Last Updated: March 15, 2024

Business Partner Code of Conduct

KnowBe4, Inc. and its subsidiaries (“KnowBe4”) take pride in fostering a culture that encourages high ethical standards of business conduct. KnowBe4 is committed to carrying out business in a legal, ethical, transparent, and socially responsible manner. As a company with global operations, ensuring compliance with all applicable laws in all countries in which we conduct business, promoting honest conduct and creating a positive environment for our employees is a top priority. Gaining the trust of customers, vendors, employees and the community starts with a culture based on these fundamental values. This Code of Conduct (“Code”) applies to all businesses, suppliers, vendors, contractors, consultants, partners (including channel partners) and other third-party providers (“Business Partner”) that provide goods or services to, or on behalf of, KnowBe4. Any questions concerning this document should be directed to KnowBe4’s Legal Department at: compliance@knowbe4.com.

Purpose

Business Partner is committed to deterring wrongdoing and promoting:

  1. fair and accurate financial reporting;

  2. compliance with applicable laws, rules and regulations including, without limitation, full, fair, accurate, timely and understandable disclosure in reports and documents filed with, or submitted to, government agencies and in other public communications;

  3. honest and ethical conduct, including the ethical handling of actual or apparent conflicts of interest; and

  4. a culture of honesty and accountability.

This Code serves as a guide, and KnowBe4 expects everyone to use good judgment and adhere to the high ethical standards to which KnowBe4 is committed.

1. Compliance with the Law 

Business Partner complies with the laws, regulations, rules, controls, and orders applicable to our business in all jurisdictions in which we conduct business including, but not limited to, the following:

  • Bribery and corruption 

  • Fair competition

  • Trade controls and anti-money laundering

  • Charitable and political contributions

  • Data privacy and information security

  • Conflicts of interest

  • Marketing and advertising

  • Fair dealings

Bribery and Improper Advantages

Business Partner conducts all business with integrity and transparency. Business Partner strictly prohibits all forms of bribery and corruption, regardless of whether they involve a public official or private person. Business Partner is truthful in its business interactions and does not tolerate the promise, acceptance, or offering of bribes, kickbacks and all other means of obtaining an undue or improper advantage, such as gifts, payments, fees, services, discounts, valued privileges or other favors where these would, or might appear to, improperly influence a business transaction.

Business Partner does not tolerate any form of extortion or embezzlement. Business Partner believes in fair business dealings and does not partake in unfair business advantages through the abuse of privileged information, misrepresentation of material facts, or any other unfair or dishonest practices.

Gifts, Meals & Entertainment

Business Partner must not accept or provide any gift, meal or entertainment if it will obligate, or appear to obligate, the recipient. Business Partner must exercise good judgment, discretion, and moderation when giving or accepting gifts or entertainment in business settings. 

There are more stringent rules concerning gifts and entertainment provided to government officials. Offering anything of value to a government official is, in many cases, prohibited by law. 

Fair Competition

Business Partner supports free and fair competition, and complies with antitrust/competition laws applicable to its business activities in all jurisdictions in which it operates. Accordingly, Business Partner does not unlawfully: (i) enter into any agreement with any of its competitors with regard to price, terms or conditions of sale, production, distribution, territories, customers or employee wages; or (ii) exchange or discuss with any of its competitors pricing, marketing plans, manufacturing costs, or other competitive information, amongst other measures required by applicable law.

KnowBe4 is dedicated to complying with the numerous laws that govern competition. Any activity that undermines this commitment is unacceptable. 

Trade Controls and Anti-Money Laundering

Business Partner complies with the various economic sanctions programs, anti-money laundering and export control requirements administered by the United States and other jurisdictions where it conducts business. Such laws prohibit Business Partners from participating in certain transactions involving restricted countries or parties, be it directly, or indirectly through third parties.

