Security Statement
Overview
As a security company built and operated by security-minded individuals, we respect your privacy and make significant effort to protect your data. We would never do anything with your data that we wouldn’t want you to do with ours.
Keeping our customers' data secure is the most important thing we do. We go to considerable lengths to ensure that all data is provided to KnowBe4 securely; keeping KnowBe4 systems and your data secure is fundamental to our business. Before you get started, we recommend you review our Terms of Service and Privacy Policy.
Compliance
The KnowBe4 Platform (KMSAT + PhishER) has maintained a FedRAMP Moderate ATO (Authorization To Operate) since 11/14/2023.
All KnowBe4 products are SSAE18 SOC 2 Type 2 certified. This includes KMSAT, PhishER, and SecurityCoach. If you require a copy of the full SOC 2 Type 2 report, please work with your sales representative or customer success manager. The SOC 3 report can be found here.
The KnowBe4 SOC 2 assessments include all of the Trust Services Criteria:
- Security
- Availability
- Processing Integrity
- Confidentiality
- Privacy
Should you require a bridge letter for compliance purposes, please work with your representative or customer success manager.
You can find a copy of our recently completed Consensus Assessment Initiative Questionnaire (CAIQ) on our Cloud Security Alliance (CSA) STAR Registry page here: https://
KnowBe4 products are Cyber Essentials certified. You can review our certification here.
The International Organization for Standardization 27001 Standard (ISO 27001) is an information security standard that ensures office sites, development centers, support centers and data centers are securely managed. KnowBe4 is audited against a variety of standards in the ISO 27001 family by its independent third-party certifier, which is accredited by the ANSI-ASQ National Accreditation Board (ANAB). The standards against which KnowBe4 has been successfully audited include:
- The International Organization for Standardization 27001:2022 Standard covering information security controls
- The International Organization for Standardization 27701:2019 Standard covering privacy information management
- The International Organization for Standardization 27017:2015 Standard covering information security controls for cloud computing
- The International Organization for Standardization 27018:2019 Standard covering protecting PII in the public cloud for data processors
You may find the links to our aforementioned certifications here and here.
Information Security and Data Privacy Team
KnowBe4’s dedicated Information Security and Data Privacy teams hold relevant industry certifications detailed below.
Access and Authentication Controls
KnowBe4 restricts access to customer and confidential data on a business need-to-know basis. Access is granted based on one’s role within the organization. KnowBe4 enforces mandatory multi-factor authentication for all access to confidential data. Where applicable, access to systems is restricted by IP address.
Data Handling and Data Privacy
- KnowBe4 maintains compliance with the European Union’s General Data Protection Regulation 2016/679 (GDPR).
- We rely on the E.U. Commission approved standard contractual clauses for data transfer from the EEA to the United States. We have policies and procedures in place to comply with any applicable data privacy laws.
For more information on types of data and for what purpose, please refer to the product tab of our Privacy Policy.
Data Encryption
KnowBe4 leverages AWS for data encryption in transit (TLS) and at rest (AES-GCM 256). KnowBe4 currently uses Load Balancer and CloudFront Security Policies supporting TLS 1.2 and higher. Details of this can be found here. KnowBe4 uses the AWS Key Management Service (KMS) to enable data at rest encryption across our products. We use this for encrypting data within databases (RDS), and data stored within S3. AWS KMS uses the Advanced Encryption Standard (AES) algorithm in Galois/Counter Mode (GCM) with 256-bit secret keys.
Data Center Location
KnowBe4 operates within Amazon Web Services (AWS). AWS follows the Shared Responsibility Model. AWS is responsible for the security of the cloud, and KnowBe4 is responsible for security in the cloud. Information regarding the compliance of AWS data centers can be found on the AWS compliance website here. If you are required to review the data center SOC report, you can review the latest AWS SOC 3 report located here: AWS SOC 3 Report.
We Use the Following AWS Regions
You are able to select your data storage location based on your data localization requirements. Currently we operate data centers in the United States, Europe, United Kingdom and Canada. However, please note that we use ancillary services for certain functions, so these services may store data in another location, listed here.
