Product Privacy Notice
Data Protection Highlights
These data protection highlights are intended to provide subscribing organizations (each, a “Customer”) and their Users (collectively, “you”) with a few key points from our data protection notices and will tell you how KnowBe4 (“we,” “us,” or “our”) uses Personal Data (as defined below) collected through our Subscription Services and free tools (collectively, our “Services”). Our data protection notices will provide you with more detail on KnowBe4’s global data protection practices. All capitalized terms used herein, but not otherwise defined, shall have the meanings ascribed to them in our Terms of Service accessible at knowbe4.com/terms.
What is Personal Data?
“Personal Data” means personally identifiable information as defined by applicable law. In simple terms, this generally means personally identifiable information that can be linked back to a natural person, such as your name, email address, or IP address.
How Does KnowBe4 Collect Personal Data?
We collect Personal Data when you visit our websites, submit information through our submission forms, contact us, send information to us directly, or upload information to our Services. We also receive Personal Data collected by our affiliates, channel partners, service providers, and other third party providers (“TPPs”).
How KnowBe4 Uses Personal Data
KnowBe4 uses Personal Data to respond to your inquiries, to provide information about our Services to you, to run our Services, to improve our Services, for hiring/employment purposes, to comply with legal obligations, and as otherwise described in our data protection notice(s) and applicable agreements for Services.
Your Rights
If you are not a Customer or a User:
If you are not a Customer or a User, please email privacy@knowbe4.com to access, amend, delete, rectify, withdraw consent, or object to the processing of your Personal Data. Our data protection notices have more information about these options.
If you are a Customer or a User:
If you are a Customer, or a User of KnowBe4’s Services, where we provide the Services under an Agreement with your organization (i.e., your employer and our Customer), it is your organization that controls the information processed by the Services. If you do not agree with the use of your Personal Data, we recommend you reach out to your organization’s Account Admin (as defined in this Product Privacy Notice) to exercise your rights. You may also email privacy@knowbe4.com and we will reach out to your Account Admin for you. Please see our Product Privacy Notice for more information about these options.
Contact Us
If you would like more information on our data protection practices, you can review our full data protection notices contained on our website.
Please direct any complaints, requests, or inquiries to privacy@knowbe4.com. We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, and you are located in the EEA or other applicable jurisdictions, you have the right to lodge a complaint with the competent supervisory authority.
Full Product Privacy Notice
Important Information
We at KnowBe4 (“we,” “us,” or “our”) are committed to protecting the data of our subscribing organizations (each, a “Customer”), Customer Account Admin(s), and Customer Users (collectively, as applicable, “you” or “your”). The data protection practices set forth in this Product Privacy Notice (the “Product Privacy Notice”) are for our Subscription Services and free tools (collectively, the “Services”). This Product Privacy Notice tells you how KnowBe4 uses Personal Data collected through our Services. “Personal Data” means personally identifiable information as defined by applicable law. In simple terms, this generally means personally identifiable information that can be linked back to a natural person, such as your name, email address, or IP address. All capitalized terms used herein, but not otherwise defined, shall have the meanings ascribed to them in our Terms of Service.
By using our Services, you are accepting the practices described in this Product Privacy Notice. If you do not agree with the data practices provided in this Product Privacy Notice, you should not use the Services provided by KnowBe4. We may make changes to this Product Privacy Notice at our sole discretion at any time. We will alert you if there is any material change to this Product Privacy Notice. Your continued use of the Services after we make changes to the Product Privacy Notice is deemed to be an acceptance of those changes.
For the avoidance of doubt, this Product Privacy Notice only applies to the extent we process Personal Data in the role of a processor on a Customer’s behalf. If you executed a Data Protection Agreement with us, the terms of such agreement will supersede this Product Privacy Notice.
What This Notice Covers:
This Product Privacy Notice applies to the processing of Personal Data collected by us when Customers (or potential Customers) use our Services or create a free account to use our free tools (where we act as a processor of Personal Data).
Personal Data KnowBe4 Collects:
The Personal Data that we collect directly from customers includes the following:
- Customer Contact information: first name, last name, organization, title, department, phone number, third party integration data, and organization email addresses.
- Automatically collected information: information collected via cookies and web beacons, including IP address, browser name, operating system details, domain name, date of visit, time of visit, pages viewed, or other similar information.
- Customer Data: simulated phishing, security awareness testing and training results, risk score, security assessment results, training and coaching information, and information uploaded to the Subscription Services.
