KnowBe4 currently uses third-party sub-processors to provide infrastructure services and to help us provide customer support and email notifications. Prior to engaging any third-party sub-processor, KnowBe4 performs due diligence evaluations to ensure their privacy, security, and confidentiality practices and executes a data processing agreement (DPA) to ensure compliance with applicable legislation.
Key Terms:
KSAT Console Administrator: Any user labeled an administrator in the KSAT console.
KSAT Console User: Any user located in KnowBe4’s KSAT software as a service (SaaS) platforms. This includes end-users, admins, partner users, or any other user that is created in the console(s). (This includes PhishER.)
KCM GRC Console User: Any user uploaded into KnowBe4’s KCM GRC SaaS platform. This includes end-users, admins, partner users, vendor users, or any other user that is created in the console.
Backup and Recovery Site: Secondary data centers. These are generally used for disaster recovery.
Console User Metadata: Summarizes basic user information. This includes general information such as date created, time error generated, or date modified. This does not always tie back to a specific user.
KSAT Console: KnowBe4’s flagship product that provides security awareness training and simulated phishing services.
KCM GRC: Knowbe4’s governance, risk, and compliance tool.
Primary Business Contact: This individual is generally the main point of contact for KnowBe4’s customer success managers (CSMs).
Ticket Requester: Any individual that submits a support ticket to KnowBe4.
KSAT Sub-Processor Listing
Infrastructure Sub-Processors
Name | Data Storage Location | Data Subjects | Categories of Data Processed | Privacy and Security Controls | Purpose |
Amazon AWS
Website: amazon.com
Address: 410 Terry Ave N Seattle, WA 98109, USA Method of Transfer: EU Standard Contractual Clauses
|
Option 1 (default): Amazon AWS Data Center in the United States, Northern Virginia (us-east-1)
Backup and Recovery Site: Amazon AWS Data Center in the United States, Oregon (us-west-2) ------------- Option 2: Amazon AWS Data Center in Europe located in Dublin, Ireland (eu-west-1)
Backup and Recovery Site: Amazon AWS Data Center Frankfurt, Germany (eu-central-1) ------------- Option 3: Amazon AWS Data Center in Montreal, Canada (central)
Backup and Recovery Site: Amazon AWS Data Center in Europe located in Dublin, Ireland (eu-west-1) ------------- Option 4: Amazon AWS Data Center in London, England (eu-west-2)
Backup and Recovery Site: Amazon AWS Data Center in Europe located in Dublin, Ireland (eu-west-1) -------------
Option 5: Amazon AWS Data Center in Frankfurt, Germany (eu-central-1) Backup and Recovery Site: Amazon AWS Data Center in Europe located in Dublin, Ireland (eu-west-1)
|
KSAT Console Users |
Data Collected Directly From Customer: First Name, Last Name, Manager First Name, Manager Last Name, Business Phone Number, Business Email Address, Mobile Phone Number, Employee Title, Employee Department, IP Address, Browser Information, Training and Coaching Information
Generated Information: Phishing Campaign Results and Metrics, Security Awareness Training Results, Risk Score
|
KnowBe4 has reviewed and annually reviews Amazon AWS's SOC II report and other related compliance and certification documentation as a part of its vendor due diligence process.
KnowBe4 has executed a data processing agreement (DPA) with EC-approved standard contractual clauses for the purposes of processing data in the United States. |
Necessary for providing the infrastructure for KnowBe4’s application(s). The product will not be able to function without this sub-processor. |
Product Functionality Sub-Processors
Name and Address | Data Storage Location | Data Subjects | Categories of Data Processed | Privacy and Security Controls | Purpose |
Datadog
Website: datadoghq.com
Address: 620 8th Ave,45th Floor,New York, NY 10018, USA Method of Transfer: EU Standard Contractual Clauses
|
Production: Amazon AWS US Data Centers
Backup Data Storage: Amazon AWS US Data Centers |
Console Users |
First Name, Last Name, Email Address, IP Address, Browser Information, Logging Information
|
KnowBe4 has reviewed and annually reviews Datadog's SOC II report as a part of its vendor due diligence process.
