Knock Security & Privacy FAQ

What is the foundation of your security program?

Knock used the ISO 27000 series and the CIS Critical Security Controls to define its security program governance and control set.

How are access controls determined and maintained?

Knock employs role-based access controls based on need-to-know and least privilege. Each team member is assigned a primary role at hire or transfer that determines their access to systems and applications. Each role is formally defined, as is the access it grants. To gain access outside an individual’s role, a support ticket must be submitted, approved, and provisioned.

Access control reviews are performed twice annually as part of routine internal audits.

How do you respond to incidents?

Knock has established a formal Incident Management Program based on ISO 27035 that covers security and privacy incidents. For both types of incident, there are reporting, response, and retrospective requirements and supporting materials. Customer notifications are a formally documented requirement of response procedures.

Do you employ Intrusion Detection and/or Intrusion Prevention Systems (IDS/IPS)?

Yes, Knock employs host-based IDS and IPS in both corporate and service environments, and infrastructure-based IDS in its service environments.

Do you have a Security Information and Event Management (SIEM) system?

Yes, Knock employs a centralized SIEM, monitoring both service and corporate environments.

How is remote access to your service and corporate environment handled?

Knock employs a multifactor VPN for remote network access to both corporate and service environments. Administrative access to critical service providers, such as AWS, is also gated by multifactor authentication.

What do you do to mitigate DDoS (Distributed Denial of Service) attacks?

Knock’s service environment is protected by AWS Shield for DDoS protection and hosted across multiple availability zones for scalability and reliability.

Is secure software development and OWASP Top 10 training required for your developers?

Yes. Each software developer undergoes annual secure software development training, plus additional training relevant to their area of development.

What physical security controls are implemented for your service environments?

Knock employs AWS for its service environment infrastructure. AWS data centers use proximity badges with access logging, 24/7 video surveillance, 24/7 staffing, and formal visitor management procedures.

Where can I find your privacy policy?

Knock’s privacy policy is available here.

How can I make a privacy-related request?

You can contact our privacy team at privacy@knockcrm.com.