We use common information-gathering tools, such as tools for collecting usage data, cookies, web beacons, and similar technologies, to automatically collect information that contains Personal Data from your computer or mobile device as you navigate our website, use our Services, or interact with emails we send to you.
How Personal Data is Collected
Personal Data is collected by KnowBe4 when it is shared by your organization’s account administrator (the “Account Admin”), at the discretion of your organization. Personal Data will also be requested from you through our Services by your Account Admin at your organization’s discretion. The Personal Data that KnowBe4 collects is limited to the purposes for which it is processed, such as to provide the Services.
How We Use Your Personal Data
We collect and process your Personal Data for the purposes, and on the legal bases, identified in the following (where we act as a processor of your Personal Data):
Where we have entered into a contract, such as:
- for your use of our free tools, Subscription Services, or other Services provided to you that are under the Agreement for Subscription Services between you, or your organization, and KnowBe4;
- for the use of our website, including any free tools or Services;
- for managing payments in order to complete a transaction with you;
- for any Support Services that we provide to you from time to time;
- for webinars that you have registered to attend; and
- for KnowBe4 contests or promotions.
A legitimate interest is the legal basis for processing the following:
- to assess and improve your experience on the Subscription Services (such as analyzing trends or tracking your usage and interactions with our Services in order to improve your overall experience);
- for security purposes such as investigations of suspicious activity or for compliance purposes (such as investigating fraud or misuse of our website).
KnowBe4 processes and discloses Personal Data when cooperating with appropriate regulatory and government authorities. When KnowBe4 processes Personal Data for this purpose, the legal bases for processing shall be for compliance with a legal obligation to which KnowBe4 is subject.
Cookies, web beacons, and other tracking technologies on our Services
KnowBe4 uses cookies and other tracking technologies when users interact with our Services. Cookies are small text files that are placed on your computer by a website. Each one of these cookies contains an identification number, IP address, and the time and date last accessed. KnowBe4 does NOT use these cookies contained within our Services for targeted advertising to users.
Below are the two types of cookies that are used on our Services.
- Session based cookies - these are only used to determine how long you remain on the Subscription Services and immediately expire when you leave the Subscription Services or logout.
- Support cookies - these cookies allow us to track onboarding times and other metadata in order to provide better service to our Customers and their Users.
Most browsers are set up to accept cookies. If you choose, you may refuse to accept cookies or set up your browser so that it notifies you when you receive a cookie.
Who Do We Share Personal Data With?
We use third party providers (“TPPs”) to assist in provision of the Services and perform specialized services for data processing. When we provide Personal Data to these TPPs, they are not permitted to use the Personal Data for any reason outside of the scope for which we contracted them.
The ways in which we share your Personal Data include the following:
- When we use our TPPs (such as Amazon Web Services) in the performance of our Services. This is required for us to provide our Services to you. We execute contracts with our third parties to ensure they fulfill their data protection obligations. A list of our TPPs may be found here: support.knowbe4.com/hc/en-us/articles/1500007523981-KnowBe4-Subprocessors.
- When you register for a webinar it is generally done through one of our TPPs. In these circumstances, your information will be subject to such TPPs’ or sponsors’ privacy statements and/or our Website Privacy Notice located here. If you do not wish for your information to be shared, you may choose to not opt-in via the applicable event/webinar registration.
- With KnowBe4 Affiliates and other companies that become part of KnowBe4 in the future.
- We will disclose your information to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding. In accordance with applicable laws, we will use reasonable efforts to notify you of any transfer of Personal Data to an unaffiliated third party, and you may request to have your Personal Data deleted from our systems, where possible.
- Finally, we will disclose your information for other legitimate business purposes.
KnowBe4 reserves the right to disclose your Personal Data under the following conditions: (1) where permitted or required by law; (2) when trying to protect against or prevent actual or potential fraud, unauthorized transactions, or other suspected illegal activity; or (3) when investigating suspected fraud or other suspected illegal activity which has already taken place.
Sale of Personal Data
KnowBe4 will never sell your Personal Data.
Account Admin(s)
Your Account Admin will use your Personal Data to communicate with you for support purposes or to follow up on requests made by you or another User of the Subscription Services as well as your use of the Services. An Account Admin runs the Services and delivers the Services to their Users. When you or your Account Admin upload information (such as organization email addresses) into our Services, it has been done at the discretion of your organization, or our Customer, that you or your Account Admin belong to. The Account Admin’s organization is the “controller” of the Personal Data and KnowBe4 acts as a “processor” of the Personal Data. KnowBe4 is legally bound by the applicable terms for the Services purchased, such as the KnowBe4 Terms of Service, other applicable agreements for the Services between KnowBe4 and your organization, and/or Data Processing Agreements, to only process data as authorized by the agreement(s) and upon the instruction of the controller. If you have any detailed questions regarding these agreements, please contact your Account Admin or KnowBe4 directly and we will forward your request to your appropriate organizational contact.