KnowBe4 has executed a data processing agreement with EU-approved standard contractual clauses for the purposes of processing data in the United States. |
Necessary for application logs, system logging, and analytics. |
Pendo.io Website: Pendo.io
Address: 301 Hillsborough St, Raleigh, NC 27603, USA Method of Transfer: EU Standard Contractual Clauses
|
Production: GCP | Console Users | Name, Email, Phone Number, Company Number, IP Address, Usage Data |
KnowBe4 has reviewed and annually reviews Pendo.io SOC II report as a part of its vendor due diligence process.
KnowBe4 has executed a data processing agreement with EU-approved standard contractual clauses for the purposes of processing data in the United States. |
Allows capture of metrics to improve the product. |
Sub-Processors Used to Provide Support Services
Name | Data Storage Location | Data Subjects | Categories of Data Processed | Privacy and Security Controls | Purpose |
Zendesk
Website: Zendesk.com
Address: 989 Market St, San Francisco, CA 94103, USA
Method of Transfer: EU Standard Contractual Clauses
|
Production: Amazon AWS Data Centers (us-east-1)
Backup Data Storage: Amazon AWS Data Centers in the United States |
Console Administrators, Ticket Requesters
|
Ticket ID, Requester ID, Status, Assignee ID, Custom Fields |
KnowBe4 has reviewed and annually reviews Zendesk’s SOC II report as a part of its vendor due diligence process.
KnowBe4 has executed a data processing agreement with EC-approved standard contractual clauses for the purposes of processing data in the United States. |
Allows KnowBe4 to track support requests across channels to improve team performance. |
Salesforce
Website: Salesforce.com
Address: Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA
Method of Transfer: EU Standard Contractual Clauses
|
Production:
Salesforce Data Centers in Chicago, Illinois
Backup Data Storage: Salesforce Data Centers in Washington, USA |
Primary Business Contacts, Ticket Requestors
**Does not have direct access to KSAT console information**
|
Name, Email, Contact Information, Device and Usage Data, Company Billing Information, IP Address, Job Title, Cookies (required, functional), Telephony Log Information |
KnowBe4 has reviewed and annually reviews Salesforce's SOC II report as a part of its vendor due diligence process.
KnowBe4 has executed a data processing agreement with EC-approved standard contractual clauses for the purposes of processing data in the United States. |
Used for Customer relationship management.
|
Mixpanel
Website: mixpanel.com
Address: One Front St, Floor 28, San Francisco, CA 94111, USA
Method of Transfer: EU Standard Contractual Clauses
|
Production: Google Cloud Data Centers in the United States
Backup Data Storage: Google Cloud Data Centers in the United States |
Primary Business Contacts (past or present), Console Users
|
Name, Email, Postal Address, Phone Number, Company Number, IP Address, Usage Information |
KnowBe4 has reviewed and annually reviews Mixpanel's SOC II report as a part of its vendor due diligence process.
KnowBe4 has executed a data processing agreement with EC-approved standard contractual clauses for the purposes of processing data in the United States. |
Allows for the analysis, measurement, and improvement of our customer experience. |
Hubspot
Website: Hubspot.com
Address: 2 Canal Park,Cambridge, MA 02141, USA
Method of Transfer: EU Standard Contractual Clauses
|
Production: Amazon AWS Data Centers (us-east-1)
Backup Data Storage: Amazon AWS Data Centers in the United States
|
Console Administrators | Administrator emails |
KnowBe4 has reviewed and annually reviews Hubspot’s SOC II report as a part of its vendor due diligence process.
