SECURITY ASSESSMENTS & COMPLIANCE
Last updated: October 2020
Knudge is a web-based client communication application designed for financial advisors and their firms to track their clients’ action lists and collaborate to get work done. The Knudge product is designed, developed, operated, supported, and owned by Knudge, Inc., based in Boston, Massachusetts.
Knudge follows best practices of application development and prevents common web software attacks. We use modern technologies and consistently update our application framework for newly discovered security vulnerabilities. Our development process includes continuous vulnerability scanning to ensure our team is maintaining this high level of security in our codebase. Additionally, a comprehensive test suite is regularly run after every software change to validate that privacy constraints and access restrictions continue to function properly.
Knudge’s physical infrastructure is hosted and managed within Google’s secure data centers and utilizes Google Cloud Platform (GCP) technology. Google continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Google’s data center operations have been accredited under:
- FIPS 140-2 Validated
- CSA STAR
- ISO 27001, ISO 27017, and ISO 27018
- SOC 1, SOC 2, and SOC 3
- PCI DSS
- SEC Rule 17a-4(f), CFTC Rule 1.31(c)-(d), and FINRA Rule 4511(c)
Our application traffic runs entirely over 256-bit encrypted TLS (HTTPS). User credentials are salted and hashed using bcrypt before being stored. Application credentials are kept separate from the database and our code base. Communications over the Internet to our public cloud services are encrypted in transit. Data stored on Google’s infrastructure is automatically encrypted at rest and distributed for availability and reliability. This helps guard against unauthorized access and service interruptions.
RELIABILITY & BACKUP
Google’s network and infrastructure have multiple layers of protection to defend against denial-of-service attacks.
All of your data is backed up daily. Knudge maintains at least 30 days of backup data at any given time. In addition, we continuously take snapshots of the database. Knudge can restore data to any point in time from the earliest backup up to, typically, within 5 minutes of the current time.
Knudge replicates customer data to at least two different locations at any given time to protect against failure or local disaster.
The Knudge platform is designed for stability and scaling, and inherently mitigates common issues that lead to outages while maintaining recovery capabilities. Our platform maintains redundancy to prevent single points of failure, is able to replace failed components, and utilizes multiple data centers designed for resiliency. In the case of an outage, the platform is deployed across multiple data centers using current system images, and data is restored from backups. Knudge reviews platform issues to understand the root cause and the impact to customers, and to improve the platform and processes.
PCI – PAYMENT DATA
Knudge uses the PCI-compliant payment processor Stripe for encrypting and processing credit card payments. Stripe has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available. Credit card numbers are not stored on the Knudge platform.
Google data centers feature a layered security model with custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors, and biometrics. The data center floor features laser beam intrusion detection. Google data centers are monitored 24/7 by high-resolution interior and exterior cameras that can detect and track intruders. Only approved employees with specific roles may enter.
System configuration and consistency are maintained through standard, up-to-date images, configuration management software, and by replacing systems with updated deployments. Systems are deployed using up-to-date images that are updated with configuration changes and security updates before deployment. Once deployed, existing systems are decommissioned and replaced with up-to-date systems.
Operating system access is limited to Knudge staff and requires username and key authentication. Password authentication is not allowed on operating systems, which prevents password brute-force attacks, theft, and sharing.
ACCESS TO CUSTOMER DATA
Knudge staff does not access or interact with customer data as part of normal operations. There may be cases where Knudge is required to interact with customer data at the request of the customer for support purposes or where required by law. Knudge may also inspect customer data to debug and troubleshoot platform issues.
Knudge will investigate any reported vulnerability. If you would like to report a vulnerability or have a security concern regarding Knudge services, please email firstname.lastname@example.org. Please provide full details of the suspected vulnerability so the Knudge security team may validate and reproduce the issue.