Subject to legal and contractual requirements, you can refuse our collection of your data or withdraw consent to further collection. Your Personal Data will never be used outside of the scope for which KnowBe4 was contracted.
Opt Out
Since the Services provided are at the request of your organization, you can contact your organization’s Account Admin to opt out of the Services provided. Additionally, you can contact your Account Admin to make changes to your Personal Data. KnowBe4 does not have control over how your organization uses your Personal Data for their purposes. You can also contact us to contact your organization on your behalf by emailing privacy@knowbe4.com.
International Transfers of Personal Data
Your Personal Data will be collected, transferred to, and stored by us in the United States or by our Affiliates in other countries where we operate. In the event that your Personal Data is processed outside the European Economic Area (EEA) or other applicable jurisdiction, we will ensure that the recipient of your Personal Data offers an adequate level of protection by entering into an agreement to abide by Standard Contractual Clauses for the transfer of data as approved by the European Commission (Art. 46 GDPR) or another mechanism approved by appropriate regulatory bodies.
Data Security and Retention
Your Personal Data is kept secure. Only our authorized employees, agents, and contractors (who have agreed to keep information secure and confidential) have access to this information. To provide our Services, we use TPPs to perform specialized services for data processing. When we provide data to these TPPs, they are not permitted to use data outside of the scope for which we contracted them.
We (and our TPPs) use a variety of industry standard security measures to prevent unauthorized access, use, or disclosure of your Personal Data. These security measures consist of, but are not limited to, data encryption and physical security. No method of transmission or method of electronic storage over the internet is 100% secure. Therefore, while we strive to use industry standard means to protect your Personal Data, we cannot guarantee its absolute security.
KnowBe4 will retain your Personal Data for the period necessary to fulfill the purpose outlined in this Product Privacy Notice or until you request its deletion, unless a longer retention period is required by applicable data privacy law.
We take reasonable steps to ensure that your Personal Data is accurate, complete, current, and otherwise reliable for its intended use. We will not process Personal Data in a way that is incompatible with the purposes for which it was collected. If your Personal Data has been disclosed to a TPP and it has been deemed incorrect by you, KnowBe4 will make reasonable efforts to contact your Account Admin and will work with the TPPs (such as our subprocessors) to request a correction to the information.
If KnowBe4 obtains knowledge that one of our employees or TPPs is in violation of this Product Privacy Notice, KnowBe4 will take industry standard steps to prevent or stop the unauthorized use or disclosure of your Personal Data. KnowBe4 takes data privacy seriously. Therefore, we agree to take industry standard measures to ensure the proper handling of your Personal Data by our employees and TPPs.
Your Rights
You have certain rights relating to your Personal Data, subject to local data protection laws. Depending on the applicable laws and, in particular, if you are located in the EEA or other applicable location, these rights may include:
- accessing, correcting, amending, deleting your Personal Data;
- objecting to any processing of your Personal Data carried out on the basis of our legitimate interests (right to object). Where we process your Personal Data for direct marketing purposes or share it with third parties for their own direct marketing purposes, you can exercise your right to object at any time to such processing without having to provide any specific reason for such objection;
- not being subject to a decision based solely on automated processing, including profiling, which produces legal effects ("Automated Decision-Making");
- to the extent we base the collection, processing, and sharing of your Personal Data on your consent, withdrawing your consent at any time, without affecting the lawfulness of the processing based on such consent before its withdrawal; and
- requesting to limit the use or disclosure of your Personal Data.
How to exercise your rights
To exercise your rights, please contact us at privacy@knowbe4.com.
More Important Information
EU-U.S. Data Privacy Framework Notice
On July 10, 2023, the European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework entered into force.
KnowBe4 complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. KnowBe4 has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. KnowBe4 has certified to the U.S. Department of Commerce that we adhere to the Swiss-U.S. DPF Principles with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Product Privacy Notice and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the EU-U.S. DPF and/or Swiss-U.S. DPF Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, please visit dataprivacyframework.gov/.
To view our certification, please visit this page and search for “KnowBe4”.