KnowBe4 has executed a data processing agreement with EU-approved standard contractual clauses for the purposes of processing data in the United States. |
Used for customer relationship management |
Insided
Website: Insided.com
Address: Singel 118, Amsterdam, 1015 AE, The Netherlands
Method of Transfer: EU Standard Contractual Clauses
|
Production: Amazon AWS Data Centers (us-east-1)
Backup Data Storage: Amazon AWS Data Centers in the United States
|
Community end users | Administrator email addresses, Usage Metadata, General Demographic Information, Ticket IDs |
KnowBe4 has reviewed and annually reviews Insided’s security certifications as a part of its vendor due diligence process.
KnowBe4 has executed a data processing agreement with EU-approved standard contractual clauses for the purposes of processing data in the United States. |
Used for community engagement |
KCM GRC Sub-Processor Listing
Infrastructure Sub-Processors
Name | Data Storage Location | Data Subjects | Categories of Data Processed | Privacy and Security Controls | Purpose |
Amazon AWS
Website: amazon.com
Address: 410 Terry Ave N Seattle, WA 98109, USA Method of Transfer: EU Standard Contractual Clauses
|
Production:
Option 1: Amazon AWS Data Centers in the United States (us-east-1)
Backup Data Storage: AWS Data Center (us-west-1)
Option 2: Amazon AWS Data Centers in Europe located in London (eu-west-2)
Backup Data Storage: Amazon AWS Data Center Dublin, Ireland (eu-west-1) |
Customer Employees or Contractors (past or present) |
Data Collected Directly from Customer: First Name, Last Name, Email Address, IP Address, Browser Information Generated Information: Compliance, Risk, and Vendor Metrics and Documentation
|
KnowBe4 has reviewed and annually reviews Amazon AWS's SOC II and ISO 27001 certification as a part of its vendor due diligence process.
KnowBe4 has executed a data processing agreement with EU-approved standard contractual clauses for the purposes of processing data in the United States. |
Necessary for providing the infrastructure for KnowBe4’s KCM GRC application. The product will not be able to function without this sub-processor. |
Product Functionality Sub-Processors
Name | Data Storage Location | Data Subjects | Categories of Data Processed | Privacy and Security Controls | Purpose |
Datadog
Website: datadoghq.com
Address: 620 8th Ave, 45th Floor, New York, NY 10018, USA Method of Transfer: EU Standard Contractual Clauses
|
Production: Amazon AWS Data Centers in the United States
Backup Data Storage: Amazon AWS Data Centers in the United States |
Console Users |
First Name, Last Name, Email Address, IP Address, Browser Information, Logging Information
|
KnowBe4 has reviewed and annually reviews Datadog's SOC II report as a part of its vendor due diligence process.
KnowBe4 has executed a data processing agreement with EU-approved standard contractual clauses for the purposes of processing data in the United States. |
Necessary for application logs, system logging, and analytics. |
Pendo.io Website: Pendo.io
Address: 301 Hillsborough St, Raleigh, NC 27603, USA Method of Transfer: EU Standard Contractual Clauses
|
Production: GCP | Console Users | KCM Metadata |
KnowBe4 has reviewed and annually reviews Pendo.io SOC II report as a part of its vendor due diligence process.
KnowBe4 has executed a data processing agreement with EU-approved standard contractual clauses for the purposes of processing data in the United States. |
Allows capture of metrics to improve the product. |
Sub-Processors Used to Provide Support Services for KCM GRC
Name | Data Storage Location | Data Subjects | Categories of Data Processed | Privacy and Security Controls | Purpose |
Zendesk
Website: Zendesk
Address: 989 Market St, San Francisco, CA 94103 USA
Method of Transfer: EU Standard Contractual Clauses
|
Production: Amazon AWS Data Centers (us-east-1)
Backup Data Storage: Amazon AWS Data Centers in the United States |
Console Administrators, Ticket Requesters
|
Ticket ID, Requester ID, Status, Assignee ID, Custom Fields |
KnowBe4 has reviewed and annually reviews Zendesk’s SOC II report as a part of its vendor due diligence process.
