Security

Built for teams that take access control seriously

Knowharbor is designed with enterprise security controls — data isolation, permission inheritance, and encrypted transit. We think about security the same way your IT team does: as a first principle, not an afterthought.

Security controls

Security controls that ship with the product

Not a compliance checklist for later. Every control below is how Knowharbor is built today — because an enterprise knowledge tool that handles your internal docs needs to get security right from the first connector.

Encryption in transit and at rest

All data transmitted between your sources and Knowharbor uses TLS 1.3. Indexed content is encrypted at rest using AES-256. Your knowledge doesn't travel in plaintext.

Permission inheritance

Knowharbor reads and enforces the access controls from your source systems. If a user doesn't have access to a document, they will not receive answers drawn from it — period.

US data residency

All data is stored and processed in US cloud regions. No cross-border data transfer for US-based organizations. Custom data residency available on Scale tier.

Designed with SOC 2 controls

Our infrastructure and operations are designed with SOC 2 controls in mind — including access control, availability, confidentiality, and change management.

Designed with SSO / SAML 2.0 support

Knowharbor is designed with SSO and SAML 2.0 integration support, so user identity is tied to your existing identity provider. Available on the Scale plan.

Source removal and data deletion

Disconnect a source and Knowharbor purges all indexed content from that source within 24 hours. No residual data. No shadow copies. Confirmed via deletion audit log.

Architecture

How your data flows

From source to answer — with encryption and permission checks at every step.

Data flow diagram: Source Tool (Confluence, Jira, etc.) → OAuth Connector (authorized read-only) → Encrypted Index (AES-256, TLS 1.3) → Query Engine (semantic matching) → Permission Filter (ACL enforcement) → Answer + source link

Every step in the pipeline enforces confidentiality and access controls. Data never leaves the authorized path.

Security FAQ

The questions IT and security teams ask us first

Knowharbor stores a searchable index of your documents' content — not verbatim copies. The index contains text embeddings (numerical representations used for semantic search) and excerpts needed to construct answers. We do not store binary files, attachments, or media from your source systems. Indexed text is encrypted at rest with AES-256.

Access to customer data by Knowharbor employees is governed by least-privilege access controls. No employee has routine access to indexed content. Access is limited to engineering personnel responding to active security incidents or to troubleshoot a support issue you've escalated — and all such access is logged. We do not conduct data analysis on customer content for product improvement without explicit permission.

When you disconnect a source, Knowharbor stops all syncing immediately. All indexed content from that source is purged within 24 hours. If you revoke the OAuth token directly from the source system (e.g., Confluence's "Connected apps"), Knowharbor will detect the revocation at the next sync attempt and automatically mark the source as disconnected. Purge is then triggered on the next cleanup cycle.

IP allowlisting for Knowharbor's outbound indexing agents is available on the Scale plan. We provide a stable set of egress IP addresses that you can add to your source system's allowlist — ensuring only authorized Knowharbor infrastructure can connect. Contact us for the current egress IP range.

Have specific security requirements?

We share our architecture documentation with IT and security teams on request — data flow diagrams, indexing scope definitions, access control model details. If you're in a regulated industry and need specific controls discussed, we'll have that conversation directly.
