KMSAT, KCM GRC, PhishER, and SecurityCoach DPIA

Last Updated: July 19, 2023

1. SCOPE

This KnowBe4 Data Privacy Impact Assessment (“DPIA”) is only applicable to the extent KnowBe4, Inc. and/or its affiliates (“KnowBe4”) is a processor of personal data for its various product and service offerings, including KMSAT, KCM GRC, PhishER, and SecurityCoach. The purpose of this DPIA is to provide information about KnowBe4’s personal data processing practices and to allow customers to complete their own data protection impact assessments on KnowBe4’s products and services. This DPIA only covers KnowBe4’s applicable services pursuant to the Services Agreement.

Description of KnowBe4 services.

KnowBe4 is a B2B SaaS (Software-as-a-Service) company that provides its Customers a variety of services. The services that will be included in this document are:

• KMSAT Console - a simulated phishing and security awareness and compliance training platform 
• KCM GRC Tool - a tool designed to help manage company governance, risk, compliance and audits
• PhishER - a Security, Orchestration, Automation and Response (SOAR) platform for managing the high volume of potentially malicious email messages reported by your users.
• SecurityCoach - a product that enables real-time security coaching of your users in response to risky security behavior based on the rules in your existing security software stack.

Describe the data that will be stored, used, collected or otherwise processed during the use of KnowBe4 services.

KMSAT Console

KCM GRC Tool

PhishER

SecurityCoach

Does KnowBe4 collect special categories of data (including criminal convictions, health information)?

No, KnowBe4 does not request nor does it provide appropriate fields for submitting special categories of data for any of its tools. Any special categories of data that may be received would be incidental and can be deleted upon request.

Where are the locations of KnowBe4’s servers?

KnowBe4 operates both US and EU instances. Customers may choose where data is stored during the course of the services. However, KnowBe4 leverages subprocessors in the United States and generally personal data will always be processed in the United States.

Does KnowBe4’s processing of personal data include automated decision making which can produce legal effects concerning data subjects?

No.

Do you provide notice to data subjects about the processing of their personal data?

KnowBe4 acts as a processor for its customers so it does not initiate direct contact with data subjects, unless specifically instructed to. KnowBe4 adheres to the terms of our data processing agreements and data protection notices found here when processing personal data. Data stored in KnowBe4’s products and services are provided by customers and it is the responsibility of our customers to make their users aware of how their data is being processed.

2. ACCESS TO PERSONAL DATA

How is access to personal data handled?

KnowBe4 provides products and services that leverage RBAC (Role Based Access Control). Customer administrators are able to set users roles and permission to limit access. KnowBe4’s employees and other personnel are only allowed access on a restricted basis. Access is only allowed to fulfill KnowBe4’s contractual obligations, legal obligations or legitimate business interests, such as meeting SLA’s or upon a customer’s written permission.

How do you ensure the security of KnowBe4 products?

KnowBe4 has security policies, procedures and controls to ensure the security of its products and services. These controls may be found by reviewing KnowBe4’s SOC 2 Type 2, which you may request by emailing your KnowBe4 point of contact after executing a non-disclosure agreement.  

How does KnowBe4 handle customer data subject access requests (DSAR’s)?

KnowBe4’s procedure for handling end user DSAR’s for customers is to forward the request on to the console or service administrator and provide assistance as requested.

3. INFORMATION FLOWS

International Data Transfer.

You may also execute a Data Processing Addendum with standard contractual clauses (SCC’s) with KnowBe4 by following the instructions found here.

Please describe KnowBe4’s product data flows.

KMSAT, KCM GRC, PhishER, and SecurityCoach are both built in the cloud leveraging Amazon AWS.

KMSAT Data Flow Description: Customer administrators are able to upload end user information into the console. Personal data is also generated when users complete security modules or are subject to phishing campaigns. This data is then stored in KnowBe4’s cloud storage (Amazon AWS).

KCM GRC Data Flow Description: Customers create a user account with their business email address. KCM users then upload information into the KCM console. This information is then stored in KnowBe4’s cloud storage (Amazon AWS).

PhishER Data Flow Description: Customers enable PhishER and Customer’s users report suspicious emails to be sent to Customer’s PhishER inbox. This information is then stored in KnowBe4’s cloud storage (Amazon AWS).

SecurityCoach Data Flow Description: Customers first enable third party integrations and enable within Customer’s KMSAT console. Risky activity is monitored on user devices and processed if data matches Customer detection rules and training is assigned based on the implemented rules. This information is then stored within KnowBe4’s cloud storage (Amazon AWS).

What sub-processors does KnowBe4 leverage in order to provide services?

KnowBe4 leverages sub-processors that process Personal Data in order to provide services to customers. You may request a list of sub-processors by emailing your KnowBe4 point of contact. Data Processing Agreements, including the most up to date Standard Contractual Clauses at time of signing of the Services Agreement, have been executed with all sub-processors in order to ensure the protection of Personal Data.

4. DATA SECURITY & PRIVACY BY DESIGN (PbD)

Where can I find KnowBe4’s security documentation?

KnowBe4 takes security seriously and takes appropriate measures in order to protect personal data. For more information about our security practices, you may visit our Security Page found here. Additionally, our CAIQ is available here. You may also request a copy of our SOC 2 Type 2 from your KnowBe4 point of contact after executing a non-disclosure agreement. 

How does KnowBe4 incorporate privacy by design into its products?

KnowBe4 conducts data privacy impact assessments and takes into account its data protection obligations when creating new products and services. 

Are KnowBe4 employees and agents bound by confidentiality agreements?

KnowBe4 employees and other personnel who may have access to personal data are required to sign confidentiality agreements..

Do KnowBe4 employees receive privacy and security awareness training?

Yes, KnowBe4 employees receive periodic privacy and security awareness training. 

Does KnowBe4 maintain a record of processing activities?

Yes, KnowBe4 maintains a record of processing activities.

5. DATA RETENTION

How long does KnowBe4 store Personal Data for?

KnowBe4 retains customer personal data in accordance with its customer contracts (i.e. service agreements and data processing agreements) as well as in accordance with other legal obligations.

6. HAS KNOWBE4 APPOINTED A DATA PROTECTION OFFICER?

You may contact KnowBe4’s Data Protection Officer by emailing privacymanager@knowbe4.com. 

7. WHO CAN I REACH OUT TO IF I HAVE MORE QUESTIONS?

You can either contact your KnowBe4 point of contact or send an email to privacymanager@knowbe4.com.