1. SCOPE
This KnowBe4 Data Privacy Impact Assessment (DPIA) is only applicable to the extent KnowBe4, Inc. and/or its affiliates (KnowBe4) is a processor of personal data for its KSAT and KCM GRC products and services. The purpose of this DPIA is to provide information about KnowBe4’s personal data processing practices and to allow customers to complete their own data protection impact assessments on KnowBe4’s products and services. This DPIA only covers KnowBe4’s KSAT and KCM GRC products and services.
Description of KnowBe4 Services
KnowBe4 is a B2B SaaS (software as a service) company that provides its customers with a variety of services. The services that will be included in this document are:
- KSAT Console: A simulated phishing and security awareness and compliance training platform.
- KCM GRC Tool: A tool designed to help manage company governance, risk, compliance, and audits.
Describe the data that will be stored, used, collected, or otherwise processed while using KnowBe4's services.
- KSAT Console: Name, email address, telephone number, title, security awareness training and simulated phishing campaign results and metrics, strictly necessary cookie information, IP addresses, web browser information, and information uploaded by customers.
- KCM GRC Tool: Email address, browser information, strictly necessary cookie information, and information that customers upload into the console (including audit reports, compliance reports, etc.).
Does KnowBe4 collect special categories of data (including criminal convictions, health information, etc.)?
No, KnowBe4 does not request nor provide appropriate fields for submitting special categories of data for any of its tools. Any special categories of data that may be received would be incidental and can be deleted upon request.
Where are KnowBe4’s servers located?
KnowBe4 operates instances within the United States, the European Union, the United Kingdom, Germany, and Canada. Customers may choose where data is stored during the course of the services. However, KnowBe4 leverages subprocessors in the United States, and personal data will generally also be processed in the United States.
Does KnowBe4’s processing of personal data include automated decision making which can produce legal effects concerning data subjects?
No.
Do you provide notice to data subjects about the processing of their personal data?
KnowBe4 acts as a processor for its customers, so it does not initiate direct contact with data subjects unless specifically instructed to. When processing personal data, KnowBe4 adheres to the terms of our data processing agreements and data protection notices found here. Data stored in KnowBe4’s products and services are provided by customers. Our customers are responsible for making their users aware of how their data is being processed.
2. ACCESS TO PERSONAL DATA
How is access to personal data handled?
KnowBe4 provides products and services that leverage role-based access control, or RBAC. Customer administrators are able to set users' roles and permissions to limit access. KnowBe4’s employees and other personnel are only granted access to data on a restricted basis. Access is only granted to fulfill KnowBe4’s contractual obligations, legal obligations, or legitimate business interests, such as meeting service-level agreements (SLAs), or upon a customer’s written permission.
How do you ensure the security of KnowBe4's products and services?
KnowBe4 has security policies, procedures, and controls to ensure the security of its products and services. These controls may be found by reviewing KnowBe4’s SOC 2 Type 2. You may request KnowBe4's SOC 2 Type 2 by emailing your KnowBe4 point of contact after executing a non-disclosure agreement (NDA). You may also review KnowBe4’s public-facing SOC 3 report found here.
How does KnowBe4 handle customer data subject access requests (DSARs)?
KnowBe4’s procedure for handling end-user DSARs for customers is to forward the request to the console or service administrator and provide assistance as requested.
3. INFORMATION FLOWS
International Data Transfer
You may execute a Data Processing Addendum with standard contractual clauses (SCCs) with KnowBe4 by following the instructions found here.
Describe KnowBe4’s product data flows.
KSAT and KCM GRC are both built in the cloud leveraging Amazon Web Services (AWS).
- KSAT Data Flow Description: Customer administrators are able to upload end-user information into the console. Personal data is also generated when users complete security modules or are subject to phishing campaigns. This data is then stored in KnowBe4’s cloud storage (AWS).
- KCM GRC Data Flow Description: Customers create a user account with their business email address. KCM GRC users then upload information into the KCM GRC console. This information is then stored in KnowBe4’s cloud storage (AWS).
What sub-processors does KnowBe4 leverage in order to provide services?
KnowBe4 leverages sub-processors that process personal data in order to provide services to customers. You may request a list of sub-processors by emailing your KnowBe4 point of contact. Data processing agreements (DPAs) have been executed with all sub-processors in order to ensure the protection of personal data.
4. DATA SECURITY & PRIVACY BY DESIGN (PbD)
Where can I find KnowBe4’s security documentation?
KnowBe4 takes security seriously and takes appropriate measures to protect personal data. For more information about our security practices, you may visit our Security page found here. Additionally, our Consensus Assessment Initiative Questionnaire (CAIQ) is available here. You may also request a copy of our SOC 2 Type 2 report from your KnowBe4 point of contact after executing a non-disclosure agreement (NDA). Our public-facing SOC 3 report can be found here.
How does KnowBe4 incorporate privacy by design (PbD) into its products?
KnowBe4 conducts data privacy impact assessments and takes its data protection obligations into account when creating new products and services.
Are KnowBe4 employees and agents bound by confidentiality agreements?
KnowBe4 employees and other personnel who may have access to personal data are required to sign confidentiality agreements.
Do KnowBe4 employees receive privacy and security awareness training?
Yes, KnowBe4 employees receive periodic privacy and security awareness training.
Does KnowBe4 maintain a record of processing activities?
Yes, KnowBe4 maintains a record of processing activities.
5. DATA RETENTION
How long does KnowBe4 store personal data?
KnowBe4 retains customer personal data in accordance with its customer contracts (i.e., service agreements and data processing agreements) as well as in accordance with other legal obligations.
6. HAS KNOWBE4 APPOINTED A DATA PROTECTION OFFICER?
Yes, KnowBe4 has appointed a Data Protection Officer. You may contact KnowBe4’s Data Protection Officer by emailing privacymanager@knowbe4.com.
7. WHO CAN I REACH OUT TO IF I HAVE MORE QUESTIONS?
If you have more questions, you can either contact your KnowBe4 point of contact or send an email to privacymanager@knowbe4.com.