SOC 2 evidence.

Penetration Testing (Required: SOC 2, PCI-DSS)

Regular security assessments and vulnerability scanning. Annual third-party penetration testing scheduled. Contact us for the most recent security assessment summary.

Business Associate Agreement (Required: HIPAA)

BAA available for healthcare customers upon request. Sensitive field masking in audit logs and encrypted credential storage for healthcare API integrations.

Additional Security Features

Automated OAuth Token Refresh

OAuth2 access tokens are refreshed automatically 5 minutes before they expire, so calls never fail on an expired token. Refresh tokens are encrypted and stored separately from access tokens, so exposure of a short-lived access token does not expose the long-lived refresh token. Supports Google, Microsoft, Salesforce, and custom OAuth2 providers.

Rate Limiting & DDoS Protection

Configurable rate limits per route, per client, or globally. Automatic DDoS mitigation with challenge-response for suspicious traffic patterns. Cloudflare integration for additional protection.

Request Signing & Verification

HMAC-SHA256 request signing detects tampering: a request whose signed fields have been altered in transit fails verification. Nonce validation rejects a captured request that is resubmitted, so verified requests are both fresh and authentic. Signature header names are configurable.

Pass your next audit with confidence

Start securing your APIs with enterprise-grade compliance. HIPAA and GDPR ready, SOC 2 aligned architecture included.