| Product | Production Database | Disaster Recovery Database |
| --- | --- | --- |
| KMSAT & PhishER (Option 1) *For customers wishing their data reside in the United States | Amazon AWS Data Center in the United States, Northern Virginia (us-east-1) | Amazon AWS Data Center in the United States, Oregon (us-west-2) |
| KMSAT & PhishER (Option 2) *For customers who wish to have long-term data storage in Ireland (EU) | Amazon AWS Data Center in Europe located in Dublin, Ireland (eu-west-1) | Amazon AWS Data Center Frankfurt, Germany (eu-central-1) |
| KMSAT & PhishER (Option 3) *For customers who wish to have long-term data storage in Canada | Amazon AWS Data Center in Montreal, Canada (central) | Amazon AWS Data Center in Europe located in Dublin, Ireland (eu-west-1) |
| KMSAT & PhishER (Option 4) *For customers who wish to have long-term data storage in the UK | Amazon AWS data center in London, England (eu-west-2) | Amazon AWS Data Center in Europe located in Dublin, Ireland (eu-west-1) |
| KMSAT & PhishER (Option 5) *For customers who wish to have long-term data storage in Germany (EU) | Amazon AWS Data Center Frankfurt, Germany (eu-central-1) | Amazon AWS Data Center in Europe located in Dublin, Ireland (eu-west-1) |
| KCM GRC (Option 1) *For customers wishing their data reside in the United States | Amazon AWS Data Center in the United States, Northern Virginia (us-east-1) | Amazon AWS Data Center (us-west-1) |
| KCM GRC (Option 2) *For customers wishing their data reside in EEA and/or the UK | Amazon AWS Data Centers in Europe located in London (eu-west-2) | Amazon AWS Data Center Dublin, Ireland (eu-west-1) |
Data is not shared between the data centers. You may request an account in each region, but these will be independent of each other, and data will not synchronize between accounts.
Data Backups and Retention
KnowBe4 maintains one year of database backups and three years of audit and application logs. These backups are stored encrypted in accordance with the Data Encryption section listed above. To submit a data deletion request, please work with your sales representative or customer success manager.
Awareness and Training
All KnowBe4 employees complete mandatory security awareness and privacy training upon hire and at least once annually. We conduct simulated phishing and social engineering tests on an ongoing basis at least once a month. All KnowBe4 employees and contractors sign confidentiality and non-disclosure agreements upon hire and before access to company or customer data.
Business Continuity / Disaster Recovery
KnowBe4 engineers have designed highly scalable and resilient product architecture within AWS. Our product withstands sophisticated attacks and is highly adaptable. Our systems’ performance within the product architecture is monitored for key metrics, ensuring the load on any one system is within an acceptable range. Should any components become overloaded or experience a fault, automated processes will be executed to bring online additional temporary systems or to cycle out existing systems for new ones. Automation is built into the KnowBe4 architecture, so system monitoring, updates, and corrective actions can take place as needed with no downtime. Status and uptime monitoring can be found here.
KnowBe4’s Risk Management Program is reviewed as part of KnowBe4’s annual third-party audits (FedRAMP, ISO 27001, and SOC 2). A full overview of KnowBe4's Risk Management Program can be found here.
Code Security and Code Updates
The KnowBe4 Research and Development (R&D) department leverages a Continuous Integration / Continuous Delivery (CI/CD) pipeline for managing code deployments. Code changes are peer reviewed, approved by separate QA staff, and tested in a staging environment before they are pushed into production. The staging and production environments are logically separated, and no data is shared between them.
Logging and Monitoring
KnowBe4 collects audit and application logs from all systems. These logs are stored encrypted in a centralized logging facility separate from the system generating the logs. The log entries are in line with industry standards for audit trails. KnowBe4 maintains these logs for a period of three years for the business purpose of investigating past system activity.
Vulnerability Management
The KnowBe4 information security team performs monthly web application vulnerability scans. These scans are configured to run as authenticated scans. Any vulnerabilities found during these scans or any other vulnerability discovery activities are added to a vulnerability tracking system. There, the vulnerabilities are verified, categorized, and evaluated for actual risk. Vulnerabilities are remediated in accordance with the schedule listed below:
The following SLA will be followed for vulnerability findings based on CVSS with a Snyk Priority Score lower than 800. Snyk does not use the CVSS score alone to determine priority. Snyk's Priority Score is a comprehensive scoring system that processes multiple factors, including the CVSS score, the availability of a fix, known exploits, how new the vulnerability is, and whether it is reachable or not.
| Severity | Critical/High | Medium | Low | Informational |
| --- | --- | --- | --- | --- |
| Remediation Timeline | < 30 Days | < 90 Days | < 180 Days | Discretionary |
The following SLA will be followed for:
- Vulnerability findings based on CVSS with a Snyk Priority Score of 800 or higher
- Non-CVSS scored vulnerabilities with a risk score determined by leveraging OWASP Risk Rating Methodology (Risk = Likelihood * Impact)
| Severity | Critical/High | Medium | Low | Informational |
| --- | --- | --- | --- | --- |
| Remediation Timeline | < 14 Days | < 30 Days | < 180 Days | Discretionary |
Penetration Testing / Bug Bounty / Report Security Vulnerabilities
KnowBe4 participates in a paid, private bug bounty program where vetted third-party researchers conduct ongoing penetration testing of our products. If you feel you have discovered a security flaw in our system, you can sign up for the program, and we will invite you to participate. You can submit any vulnerabilities through the bug bounty program or by contacting the KnowBe4 security team directly at infosec@knowbe4.com. We encourage you to test, and we encourage you to share what you find. Security testing outside of this private program is not permitted. We do not permit any automated scanning as part of this program; the researchers are instructed to perform manual testing so as to not be disruptive.