Trust & Compliance
This page records how Knowlee handles security, data protection, AI governance, and certifications. It exists to give a procurement team enough information to complete a vendor questionnaire and decide whether to proceed.
No marketing language. Where a control is in production, we describe it. Where a control is on a roadmap, we mark it with a target date. Where a certification has not been started, we say so. Buyers comparing Knowlee to vendors with a fully certified posture (AutogenAI's FedRAMP High, Tonkean's SOC 2 Type II, Noxtua's ISO 27001 + ISO 42001 + BSI C5) deserve a flat statement, not a softened one.
If anything here contradicts another vendor document, contact security@knowlee.ai and we will respond with the source artifact.
1. Current security posture
The controls in this section are in production today, sourced from the architectural rules in the engineering project's CLAUDE.md. A buyer's security team can request configuration files and run logs as part of a paid evaluation.
1.1 Per-vertical data isolation
Each Knowlee vertical product (4Sales, 4Talents, 4Marketers, 4Legals, 4Projects, 4Procurement, 4Finance, 4Operations) runs against its own dedicated Supabase project. A vertical is, by construction, one Supabase project plus a lightweight frontend. There is no shared multi-tenant table that mixes data across verticals; the blast radius of any single credential or misconfiguration is bounded by its vertical.
Cross-vertical reasoning happens exclusively through the Enterprise Brain (a Knowledge Graph + RAG accessed via the memoryGraph MCP server), which receives only entities, relationships, and patterns each vertical chooses to publish. Raw rows do not leave their owning Supabase project. For customer-hosted deployments, each vertical maps to a Supabase project the customer controls; Knowlee operators do not hold direct database credentials in the customer's tenancy unless explicitly granted for an incident or scoped engagement.
1.2 Secrets management
Tenant secrets — Supabase access tokens, Apify tokens, captcha API keys, provider API keys, Neo4j credentials — live in a git-ignored .env file at the repository root of each Knowlee instance. The orchestration server loads it at startup and passes only the variables a given child process needs at spawn time. Secrets are never echoed to the operator UI, never written into job logs, and never templated into prompts. The repository is, by policy, secret-free.
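The spawn-time scoping and log redaction described above, written here as an added TypeScript example rather than Knowlee's orchestration code; the job declaration format, the variable names and the sample .env values are assumptions:

```typescript
// Added example, not Knowlee's orchestration server: least-privilege env
// scoping for a spawned job plus log redaction, in the shape §1.2 describes.
// Variable names and the job declaration are assumptions for illustration.

export interface JobDecl {
  name: string;
  command: string;
  args: string[];
  envNeeds: string[]; // the only variables this child may receive
}

// Build the child's environment from the loaded .env: only what the job
// declared, and fail closed if a declared variable is absent or empty.
export function scopedEnv(loaded: Record<string, string>, job: JobDecl): Record<string, string> {
  const env: Record<string, string> = {};
  for (const key of job.envNeeds) {
    const value = loaded[key];
    if (value === undefined || value === "") throw new Error(`${job.name}: missing ${key}`);
    env[key] = value;
  }
  return env;
}

// Options to hand to child_process.spawn: the scoped variables plus PATH so
// the command resolves; nothing else from the parent environment is inherited.
export function spawnOptions(loaded: Record<string, string>, job: JobDecl, parentPath: string) {
  return { env: { ...scopedEnv(loaded, job), PATH: parentPath } };
}

// Replace any secret value that leaks into a log line before it is stored,
// longest values first so a secret that is a prefix of another is not missed.
export function redact(line: string, secrets: Iterable<string>): string {
  const values = [...secrets].filter((v) => v !== "").sort((a, b) => b.length - a.length);
  let out = line;
  for (const v of values) out = out.split(v).join("[REDACTED]");
  return out;
}

// Constructed sample .env contents (not real credentials) and a job that
// declares only the Apify token.
export const SAMPLE_ENV: Record<string, string> = {
  SUPABASE_ACCESS_TOKEN: "sbp_constructed_token_0001",
  APIFY_TOKEN: "apify_constructed_token_0002",
  NEO4J_PASSWORD: "neo4j_constructed_pw_0003",
};
export const SAMPLE_JOB: JobDecl = {
  name: "lead-scrape", command: "node", args: ["scrape.js"], envNeeds: ["APIFY_TOKEN"],
};
```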
1.3 fabric-native authentication and subagent boundaries
All third-party access — database, search, scraping, knowledge graph, calendar, email — is brokered through MCP (Model Context Protocol) servers. The single source of truth is .mcp.json in the Knowlee repository.
Subagents (short-lived agent contexts the parent session spawns for fresh-context work) operate under hard rules from CLAUDE.md §"Subagent Constraints":
- No database object creation (CREATE FUNCTION, CREATE TABLE, CREATE EXTENSION, buckets, migrations).
- No bypassing MCP via direct API or RPC. PostgREST endpoints, the Supabase Management API, and any HTTP endpoint a service exposes are off-limits even when credentials are present.
- No exposing local files via tunnels (cloudflared, ngrok, localtunnel, ad-hoc HTTP servers).
- No service role key use (SUPABASE_SERVICE_KEY, SUPABASE_DB_PASSWORD, SUPABASE_ACCESS_TOKEN) unless the parent explicitly hands the credential over for a specific use.
- If an assigned approach is infeasible, stop and report rather than improvise.
These rules were codified after a 2026-04-11 internal incident in which four parallel subagents independently invented unsafe workarounds (database extension creation, public tunnels, direct service-key use) when an oversized SQL payload exceeded an MCP tool's parameter size limit. Rules are now enforced at the parent-session level.
1.4 Job-level governance metadata
Every automated job — scheduled, manual, or triggered by an operator-approved flashcard — is declared in the automation registry. Each entry carries fields designed to align with the EU AI Act's deployer obligations:
- risk level — the deployer's classification of the job's risk tier (minimal, limited, high, prohibited).
- data categories — declarative list of data types the job processes (e.g., contact_data, contract_terms, employee_records).
- human-oversight required — boolean. When true, the job cannot transition from draft to running without an approval signature.
- approver / approval timestamp — identity and timestamp of the approver.
An audit pass surfaces any production run of a job with human-oversight required set to true that lacks an approver and approval timestamp; such runs are treated as compliance incidents.
1.5 Audit trail
Every job run produces a complete record: raw stdout/stderr under the audit trail; per-step LLM reasoning streamed in JSON (the agent runtime wrapper uses stream-json so every tool call, model response, and error is recorded); structured outputs in the structured report store; open incidents in state/jobs/alerts/. Customers can request the log bundle for any execution ID.
Additional production controls: prompt templates in scripts/prompts/ are version-controlled; each job declares an allowedTools allow-list enforced at the MCP layer and maxTimeout / idleTimeout / maxTurns so runaway agents are terminated by the runner. All work — strategic tasks, scheduled jobs, flashcard-originated drafts — appears on one kanban backed by the automation registry. No shadow queue.
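An audit pass of the kind §1.4 and the allowedTools / maxTurns controls above describe, written here as an added example and not Knowlee's own audit job; the registry field names, the run-record shape and the sample data are assumptions:

```typescript
// Added example, not Knowlee's own audit job: an audit pass over the
// automation registry and run records in the shape §1.4 and §1.5 describe.
// Field names, the run-record shape and the sample data are assumptions.
type RiskLevel = "minimal" | "limited" | "high" | "prohibited";

export interface RegistryEntry {
  id: string; riskLevel: RiskLevel; dataCategories: string[];
  humanOversightRequired: boolean;
  approver?: string; approvalTimestamp?: string; // identity and ISO-8601 time of the approval signature
  allowedTools: string[]; // allow-list enforced at the MCP layer
  maxTurns: number;       // runaway-agent cap enforced by the runner
}
export interface RunRecord {
  jobId: string; status: "draft" | "running" | "done";
  toolCalls: string[]; // MCP tools actually invoked during the run
  turns: number;
}
export type FindingKind = "unregistered_job" | "missing_approval" | "tool_not_allowed" | "turn_limit_exceeded";
export interface Finding { jobId: string; kind: FindingKind; detail: string }

// The gate from §1.4: a job that requires human oversight may only leave
// draft with a recorded approver and a parseable approval timestamp.
export function approvalGateSatisfied(e: RegistryEntry): boolean {
  if (!e.humanOversightRequired) return true;
  if (!e.approver || !e.approvalTimestamp) return false;
  return !Number.isNaN(Date.parse(e.approvalTimestamp));
}

// Sweep every production run (anything past draft) against the registry.
export function auditRuns(registry: RegistryEntry[], runs: RunRecord[]): Finding[] {
  const byId = new Map<string, RegistryEntry>(registry.map((e): [string, RegistryEntry] => [e.id, e]));
  const findings: Finding[] = [];
  for (const run of runs) {
    if (run.status === "draft") continue;
    const e = byId.get(run.jobId);
    if (!e) { // a run with no registry entry came from a shadow queue
      findings.push({ jobId: run.jobId, kind: "unregistered_job", detail: "no registry entry" });
      continue;
    }
    if (!approvalGateSatisfied(e))
      findings.push({ jobId: e.id, kind: "missing_approval", detail: "oversight required, no signed approval" });
    for (const tool of run.toolCalls)
      if (!e.allowedTools.includes(tool))
        findings.push({ jobId: e.id, kind: "tool_not_allowed", detail: `'${tool}' not in allowedTools` });
    if (run.turns > e.maxTurns)
      findings.push({ jobId: e.id, kind: "turn_limit_exceeded", detail: `${run.turns} turns > ${e.maxTurns}` });
  }
  return findings;
}

// Constructed sample: one compliant job; one that ran without its approval
// signature, outside its allow-list and past maxTurns; and one unregistered run.
export const SAMPLE_REGISTRY: RegistryEntry[] = [
  { id: "contract-renewal-scan", riskLevel: "high", dataCategories: ["contract_terms"],
    humanOversightRequired: true, approver: "ops-lead", approvalTimestamp: "2026-04-12T09:00:00Z",
    allowedTools: ["supabase.query", "memoryGraph.read"], maxTurns: 40 },
  { id: "candidate-outreach", riskLevel: "high", dataCategories: ["employee_records"],
    humanOversightRequired: true, allowedTools: ["supabase.query"], maxTurns: 20 },
];
export const SAMPLE_RUNS: RunRecord[] = [
  { jobId: "contract-renewal-scan", status: "done", toolCalls: ["supabase.query"], turns: 12 },
  { jobId: "candidate-outreach", status: "running", toolCalls: ["supabase.query", "email.send"], turns: 25 },
  { jobId: "ad-hoc-export", status: "done", toolCalls: [], turns: 1 },
];
export const SAMPLE_FINDINGS: Finding[] = auditRuns(SAMPLE_REGISTRY, SAMPLE_RUNS);
```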
2. EU AI Act readiness
The EU AI Act enters its main enforcement phases through 2026–2027. Knowlee was architected with the Act's deployer obligations in mind rather than retrofitting them. Knowlee's role is, in most customer deployments, that of a deployer; in some configurations Knowlee may also be a provider.
Article 6 — High-risk classification. The risk level field on each job is the deployer's record of classification at the job level — the granularity AI Act compliance officers actually need. A job classified risk level: high triggers the additional obligations below.
Article 13 — Transparency. Providers and deployers must give users sufficient information about the system's capabilities, limitations, and intended purpose. Knowlee satisfies this through the published job registry surface (every job a customer's operator runs is visible with its purpose, model, allowed tools, and recent runs), reasoning logs (per-step LLM reasoning preserved per run), and the published prompt templates that govern session jobs.
Article 14 — Human oversight. High-risk AI systems must be designed for effective human oversight. The human-oversight required boolean is the explicit gate: a job marked true cannot transition to running without a recorded approval. The flashcard mechanism — by which the system proposes new tasks for the operator's approval rather than auto-running them — is a second layer.
Article 17 — Quality management. A QMS covering the AI system's lifecycle. Knowlee ships: versioned prompt templates with full git history; a per-job change record (the entry in the automation registry is git-tracked); a pre-deployment review gate (approver / approval timestamp); recurring audit jobs that sweep execution history, cost, and output quality and surface findings as reports or human-in-the-loop approval flows. Not yet present: a formal ISO 42001 management-system audit (see §4).
Article 26 — Deployer obligations. Monitoring, log retention, and serious-incident reporting. Audit log retention is configurable per deployment; default ****. Logs are stored in the customer's tenancy in self-hosted shapes, or in the residency region the customer selects in the managed shape.
Article 50 — Transparency for AI-generated content. Users must be informed when content is AI-generated and, where applicable, AI-generated content must be marked as such. Roadmap:
- Provenance metadata in outputs. Every artifact will carry metadata identifying the producing job, the model, the prompt version, and the run timestamp. Target ****.
- Output watermarking for generative content. For verticals producing public-facing AI-generated text or media, C2PA-equivalent cryptographic provenance is planned. Target ****.
These are roadmap items, not shipped. Buyers needing Article 50 compliance today should request the engineering scoping document.
3. GDPR posture
Knowlee processes data on behalf of customers under standard GDPR processor obligations.
Data minimization. The data categories field is a declarative manifest of what personal data types each job touches. Audit jobs sweep the registry to produce a Record of Processing Activities (RoPA) view; a customer's DPO can request the current RoPA snapshot for their tenancy.
Per-tenant isolation. Each customer's data lives in the customer's own Supabase project(s), one per vertical. Knowlee operators do not maintain a shared cross-tenant operational database.
Right to erasure. Knowlee supports Article 17 erasure requests through a per-vertical purge job pattern. Each vertical declares a deterministic purge script (type: "script", no LLM in the loop, reproducible) that removes all rows matching a given data subject identifier and emits a confirmation report. Customers can request a sample.
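A deterministic purge job in the shape just described, added here as an example and not Knowlee's own script; the manifest format, the table names and the sample rows are constructed:

```typescript
// Added example, not Knowlee's own purge script: a deterministic erasure job
// in the shape §3 describes. The manifest format, table names and sample rows
// are constructed for illustration.
type Row = Record<string, string | number | null>;
type Tables = Record<string, Row[]>;
// Each vertical declares which tables reference data subjects and in which
// column, so the purge never has to guess and no LLM is in the loop.
export type PurgeManifest = Record<string, string>;

export interface PurgeReport {
  subjectId: string;
  deleted: Record<string, number>; // rows removed, per table
  remaining: number;               // rows still referencing the subject; must be 0
  ok: boolean;
}

export function purgeSubject(tables: Tables, manifest: PurgeManifest, subjectId: string): PurgeReport {
  const deleted: Record<string, number> = {};
  // Tables are processed in sorted name order so two runs over the same data
  // produce identical reports (reproducibility is the point of a script job).
  const declared = Object.entries(manifest).sort(([a], [b]) => a.localeCompare(b));
  for (const [table, col] of declared) {
    const rows = tables[table] ?? [];
    const keep = rows.filter((r) => r[col] !== subjectId);
    deleted[table] = rows.length - keep.length;
    tables[table] = keep;
  }
  // Verification pass after deletion: the confirmation report only says ok
  // when nothing referencing the subject is left in any declared table.
  let remaining = 0;
  for (const [table, col] of declared)
    remaining += (tables[table] ?? []).filter((r) => r[col] === subjectId).length;
  return { subjectId, deleted, remaining, ok: remaining === 0 };
}

// Constructed sample data for a 4Talents-style vertical.
export function sampleTables(): Tables {
  return {
    candidates: [{ id: "cand-17", email: "a@example.org" }, { id: "cand-18", email: "b@example.org" }],
    interview_notes: [{ note_id: 1, candidate_id: "cand-17" }, { note_id: 2, candidate_id: "cand-18" },
                      { note_id: 3, candidate_id: "cand-17" }],
    outreach_log: [{ ev: 1, subject: "cand-17" }],
  };
}
export const SAMPLE_MANIFEST: PurgeManifest = { candidates: "id", interview_notes: "candidate_id", outreach_log: "subject" };
```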
Data Processing Agreement. A standard DPA is available on request, referencing EU Standard Contractual Clauses where international transfer applies. Custom terms are negotiable for enterprise contracts. Email legal@knowlee.ai with your legal entity name, deployed verticals, and residency requirements.
Breach notification. 72 hours from confirmed discovery, per GDPR Article 33. See §6.
Sub-processors. See §5.
4. Certifications — current status and roadmap
Knowlee is candid about its certification posture. Competitors in adjacent categories ship a fully audited posture today (Tonkean: SOC 2 Type II; AutogenAI: FedRAMP High; Noxtua: ISO 27001 + ISO 42001 + BSI C5). Knowlee does not, yet.
| Certification | Status | Target | Why this matters |
|---|---|---|---|
| SOC 2 Type II | Not started | Q4 2026 (Type I), Q2 2027 (Type II) | Required for US enterprise; near-table-stakes for Series B+ B2B SaaS |
| ISO/IEC 27001 | Not started | Q1 2027 | Required for EU enterprise procurement |
| ISO/IEC 42001 (AI Management) | Designed for; not started | Audit Q3 2027 | AI-specific management standard; AI-Act-conscious EU buyer differentiator |
| BSI C5 (Germany) | Evaluating | TBD | Required for many DACH public-sector and regulated-industry buyers |
| FedRAMP (Moderate or High) | Out of scope this cycle | — | Not in target market this cycle. Buyers needing FedRAMP today are better served by competitors with that posture (e.g., AutogenAI). |
| TISAX (Automotive) | Evaluating | TBD | Conditional on Knowlee opening an automotive vertical |
| HIPAA Business Associate | Not in scope | — | Knowlee does not currently process PHI |
| PCI-DSS | Not in scope | — | Knowlee does not store, process, or transmit cardholder data |
| Cyber Essentials Plus (UK) | Not started | TBD | UK public-sector procurement minimum |
Notes. SOC 2 Type I is the readiness audit; Type II requires a 6+ month observation window; auditor not yet selected. The architecture is designed for ISMS alignment (per-tenant isolation, secrets management, audit logs) but no ISO 27001 Stage 1 audit is scheduled. The job-registry governance metadata, allowed-tools enforcement, prompt versioning, and approval gates were designed against ISO 42001 controls; the formal audit is contingent on ISO 27001 readiness. BSI C5 has overlap with ISO 27001 and the sequencing decision is pending.
On candor. Procurement teams prefer "not started, target Q4 2026" over a marketing softening, and we deliberately take the candid posture. If a specific certification is gating your decision, contact us — the order of certs is partly customer-signal-driven; a paid customer making ISO 27001 a contractual milestone accelerates the audit timeline.
5. Data residency and sub-processors
5.1 Residency
- Self-hosted (the dominant shape today). Customer-controlled. The customer chooses Supabase, object-storage, and Neo4j hosting regions. Knowlee does not move data out of those regions.
- Managed shape (roadmap). EU customers default to EU regions (Frankfurt or Dublin); US customers default to a US region. Customer choice across at least two regions per market is committed for general availability.
LLM inference is, by default, routed via the model provider's regional endpoint where one is available. Where a customer requires that no data leave a specific region for inference, Knowlee supports model-routing to regional endpoints (Anthropic EU, AWS Bedrock regional, Vertex AI regional).
5.2 Sub-processors
Third-party services that may process customer data in a default deployment. A specific deployment may use a subset; deployments may opt out of optional sub-processors.
| Sub-processor | Purpose | Region(s) | Necessity |
|---|---|---|---|
| Supabase | Per-vertical Postgres + storage + auth | Customer-chosen | Required |
| Neo4j AuraDB (or self-hosted Neo4j) | Enterprise Brain graph | Customer-chosen | Required |
| Anthropic | LLM inference (default: Claude Opus / Sonnet) | US / EU regional endpoints | Required for session jobs |
| Apify | Web data extraction | EU / US | Optional (scraping only) |
| Steel Browser | Browser automation | Self-hosted | Optional |
| 2Captcha | CAPTCHA solving | Vendor-side | Optional (CAPTCHA-protected sources only) |
| Cloudflare | DNS + Cloudflare Tunnel for the operator's public URL | Global | Optional (published-URL shape only) |
| n8n (self-hosted) | Vertical-specific workflow orchestration | Self-hosted | Optional |
A current sub-processor list with version, region, and purpose is maintained at /trust/sub-processors. Customers with executed DPAs receive 30-day advance notice of material changes.
5.3 LLM data handling
Knowlee uses Anthropic's API by default with the standard data-handling terms (no training on customer prompts). Customers may configure other providers (OpenAI, Google Vertex AI, AWS Bedrock, self-hosted models) per their own contract terms. Knowlee does not, in any deployment shape, train or fine-tune models on customer data unless the customer has signed a specific, bounded fine-tuning engagement.
6. Incident response
Communication channels. Security disclosures: security@knowlee.ai. Status page: status.knowlee.ai. Customer-specific notifications go to the contact named on the executed DPA plus the technical contact in the deployment configuration.
Breach notification SLA. Knowlee commits to notifying an affected customer within 72 hours of confirmed discovery of a personal data breach, consistent with GDPR Article 33. The notification includes nature of the breach, likely consequences, mitigation, and contact for further information. Tighter SLAs (24 or 48 hours) are negotiable for enterprise contracts.
Customer-side incident assistance. If a customer experiences a security incident that may involve Knowlee-processed data, Knowlee provides reasonable forensic assistance (log retrieval, run-record export, configuration review) at no additional charge for the first **** of effort. The executed DPA governs precise terms.
Public incident disclosure. Material incidents affecting multiple customers are disclosed publicly on the status page. We do not name affected customers without their consent.
7. Penetration testing
Internal testing. The engineering team runs internal security review on every change touching authentication, secrets handling, MCP boundary enforcement, or data-isolation invariants. The 2026-04-11 subagent-boundary incident referenced in §1.3 was caught and remediated through internal review.
External penetration test. An external pentest by an independent firm is scheduled for ****, contingent on SOC 2 Type I readiness. Buyers requiring an external pentest report as a contractual condition should flag this early; scope and date can be accelerated for material deals. A summary — sensitive findings redacted — will be made available to customers under NDA.
Bug bounty / responsible disclosure. A formal bug bounty is not yet in place. Researchers reporting vulnerabilities to security@knowlee.ai receive acknowledgement within 3 business days, triage status within 10 business days, and coordinated disclosure on a mutually agreed timeline (default 90 days from triage). A formal program with published scope and reward schedule is targeted for ****.
8. Open-source transparency
A portion of the Knowlee codebase — utility libraries, MCP server examples, prompt-template patterns, sample skills — is published under an open-source license at github.com/KnowleeAI.
Reasoning. Audit-by-community — independent inspection of how Knowlee handles MCP boundaries, secrets, and subagent constraints is a stronger trust signal than a sealed binary; a buyer's security engineer can read the code. Ecosystem — MCP is a young protocol; published examples accelerate adoption and reduce integration cost.
Not open-sourced: vertical product implementations (4Sales / 4Talents / 4Marketers), Enterprise Brain graph schemas, customer-specific prompt libraries, and any artifact containing customer data.
9. Frequently asked questions
Is Knowlee SOC 2 certified?
Not yet. SOC 2 Type I is targeted for Q4 2026 and Type II for Q2 2027. Buyers requiring a SOC 2 report as a contractual condition for current deployments should contact us; we maintain a documented set of compensating controls (§1) and can walk through them with your security team.
Can I get a Data Processing Agreement (DPA)?
Yes. A standard Knowlee DPA is available on request and references EU Standard Contractual Clauses where international transfer applies. Custom terms are negotiable for enterprise contracts. Email legal@knowlee.ai with your legal entity name.
Where is my data stored?
In the self-hosted shape (dominant today), your data lives in the Supabase, object-storage, and Neo4j regions you choose. Knowlee does not move data out of those regions. In the managed shape (roadmap), EU customers default to EU regions (Frankfurt or Dublin); US customers default to a US region. See §5.
How does Knowlee handle EU AI Act compliance?
Every job carries explicit governance metadata (risk level, data categories, human-oversight required, approver, and approval timestamp) that maps onto Articles 6, 13, 14, 17, and 26. Output watermarking under Article 50 is on the roadmap. Full mapping in §2.
What is your sub-processor list?
Supabase, Neo4j, Anthropic, optionally Apify, Steel Browser, 2Captcha, Cloudflare, n8n. Full list with regions and necessity in §5. Customers with executed DPAs receive 30-day advance notice of material changes.
What is your breach notification policy?
72 hours from confirmed discovery, consistent with GDPR Article 33. The notification includes nature, scope, consequences, mitigation, and contact for follow-up. Tighter SLAs (24 or 48 hours) are available in enterprise contracts. Detail in §6.
Can I request a security questionnaire response?
Yes. We respond to standard security questionnaires (SIG, CAIQ, custom enterprise questionnaires). Response time is typically 5–10 business days depending on questionnaire length and whether a DPA is already in place. Email security@knowlee.ai.
What is your data retention policy?
In the self-hosted shape, retention is configured by the customer. In the managed shape, the default for job logs and reports is **** unless the customer specifies otherwise. Customer data tables follow the customer's own retention policy.
Is Knowlee ISO 27001 certified?
Not yet. Targeted for Q1 2027. The architecture is designed against the ISO 27001 control set (per-tenant isolation, secrets management, audit logs, change control via git) but no Stage 1 audit has been completed. Buyers requiring ISO 27001 today should weigh this against vendors who already hold the cert (Noxtua holds ISO 27001 + ISO 42001 + BSI C5).
How does Knowlee compare to vendors with full certifications today?
Vendors with FedRAMP (AutogenAI), SOC 2 Type II (Tonkean), or ISO 27001 + ISO 42001 + BSI C5 (Noxtua) ship a more mature certification posture than Knowlee does today. Where certs are a hard procurement gate, those vendors will pass and Knowlee will not. Where the question is broader — architecture, AI Act readiness, EU residency, cross-vertical orchestration — Knowlee is competitive on the merits described above. We expect the cert gap to close on the Q4 2026 / Q1 2027 / Q2 2027 cadence in §4.
Contact
- Security disclosures and incident reports: security@knowlee.ai
- DPA and legal questions: legal@knowlee.ai
- Procurement / vendor questionnaires: security@knowlee.ai
- Status page: status.knowlee.ai
- Responsible disclosure policy: /trust/responsible-disclosure