Last Updated: July 26, 2023

At KnowBe4, the protection of our customers’ personal data is vital. Many organizations around the globe are concerned with how their personal data is protected and processed in other countries. The purpose of this document is to provide you with information on how we comply with various global privacy laws and ensure the protection of your personal data. This document is for informational purposes only and the information presented is not legal or professional advice, is not to be acted on as such, may not be current, and is subject to change without notice. Additionally, this document is not intended to be a full or accurate list of global privacy laws nor is it intended to be a complete list of every jurisdiction in which KnowBe4 legally operates or processes data. We assess all countries on an as-needed basis. If you have specific questions about how KnowBe4 processes your personal data, please visit https://www.knowbe4.com/product-privacy-notice to learn more.


Privacy in Japan 

What is the Japanese Privacy Act?

The Japanese Privacy Act (“APPI”) is a law that came into effect in 2005 and was amended in 2017 to meet the data protection standards of the new age. The law was further amended in 2020, with the new amendments entering into force on April 1, 2022.

Does KnowBe4 comply with the APPI?

Yes, we comply with the APPI and its amendments.

Does the APPI permit the cross-border transfer of personal data?

The APPI permits the cross-border transfer of data as long as appropriate standards are met. Under the APPI our customers in Japan are considered “business operators” and we are considered the “service provider”. In order for business operators to transfer personal data to a service provider, they must request consent from individuals unless an exemption applies. One of the exemptions that apply to the cross-border transfer of personal data is if “the transfer is to the recipient that put into place a system compliant with the APPI with regard to handling of personal data.” This means that if an organization outside of Japan has appropriate technical and organizational security measures, you should be good to go.

We take security and privacy seriously and have put into place a system of robust controls to ensure the proper protection of customer data. Additionally, we offer a data processing agreement which will provide you assurances on how we protect data.

How does KnowBe4 comply with the cross-border transfer requirements under the APPI?

We have put in place robust controls to ensure that data is processed appropriately and in compliance with the APPI. Additionally, we have executed agreements with our subprocessors (or otherwise, sub-service providers) to ensure that customer data is also handled appropriately and only under your instructions.

Privacy in North America 

CANADA

It is important to note that Canada has privacy laws at both the federal and provincial level. At the federal level, Canada’s primary privacy law is the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The secondary Canadian privacy law is simply known as the Privacy Act.

Canadian provinces are also permitted to create their own provincial-level privacy laws that are deemed to be similar to PIPEDA.

Does KnowBe4 comply with PIPEDA?

Yes, we comply with PIPEDA.

Does PIPEDA permit the cross-border transfer of information?

Yes, there are no rules or restrictions in PIPEDA that prohibit organizations from transferring personal information to other countries such as the United States. The Guidelines published by the Office of the Privacy Commissioner of Canada provide more insight on how cross-border data transfers should take place.

How does KnowBe4 ensure compliance with PIPEDA?

We have put in place robust controls to ensure that data is processed appropriately and in compliance with PIPEDA. Additionally, we have executed agreements with our subprocessors (or otherwise, sub-service providers) to ensure that customer data is also handled appropriately and only under our customers’ instructions. We also ensure that our products and services are provided with privacy and security top of mind to ensure the adequate protection of your organization’s personal data.

Alberta PIPA

Does KnowBe4 comply with Alberta’s PIPA?

Yes, we comply with Alberta’s Personal Information Protection Act (PIPA).

Does Alberta’s PIPA permit the cross-border transfer of information?

Yes, Alberta’s PIPA permits the cross-border transfer of information. There are a few steps that an organization may need to take first in regard to notifications and documentation. We suggest you consult your privacy expert or legal counsel on those matters.

How does KnowBe4 ensure compliance with Alberta’s PIPA? 

We have put in place robust controls to ensure that your data is processed appropriately and in compliance with PIPA. Additionally, we have executed agreements with our subprocessors (or otherwise, sub-service providers) to ensure that your data is also handled appropriately and only under our customers’ instructions. We also ensure that our products are built with privacy and security top of mind to ensure the adequate protection of customer personal data.

British Columbia PIPA 

Does KnowBe4 comply with British Columbia’s PIPA?

Yes, KnowBe4 complies with British Columbia’s Personal Information Protection Act (PIPA).

Does British Columbia’s PIPA permit the cross-border transfer of information?

