In this article, you will learn about our commitment we have to the security of your data, common terms, and information on how Knack handles our security and infrastructure.
The most important commitment we have is to the security of your data. This commitment touches every part of our infrastructure, our product, and our policies.
This article covers the following topics:
Glossary of Terms
Encryption
Encryption means that your data is encoded in such a way that to the naked eye it looks like gibberish.
For example, if you encrypted this sentence it may look like this:
8WAtp8nUEOrzSu67t9tGITEzIdgr6huIpXqofo0rv2w9y3DzSu67A=
Any encrypted data must be decrypted in order to be read. By encrypting your data we're ensuring that only authorized parties (that's you!) can read it.
-
Encryption in transit - We encrypt all data as it moves between our servers and your web browser. Our API is fully encrypted so every request to view or update your records automatically encrypts that data behind the scenes.
-
Encryption at rest - We encrypt all data that's stored on our servers. This includes both the records stored in our databases and search indexes as well as any files and images you've uploaded to your Knack database.
-
Bank-level Encryption - We use both SHA-256 and AES-256 encryption, the strongest encryption available. This is the same level of encryption that banks use.
Fun fact: Efforts by the British to break German encryption during WWII led to the development of the first fully digital programmable computer!
Backups
Think of backups like a permanent safety net for your data.
We store multiple copies of every change ever made to your database in multiple locations.
Whether you accidentally delete a single record, or your intern deleted the entire database again when you weren't looking, we'll be able to find a backup and restore it.
Note: Restoring from a backup is free for Corporate plans and above.
-
Active Backups - All recent versions of your records are stored in active databases that can be found and retrieved almost instantly. The number of changes stored in active backups are based on the subscription plan.
-
Archives - Older versions of your records are stored in longer term archives. Restoring from these archives can take much longer but they serve as a great long-term backup.
-
Encrypted & Redundant - Both our active back-up and archives use the same redundancy and encryption as your database. This means even your backups will be completely secure and reliable.
-
Manual Backups - Knack includes export features so you can backup your data at any time. This will give you a CSV file of the data within the object you’re exporting.
-
How do I restore data from a backup?
Let us know and we will manage that process for you. We'll soon be automating our backups so you can control any restores right from your dashboard.
Fun fact: Toy Story 2 was almost erased before the film could be rendered for theaters when the backups stopped working without notice.
Redundancy
Redundancy is usually a negative word: it means no longer useful or necessary.
In the data world, redundancy is a very good word. A system with high redundancy means that there's no single point of failure. If any one component goes down, a redundant component can step right in with no noticeable difference.
For Knack, this means that if one database fails, you won't start hearing from your angry users - other databases will pick up the workload.
-
Multiple Databases - We mitigate database failures by storing your data in multiple databases, so if one database goes down the other databases can pick up the slack. Each change made to your database immediately propagates to these redundant versions.
-
Multiple Locations - Having multiple databases won't help if they are all stored in a single location. One well placed meteor landing and those databases are gone. We mitigate location failure by storing the extra databases in different geographic locations.
-
Offline Backups - We store physical backup files in a separate location from the servers as a final safeguard in case of major catastrophe. These backups are made on a daily basis and are encrypted using AES-256 encryption keys.
Fun fact: A maser (microwave emitting laser) can add redundancy for any end-of-world failures. Just beam your data into space and capture it later for use on another planet.
Infrastructure
We use Amazon Web Services to power everything that Knack has to offer. As a Knack customer, you inherit all the best practices of AWS policies, architecture, and operational processes. Amazon Web Services is considered the industry leader in cloud services and is trusted by organizations like DOW Jones, Pfizer, and the CDC.
Amazon's secure data centers enable the redundancy and scaling that equates to a secure and reliable service for your Knack databases.
-
Compliance - AWS environments are continuously audited, with certifications from accreditation bodies across geographies and verticals. Amazon has achieved compliance with the most strict compliance programs.
