SECURITY

Security at Knull

LAST UPDATED · May 2026

Encryption

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). API keys and third-party connector tokens are stored encrypted at the column level and decrypted only inside the server-side request handlers that need them.

Tenant isolation

Every table that holds customer data has Row-Level Security policies scoped to the owning organisation. Server-side helpers run each query under the calling user's session, so the database itself enforces isolation rather than application code: a bug in a handler or query cannot return another tenant's rows, because the policy filters them before they leave the database. That guarantee holds only for queries that run under the caller's session rather than a privileged role that bypasses RLS, which is why attaching the session is the helpers' job and not something individual handlers do by hand.
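The policy shape described above, as an added illustration in Postgres SQL that is not Knull's own schema or code. The table name campaigns, its organisation_id column and the session setting app.current_org are assumptions; the point is that the policy reads the tenant from the session, defaults to returning nothing when no tenant is set, and is forced on even for the table owner.

```sql
-- Added illustration, not Knull's schema. Assumes a customer-data table
-- "campaigns" keyed by organisation_id, and that the server-side helper sets
-- the caller's organisation in the session setting app.current_org.

CREATE TABLE campaigns (
    id              bigserial PRIMARY KEY,
    organisation_id uuid NOT NULL,
    name            text NOT NULL
);

ALTER TABLE campaigns ENABLE ROW LEVEL SECURITY;
-- FORCE applies the policy to the table owner as well, so a migration or
-- maintenance connection that owns the table does not silently bypass it.
-- (Superusers and roles with BYPASSRLS still bypass; keep those out of
-- request handling.)
ALTER TABLE campaigns FORCE ROW LEVEL SECURITY;

-- Tenant is read from the session. missing_ok=true plus NULLIF means an
-- unset or cleared setting yields NULL, and NULL = uuid is never true:
-- a request that forgot to attach the session sees zero rows, not all rows.
CREATE POLICY campaigns_tenant_isolation ON campaigns
    USING (
        organisation_id = NULLIF(current_setting('app.current_org', true), '')::uuid
    )
    WITH CHECK (
        organisation_id = NULLIF(current_setting('app.current_org', true), '')::uuid
    );

-- Per request, the helper pins the transaction to the caller's organisation.
-- set_config(..., is_local => true) is transaction-scoped and takes a bind
-- parameter, so a pooled connection cannot carry one caller's organisation
-- into the next request. Constructed sample value below.
BEGIN;
SELECT set_config('app.current_org', '11111111-1111-1111-1111-111111111111', true);
SELECT id, name FROM campaigns;          -- only that organisation's rows
INSERT INTO campaigns (organisation_id, name)
    VALUES ('22222222-2222-2222-2222-222222222222', 'wrong tenant');
                                          -- rejected by WITH CHECK
COMMIT;
```

The two checks worth running against a setup like this are a SELECT with no session setting attached (it must return no rows) and an INSERT whose organisation_id differs from the session's (it must fail the WITH CHECK clause rather than succeed).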

Authentication

Email and OAuth sign-in via our authentication provider. Admin accounts require time-based one-time password (TOTP) 2FA. Sessions are short-lived and refreshed in the background. Password reset flows are rate-limited and use single-use tokens that are invalidated once redeemed.

Backups and continuity

The primary database is backed up continuously with point-in-time recovery. Storage buckets are versioned. We run restore drills against a separate environment.

Sub-processors

Knull processes data through a small set of named sub-processors: our managed Postgres provider, model providers (OpenAI, Anthropic, Google), Stripe (payments), Resend (transactional email), and ad-platform APIs the customer connects (Meta, Google, TikTok). A current list is maintained and provided on request.

Compliance posture

SOC 2 Type I is in preparation. We do not currently hold a finished certification and we won't claim one we don't have. GDPR and CCPA obligations are honoured today; see the privacy policy for details on data subject rights.

Responsible disclosure

If you believe you've found a security issue, please email security@knullos.lovable.app. We acknowledge reports within two business days and won't pursue legal action against good-faith researchers who avoid privacy violations, service disruption and data destruction.