Security at Knowledgeable

Knowledgeable is built for organisations handling sensitive market access, clinical and commercial information. Security and privacy are core design constraints, not an afterthought.

Last updated: June 2026. Draft, pending legal review.

1. Hosting & infrastructure

  • Hosted on enterprise-grade cloud infrastructure with EU and UK regional options.
  • Logical isolation per customer tenant; production isolated from non-production.
  • High-availability architecture with automated failover.

2. Encryption

  • In transit: TLS 1.2+ for all external traffic, with modern cipher suites and HSTS.
  • At rest: AES-256 encryption for databases, object storage and backups.
  • Managed keys with rotation; customer-managed keys (CMK) available on enterprise plans.

3. Identity & access

  • SSO via SAML 2.0 and OpenID Connect; SCIM provisioning available.
  • Role-based access control with organisation- and workspace-level scoping.
  • Multi-factor authentication enforced for all internal staff.
  • Least-privilege production access, time-bound and fully audited.

4. Application security

  • Secure SDLC with peer code review, static analysis, dependency scanning and secret scanning on every change.
  • Continuous container and infrastructure-as-code scanning.
  • Annual third-party penetration testing; remediation tracked to closure.
  • Responsible disclosure programme; see section 10 below for contact details.

5. Monitoring & incident response

  • Centralised logging and anomaly detection with 24/7 alerting on critical events.
  • Documented incident response runbooks with defined severity, escalation and notification timelines.
  • Customer notification of confirmed personal data breaches without undue delay and within applicable regulatory timeframes.

6. Data handling

  • Customer content is processed only to deliver the service to that customer.
  • We do not use Customer Data to train shared or third-party foundation models.
  • Configurable data retention; deletion or export on request and on termination.
  • See the Privacy Policy for full data handling details.

7. Resilience & backups

  • Automated, encrypted backups with regular restore testing.
  • Documented Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets, available under NDA.
  • Disaster recovery plan reviewed and exercised annually.

8. Sub-processors

We use a small, vetted set of sub-processors for cloud hosting, observability, email and authentication. All are bound by written contracts requiring appropriate technical and organisational measures. The current list is available on request from security@knowledgeable.ai.

9. Compliance roadmap

  • UK GDPR and EU GDPR aligned; DPA available for all customers.
  • SOC 2 Type II, in progress.
  • ISO/IEC 27001, in progress.
  • HIPAA-aware processing controls available on request for applicable engagements.

10. Reporting a vulnerability

We welcome reports from the security community. Please email security@knowledgeable.ai with a description of the issue, reproduction steps and any relevant artefacts. Please do not publicly disclose until we've had a reasonable opportunity to investigate and remediate.