Trust Center

KnoxCall takes security seriously. This page is the single canonical source for our security posture, certifications, sub-processors, and incident history.

Last updated: 2026-05-26

Certifications & Frameworks

Audit reports and certificates marked "under NDA" are available to customers and prospects — email [email protected].

Framework | Status | Evidence
ISO/IEC 27001:2022 | In progress | Internal audit complete; Stage 1 audit scheduled. Statement of Applicability available under NDA.
ISO/IEC 27017:2015 (cloud) | In progress | Controls implemented. Shared-responsibility matrix available on request.
ISO/IEC 27018:2019 (cloud PII) | In progress | Controls implemented. See the Privacy Policy; self-service DSAR endpoints are built into the product.
ISO/IEC 27701:2019 (PIMS) | In progress | Records of Processing Activities maintained; available under NDA.
SOC 2 Type II | In progress | Observation period H2 2026. Report under NDA: [email protected].
GDPR | Compliant | Data Processing Addendum
NZ Privacy Act 2020 | Compliant | Privacy Policy
HIPAA | Optional via BAA | Business Associate Agreement available on Pro+ plans.
PCI DSS | Out of scope | Cardholder data is handled by Stripe.

Live Security Controls

Encryption at rest

AES-256-GCM envelope encryption; per-tenant master keys; BYOK supported.

Encryption in transit

TLS 1.2+ everywhere; HSTS preload; mTLS for agent control plane and customer-pinned routes.

Authentication

OAuth 2.1 + DPoP; passkeys (WebAuthn); SSO (Google, Microsoft, GitHub); workload identity for service accounts.

Multi-factor authentication

Required for owners and admins on Pro+ plans.

Audit logging

SHA-256 hash-chained immutable audit log; nightly chain integrity verification; OTLP export to customer SIEM (Enterprise).
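To illustrate what a SHA-256 hash-chained audit log and a chain integrity check look like, here is an added, self-contained Python example. It is not KnoxCall's implementation; the entry fields, the all-zero GENESIS anchor, the JSON canonicalization and the sample events are assumptions made for the illustration.

```python
import hashlib
import json
from dataclasses import dataclass, replace
from typing import List, Optional

# Hypothetical anchor for the first entry; a real system would use a fixed,
# documented constant (or a per-tenant seed) here.
GENESIS = "0" * 64


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    actor: str
    action: str
    resource: str
    ts: str
    prev_hash: str   # hash of the previous entry (chains the log)
    entry_hash: str  # SHA-256 over this entry's canonical form, including prev_hash


def canonical(seq: int, actor: str, action: str, resource: str, ts: str, prev_hash: str) -> bytes:
    # Deterministic serialization (sorted keys, no whitespace) so the same event
    # always produces the same digest regardless of field ordering.
    fields = {"seq": seq, "actor": actor, "action": action,
              "resource": resource, "ts": ts, "prev": prev_hash}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def compute_hash(seq: int, actor: str, action: str, resource: str, ts: str, prev_hash: str) -> str:
    return hashlib.sha256(canonical(seq, actor, action, resource, ts, prev_hash)).hexdigest()


def append_entry(log: List[AuditEntry], actor: str, action: str, resource: str, ts: str) -> AuditEntry:
    """Append an event, linking it to the current head of the chain."""
    prev = log[-1].entry_hash if log else GENESIS
    seq = len(log)
    entry = AuditEntry(seq, actor, action, resource, ts, prev,
                       compute_hash(seq, actor, action, resource, ts, prev))
    log.append(entry)
    return entry


def verify_chain(log: List[AuditEntry], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, otherwise the seq of the first entry that fails.

    expected_head is the head hash recorded out-of-band (e.g. by the nightly job
    in a store the application cannot write to); without it, truncating the tail
    or rewriting the whole chain would go unnoticed.
    """
    prev = GENESIS
    for i, e in enumerate(log):
        if e.seq != i or e.prev_hash != prev:
            return i  # gap, reordering, or a broken link to the previous entry
        if compute_hash(e.seq, e.actor, e.action, e.resource, e.ts, e.prev_hash) != e.entry_hash:
            return i  # stored content no longer matches its stored digest
        prev = e.entry_hash
    if expected_head is not None and prev != expected_head:
        return len(log)  # chain is internally consistent but truncated or replaced
    return None


def build_sample_log() -> List[AuditEntry]:
    # Constructed sample events for the demonstration.
    log: List[AuditEntry] = []
    append_entry(log, "alice", "role.grant", "user:bob", "2026-05-26T01:00:00Z")
    append_entry(log, "bob", "login", "session:1", "2026-05-26T01:05:00Z")
    append_entry(log, "bob", "export", "tenant:acme/calls", "2026-05-26T01:06:00Z")
    return log


def tampered_log() -> List[AuditEntry]:
    # Someone with write access to the table edits entry 1 but leaves its digest alone.
    log = build_sample_log()
    log[1] = replace(log[1], action="read")
    return log


def tampered_and_rehashed_log() -> List[AuditEntry]:
    # Same edit, but the digest of entry 1 is recomputed; entry 2 still points at the old digest.
    log = tampered_log()
    e = log[1]
    log[1] = replace(e, entry_hash=compute_hash(e.seq, e.actor, e.action, e.resource, e.ts, e.prev_hash))
    return log


if __name__ == "__main__":
    intact = build_sample_log()
    head = intact[-1].entry_hash
    print("intact:", verify_chain(intact, head))                       # None
    print("edited entry:", verify_chain(tampered_log(), head))         # 1
    print("edited + rehashed:", verify_chain(tampered_and_rehashed_log(), head))  # 2
    print("truncated tail:", verify_chain(intact[:-1], head))          # 2
```

The point of the expected_head parameter is that a hash chain only proves internal consistency; a nightly verifier that reads both the entries and the head from the same database cannot tell a rewritten chain from a genuine one, so the head hash the verifier compares against has to be recorded somewhere the application's write path cannot reach.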

Access reviews

Quarterly privileged-access reviews; ad-hoc reviews on role changes.

Vulnerability management

Dependabot, CodeQL, and container scanning on every PR; quarterly penetration test by an independent third party.

Backups

35-day Postgres point-in-time recovery; weekly off-region snapshots retained 90 days; quarterly restore drills.

Incident response

24/7 on-call rotation; documented runbook; 72-hour customer notification SLA for confirmed breaches per GDPR Art. 33.

Sub-processors

The canonical list of sub-processors lives at /legal/sub-processors. We notify customers 30 days before adding a sub-processor.

Reporting a Vulnerability

Email [email protected]. We acknowledge within 24 hours. Our coordinated disclosure window is 90 days. We do not currently run a paid bug bounty, but we publicly acknowledge contributors.

Documents Available Under NDA

  • SOC 2 Type II report (when published)
  • Penetration test reports (most recent + previous)
  • Internal audit reports
  • Business continuity test results
  • Customer-specific architecture diagrams

Email [email protected].

Incident History

When we have a customer-impacting security incident, we publish a postmortem on this page within 5 business days.

Date | Severity | Summary | Postmortem
No customer-impacting security incidents on record.