Business Partner does not provide, sell or transfer any products, services, technology, software or technical data to, or otherwise engage in business without the necessary government authorizations with, any of the following:

  • Parties targeted for boycotts, embargoes, sanctions, or other similar measures by the United Nations Security Council;

  • Parties appearing on the European Union’s Consolidated Sanctions List;

  • Parties appearing on the United Kingdom’s List of Consolidated Financial Sanctions Targets;

  • Parties appearing on the Denied Persons List, Entity List, and Unverified List administered by the U.S. Commerce Department; 

  • Parties appearing on the sanctions lists administered by the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) and the U.S. State Department; 

  • Countries or regions subject to U.S. embargoes or sanctions including, but not limited to, Cuba, Iran, North Korea, Syria, and the Donetsk, Luhansk and Crimea regions; or

  • Parties that are at least 50% owned or controlled by parties subject to sanctions programs administered by OFAC, whether individually or in the aggregate. 

Business Partner does not tolerate or engage in activity that directly or indirectly contributes to the Arab League Boycott or other prohibited boycotts during the course of business dealings.

Business Partner complies with all applicable trade controls and will not cause KnowBe4 to be in violation of those laws. 

Business Partner complies with its obligations under anti-money laundering (AML) laws and regulations, specifically the risks associated with third parties.

Charitable and Political Contributions

KnowBe4’s Business Partners are evaluated on a number of factors including but not limited to: price, quality, ability and availability to do the work, and previous performance (where applicable). These choices are not influenced by a Business Partner’s giving or not giving to any particular charity.  

KnowBe4 employees are strictly prohibited from soliciting Business Partner for a charitable donation or suggesting that a Business Partner’s charitable donation may affect their business or future with KnowBe4.  Business Partner shall refuse any requests for donations of this nature. If Business Partner receives a request for a charitable donation or if Business Partner has questions or comments regarding such requests, Business Partner may contact KnowBe4’s Legal Department by emailing compliance@knowbe4.com to seek further guidance or to report an incident.

Business Partner complies with U.S. federal law that prohibits Business Partner from making contributions or expenditures in connection with federal elections, as applicable. As each U.S. state has additional laws, rules, and regulations governing political contributions in state and local elections, Business Partner complies with the laws in the jurisdiction(s) in which it does business. Business Partner agrees not to make any contributions or expenditures in connection with federal elections nor any other U.S. state elections on behalf of KnowBe4. Additionally, Business Partner follows the laws, regulations, and orders applicable to the jurisdictions outside of the U.S. where it conducts business that prohibit similar activities. 

Data Protection and Information Security

Business Partner shall take and implement all appropriate technical and organizational security and confidentiality measures and regularly update them to ensure a level of security appropriate to the information provided to Business Partner by KnowBe4 over the standard course of business ("KnowBe4 Data"). Business Partner shall protect KnowBe4 Data against any actual or threatened unauthorized use, modification, loss, compromise, destruction, disclosure, or access (“Security Incident”). Business Partner shall implement and maintain policies and procedures to detect and respond to Security Incidents. Such measures shall require Business Partner to have regard to industry standards and costs of implementation as well as consider the nature, scope, context, and purpose of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals. A Business Partner with access to KnowBe4 Data that cannot adhere to this standard must utilize KnowBe4-managed devices to perform scoped work (if deemed necessary by KnowBe4), in addition to abiding by applicable KnowBe4 policies. A Business Partner using its own devices over the course of the engagement is subject to its devices being audited and reviewed for proper security configurations. Business Partner must have a defined address from which it will perform the work. Working from a different remote location or changing locations altogether requires prior written notification to KnowBe4. KnowBe4 may object to any remote work location specified by Business Partner. Business Partner will work in good faith with KnowBe4 to determine an acceptable remote location for both Business Partner and KnowBe4. Business Partner is only authorized to perform scoped work from KnowBe4-approved accounts.