As required under the principles, when we receive information under the DPF program and then transfer it to TPPs acting as an agent on our behalf, we have certain liability under the DPF. If the agent processes the information in a manner inconsistent with the DPF, we are responsible for the event giving rise to the damage.
We encourage you to contact us at privacy@knowbe4.com if you have a DPF-related (or general privacy-related) complaint. If you have an unresolved privacy or data use complaint that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge). Through this third-party dispute resolution provider, we have also committed to cooperating and complying with the information and advice provided by an informal panel of data protection authorities in the European Economic Area, the Swiss Federal Data Protection, and/or the UK Information Commissioner (as applicable) in relation to unresolved complaints (as further described in the DPF program). You may also contact your local data protection authority within the European Economic Area or Switzerland (as applicable) for unresolved complaints.
Under certain conditions, more fully described on the Data Privacy Framework website, including when other dispute resolution procedures have been exhausted, you may invoke binding arbitration.
KnowBe4 is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (“FTC”). KnowBe4 may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Protected Health Information, Payment Card Information, and other Sensitive Information.
KnowBe4 does not need, nor does it request, any protected health information (“PHI”) governed by the Health Insurance Portability and Accountability Act and its implementing regulations (“HIPAA”), nor does it need or request any non-public consumer personally identifiable information or financial information governed by the Gramm-Leach-Bliley Act (“GLBA”) or payment card information covered by the Payment Card Industry Data Security Standards (“PCI DSS”) in order to provide its Services. You should never disclose, or allow to be disclosed, PHI, information protected by PCI DSS or GLBA, or other sensitive information to KnowBe4. In the event that an end user discloses such information (which would be a violation of this Product Privacy Notice), you, on behalf of your organization, acknowledge that KnowBe4 does not take steps to ensure its Services are HIPAA or PCI DSS compliant. All obligations of the aforementioned regulations remain solely with you, on behalf of your organization.
Education Customers
COPPA and Parental Consent
If Customer allows Users under the age of 13 to use the Services, Customer consents as required under the Children’s Online Privacy Protection Act ("COPPA") to the collection and use of personal information in the Services, described in this Product Privacy Notice, from such Users (to the extent COPPA is applicable in Customer’s jurisdiction).
FERPA Compliance
The parties acknowledge that: (a) Customer Data may include personally identifiable information from education records that are subject to FERPA ("FERPA Records"); and (b) to the extent that Customer Data includes FERPA Records, KnowBe4 will be considered a "School Official" (as that term is used in FERPA and its implementing regulations) and will comply with FERPA. "FERPA" means the Family Educational Rights and Privacy Act (20 U.S.C. 1232g) and the Family Educational Rights and Privacy Act Regulations (34 CFR Part 99), as amended or otherwise modified from time to time.
California Consumer Protection Act
This section provides additional details about the personal information we collect about California consumers and the rights afforded to them under the California Consumer Privacy Act (“CCPA”).
We do not provide services, or other items of value, as consideration for your, or your Users’, personal information protected by the CCPA. You are responsible for ensuring your compliance with the requirements of the CCPA in your use of the Services we provide to you and your own processing of personal information.
Here are a few things that KnowBe4 will NOT do with personal information in the scope of acting as a service provider, as defined by CCPA:
- sell, rent, or otherwise disclose your personal information to third parties in exchange for money or something else of value;
- use your information outside the scope of the agreement(s) for services that we have with you.
Subject to certain limitations, the CCPA provides California consumers the right to request to know more details about the categories or specific pieces of Personal Data we collect (including how we use and disclose this Personal Data), to delete their Personal Data, to opt out of any “sales” that may be occurring, and to not be discriminated against for exercising these rights.
California consumers may make a request pursuant to their rights under the CCPA by contacting us at privacy@knowbe4.com. We will verify your request using the information associated with your account, including email address. Consumers can also designate an authorized agent to exercise these rights on their behalf.
Contacting Us
To exercise your rights regarding your Personal Data, or if you have questions regarding this Product Privacy Notice or our data protection practices, please send an email to privacy@knowbe4.com. Alternatively, you may send notice by way of mail at the address listed below:
KnowBe4, Inc.
33 N. Garden Avenue, Suite 1200
Clearwater, FL 33755, USA
Attn: KnowBe4 Privacy Team
We are committed to working with you to obtain a fair resolution of any complaint or concern about your data. If, however, you believe that we have not been able to assist with your complaint or concern, and you are located in the EEA, you have the right to lodge a complaint with the competent supervisory authority.