KnowBe4 has executed a data processing agreement with EC-approved standard contractual clauses for the purposes of processing data in the United States. |
Allows KnowBe4 to track support requests across channels to improve team performance. |
Salesforce
Website: Salesforce.com
Address: Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, USA
Method of Transfer: EU Standard Contractual Clauses
|
Production: Salesforce Data Centers in Chicago, Illinois
Backup Data Storage: Salesforce Data Centers in Washington, USA |
Primary Business Contacts, Ticket Requestors
**Does not have direct access to KSAT console information**
|
Name, Email, Contact Information, Device and Usage Data, Company Billing Information, IP Address, Job Title, Cookies (required, functional), Telephony Log Information |
KnowBe4 has reviewed and annually reviews Salesforce's SOC II report as a part of its vendor due diligence process.
KnowBe4 has executed a data processing agreement with EC-approved standard contractual clauses for the purposes of processing data in the United States. |
Used for customer relationship management.
|
KnowBe4 affiliates used for providing customer (support) services
Name | Data Processing Location | Data Subjects | Categories of Data Processed | Purpose | Access Level |
KnowBe4, Inc. USA (HQ) Office Address: 33 N Garden Avenue, Clearwater FL, 33755 International data transfer method: Standard Contractual Clauses (SCC’s) with appropriate technical organizational privacy and security measures. |
USA |
KSAT Console Administrator, KSAT Console User, KCM GRC Console User, Backup and Recovery Site, Console User Metadata, KSAT Console, KCM GRC, Primary Business Contact, Ticket Requester |
KSAT Console information, KCM GRC Data. Other information required to provide support services to you.
Any console, information processed by this support affiliate is on a need to know basis and follow the principle of least privilege. |
Storage; access for customer service and support; providing customer access and use of the services; abuse detection, prevention, and remediation; and maintaining, improving, and providing the services. | Need to know only. |
KnowBe4 NL B.V.
Registered address: Central Park, Stadsplateau 25, 3528 AZ ,Utrecht, The Netherlands
|
Netherlands |
KSAT Console Administrator, KSAT Console User, KCM GRC Console User, Backup and Recovery Site, Console User Metadata, KSAT Console, KCM GRC, Primary Business Contact, Ticket Requester |
KSAT Console information, KCM GRC Data. Other information required to provide support services to you.
Any console, information processed by this support affiliate is on a need to know basis and follow the principle of least privilege. |
First level of support to customers and shared service center activities, where required. | Need to know only. |
KnowBe4 Germany GmbH Registered address: Rheinstr. 45-46, 12161 Berlin, Germany International data transfer method: Standard Contractual Clauses (SCC’s) with appropriate technical organizational privacy and security measures. |
Germany |
KSAT Console Administrator, KSAT Console User, KCM GRC Console User, Backup and Recovery Site, Console User Metadata, KSAT Console, KCM GRC, Primary Business Contact, Ticket Requester |
KSAT Console information, KCM GRC Data. Other information required to provide support services to you. Any console, ticket, or audit log information processed by the support affiliates are on a need to know basis and follow the principle of least privilege. |
First level of support to customers, where required. | Need to know only. |
KnowBe4 UK Ltd. Registered address: 1 Leeds City Office Park, Meadow Lane, Leeds, LS11 5BD United Kingdom International data transfer method: Standard Contractual Clauses (SCC’s) with appropriate technical organizational privacy and security measures. |
United Kingdom |
KSAT Console Administrator, KSAT Console User, KCM GRC Console User, Backup and Recovery Site, Console User Metadata, KSAT Console, KCM GRC, Primary Business Contact, Ticket Requester
|
KSAT Console information, KCM GRC Data. Other information required to provide support services to customers.
Any console, information processed by this support affiliate is on a need to know basis and follow the principle of least privilege. |
First level of support to customers, where required. | Need to know only. |
KnowBe4 AU Pty Ltd (Australia) Registered address: International data transfer method: Standard Contractual Clauses (SCC’s) with appropriate technical organizational privacy and security measures. |
Australia |
KSAT Console Administrator, KSAT Console User, KCM GRC Console User, Backup and Recovery Site, Console User Metadata, KSAT Console, KCM GRC, Primary Business Contact, Ticket Requester |
KSAT Console information, KCM GRC Data. Other information required to provide support services to customers.