Business Partner acknowledges that KnowBe4 is relying upon Business Partner’s skill and knowledge to assess what is “appropriate” to protect KnowBe4 data against unauthorized or unlawful processing including, but not limited to, accidental loss, destruction, damage, alteration, or disclosure. Business Partner shall undertake regular reviews of the technical and organizational measures and the data processing activities connected with its operations to ensure compliance with all applicable data protection laws and to consider improving the technical and organizational measures such that they meet or exceed industry best practices. These practices include, but are not limited to:

  • Never commingling KnowBe4 Data with data of other customers
  • Contracted organizations ensure that only personnel who have had suitable background checks, including criminal checks, performed upon hire and at least annually will be permitted to work on KnowBe4 projects
  • Full disk encryption must be enabled on all in-scope devices
  • Industry standard anti-malware must be loaded on in-scope machines
  • Devices must be patched regularly in accordance with a standard patch management program

Business Partner shall protect all KnowBe4 data that is likely to be transferred via the internet by encryption measures reasonably designed to ensure confidentiality. In the event Business Partner stores any KnowBe4 data on any mobile device (including, but not limited to, laptop computers, compact discs, tablet computers, external hard drives, backup tapes and/or removable diskettes), such KnowBe4 data shall be stored in an encrypted form.

Business Partner shall adopt and maintain a comprehensive written information security policy that describes its policies and procedures to comply with this Code of Conduct and shall provide a copy to KnowBe4 upon request. In the event that there is a web portal involved, Business Partner is expected to provide evidence of regular vulnerability scans and penetration tests against the system as well as any details of the system’s architecture.

In the event of a Security Incident arising during the performance of the services by a Business Partner, Business Partner shall notify KnowBe4 within 24 hours of becoming aware of the Security Incident. Business Partner, given the information available at the time, shall provide a description of the Security Incident including the nature of the Security Incident, the categories and approximate number of Data Subjects affected, the categories and approximate number of data records affected, the likely consequences of the Security Incident and the risks to affected Data Subjects. Business Partner shall provide regular updates as additional information becomes available. Business Partner will take all actions required by data protection laws as well as maintain all records relating to the Security Incident, including the results of any investigation performed and remediations made following the incident. Business Partner shall cooperate with KnowBe4 to prevent future Security Incidents.

Cross-border Data Transfers

Pursuant to the obligations under the EU General Data Protection Regulation (GDPR), UK Data Protection Act, and the Swiss Federal Act on Data Protection (FADP), as may be applicable, the parties hereby agree that the Standard Contractual Clauses (SCCs) shall govern all transfers of personal data. Specifically, the SCCs shall be applied as follows: Module Two or Three, as applicable, shall apply to Processor arrangements, and Module One shall apply to Controller arrangements. The optional docking clause (Clause 7) shall not be applied in any case. Where applicable, for Clause 9, Option 2 shall be selected, with the period for prior notice of Sub-Processor changes being ten (10) business days. The optional language provision in Clause 11 shall be excluded. Under Clause 17, Option 1 is selected, establishing that the governing law for the SCCs shall be Irish law for Processor arrangements, Dutch law for Controller arrangements, and Swiss law for arrangements under the Swiss FADP. Dispute resolution shall be conducted in the courts of Ireland, the Netherlands, or Switzerland, corresponding to the applicable legal framework as specified in Clause 18(b). Annexes I and II of the EU SCCs are considered completed with the details provided in the main agreement.

For data transfers governed by the UK Data Protection Law in the absence of a completed separate UK Addendum, references within the SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the UK Data Protection Act. Similarly, references to "EU", "Union", "Member State", and "Member State law" shall be construed as references to the UK and UK law. The competent supervisory authority for these transfers shall be the Information Commissioner's Office (ICO) of the UK. In case of any disputes arising from these transfers, the governing law shall be that of England and Wales, and disputes shall be resolved before the competent courts of London, England.

In the event of any discrepancies between the SCCs and any other provisions of this Code or other agreement, the SCCs shall prevail.

The parties may act either as a controller or processor in relation to the processing of personal data, depending on the nature of the services provided. The specific roles and responsibilities of each party, in compliance with applicable data protection laws and regulations, shall be determined by the context of the processing activities undertaken.

Conflicts of Interest

Business Partner will immediately notify KnowBe4 if it becomes aware of any potential conflict of interest during the course of its business dealings with KnowBe4 or one of its representatives acting on its behalf. Business Partner agrees to avoid situations which could cause a conflict of interest.

Marketing and Advertising

If Business Partner is marketing products, services, or other offerings on behalf of KnowBe4, Business Partner represents and warrants that Business Partner will comply with all applicable advertising and marketing laws, orders, rules, and regulations. Specifically, but not exhaustively, this provision shall include the Lanham Act, the Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM), the Telephone Consumer Protection Act, and other such laws, rules, orders, and regulations in all jurisdictions in which Business Partner conducts business for, and on behalf, of KnowBe4.

