Last Updated: February 6, 2023

This California Addendum (“Addendum”) forms part of the Terms of Service or other written or electronic agreement(s) between KnowBe4, Inc. and/or its subsidiaries (“KnowBe4”) and Customer for the provision of products and/or services by KnowBe4 to Customer (the “Agreement”). This Addendum shall reflect the parties’ agreement with regard to the processing of Personal Data (as defined below) in the performance of the Agreement. By executing this Addendum, Customer enters into this Addendum on behalf of itself and in the name and on behalf of its Affiliates. For the purposes of this Addendum, and except where indicated otherwise, the term “Customer” shall mean the organization entering into this Addendum and shall include its Affiliates, as applicable. Customer and KnowBe4 may be referred to in this Addendum individually as a “party” or jointly as the “parties.”


To execute this Addendum, Customer must:

  1. Download the PDF version of the Addendum for completion;
  2. Fill in the information requested in the signature block and any areas requesting Customer’s information; and
  3. Send the signed Addendum to KnowBe4 by email to indicating Customer’s full legal name and whether Customer is a current customer or prospective customer of KnowBe4.

If accepted, KnowBe4 will return the fully executed Addendum to Customer. This Addendum will not become effective until: (i) the Addendum is fully executed and returned to Customer; and (ii) the parties have entered into an Agreement for KnowBe4’s products and services.


This Addendum shall only apply to Personal Data that is subject to the CPRA (as defined below).

This Addendum is agreed to and executed by authorized representatives of the parties.



COMPANY NAME: ______________________                            






Printed Name:


Printed Name:






Principal Place of Business:




Principal Place of Business:









KnowBe4, Inc.

33 N Garden Ave Suite 1200

Clearwater, Florida, 33755

Attn: Legal Department

With an email copy to:






With an email copy to (if applicable):


  1. Defined Terms. Terms used but not defined in the Addendum, such as “business purpose”, “commercial purpose”, “consumer”, “processing”, “business”, “sell”, “selling”, “sale” and “verifiable consumer request”, will have the same meaning as set forth in California Civil Code Section 1798.140. Bracketed numbers are references to related sections of the California Civil Code. In addition, capitalized terms used in the Addendum shall have the following meanings:
    1. CCPA” means the Cal. Civ. Code § 1798.100 et seq.), as amended by the Consumer Privacy Rights Act of 2020 (Cal. Civ. Code § 1798.100 et seq.), and as may be further amended from time to time and any successor legislation thereto and any regulations promulgated thereunder.
    2. "Contracted Business Purposes" means the Services described in the underlying Agreement by which KnowBe4 receives or accesses Customer Personal Information.
    3. Personal Information” means “personal information” and includes “Sensitive personal information” as defined in the CPRA.
    4. Customer Personal Information” means Personal Information of the Customer provided to and Processed by KnowBe4 to perform the Services.
    5. Services” means any services to be performed by KnowBe4 under the Agreement.


  1. Applicability. The Addendum applies to the processing of Customer Personal Information within the scope of the CPRA in the course of providing Services to the Customer.


  1. Effective Date. KnowBe4 makes the commitments in the Addendum effective on the later of (a) January 1, 2023, the operative date of the CPRA [1798.199.100 Sec. 31], or (b) the date KnowBe4 begins to process Customer Personal Information on behalf of Customer.


  1. Processing Only for Contracted Business Purposes. KnowBe4 agrees and acknowledges that Customer is disclosing or making available Customer Personal Information solely for the limited and specified Business Purpose for which Customer provides or permits Personal Information access. KnowBe4 shall only Process such Customer Personal Information for the Contracted Business Purposes or as otherwise expressly permitted under the CPRA.


  1. Prohibitions. KnowBe4 is prohibited from: (a) selling or sharing Customer Personal Information; (b) retaining, using, or disclosing the Personal Information for any purpose outside of the specific purpose of performing the Services or as otherwise permitted by the CPRA, including retaining, using, or disclosing the Personal Information for a commercial purpose other than providing the Services, (c) retaining, using, or disclosing the Personal Information outside of the direct business relationship between the KnowBe4 and Customer, and (d) combining the Personal Information received, in connection with performing the Services, with Personal Information received from, or on behalf of, any other source or collected from KnowBe4’s own interaction with consumers, unless otherwise permitted by the CPRA. [1798.140(ag)(1)]


  1. Consumer Requests.
    1. If KnowBe4 is contacted by a person with a request, inquiry or complaint regarding their Personal Information in connection with the Services, KnowBe4 shall promptly notify Customer of such request, inquiry or complaint. KnowBe4 shall not respond to such request, inquiry or complaint directly, unless otherwise required by applicable law. [1798.130(3)(A)]
    2. Upon Customer’s request, KnowBe4 shall provide Customer with reasonable cooperation, assistance, information and access to Personal Information in its possession, custody or control as is necessary for Customer to respond within any timeframe required by the CPRA to any verifiable consumer request to disclose Personal Information in a readily usable format or delete Personal Information pursuant to Sections 1798.100-1798.105 of the California Civil Code. [1798.100-1798.105] If KnowBe4 intends to rely on an exception under Section 1798.105(d), KnowBe4 shall notify Customer within the same timeframe of the intent.


  1. Reasonable Security. KnowBe4 shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect any “personal information” as defined in California Civil Code Section 1798.81.5 from unauthorized access, destruction, use, modification, or disclosure. [1798.81.5(c), 1798.150]


  1. Verification of Compliance. KnowBe4 represents that it is and shall remain in compliance with all applicable requirements of the CPRA when Processing Customer Personal Information. KnowBe4 shall, upon written notice by Customer, make available to Customer information necessary to demonstrate compliance with the obligations set forth in this Addendum and the CPRA. [1798.100(3)] KnowBe4 shall, upon written notice, allow Customer to take reasonable and appropriate steps to stop and remediate any alleged unauthorized use of personal information. [1798.100(5)] KnowBe4 shall notify Customer if it determines it can no longer meet its obligations under the CPRA or this Addendum. [1798.100(4)]


  1. Changes in Law. If any variation is required to this Addendum as a result of a change in the CPRA, then either party may provide written notice to the other party of that change. The parties will discuss and negotiate in good faith any necessary variations to this Addendum to address such changes.


  1. Subcontracting. KnowBe4 will notify Customer and provide Customer with an opportunity to object if KnowBe4 engages another party to assist in Processing of Personal Information. KnowBe4 will ensure that all subcontractors engaged are bound by written agreements with terms and conditions in compliance with the CPRA and that are at least as restrictive as the relevant terms and conditions contained in the Agreement or this Addendum as they apply to KnowBe4. KnowBe4 may only permit a subcontractor to Process Customer Personal Information to the extent permitted under the Agreement. KnowBe4 shall not sell or share any Personal Information to the subcontractor (as the terms “sell” and “share” are defined under the CPRA). [1798.140(ag)(2)]


  1. Severability. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

Get the latest about social engineering

Subscribe to CyberheistNews