-
DDoS Mitigation - AWS provides a robust platform that is not only pre-built to mitigate some attacks, but it also allows us to react quickly to spread out impact if there is an attack. We've also added safeguards to underlying servers as an additional level of protection.
-
Built in Redundancy - Knack uses AWS features like Auto-Scaling and Elastic Load Balancing to ensure that our production systems remain online and traffic is always routed to healthy instances. We continuously replicate your data and have it ready to bring online if any primary nodes fail.
-
Geographic Distribution - Amazon operates data centers all over the world, adding redundancy and scaling to your data and backups.
-
SOC 2 Type II Certified - Knack undergoes an annual audit with a third-party to attest to higher security standards and practices.
-
Firewalls - We use firewalls to protect every virtual server, database, and load balancer to ensure that only authorized traffic is accessing those resources.
Fun fact: 1/3 of all Internet users visit a site hosted by Amazon Web Services each day.
Policies
Security doesn't stop with infrastructure. Without the right polices around privacy and access your data can still be susceptible to human error or compromise.
The same amount of attention to infrastructure and technology needs to be allocated to the people and policies responsible for running that technology.
We've carefully implemented security policies around your data's privacy and about how the Knack team can access that data.
Privacy Policies:
-
Privacy - We maintain a privacy policy here that outlines our commitment to respecting your privacy and the privacy of the information in your account. Ultimately, the data in your account is not accessible to anyone, unless you make it accessible.
-
Data Ownership - you are the sole owner of your data and completely responsible for it. We have no ownership of your data and can make no claims on it as long as you are following the terms of agreement.
-
Business Ownership - any business you generate with your Knack app is completely your ownership. You're free to sell access to your applications and charge for its usage. You simply are licensing the usage of the Knack software (which you do not have any ownership claims to).
Access Policies:
-
VPN Access - All access by Knack employees to customer data is governed by a secure virtual private network. This access is monitored and can be revoked at any time, so even a stolen laptop presents no privacy risks.
-
Development Silos - Knack engineers work in a development environment that is completely separated from any live data. This way no bugs or errors have even the slightest potential to affect your data.
-
Access Logging - Every access request to your data by a Knack employee is logged and time-stamped. We can confirm exact access by the Knack team to any data in the unlikely case that this log is needed.
Team Policies:
-
NDA and Confidentiality - Each Knack employee signs non-disclosure and confidentiality agreements that provide legal backing for our obligation to keep your data private and confidential.
-
Training - Each Knack employee undergoes training and instruction on data access and privacy and how to securely handle customer requests for account or billing access.
-
Support Access - The Knack team will sometimes need to access your data for support services. We only do this at your request and when necessary to resolve the issue to your satisfaction.
Fun fact: The giant 2014 breach of Target's customer data boiled down to human failure to implement an authentication policy for a low level contracting vendor.
Features
We've added the same level of security attention to the features you can add to your applications, so you can have confidence that the apps you build are secure. Additional security features like user logins, IP blocking, password, and login restrictions are available to integrate with your apps.
-
Password Protection - Password protect your apps with encrypted password technology, so that only authenticated users can access it. You can configure multiple registration options for adding new users.
-
Roles & Permissions - Assign roles for your users and define exactly which permissions each role has. Each page in your interface can be authorized for specific roles.
-
Record Level Security - Design your application so that each logged-in user can only access the records that are connected to them.
-
Password Encryption - All user passwords are double encrypted and hashed with a salt, which prevents dictionary attacks and adds an extra layer of security.
-
Advanced Logins - Integrate your Active Directory or LDAP users for Single Sign On to limit access to your established users.
-
Version Tracking - Knack stores every change to every record, whether that happened through your app, directly in the builder, or through the API.
-
IP Blocking - Optionally restrict access to your app to specific IP addresses or IP blocks.
-
Data Encryption - All data displayed in your app and updated back to the database is encrypted and secured with SSL.