Fair Dealings

Business Partner does not seek competitive advantages through illegal or unethical business practices. Business Partner deals fairly with our customers, suppliers, competitors, business partners and employees, and does not take unfair advantage of anyone through manipulation, concealment, abuse of privileged information, misrepresentation of material facts or any unfair dealing practice. Business Partner shall use good faith efforts to perform contractual obligations and to comply with this Code even in the event of challenges that arise which are outside of Business Partner’s control.

2. Immigration, Hiring and Employment Practices

Business Partner complies with applicable national, federal, state, and local laws forbidding discrimination in employment based on protected characteristics, such as on the basis of race, color, religion (including religious dress and grooming practices), age, national origin, ancestry, ethnicity, sex (including pregnancy, childbirth, breastfeeding or related medical conditions), gender (including gender identity, gender expression, transgender status or sexual stereotypes), sexual orientation, marital or family care status, status as a victim of domestic violence, sexual assault or stalking, military/veteran status, physical or mental disability, medical information (including genetic information or characteristics, including those of a family member), immigration status or citizenship status, political affiliation or membership in any other group protected by national, federal, state, or local law as it may vary by jurisdiction. Business Partner also complies with applicable national, federal, state, and local laws forbidding retaliation against individuals who engage in protected activity. 

Business Partner is committed to maintaining a respectful workplace. This includes a working environment that is free from unlawful harassment based on protected characteristics, including sexual harassment.

Business Partner must:

  • Implement and maintain a reliable system to verify the identity and employment eligibility of all workers including, but not limited to, verification of age eligibility and legal status of foreign workers; and

  • Implement and maintain a reliable system to verify its workers are not a known risk to KnowBe4 in light of access such workers will have to confidential or proprietary information, facilities, network and systems, financial data and other data protected by privacy law or applicable agreements between Business Partner and KnowBe4 including, but not limited to, standard background checks or other such verifications that are common and lawful in our industry and jurisdiction.

Labor

All labor must be voluntary. Business Partner shall comply with all applicable laws, rules, and regulations related to labor and employment, including anti-forced labor and child labor. Without limiting its obligations hereunder, Business Partner shall not, and shall ensure that its partners do not, support or engage in any prison labor, indentured labor, bonded labor, or otherwise.

Business Partner shall also comply with all applicable laws, rules, and regulations prohibiting human trafficking and slavery. This includes preventing employees and/or representatives from engaging in any human trafficking-related activities such as procuring commercial sex acts, using child labor, and using forced labor. Business Partner shall also avoid partaking in misleading or fraudulent employment practices.

Compensation

Business Partner must ensure that its employees are paid at least the minimum wage required by national, state and local laws, including overtime compensation at the rate applicable in their country, and shall be provided legally mandated benefits.

Health and Safety

Business Partner must provide a safe and healthy working environment to its employees to prevent accidents and injuries in accordance with national, state, and local laws. Proactive measures must be taken to prevent workplace hazards. 

Business Partner shall conduct business in compliance with all applicable national and international environmental, health, and safety regulations.

3. Confidentiality

“Confidential Information” means all information or material which: (i) would give a party some competitive business advantage, or the opportunity of obtaining some competitive business advantage, or the disclosure of which could be detrimental to the interests of KnowBe4; and (ii) which is either (a) marked “Confidential,” “Restricted,” or “Proprietary Information” or other similar marking, (b) known by Business Partner to be considered confidential and proprietary; or (c) from all relevant circumstances should reasonably be assumed to be confidential and proprietary. 