Yes, British Columbia’s PIPA permits the cross-border transfer of information. There are a few steps that an organization may need to take first in regard to notifications and documentation. We suggest you consult your privacy expert or legal counsel on those matters.

How does KnowBe4 ensure compliance with British Columbia’s PIPA? 

We have put in place robust controls to ensure that your data is processed appropriately and in compliance with PIPA. Additionally, we have executed agreements with our subprocessors (or otherwise, sub-service providers) to ensure that your data is also handled appropriately and only under our customers’ instructions. We also ensure that our products and services are provided with privacy and security top of mind to ensure the adequate protection of customer personal data.

Does British Columbia’s FIPPA permit the cross-border transfer of information?

Yes, British Columbia’s Freedom of Information and Protection of Privacy Act (“FIPPA”) permits the cross-border transfer of information under any of the following conditions:

  • (i) the individual consents to the transfer;
  • (ii) storage outside of Canada is permitted under FIPPA, including if the disclosure is necessary for installing, implementing, maintaining, repairing, troubleshooting, or upgrading an electronic system; or
  • (iii) data storage relates to payment to or by British Columbia’s government

Quebec Privacy Act

Does KnowBe4 comply with Quebec’s Privacy Act?

Yes, KnowBe4 complies with the Act Respecting the Protection of Personal Information in the Private Sector (the “Privacy Act”).

Does Quebec’s Privacy Act permit the cross-border transfer of information?

Yes, Quebec’s Privacy Act requires that if an organization is going to communicate information outside of Quebec it must take reasonable steps to ensure that the receiving entity does not: a) use or disclose personal information for any purposes not relevant to the original collection purposes; and b) communicate the personal information to any third parties without consent, subject to limited exceptions.

How does KnowBe4 ensure compliance with Quebec’s Privacy Act?

Quebec’s Privacy Act requires that organizations execute a data processing agreement with their service provider(s). We provide our customers a robust data processing agreement which incorporates appropriate technical and organizational security measures which may be found here.

Nova Scotia PIIDPA

Does KnowBe4 comply with Nova Scotia’s PIIDPA?

Yes, KnowBe4 complies with the Nova Scotia Personal Information International Disclosure Protection Act (“PIIDPA”).

Does Nova Scotia’s PIIDPA permit cross-border transfers of information?

Yes, PIIDPA permits the cross-border transfer of information under the following conditions:

  • (i) the individual consents;
  • (ii) it is stored outside of Canada for a purpose otherwise allowed under PIIDPA, including carrying out an agreement; or
  • (iii) the applicable public body’s head considers storage necessary for operational requirements of the public body

UNITED STATES

Does KnowBe4 comply with the CCPA?

Yes, KnowBe4 complies with the California Consumer Protection Act (“CCPA”) and its amendments.

Does KnowBe4 sell my data as defined in the CCPA?

No, we do not sell your information as defined in the CCPA.

How does KnowBe4 comply with the CCPA?

We have put in place robust technical and security measures to ensure the proper protection of your organization’s data. Additionally, we offer a CCPA addendum which may be found here to ensure that our customers are in compliance with the CCPA.

Privacy in Latin America

Does KnowBe4 comply with the LGPD?

Yes, we comply with the Brazilian General Data Protection regulation (“LGPD”).

Does the LGPD permit the cross-border transfer of personal data?

The LGPD permits cross-border transfers of data as long as appropriate standards are met. We have implemented robust technical and security measures to ensure the proper protection of your data. Additionally, customers will be able to execute the Brazilian standard contractual clauses once they have been drafted and approved by the appropriate authorities.

How does KnowBe4 comply with the cross-border transfer requirements under the LGPD?

We have put in place robust controls to ensure that data is processed appropriately and in compliance with the LGPD. Additionally, we have executed agreements with our subprocessors (or otherwise, sub-service providers) to ensure that your data is also handled appropriately and only under our customers’ instructions.

Privacy in Europe

EUROPEAN UNION (EU)

Does KnowBe4 comply with the GDPR?

Yes, we comply with the General Data Protection Regulation (“GDPR”).

Does the GDPR permit the cross-border transfer of personal data? 

The GDPR permits cross-border transfers of data as long as appropriate safeguards are met. We have implemented robust technical and security measures to ensure the proper protection of information. Additionally, customers are able to execute our data processing agreement with standard contractual clauses with appropriate technical and organizational security measures which provides assurances that we are protecting and processing data in an adequate manner.

