our commitment
Security at Knowtions
Customer trust and security are critical to everything we do at Knowtions Research
Introduction
Knowtions Research believes that ensuring security and protecting data is one of our most important responsibilities. Dedicated members of each department are responsible for educating staff on, implementing and managing our security program. We're committed to being transparent about our security practices and helping you understand our approach.

Our security practices are aligned with widely accepted standards and attestation frameworks, including ISO 27001, 27017 and 27018 and SOC 1 and SOC 2.
Key Security Principles
Security is multifaceted, and our procedures and controls cover many aspects of how we operate internally and deliver our products.
Product Security
  • Establish secure development practices and standards
  • Ensure project-level security risk assessments are performed
  • Provide design review and code review security services for detection and removal of common security flaws
  • Train developers on secure coding practices
Security Operations
  • Build and operate security-critical infrastructure including Lydia AI's public key infrastructure, event monitoring, and authentication services
  • Maintain a secure archive of security-relevant logs
  • Consult with operations personnel to ensure the secure configuration and maintenance of Knowtions's production environment
Security Incidents
  • Respond to alerts related to security events on Lydia AI systems
  • Manage security incidents
  • Acquire and analyze threat intelligence
Risk and Compliance
  • Coordinate penetration testing
  • Manage vulnerability scanning and remediation
  • Coordinate regular risk assessments, and define and track risk treatment
  • Manage the security awareness program
  • Coordinate audit and maintain security certifications
  • Respond to customer inquiries
Version Control and access for documentation
  • Knowtions maintains a set of policies, standards, procedures and guidelines ("security documents") that provide the Knowtions Research workforce with the "rules of the road" for Lydia AI.
  • Our security documents help ensure that Lydia AI customers can rely on our workers to behave ethically and for our service to operate securely.
  • Security documents include, but are not limited to:
    • Fair, ethical, and legal standards of business conduct
    • Acceptable uses of information systems
    • Classification, labeling, and handling rules for all types of information assets
    • Practices for worker identification, authentication, and authorization for access to system data
    • Secure development, acquisition, configuration, and maintenance of systems
    • Workforce requirements for transitions, training, and compliance with ISMS policies
    • Use of encryption
    • Description, schedule, and requirements for retention of security records
    • Planning for business continuity and disaster recovery
    • Classification and management of security incidents
    • Control of changes
    • Regular use of security assessments such as risk assessments, audits, and penetration tests
    • Use of service organizations
  • These policies are living documents: they are regularly reviewed and updated as needed, and made available to all workers to whom they apply.
    Organizational Security
    We believe building a secure organization is fundamental to protecting customer data. We have introduced tools and policies to ensure compliance with the highest standards of security.
    Access Management
    • All Knowtions Research internal corporate workstations issued to workers are configured by Knowtions Research to comply with our standards for security;
    • These standards require all workstations to be properly configured, kept updated, run monitoring software, and be tracked by Knowtions's Security Team;
    • Knowtions default configuration sets up workstations to encrypt data, have strong passwords, and lock when idle;
    • Workstations run up-to-date monitoring software to report potential malware and unauthorized software and mobile storage devices.
    Employee Security Clearance Protocols
    • Upon hire, each Knowtions Research employee is required to complete a background check, sign a security policy acknowledgement and non-disclosure agreement, and receive security training;
    • Only individuals that have completed these procedures are granted physical and logical access to the corporate and production environments, as required by their job responsibilities;
    • In addition, all employees are required to complete annual security training, and they receive regular security awareness training via informational emails, talks and presentations, and resources available on our intranet;
    • Employee access to the Knowtions Research environment is maintained by a central directory and authenticated using a combination of strong passwords, passphrase-protected SSH keys, two-factor authentication, and OTP tokens;
    • Remote access requires the use of VPN protected with two-factor authentication, and any special access is reviewed and vetted by the security team;
    • Access to corporate and production networks is strictly limited based on defined policies.
    • For example, production network access is SSH key-based and restricted to engineering teams requiring access as part of their duties;
    • Firewall configuration is tightly controlled and limited to a small number of administrators;
    • In addition, our internal policies require employees accessing production and corporate environments to adhere to best practices for the creation and storage of SSH private keys;
    • Access to other resources, including data centers, server configuration utilities, production servers, and source code development utilities is granted through explicit approval by appropriate management. A record of the access request, justification, and approval are recorded by management, and access is granted by appropriate individuals;
    • Knowtions employs technical access controls and internal policies to prohibit employees from arbitrarily accessing client related information and to restrict access to metadata and other information about users' accounts. In order to protect end user privacy and security, only a small number of engineers responsible for developing core Knowtions Research services have access to the target client environment;
    • Employee access is promptly removed when an employee leaves the company;
    • Physical access to Knowtions Research corporate facilities, other than public entrances and lobbies, is restricted to authorized Knowtions Research personnel and registered visitors who are accompanied by Knowtions Research personnel;
    • A badge access system ensures only authorized individuals have access to restricted areas within the corporate facilities;
    • Access to areas containing corporate servers and network equipment is restricted to authorized personnel via elevated roles granted through the badge access system;
    • The lists of authorized individuals approved for physical access to corporate and production environments are reviewed at least quarterly.
    Lydia AI Code of Ethics
    Knowtions Research has adopted principles to protect client data and ensure the responsible and transparent use of artificial intelligence and other transformative technologies. See our principles here.
    Audits, compliance, 3rd party assessments
    Audits
    • Knowtions evaluates the design and operation of its overall security infrastructure for compliance with internal and external standards;
    • Knowtions engages credentialed security assessors to perform external audits at least once per year;
    • Audit results are shared with senior management and all findings are tracked to resolution.
    Penetration testing
    • Knowtions engages independent entities to conduct regular application-level and infrastructure-level penetration tests;
    • Results of these tests are shared with Knowtions Research management;
    • Knowtions's Security Team reviews and prioritizes the reported findings and tracks them to resolution.
    Legal compliance
    • Knowtions employs dedicated legal and compliance professionals with extensive expertise in data privacy and security. These professionals are embedded in the development lifecycle and review products and features for compliance with applicable legal and regulatory requirements;
    • Knowtions also has a business code of conduct that makes legal, ethical and socially responsible choices and actions fundamental to our values and defines standards for meeting those goals.
    Code of Business Conduct
    The Knowtions Research Code of Business Conduct and Ethics is, at the most basic level, a description of the conduct we expect from all employees and contractors so that we comply with laws and ethical practices wherever we do business.

    It is a living document that we regularly review and update, as business and the world at large become more complex.
    Customer Security
    The focus of Knowtions Research's security program is to protect customer data. To that end, Knowtions Research has built a robust and secure development and deployment lifecycle to ensure security by design.
    Deployment Models
    • Knowtions Research offers Lydia AI On-Premise and Lydia AI Private Cloud deployments;
    • Both Lydia AI On-Premise (bare-metal) and Lydia AI Private Cloud environments operate within the client's infrastructure for the client's use only;
    • Each environment offers the same service functionality and the security architecture remains consistent;
    • Because deployments are within the client's environment, Knowtions Research does not store client data internally.
    Lydia AI Trained Models
    • Knowtions Research deploys fully pre-trained predictive models for each customer;
    • Lydia AI is then further trained on the client's own data to correct biases at the model level;
    • Client training data is used for continued development of the pre-trained predictive model for the client and only the client;
    • No client training data is used for the development or enhancement of other clients' models.
    Fine-Grained Access Management
    • Each user of a Lydia AI deployment receives an access key;
    • Access is granted at one of four levels:
      • Supervisor
      • Administrator
      • Investigator
      • Manager
    Physical Security
    • Physical access to the client's facilities where production systems reside is restricted to Knowtions personnel who are authorized for it and require it to perform their job function;
    • A record of the access request, justification, and approval are recorded by management, and access is granted by appropriate individuals;
    • Once approval is received, an authorized member of the infrastructure team will contact the client to request access for the approved individual;
    • The client enters the user's information into their own system and grants the approved Knowtions Research personnel badge access and, if possible, biometric scan access;
    • Once access is granted to approved individuals, it is the client's responsibility to ensure that access is restricted to only those authorized individuals.
    Data Encryption
    Knowtions Research has a policy of end-to-end encryption and employs current cryptographic technologies to protect client data. The Knowtions Research platform ensures that:
    • End-to-end security for data in transit is implemented using TLS version 1.2;
    • Optionally, mutual authentication with client certificates (mutually authenticated TLS) and/or a user name and password can be required as an additional measure;
      • For example, at this time, administrative access to production servers requires operators to connect using both an SSH key and a one-time password associated with a device-specific token;
      • Knowtions Research also requires all personnel to use an approved password manager. Password managers generate, store and enter unique and complex passwords. Use of a password manager helps avoid password reuse, reduces exposure to phishing, and discourages other habits that weaken security;
    • Data at rest is encrypted with AES-256, and the TLS sessions protecting data in transit use AES-256 cipher suites.
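The transit-protection bullets above describe a server that speaks TLS 1.2 or later and can require a client certificate. The following is an added example, not Knowtions' code: a stand-alone Go program (standard library only) that builds a throwaway CA, starts a loopback server with those two requirements, and shows which clients it refuses. The CA, the "example-server" and "example-operator" identities, and the loopback address are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newCA creates a throwaway self-signed CA (constructed for this example, not a real PKI).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, *x509.CertPool) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-ca"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, KeyUsage: x509.KeyUsageCertSign, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	ca, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return ca, key, pool
}

// issue signs a leaf certificate for 127.0.0.1 with the given extended key usage.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, usage x509.ExtKeyUsage) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{usage},
		IPAddresses: []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// tryHandshake runs one handshake against a loopback server and returns the
// server's verdict (nil means the client was authenticated). In TLS 1.3 the
// client finishes before the server has checked its certificate, so a
// successful Dial alone proves nothing: we also wait for the server side.
func tryHandshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			verdict <- err
			return
		}
		defer c.Close()
		verdict <- c.(*tls.Conn).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err // refused before the client could even finish the handshake
	}
	conn.Close()
	return <-verdict
}

// Scenarios builds the example PKI once and returns the outcome of three client
// configurations against a server that requires TLS 1.2+ and a client certificate.
func Scenarios() (mutualOK, noClientCert, tls11Only error) {
	ca, caKey, pool := newCA()
	serverCert := issue(ca, caKey, "example-server", x509.ExtKeyUsageServerAuth)
	clientCert := issue(ca, caKey, "example-operator", x509.ExtKeyUsageClientAuth)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAndVerifyClientCert, // a client cert is required, not merely accepted
		ClientCAs:    pool,                            // only certificates from this CA are trusted
		MinVersion:   tls.VersionTLS12,                // TLS 1.0 and 1.1 are refused
	}
	mutualOK = tryHandshake(serverCfg, &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{clientCert}})
	noClientCert = tryHandshake(serverCfg, &tls.Config{RootCAs: pool})
	tls11Only = tryHandshake(serverCfg, &tls.Config{RootCAs: pool, Certificates: []tls.Certificate{clientCert},
		MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS11})
	return
}

func main() {
	ok, noCert, old := Scenarios()
	fmt.Println("client with certificate:   ", ok)     // <nil>
	fmt.Println("client without certificate:", noCert) // rejected by the server
	fmt.Println("client offering TLS 1.1:   ", old)    // rejected during version negotiation
}
```

The two settings that matter are ClientAuth and MinVersion: RequestClientCert or VerifyClientCertIfGiven would let a client with no certificate through, and leaving MinVersion at the default would accept whatever the toolchain's default floor is rather than the documented TLS 1.2. The server-side wait in tryHandshake is deliberate: under TLS 1.3 a client without a certificate sees its own handshake succeed and only learns of the rejection on the first read or write.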
    Data centers and managed service providers
    • Knowtions Research internal corporate and production systems are housed at managed service providers located in different regions of the United States;
    • Our managed service provider for processing and storage, Amazon Web Services (AWS), is responsible for the physical, network and logical security of the underlying infrastructure on which Lydia AI services are provided;
    • Connections are protected by a firewall configured in default deny-all mode; Knowtions Research restricts access to the environment to a limited set of IP addresses and employees;
    • Knowtions Research also works with Amazon China for processing and storage for customers where this is a legal requirement.
    System monitoring, logging, and alerting
    • Knowtions monitors servers, workstations and mobile devices to retain and analyze a comprehensive view of the security state of its corporate and production infrastructure;
    • Administrative access, use of privileged commands, and system calls on all servers in Knowtions's deployments are logged;
    • Knowtions Security Team collects and stores production logs from deployed environments for analysis. Logs are stored in a separate network;
    • Access to this network is restricted to members of the Security Team;
    • Logs are protected from modification and retained for at least two years;
    • Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel;
    • Alerts are examined and resolved based on documented priorities.
    Data Breach & Incident Response
    • Knowtions has incident response policies and procedures to address service availability, integrity, security, privacy, and confidentiality issues.
    • Clients report incidents directly through the dedicated Support Desk assigned to them at software installation;
    • As part of our incident response procedures, we have dedicated teams who are trained to:
      • Promptly respond to alerts of potential incidents
      • Determine the severity of the incident
      • If necessary, execute mitigation and containment measures
      • Communicate with relevant internal and external stakeholders, including notification to affected customers to meet breach or incident notification contractual obligations and to comply with relevant laws and regulations
      • Gather and preserve evidence for investigative efforts
      • Document a postmortem and develop a permanent remediation plan
    Disaster recovery and business continuity
    • Knowtions works with clients to ensure optimal balance between on-premise hardware requirements and high-availability of services and data.
    • Hardware is provisioned at twice the baseline requirement to provide redundancy and backup capacity during catastrophic events;
    • A dedicated Emergency Response Team is assigned and its protocols are documented;
    • Full backups are taken twice per day; only the backups from the last three days are retained.