Last Updated: January 14, 2020
This KnowBe4 Data Privacy Impact Assessment (“DPIA”) is only applicable to the extent KnowBe4, Inc. and/or its affiliates (“KnowBe4”) is a processor of personal data for its KMSAT and KCM GRC products and services. The purpose of this DPIA is to provide information about KnowBe4’s personal data processing practices and to allow customers to complete their own data protection impact assessments on KnowBe4’s products and services. This DPIA only covers KnowBe4’s KMSAT and KnowBe4’s KCM GRC products and services.
Description of KnowBe4 services.
KnowBe4 is a B2B SaaS (Software-as-a-Service) company that provides its Customers a variety of services. The services that will be included in this document are:
● KMSAT Console - a simulated phishing and security awareness and compliance training platform
● KCM GRC Tool - a tool designed to help manage company governance, risk, compliance and audits
Describe the data that will be stored, used, collected or otherwise processed during the use of KnowBe4 services.
KMSAT Console - Name, email address, telephone number, title, security awareness training and simulated phishing campaign results and metrics, strictly necessary cookie information, IP addresses, web browser information, other uploaded information by customer.
KCM GRC Tool - Email address, browser information, strictly necessary cookie information, and information customers upload into the console (audit reports, compliance reports etc.)
Does KnowBe4 collect special categories of data (including criminal convictions, health information)?
No, KnowBe4 does not request nor does it provide appropriate fields for submitting special categories of data for any of its tools. Any special categories of data that may be received would be incidental and can be deleted upon request.
Where are the location of KnowBe4’s servers?
KnowBe4 operates both US and EU instances. Customers may choose where data is stored during the course of the services. However, KnowBe4 leverages subprocessors in the United States and generally personal data will always be processed in the United States.
Does KnowBe4’s processing of personal data include automated decision making which can produce legal effects concerning data subjects?
Do you provide notice to data subjects about the processing of their personal data?
KnowBe4 acts as a processor for its customers so it does not initiate direct contact with data subjects, unless specifically instructed too. KnowBe4 adheres to the terms of our data processing agreements and data protection notices found here when processing personal data. Data stored in KnowBe4’s products and services are provided by customers and it is the responsibility of our customers to make their users aware of how their data is being processed.
2. ACCESS TO PERSONAL DATA
How is access to personal data handled?
KnowBe4 provides products and services that leverage RBAC (Role Based Access Control). Customer administrators are able to set users roles and permission to limit access. KnowBe4’s employees and other personnel are only allowed access on a restricted basis. Access is only allowed to fulfill KnowBe4’s contractual obligations, legal obligations or legitimate business interests, such as meeting SLA’s or upon a customer’s written permission.
How do you ensure the security of KnowBe4 products?
KnowBe4 has security policies, procedures and controls to ensure the security of its products and services. These controls may be found by reviewing KnowBe4’s SOC 2 Type 2, which you may request by emailing your KnowBe4 point of contact after executing a non-disclosure agreement. You may also review KnowBe4’s public facing SOC 3 report found here.
How does KnowBe4 handle customer data subject access requests (DSAR’s)?
KnowBe4’s procedure for handling end user DSAR’s for customers is to forward the request on to the console or service administrator and provide assistance as requested.
3. INFORMATION FLOWS
International Data Transfer.
KnowBe4 is EU-US Privacy Shield Certified. You may view our attestation here. You can also visit https://privacyshield.gov and search “KnowBe4” to view our certification.
You may also execute a Data Processing Addendum with KnowBe4 by following the instructions found here.
Please describe KnowBe4’s product data flows.
KMSAT and KCM GRC are both built in the cloud leveraging Amazon AWS.
KMSAT Data Flow Description: Customer administrators are able to upload end user information into the console. Personal data is also generated when users complete security modules or are subject to phishing campaigns. This data is then stored in KnowBe4’s cloud storage (Amazon AWS).
KCM GRC: Customers create a user account with their business email address. KCM users then upload information into the KCM console. This information is then stored in KnowBe4’s cloud storage (Amazon AWS).
What sub-processors does KnowBe4 leverage in order to provide services?
KnowBe4 leverages sub-processors that process Personal Data in order to provide services to customers. You may request a list of sub-processors by emailing your KnowBe4 point of contact. Data Processing Agreements have been executed with all sub-processors in order to ensure the protection of Personal Data.
4. DATA SECURITY & PRIVACY BY DESIGN (PbD)
Where can I find KnowBe4’s security documentation?
KnowBe4 takes security seriously and takes appropriate measures in order to protect personal data. For more information about our security practices, you may visit our Security Page found here. Additionally, our CAIQ is available here. You may also request a copy of our SOC 2 Type 2 from your KnowBe4 point of contact after executing a non-disclosure agreement. Links to our SOC 3 reports can be found at the following links: KMSAT and PhishER / KCM.
How does KnowBe4 incorporate privacy by design into its products?
KnowBe4 conducts data privacy impact assessments and takes into account its data protection obligations when creating new products and services.
Are KnowBe4 employees and agents bound by confidentiality agreements?
KnowBe4 employees and other personnel who may have access to personal data are required to sign confidentiality agreements..
Do KnowBe4 employees receive privacy and security awareness training?
Yes, KnowBe4 employees receive periodic privacy and security awareness training.
Does KnowBe4 maintain a record of processing activities?
Yes, KnowBe4 maintains a record of processing activities.
5. DATA RETENTION
How long does KnowBe4 store Personal Data for?
KnowBe4 retains customer personal data in accordance with its customer contracts (i.e. service agreements and data processing agreements) as well as in accordance with other legal obligations.
6. HAS KNOWBE4 APPOINTED A DATA PROTECTION OFFICER?
You may contact KnowBe4’s Data Protection Officer by emailing firstname.lastname@example.org.
7. WHO CAN I REACH OUT TO IF I HAVE MORE QUESTIONS?
You can either contact your KnowBe4 point of contact or send an email to email@example.com.