
Security Statement

Last Updated: February 2026


Overview

As a security company built and operated by security-minded individuals, we respect your privacy and make significant effort to protect your data. We would never do anything with your data that we wouldn’t want you to do with ours.

Keeping our customers' data secure is the most important thing we do. We go to considerable lengths to ensure that all data is provided to KnowBe4 securely; keeping KnowBe4 systems and your data secure is fundamental to our business. Use the Trust Center to learn about our security posture and request access to our security documentation. Before you get started, we recommend you review our Terms of Service and Privacy Policy.

Compliance

The KnowBe4 Platform (KSAT + PhishER) has maintained a FedRAMP Moderate ATO (Authorization To Operate) since 11/14/2023.

 


All KnowBe4 products are SSAE18 SOC 2 Type 2 certified. This includes KSAT, PhishER, and SecurityCoach. If you require a copy of the full SOC 2 Type 2 report, please work with your sales representative or customer success manager. View SOC 3 report

The KnowBe4 SOC 2 assessments include all of the Trust Services Criteria:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

The Egress SOC 2 assessments include the Security, Availability and Confidentiality Trust Services Criteria.

Should you require a bridge letter for compliance purposes, please work with your representative or customer success manager.

You can find a copy of our recently completed Consensus Assessment Initiative Questionnaire (CAIQ) on our Cloud Security Alliance (CSA) STAR Registry page.


KnowBe4 products are Cyber Essentials certified. Review our certification

The International Organization for Standardization 27001 Standard (ISO 27001) is an information security standard that ensures office sites, development centers, support centers and data centers are securely managed. KnowBe4 is audited against a variety of standards in the International Organization for Standardization 27001 (ISO 27001) family by its independent third-party ANSI-ASQ National Accreditation Board (ANAB) accredited certifier. The standards against which KnowBe4 has been successfully audited include:

  • The International Organization for Standardization 27001:2022 Standard covering information security controls
  • The International Organization for Standardization 27701:2019 Standard covering privacy information management
  • The International Organization for Standardization 27017:2015 Standard covering information security controls for cloud computing
  • The International Organization for Standardization 27018:2019 Standard covering protecting PII in the public cloud for data processors

ISO/IEC 27701:2019 Certificate of Registration

ISO/IEC 27001:2022 Certificate of Registration


Defend, Prevent and Protect

Defend, Prevent and Protect are in scope of Egress' SOC 2 Type 2 report & ISO 27001 certification.

Please contact your account representative to gain access to our InfoSec Due Diligence Package on Caplinked containing Defend, Prevent and Protect audit reports & certifications.

Information Security and Data Privacy Team

KnowBe4’s dedicated Information Security and Data Privacy teams hold relevant industry certifications detailed below.

  • CISSP (ISC2)
  • CEH
  • Cisco CCNA
  • CISA
  • CompTIA Security+
  • FIP
  • CIPP/US
  • CIPP/E
  • CIPP/C
  • CIPM
  • AWS Certified Security - Specialty
  • AWS Certified Cloud Practitioner

Access and Authentication Controls

KnowBe4 restricts access to customer and confidential data on a business need-to-know basis. Access is granted based on one’s role within the organization. KnowBe4 enforces mandatory multi-factor authentication for all access to confidential data. Where applicable, access to systems is restricted by IP address.

Data Handling and Data Privacy

  • KnowBe4 maintains compliance with the European Union’s General Data Protection Regulation 2016/679 (GDPR).
  • We rely on the E.U. Commission approved standard contractual clauses for data transfer from the EEA to the United States. We have policies and procedures in place to comply with any applicable data privacy laws.

For more information on types of data and for what purpose, please refer to the product tab of our Privacy Policy.

Data Encryption

KnowBe4 leverages AWS and Azure for data encryption in transit (TLS) and at rest (AES-GCM 256). KnowBe4 currently uses Load Balancer and CloudFront Security Policies and/or Azure Front Door supporting TLS 1.2 and higher. KnowBe4 uses the AWS Key Management Service (KMS) and/or Azure Key Vault service to enable data-at-rest encryption across our products. We use this for encrypting data within databases and data stored within object storage (S3/Blob). AWS KMS and Azure Key Vault use the Advanced Encryption Standard (AES) algorithm in Galois/Counter Mode (GCM) with 256-bit secret keys.