Business Partner agrees it shall take reasonable measures to protect the secrecy of and avoid disclosure and unauthorized use of the Confidential Information of KnowBe4. Business Partner shall take at least those measures that it takes to protect its own Confidential Information of a similar nature, but in no case less than reasonable care. Business Partner shall ensure that its representatives who have access to KnowBe4's Confidential Information have signed a non-use and non-disclosure agreement  or are otherwise legally obligated not to disclose such Confidential Information, prior to any disclosure of Confidential Information to such representatives. Business Partner shall reproduce KnowBe4's proprietary rights notices on any such authorized copies, in the same manner in which such notices were set forth in or on the original. Business Partner shall promptly notify KnowBe4 of any use or disclosure of Confidential Information in violation of this Code of Conduct of which Business Partner becomes aware. Business Partner will cooperate with KnowBe4 in every reasonable way to help KnowBe4 regain possession of such Confidential Information and prevent its further unauthorized use. Business Partner agrees not to publish or publicly circulate Confidential Information of KnowBe4 received in the course of doing business.

Intellectual Property

KnowBe4 values its intellectual property rights and wishes to respect the intellectual property rights of others. Business Partner shall maintain procedures that ensure KnowBe4’s intellectual property will not be improperly used or disclosed. Business Partner is required to sign a non-disclosure agreement prior to the transfer of any confidential or proprietary information between Business Partner and KnowBe4. Business Partner also represents and warrants that any such intellectual property it provides to KnowBe4 does not violate any laws governing intellectual property rights including, but not limited to, the protection of trade secrets, patents, copyrights, and trademarks. Business Partner is not permitted to use KnowBe4’s logo on business cards, websites, or other Business Partner printed materials without advance written approval from an authorized representative of KnowBe4.

4. Financial Reports and other Records - Disclosure

In some countries, including the United States, it may be a violation of law if a company fails to maintain accurate books and records. Therefore, all KnowBe4 Business Partners are required to fully and accurately record all business transactions and maintain those records per applicable retention guidelines. This is particularly important with regards to financial and operational reporting, business related transactions including timecard and expenses, and quality, safety, and procurement records.

5. Respect and Responsibility

Business Partner must treat others with respect, with professionalism, and in a friendly manner. This is what makes the KnowBe4 environment unique and contributes to having a fun place to work, and we believe our relationship with our partners should be built on that same level of respect. Aggressive, overly argumentative, and unprofessional behavior, including, without limitation, using profanity or expletive language, is strictly prohibited.

6. Speak up

KnowBe4 provides mechanisms for reporting, in good faith, suspected violations of the law. Such reports are treated as confidential to the extent reasonably possible for conducting an investigation. Concerns are raised with management. Should this not be possible, or should no satisfactory response be received, reports may also be made using the Whistleblower Hotline. As Whistleblower laws vary by country, we encourage those reporting to follow the reporting procedures as lawful and customary in the jurisdiction from which they are reporting.

knowbe4whistleblower.ethicspoint.com (mobile version: https://knowbe4.navexone.com/)

Compliance with this Policy

All Business Partners are required to take reasonable steps to ensure compliance with this Code of Conduct.  Upon learning of any failure to comply with this Code of Conduct, Business Partner must report the non-compliance to KnowBe4 immediately.  A Business Partner’s failure to adhere to this Code of Conduct may be grounds for KnowBe4 to immediately terminate its relationship. Furthermore, violations of some provisions of this Code are illegal and may subject individuals to civil and criminal liability. It is the expectation that all Business Partners perform the necessary self-audits to ensure they are in compliance with this Code of Conduct at all times. KnowBe4 shall have the right to audit Business Partner including, but not limited to, Business Partner’s books and records for the purpose of verifying compliance under this Code of Conduct. Business Partner shall provide reasonable assistance in cooperating with all such audits. KnowBe4 may immediately terminate its business relationship (including any purchase order(s) and purchase contracts) with Business Partner without recourse if Business Partner or its representatives fail to meet the standards set forth in this Code of Conduct. KnowBe4 may, in its sole discretion, require recertification of this Code of Conduct by Business Partner throughout the term of any business dealings with Business Partner. 

This Code of Conduct is in no way intended to conflict with or modify the terms and conditions of any existing contract. Instead, this Code of Conduct is intended to supplement any such contract terms. In the event of a conflict, Business Partners must first comply with all applicable laws and regulations, then the contract terms, followed by this Code of Conduct, provided KnowBe4 will retain the termination rights outlined above.

KnowBe4 reserves the right to amend this Code at any time, for any reason, subject to applicable laws, rules and regulations.

