Security
Last updated: 2026-04-11
IT Knows IT is built with security and privacy in mind from day one. This page summarizes how we think about protecting the service and the information you share with it.
Our principles
- Least privilege. Every component of the system runs with the minimum access it needs to do its job.
- No long-lived credentials. Where possible, we use short-lived, identity-federated tokens instead of storing static keys.
- Secrets separated from code. API keys, authentication secrets, and database credentials are managed outside of source control and injected at runtime.
- Strict build, strict runtime. Type errors fail the build. Production content security policies do not allow inline script evaluation. Rate limiting protects endpoints that do real work.
- Defense in depth. We assume any single layer can fail and design so that a single failure does not expose data.
Infrastructure
The service runs on a mainstream cloud provider behind a reputable content-delivery and DDoS-mitigation layer. All traffic is encrypted in transit with TLS. All persistent data is encrypted at rest by the underlying managed storage services. Databases are reachable only through private networking; they are not exposed to the public internet.
Application security
- Authentication. Sign-in uses a standard OAuth provider; we never see or store your password.
- Rate limiting. Endpoints that invoke the AI pipeline are rate-limited per client to prevent abuse.
- Input handling. User input is sanitized before logging and is never echoed unescaped into templates.
- Dependency hygiene. We track vulnerabilities in our dependencies and update promptly when fixes are available.
Data handling
See our Privacy Policy for what we collect and how we use it. In short: we don't sell your data, we don't use your questions to train large language models, and we don't serve advertising. Questions you submit are processed only for the purpose of answering them and, in aggregate and anonymized form, for measuring answer quality.
Responsible disclosure
If you believe you've found a security vulnerability in IT Knows IT, please report it privately rather than filing a public issue. You can open a private security advisory on our project repository, or contact the maintainer directly.
We commit to:
- Acknowledging receipt of your report within 48 hours.
- Working in good faith to validate and address verified issues.
- Not pursuing legal action against good-faith security researchers.
- Crediting reporters in release notes, if they wish.
What we ask of researchers
- Do not access, modify, or delete data that isn't yours.
- Do not run denial-of-service tests against the live service.
- Give us a reasonable window to fix issues before public disclosure.
- Respect the privacy of other users at all times.
Compliance
IT Knows IT is a free community tool and does not currently carry formal security certifications such as SOC 2, ISO 27001, or HIPAA. If your organization requires a certified environment for a specific use case, please reach out — we're happy to discuss options.
This page describes our current security posture in good faith. It is not a formal warranty. See the Terms of Service for limitation of liability.