1. Data isolation — the big one
Knockhaus is multi-tenant from day one. Every customer-data row in the database carries an org_id. Postgres row-level security policies scope every query to the caller's active organization, read from a signed JWT claim — not from a membership lookup a compromised client could tamper with. Switching orgs is an explicit RPC that re-issues the token.
Practically this means: a rep logged into one org cannot read, write, or even enumerate another org's pins, contracts, or commissions. Platform admins (Knockhaus engineers) have a separate bypass that is audit-logged.
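As an added illustration of that pattern (not Knockhaus's own schema or code), here is how the org-scoped row-level security and an audited admin bypass can be expressed in Postgres SQL. It assumes a table named pins with an org_id column, a JWT claim named org_id, and the PostgREST/Supabase convention of exposing the verified JWT claims in the request.jwt.claims setting; the platform_admin role, admin_access_log table and app.admin_ticket setting are placeholder names.

```sql
-- Assumptions (not Knockhaus's schema): table "pins" with an org_id column, a JWT claim
-- named org_id, and PostgREST/Supabase exposing the verified JWT as request.jwt.claims.
CREATE OR REPLACE FUNCTION current_org_id() RETURNS uuid
LANGUAGE sql STABLE AS $$
  SELECT NULLIF(current_setting('request.jwt.claims', true)::jsonb ->> 'org_id', '')::uuid;
$$;

-- Tenant scoping. FORCE makes the policies apply even to the table owner.
ALTER TABLE pins ENABLE ROW LEVEL SECURITY;
ALTER TABLE pins FORCE ROW LEVEL SECURITY;

-- Separate SELECT/INSERT/UPDATE/DELETE policies: a rep can neither read, write, nor
-- enumerate rows outside the org in their token. A missing claim yields NULL, so the
-- comparison is never true and the caller sees nothing.
CREATE POLICY pins_tenant_select ON pins FOR SELECT
  USING (org_id = current_org_id());
CREATE POLICY pins_tenant_insert ON pins FOR INSERT
  WITH CHECK (org_id = current_org_id());
CREATE POLICY pins_tenant_update ON pins FOR UPDATE
  USING (org_id = current_org_id()) WITH CHECK (org_id = current_org_id());
CREATE POLICY pins_tenant_delete ON pins FOR DELETE
  USING (org_id = current_org_id());

-- Platform-admin bypass (placeholder names): membership in platform_admin alone is not
-- enough; the admin must first open an audited session tied to a support ticket.
CREATE ROLE platform_admin NOLOGIN;
CREATE TABLE admin_access_log (
  at       timestamptz NOT NULL DEFAULT now(),
  db_role  text        NOT NULL,
  ticket   text        NOT NULL
);

CREATE OR REPLACE FUNCTION admin_open_session(ticket text) RETURNS void
LANGUAGE plpgsql SECURITY DEFINER AS $$
BEGIN
  IF NOT pg_has_role(current_user, 'platform_admin', 'MEMBER') THEN
    RAISE EXCEPTION 'not a platform admin';
  END IF;
  INSERT INTO admin_access_log (db_role, ticket) VALUES (current_user, ticket);
  -- is_local = false: the marker lasts for the session, not just this transaction.
  PERFORM set_config('app.admin_ticket', ticket, false);
END;
$$;

-- Permissive policies are OR'ed, so this adds admin access on top of the tenant policies.
CREATE POLICY pins_admin_bypass ON pins
  USING (pg_has_role(current_user, 'platform_admin', 'MEMBER')
         AND COALESCE(current_setting('app.admin_ticket', true), '') <> '');
```

Because the org comes from claims that the API layer only sets after verifying the token signature, a client cannot pick its own org; an admin who has not called admin_open_session is treated like any other caller and sees only the rows the tenant policies allow.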
2. Encryption
- In transit: TLS 1.2+ with HSTS preload.
- At rest: AES-256 for all primary databases, file storage, and backups.
- Secrets: stored in a managed secret store, rotated on a schedule, never checked into source control.
- Keys: managed by the underlying cloud KMS with separation of duty from engineering.
3. Access control
Internal access follows least-privilege. Production database access requires SSO + hardware-key MFA and is logged. Customer data is not accessed for debugging without an open support ticket from the owner of the affected org, and we record the reason.
In-product: role-based access (owner / manager / rep / guest) governs what each user can see and do. Row-level security is the ultimate backstop.
4. Application security
- Static analysis + dependency scanning on every pull request.
- Content Security Policy + strict same-origin on cookies.
- Input validation enforced at trust boundaries on the server, never only in the “UI layer”.
- Secrets rotated on suspected exposure.
- Webhooks (Stripe, Resend, Dropbox Sign) verified with signature checks before processing.
5. Availability + backups
We rely on Supabase-managed Postgres, which provides point-in-time recovery, and on versioned object storage. We don't publish a formal SLA with numeric RTO/RPO commitments today — when we do, we'll update this section. If your procurement team needs specifics to close a deal, email sales@knockhaus.app and we'll share what we know.
6. Incident response
On suspected incident: detect → contain → eradicate → recover → write up. Affected customers are notified without undue delay and, for incidents involving Personal Data of EU/UK data subjects, within 72 hours of confirmation per our DPA and GDPR Art. 33.
7. Audits + certifications — the honest picture
We are not SOC 2 certified today. We have not completed a third-party penetration test. When we pursue either of those, we'll say so here with a date, and the report will be available under NDA on request.
Our subprocessors are a different story — we picked them partly because they do hold those certifications. See the subprocessors page for each vendor's own compliance posture.
8. Responsible disclosure
If you've found a vulnerability, please email security@knockhaus.app with a proof of concept. We aim to:
- Acknowledge your report within 2 business days.
- Keep you updated as we triage, fix, and deploy.
- Credit you (if you want credit) once the fix is live.
- Not pursue legal action against researchers acting in good faith under this policy.
We don't run a paid bug-bounty program today. Out of scope: social-engineering our staff, physical attacks on our offices, denial-of-service testing, third-party services we don't control.
9. What you can do
Turn on SSO/MFA for your org. Set role permissions conservatively — give reps “rep”, not “manager”. Review the subprocessors list. Rotate API keys you generate.