Any console, information processed by this support affiliate is on a need to know basis and follow the principle of least privilege. |
First level of support to customers, where required. | Need to know only. |
KnowBe4 Japan GK Registered Address: Nihonbashi 3 Chome Square 11F, 3-9-1 Nihonbashi, Chuo-ku, Tokyo, Japan 103-0027 International data transfer method: EC adequacy decision. |
Japan |
KSAT Console Administrator, KSAT Console User, KCM GRC Console User, Backup and Recovery Site, Console User Metadata, KSAT Console, KCM GRC, Primary Business Contact, Ticket Requester |
KSAT Console information, KCM GRC Data. Other information required to provide support services to customers. Any console, information processed by this support affiliate is on a need to know basis and follow the principle of least privilege. |
First level of support to customers, where required. | Need to know only. |
KnowBe4 Pte Ltd (Singapore) Registered address: International data transfer method: Standard Contractual Clauses (SCC’s) with appropriate technical organizational privacy and security measures. |
Singapore |
KSAT Console Administrator, KSAT Console User, KCM GRC Console User, Backup and Recovery Site, Console User Metadata, KSAT Console, KCM GRC, Primary Business Contact, Ticket Requester |
KSAT Console information, KCM GRC Data. Other information required to provide support services to customers.
Any console, information processed by this support affiliate is on a need to know basis and follow the principle of least privilege. |
First level of support to customers, where required. | Need to know only. |
El Pescador Softwares Ltda,, aka KnowBe4 Brazil Registered address: Avenida Ibirapuera, n° 2.315, conjunto 142, 14° andar, Edifício Platinum Tower, Indianópolis, CEP: 04029-200, na cidade de São Paulo, Estado de São Paulo International data transfer method: Standard Contractual Clauses (SCC’s) with appropriate technical organizational privacy and security measures. |
Brazil |
KSAT Console Administrator, KSAT Console User, KCM GRC Console User, Backup and Recovery Site, Console User Metadata, KSAT Console, KCM GRC, Primary Business Contact, Ticket Requester |
KSAT Console information, KCM GRC Data. Other information required to provide support services to you.
Any console, information processed by this support affiliate is on a need to know basis and follow the principle of least privilege. |
First level of support to customers, where required. | Need to know only |
KnowBe4 Africa (Pty) Ltd. Registered Address: International data transfer method: Standard Contractual Clauses (SCC’s) with appropriate technical organizational privacy and security measures. |
South Africa |
KSAT Console Administrator, KSAT Console User, KCM GRC Console User, Backup and Recovery Site, Console User Metadata, KSAT Console, KCM GRC, Primary Business Contact, Ticket Requester |
KSAT Console information, KCM GRC Data. Other information required to provide support services to customers.
Any console, information processed by this support affiliate is on a need to know basis and follow the principle of least privilege. |
First level of support to customers, where required. | Need to know only. |
KnowBe4 Middle East FZ-LLC Registered Address: International data transfer method: Standard Contractual Clauses (SCC’s) with appropriate technical organizational privacy and security measures. |
Dubai, UAE |
KSAT Console Administrator, KSAT Console User, KCM GRC Console User, Backup and Recovery Site, Console User Metadata, KSAT Console, KCM GRC, Primary Business Contact, Ticket Requester |
KSAT Console information, KCM GRC Data. Other information required to provide support services to customers.
Any console, information processed by this support affiliate is on a need to know basis and follow the principle of least privilege. |
First level of support to customers, where required. | Need to know only. |
KnowBe4 India Private Limited
Registered Address: International data transfer method: Standard Contractual Clauses (SCC’s) with appropriate technical organizational privacy and security measures. |
India | Security Coach Data |
Security Coach Any console, information processed by this support affiliate is on a need to know basis and follow the principle of least privilege. |
Research and Development. | Need to know only. |