Data Storage Locations

Fully documented in our Knowledge Base, here.

Data Backups and Retention

KnowBe4 maintains one year of database backups and three years of audit and application logs. These backups are stored encrypted in accordance with the Data Encryption section listed above. To submit a data deletion request, please work with your sales representative or customer success manager.

Awareness and Training

All KnowBe4 employees complete mandatory security awareness and privacy training upon hire and at least once annually. We conduct simulated phishing and social engineering tests on an ongoing basis at least once a month. All KnowBe4 employees and contractors sign confidentiality and non-disclosure agreements upon hire and before access to company or customer data.

Business Continuity / Disaster Recovery

KnowBe4 engineers have designed highly scalable and resilient product architecture within AWS and Azure. Our products withstand sophisticated attacks and are highly adaptable. Our systems’ performance within our products’ architecture is monitored for key metrics, ensuring the load on any one system is within an acceptable range. Should any components become overloaded or experience a fault, automated processes will be executed to bring online additional temporary systems or to cycle out existing systems for new ones. Automation is built into the KnowBe4 architecture, so system monitoring, updates, and corrective actions can take place as needed with no downtime. Status and uptime monitoring

KnowBe4’s Risk Management Program is reviewed as part of KnowBe4’s annual third-party audits (FedRAMP, ISO 27001, and SOC2). View full overview of KnowBe4's Risk Management Program

Code Security and Code Updates

The KnowBe4 Research and Development (R&D) department leverages a Continuous Integration / Continuous Delivery (CI/CD) pipeline for managing code deployments. Code changes are peer reviewed, approved by separate QA staff, and tested in a staging environment before they are pushed into production. The staging and production environments are logically separated, and no data is shared between them.

Logging and Monitoring

KnowBe4 collects audit and application logs from all systems. These logs are stored encrypted in a centralized logging facility separate from the system generating the logs. The log entries are in line with industry standards for audit trails. KnowBe4 maintains these logs for a period of three years for the business purpose of investigating past system activity.

Vulnerability Management

The KnowBe4 information security team performs the following scans at least monthly:

  • Authenticated web application vulnerability scans
  • OS and container scans
  • Infrastructure as Code (IAC) scans
  • Package/Dependency scans

In addition to the above scans, KnowBe4 maintains continuous monitoring of all systems and applications using various security tools.

All vulnerabilities found are added to a vulnerability tracking system where they are verified, triaged, and evaluated for actual risk.

CVSS and priority scores serve as our foundational metric to assess risk. KnowBe4 also leverages additional factors such as the OWASP risk rating methodology, reachability-based analysis, and exploitability to determine a more accurate likelihood and impact. This enables effective utilization of our engineering resources to focus on the security issues that represent the highest overall risk to customers.

The below SLA for remediation is applied when a vulnerability is confirmed to be reachable and exploitable:

| Severity | Remediation Timeline |
|---|---|
| Critical/High | < 30 Days |
| Medium | < 90 Days |
| Low | < 180 Days |
| Informational | Discretionary |

Information relating to past and current vulnerabilities as well as their remediation status can be found in the KnowBe4 Trust Portal which is updated monthly.

Penetration Testing / Bug Bounty / Report Security Vulnerabilities

KnowBe4 participates in a paid, private bug bounty program where vetted third-party researchers conduct ongoing penetration testing of our products. If you feel you have discovered a security flaw in our system, you can sign up for the program, and we will invite you to participate. You can submit any vulnerabilities through the bug bounty program or by contacting the KnowBe4 security team directly at infosec@knowbe4.com. We encourage you to test, and we encourage you to share what you find. Security testing outside of this private program is not permitted. We do not permit any automated scanning as part of this program; the researchers are instructed to perform manual testing so as to not be disruptive.

© 2026 KnowBe4, Inc. All rights reserved.