Security & Compliance
KnowU is built with enterprise-grade security controls and design principles to ensure user data remains confidential, private, and secure. We align our security infrastructure and data governance models with major industry standards, including ISO/IEC 27001:2022, SOC 2 Type II (Security & Confidentiality), and the HIPAA Security & Privacy Rules (45 CFR Parts 160, 162, and 164).
To minimize our attack surface and ensure platform security, detailed technical designs and network topologies are omitted from this public summary.
1. Security Architecture Summary
KnowU employs a modern, decoupled serverless architecture hosted on secure, certified cloud infrastructure.
- Defense in Depth: Access controls, transport security, and application-layer firewalls are implemented hierarchically.
- Service Isolation: Computing environments, authentication services, and data storage systems are fully decoupled.
- Infrastructure Security: Our hosting providers maintain industry-leading physical and network-level security controls (ISO 27001, SOC 2, and PCI-DSS certified data centers).
[!NOTE] Detailed network topology diagrams and infrastructure flowcharts can be provided to enterprise partners under a Non-Disclosure Agreement (NDA).
2. Compliance Mapping Matrix
The following matrix outlines the high-level security controls implemented within the KnowU platform:
| Control Category | ISO 27001 Control | SOC 2 Criteria | HIPAA Section | Public Implementation Summary |
|---|---|---|---|---|
| Access Control & Identity | A.5.15, A.8.20 | CC6.1, CC6.2, CC6.3 | §164.312(a)(1) | Secure user registration, hashed credentials, and federated Single Sign-On (SSO) are enforced. Access to user documents is restricted at the database layer using rules and at the API layer using token validation. |
| Data Encryption in Transit | A.8.24 | CC6.6, CC6.7 | §164.312(e)(1) | All communication with frontend interfaces, backend endpoints, and third-party APIs is enforced over secure HTTPS using TLS 1.2 or TLS 1.3. CORS policies are strictly configured. |
| Data Encryption at Rest | A.8.24 | CC6.6, CC6.7 | §164.312(a)(2)(iv) | All database entries, storage files, and analytics warehouses are encrypted automatically at rest using AES-256 under managed encryption keys. |
| Audit Logging & Logs | A.8.15, A.8.16 | CC7.1, CC7.2 | §164.312(b) | Centralized operations logging records backend invocations, system execution tracks, errors, and scheduled functions. Access to logs is restricted via strict IAM roles. |
| Least Privilege & Isolation | A.5.18, A.8.22 | CC6.3 | §164.312(a)(2)(ii) | Database security rules enforce that users can only read and write their own documents. Cross-user relations require mutual validation, and no user can access another's AI conversation history. |
| AI Safety & Data Governance | A.8.10, A.8.12 | CC6.5, CC8.1 | §164.502 | AI workflows run server-side using secure API channels. Prompt payloads are strictly validated. No PII/PHI is transmitted to unapproved models, and user prompts are not used for public model training. |
| Right to Erasure / Data Purge | A.8.10, A.8.11 | CC6.5 | §164.312(d) | A self-serve account deletion flow scrubs user credentials, permanently deletes user database records, related subcollections, friendships, and peer feedback references. |
| Vulnerability Management | A.8.8 | CC7.1 | §164.308(a)(1)(ii)(A) | Package dependencies are monitored during build time. Static analysis scripts execute automated vulnerability scans during the integration pipeline. |
3. Detailed Security Documentation Requests
To protect the integrity of the platform, specific API endpoints, database schemas, and codebase configurations are not disclosed publicly.
We can provide qualified partners, HR departments, and enterprise customers with our comprehensive security packet upon request. This packet includes:
- Detailed system architecture and network data flow diagrams
- Specific technical control implementations and database rules configurations
- Completed security questionnaires (e.g., CAIQ or custom spreadsheets)
- Data Processing Agreements (DPA) and Business Associate Agreements (BAA) for HIPAA compliance
Requesting the Security Packet
If you are an administrator, security officer, or HR lead evaluating KnowU for your organization, please contact us at security@knowu.app or support@knowu.app to request access to the security packet.