1. How do we prevent customers from accessing other customers' data?
We leverage logical database separation to ensure customer privacy and confidentiality in our multi-tenant architecture. These strict privacy controls exist in our application code to ensure data privacy and prevent one customer from accessing another customer's data. This is done using unique account identifiers which attribute each user to a specific account. We have many unit and integration tests in place to ensure these privacy controls work as intended. We run these tests every time our codebase is updated. Even one single test failure will prevent new code from being shipped to production.
2. How often do we conduct backups?
Our backup and recovery infrastructure is hosted and utilizes the combination of Amazon Simple Storage Service (Amazon S3) and Amazon Relational Database Service (Amazon RDS), which provides resizable database capacity with scalable and efficient data storage infrastructure. The Amazon RDS service is set to back up the production database every day, maintains 35 days of backups, and stores the encrypted database backups in a high-availability data storage location. The Amazon RDS service also allows for a point-in-time restoration of the database for any point in time going back two weeks. Old copies of backups are deleted in accordance with our data retention schedule.
3. What is KnowBe4's RPO (Recovery Point Objective) and RTO (Recovery Time Objective)?
Our RPO is a few minutes to hours but will be no later than 72 hours. Our RTO is 72 hours.
4. What is KnowBe4's change control/management procedure?
We have implemented a formal change management process that allows staff to request, manage, approve, and control changes that modify services or systems within our environments. The change control process is designed to enforce key development controls each time a change is made to the software, including development and emergency changes. The change management process begins with the identification of what needs to be changed; recording and classification of the change; and continues with the review, approval, test, and staging for implementation of the change. Once implementation has been completed, measured, and reported, the change process is complete.
5. Is production data used in your test environment?
Production data is not copied to test environments. We have a daily process that anonymizes our entire production database. This process is overseen by our data privacy and infosec teams. This anonymized database includes anonymized customer account details, such as a customer's address, domain, company name, personal data, and other confidential information. This anonymized database is used for testing as necessary. We refresh this database daily so that when account data is deleted or purged, the account data is also purged from the anonymized database.
6. How is KnowBe4 employee access managed and monitored?
KnowBe4 follows the principle of least privilege and role-based access for its employees. All employee access is logged and monitored.
7. What kind of data is collected or processed by Knowbe4?
Data Collected Directly From Customer: First Name, Last Name, Manager First Name, Manager Last Name, Business Phone Number, Business Email Address, Mobile Phone Number, Employee Title, Employee Department, IP Address, Browser Information
Generated Information: Phishing Campaign Results and Metrics, Security Awareness Training Results, Risk Score
|PhishER||Email information submitted by customer|
|KCM GRC||Email address, browser information, strictly necessary cookie information, and information customers upload into the console (audit reports, compliance reports, etc.)|
8. Where can I find a list of your sub-processors?
A list of our sub-processors can be found here.
9. How does KnowBe4 ensure the availability of its product?
Our systems run in the cloud and do not run their own routers, load balancers, DNS servers, or virtual systems. Except for a few data sub-processors, services, and data, data is hosted primarily in Amazon AWS data centers. For US-based customers and customers wanting to keep their data residing in the US, we have systems in AWS data centers located in the US region in North Virginia. For customers based in the EU/EEA (including UK and Switzerland), we have systems located in AWS data centers that store production data in DC Dublin, Ireland with a failover in DC Frankfurt. However, a few data sub-processors will process a limited subset of data in the United States. A full accounting of data processing locations can be found in our sub-processor listing.
Our systems are built taking both business continuity and disaster recovery into consideration. Our IT infrastructure, including systems and databases, is spread across multiple Amazon AWS data centers (availability zones) for both the EU and US regions for continuity purposes. Systems are within our own virtual private cloud (VPC) with network access control lists (ACLs) to prevent unauthorized requests from gaining access to the internal network.
We use the AWS Fargate platform as a service. AWS Fargate is a serverless computer engine for Amazon Elastic Container Service (Amazon ECS) that allows KnowBe4 to run containers without having to provision, configure, and scale clusters of virtual machines (VMs). AWS Fargate manages the underlying infrastructure and clusters. It also automatically scales the application based on demand. AWS Fargate eliminates the need to scale, monitor, patch, and secure EC2 instances.
Data communication between our backend systems and our customers' backend systems is encrypted, which protects data in transit. Data is held in an encrypted Amazon Relational Database Service (Amazon RDS), which provides for availability and data durability. Storage is provided by encrypted Amazon Simple Storage Service (S3) buckets dedicated to KnowBe4. Encryption is enabled to protect data at rest.
10. How does KnowBe4 ensure the confidentiality of our data?
Our internal network is protected from public internet traffic via stateful inspection firewalls provided by Amazon AWS. A security group acts as a firewall and controls the traffic allowed into a group of instances. For each security group, custom rules are added that govern the allowed inbound traffic to instances in the group. All other inbound traffic is denied.
Encrypted communication is utilized to protect remote internet sessions to our applications and internal network. Encryption is used to ensure the privacy and integrity of the data being passed over the public network.
All data is transmitted over secure channels. This includes access to the Service Provider Training console website, information sent to third parties for processing, and logging. Data that is sent between the web server and the database is done within a virtual private cloud within AWS.
Data sent between our applications and our customers' applications is forced through at minimum HTTPS TLS 1.2 (it will default to the highest level of TLS available) connection using modern ciphers. The database instance is encrypted with the AES256 encryption standard.
If our customers choose to use KMSAT's Vishing feature, a third-party service called Twilio is used. A review of Twilio security controls is performed annually. A data protection agreement (including the standard contractual clauses according to the European Commission) is in place with Twilio.
For more information, see Appendix 3 of our DPA/Global Data Processing Addendum.
10. What's your data retention policy?
You can find our data retention policy here.
11. Will KnowBe4 sign a Business Associate Addendum as described in HIPAA regulations?
Business associate addendums are required for organizations that process PHI on behalf of a covered entity. Since KnowBe4 does not process PHI, we do not execute BAA’s with our customers. We understand that PHI may incidentally be submitted to one of our products or services. HIPAA specifies that incidental disclosures of PHI are outside of the scope of HIPAA. If any customer submits PHI to one of our platforms you can either delete the information yourself within the applicable product(s) or submit a ticket and we will delete the information on your behalf.
12. Is KnowBe4 HIPAA certified?
HIPAA is not applicable to KnowBe4 since we do not process PHI on behalf of our customers. Furthermore, no HIPAA certification currently exists for cloud service providers. Regardless of HIPAA applicability, KnowBe4 aligns its information security program with FedRAMP, NIST 800-53, and ISO 27001 requirements.