Security overview.

We are not SOC 2 certified. ISO 27001 isn't on the wall either. Saying otherwise would be a lie, and other vendors who say otherwise on day one are usually lying too. SOC 2 is a v3 milestone for us, planned for year 2 post-seed. Until then, we follow the same baselines auditors check against, we just don't have the audit report yet.

What that means in practice: encryption everywhere, least privilege by default, observability you can audit, a real incident response process, and a written disaster recovery plan we test.

Application servers and the primary Postgres database run on Hetzner in Germany and Finland (EU). Cloudflare sits in front for CDN, DDoS protection and SSL on customer custom hostnames via Cloudflare for SaaS. Object storage uses Cloudflare R2 with EU data residency.

In transit: TLS 1.2 or 1.3 on every public endpoint. HSTS preloaded. Internal service-to-service calls use mutual TLS.

At rest: AES-256-GCM on Postgres volumes and object storage. Per-cell encryption keys held in 1Password Connect, never in source control, never in environment files committed to disk. Customer secrets (OAuth tokens, API keys for connected integrations) are encrypted with a per-cell key before they hit the database.

Postgres row-level security is the default isolation model. Every workspace's data lives behind an RLS policy keyed to the workspace ID. The application connects as a role that cannot bypass RLS. A separate, locked-down role exists for migrations and for incident-response read access.

All admin access (Hetzner console, Cloudflare dashboard, Stripe, Postgres, 1Password) requires MFA. SSH to servers uses keys, not passwords, and the key list is rotated each quarter.

Production access is logged. Anyone with admin keys is named in an internal access register reviewed monthly.

Sentry collects unhandled exceptions and slow transactions. Inngest fires alerts on workflow failures. Dependency scans run on every push (npm audit and a separate SCA pass). Debug routes, admin panels and any test fixtures are stripped from production builds at compile time.

Inputs from connected integrations are treated as untrusted. Output to LLMs is rate-limited and quota'd per workspace to prevent both accidental and adversarial cost blow-ups.

1Password Connect is the source of truth for every secret. No long-lived secrets in the codebase, no secrets in CI environment variables that aren't fetched from 1Password at build time. Quarterly rotation across the board, with a dual-key window during rotation so deploys never break mid-cycle.

Daily Postgres snapshots to Backblaze B2 cold storage, encrypted client-side before upload, 30-day retention. Restore drills run monthly: we pick a snapshot at random, restore it to an isolated environment, and confirm the dataset is intact. Last drill: April 2026, recovery time 41 minutes for a 12 GB database.

Sentry, Inngest and Cloudflare alerts page Discord, which pages Kyle. Mean time to acknowledgement: 4 hours during UK business hours, 8 hours overnight. Mean time to mitigation depends on the incident, but we publish post-incident reviews for anything customer-affecting.

For personal data breaches we notify affected customers within 72 hours of becoming aware. Details in the DPA.

We don't have an external pentest yet. We will commission an annual third-party pentest after we hit 50 paying customers. Until then, dependency scanning, internal review and the bug bounty (below) are our coverage.

Email security@knave.app with a clear repro. We'll respond within 24 hours. Valid reports get credited (with your consent) on a public hall of fame once we have one. Cash bounties start once we close our seed round; until then, credit and our genuine thanks.

Out of scope: anything requiring physical access, social engineering of staff, denial-of-service testing, or testing against a customer workspace that isn't yours.

• Sell your content. Not to ad networks, not to data brokers, not to anyone.
• Train our models, or any third party's models, on your content without your explicit opt-in. Default is off.
• Retain your data after deletion beyond the legal minimum (currently 6 years for tax records, applied only to invoices, not to your content).
• Add a sub-processor without 30 days notice and a right to object.
• Claim a certification we don't hold.

• Year 1: SOC 2 Type 1 readiness work. Internal access register tooling. First external pentest at 50 paying customers.
• Year 2: SOC 2 Type 2 audit. ISO 27001 readiness. Cash bug bounty programme.
• Ongoing: monthly restore drills, quarterly secret rotation, annual pentest.

• Terms of service
• Privacy policy
• Data Processing Addendum
• Cookie policy