How does KnowBe4 comply with the cross-border transfer requirements under the GDPR?

We have put in place robust controls to ensure that data is processed appropriately and in compliance with the GDPR. Additionally, we have executed agreements with our subprocessors (or otherwise, sub-service providers) to ensure that your organization’s data is also handled appropriately and only under your instructions. We also offer our customers the option to execute standard contractual clauses with appropriate security measures to ensure the lawful transfer of personal data. Our DPA with standard contractual clauses may be found here.

United Kingdom (UK)

Does KnowBe4 comply with the UK GDPR?

Yes, we comply with the United Kingdom General Data Protection Regulation (“UK GDPR”).

Does the UK GDPR permit the cross-border transfer of personal data? 

The UK GDPR permits cross-border transfers of data as long as appropriate safeguards are met. We have implemented robust technical and security measures to ensure the proper protection of information. Additionally, customers are able to execute our data processing agreement with the International Data Transfer Addendum (“IDTA”) with appropriate technical and organizational security measures which provides assurances that we are protecting and processing data in an adequate manner.

How does KnowBe4 comply with the cross-border transfer requirements under the UK GDPR?

We have put in place robust controls to ensure that data is processed appropriately and in compliance with the GDPR. Additionally, we have executed agreements with our subprocessors (or otherwise, sub-service providers) to ensure that your organization’s data is also handled appropriately and only under your instructions. We also offer our customers the option to execute standard contractual clauses with appropriate security measures to ensure the lawful transfer of personal data. Our DPA with International Data Transfer Addendum may be found here.

Privacy in Singapore

Does KnowBe4 comply with the PDPA?

Yes, we comply with the Personal Data Protection Act (“PDPA”).

Does the PDPA permit the cross-border transfer of personal data?

The PDPA permits cross-border data transfers as long as the organization desiring to transfer the personal data ensures the recipient has levels of protection adequate to the standards outlined under the PDPA.

How does KnowBe4 comply with the cross-border transfer requirements under the PDPA?

The PDPA allows for cross-border transfers so long as the receiving party provides adequate levels of protection. We have implemented robust technical and security measures to ensure the proper protection of your information. We provide our customers a data processing agreement which incorporates appropriate technical and organizational security measures which may be found here.

Privacy in Australia

Does KnowBe4 comply with the Australian Privacy Act of 1988?

Yes, KnowBe4 complies with the Australian Privacy Act of 1988.

Does the Australian Privacy Act of 1988 permit the cross-border transfer of personal data?

Yes, however in order to do so, the transferring entity must take reasonable steps to ensure the overseas recipient does not violate the Australian Privacy Principles outlined in the Privacy Act of 1988.

How does KnowBe4 comply with the cross-border transfer requirements under the Australian Privacy Act of 1988?

We have implemented robust technical and security measures to ensure the proper protection of information. We provide our customers a data processing agreement which incorporates appropriate technical and organizational security measures which may be found here.

Privacy in Saudi Arabia

What is the Saudi Personal Data Protection Law (PDPL)?

The PDPL is the Kingdom of Saudi Arabia’s personal data protection law that is anticipated to come into effect in March 2023.

However, the Saudi Data & Artificial Intelligence Authority (SDAIA), the supervisory authority for the law, could further delay when the law applies to organizations outside the Kingdom and those that process personal data of Saudi residents, for a period of up to five (5) years.

Does KnowBe4 comply with the upcoming PDPL?

Yes, KnowBe4 will comply with the upcoming PDPL.

Does PDPL permit the cross-border transfer of personal data? 

Yes, the PDPL does permit the cross-border transfer of personal data in specific instances, such as when providing services to individuals requires the transfer of personal data outside the Kingdom. The SDAIA will also need to provide written approval of the cross-border transfer.

How will KnowBe4 comply with the cross-border transfer requirements under the PDPL? 

We have put in place controls to ensure that personal data would be processed appropriately and in compliance with PDPL. Additionally, we have executed agreements with our subprocessors (or otherwise, sub-service providers) to ensure customer data is handled appropriately and only under our customers’ instructions. We also ensure that our products and services are provided with privacy and security top of mind to ensure adequate protection of your organization’s personal data.

Where required, KnowBe4 will seek written approval for cross-border transfer and storage of customer information where necessary to provide our services.

