Product Data Protection Notice - July 3, 2019
We at KnowBe4, Inc. are committed to protecting your data. The data protection practices set forth in this Product Data Protection Notice (the “Product Data Protection Notice”) are for technology platforms owned by KnowBe4, Inc. (“KnowBe4”, “we”, “our”, or “us”). This Product Data Protection Notice tells you how KnowBe4 uses Personal Data collected on our technology platform(s). “Personal Data” means any personally identifiable information such as your name, address, date of birth, phone number, and email address.
By using our technology platform(s), you are accepting the practices described in this Product Data Protection Notice. If you do not agree with the data practices provided in this Product Data Protection Notice, you should not use products and services provided by KnowBe4. We may make changes to this Product Data Protection Notice at our sole discretion at any time. We encourage you to periodically review this Website Data Protection Notice to stay informed about our collection, processing, and sharing of your Personal Data. Your continued use of this Site after we make changes to the Product Data Protection Notice is deemed to be acceptance of those changes.
For the avoidance of doubt, this Product Data Protection Notice only applies to the extent we process Personal Data in the role of a processor on behalf of our customers. If you have executed a Data Protection Agreement with KnowBe4, the terms of such agreement will supersede this Product Data Protection Notice.
What This Notice Covers:
This Product Data Protection Notice applies to the processing of Personal Data collected by us when you:
- Use our products and services (where we act as a processor of your Personal Data)
- Create a free account to use our products and services on behalf of your employer
Personal Data KnowBe4 Collects
The Personal Data that we collect directly from you includes the following:
- Business Contact information: first name, last name, employer, title, city, state, country, phone number, IP address, and business email addresses
- Automatically collected information: information collected via cookies and web beacons, including IP address, browser name, operating system details, domain name, date of visit, time of visit, and pages viewed, or other similar information
- Console Information: Simulated phishing, security awareness testing and training results, security assessment results, and information uploaded to KCM GRC tool
Protected Health Information), Payment Card Information and other Sensitive Information.
KnowBe4 does not need, nor does it request, any protected health information (“PHI”) governed by the Health Insurance Portability and Accountability Act and its implementing regulations (“HIPAA”), nor does it need or request any non-public consumer personally identifiable information or financial information governed by the Gramm-Leach-Bliley Act (“GLBA”) or payment card information covered by the Payment Card Industry Data Security Standards (“PCI DSS”) in order to provide its products and services. You should never disclose, or allow to be disclosed, PHI, information protected by PCI DSS or GLBA, or other sensitive information to KnowBe4. In the event that a user discloses such information (which would be a violation of this Product Data Protection Notice), you, on behalf of your organization, acknowledge that KnowBe4 does not take steps to ensure its products are HIPAA or PCI compliant. All obligations of the aforementioned regulations remain solely with you, on behalf of your organization.
Visitors under the age of 16
Our Website and our technology platforms are not intended for persons under the age of 16. Thus, we do not intentionally gather Personal Data from visitors who are under the age of 16. If you are under the age of 16, please do not submit your Personal Data via our submission forms.
How Personal Data is Collected
Personal Data is collected by KnowBe4 when it is shared by your organization’s account administrator (the “Account Admin”), at the discretion of your organization. Personal Data will also be requested from you through our products and services (i.e. technology platforms) by your Account Admin at your organization’s discretion. KnowBe4 collects the minimum information necessary to provide its products and services to you..
Cookies and Other Identifiers
We use common information-gathering tools, such as tools for collecting usage data, cookies, web beacons and similar technologies to automatically collect information that contain Personal Data from your computer or mobile device as you navigate our Site, use our services, or interact with emails we have sent to you.
Cookies, web beacons and other tracking technologies on our products and services
Below are the two types of cookies that are used on KnowBe4’s platform for its products and services.
- Session based cookies - These are only used to determine how long you remain on the platform and immediately expire when you leave our platform or logout.
- Support cookies - These cookies allow us to track onboarding times and other metadata in order to provide better service to our users.
Most browsers are set up to accept cookies. If you choose, you may refuse to accept cookies or set up your browser so that it notifies you when you receive a cookie.
How We Use Your Personal Data
We collect and process your Personal Data for the purposes and on the legal bases identified in the following (where we act as a processor of your Personal Data):
Where we have entered into a contract:
- For your use of our free tools, KCM GRC console, KMSAT console or other services provided to you that are under the applicable terms of service or applicable agreement for services between you, or your organization, and KnowBe4
- For the use of our Website including any products and services
- For managing payments in order to complete a transaction with you
- In order to provide support for our products and services (you can reach out to us by phone or email)
- For any managed services that we provide to you from time to time
- For webinars that you have registered to attend
- For KnowBe4 contests or promotions
Legitimate interest is the legal basis for processing the following:
- To assess and improve your experience on the console (such as analyzing trends or tracking your usage and interactions with our products and services in order to improve your overall experience)
- For security purposes such as investigations of suspicious activity or for compliance purposes (such as investigating fraud or misuse of our Website)
- For other purposes that arise from time to time
KnowBe4 processes and discloses Personal Data when cooperating with appropriate regulatory and government authorities. When KnowBe4 processes Personal Data for this purpose, the legal bases for processing shall be for compliance with a legal obligation to which KnowBe4 is subject.
Who Do We Share Personal Data With?
We may occasionally use third-party businesses to provide products and perform specialized services for data processing. When we provide Personal Data to these businesses, they are not permitted to use the Personal Data for any reason outside of the scope for which we contracted them.
The ways in which we may share your Personal Data include the following:
- When we use our third-party processors (such as Amazon Web Services) in the performance of our services. This is required for us to provide our services to you. We execute contracts with our third parties to ensure they fulfill their data protection obligations.
- When you register for a webinar it is generally done through one of our third-party partners.
- With KnowBe4 affiliates and other companies that become part of KnowBe4 in the future.
- We may also disclose your information to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding. Finally, we may also disclose your information for any other purpose disclosed by us when you provide the information or with your consent.
KnowBe4 reserves the right to disclose your Personal Data under the following conditions: (1) when permitted or required by law; (2) when trying to protect against or prevent actual or potential fraud or unauthorized transactions; or (3) when investigating suspected fraud which has already taken place.
Sale of Personal Data
KnowBe4 will never sell your Personal Data.
An Account Admin is the person responsible for owning the product or service and delivering the service to members of his/her respective organization. When you or your Account Admin uploads information (such as business email address) into our products and services, you and/or the Account Admin acknowledge that is has been done at the discretion of the organization that you or your Account Admin represent. In this scenario, the Account Admin’s organization is the “controller” of the Personal Data and KnowBe4 acts as a “processor” of the Personal Data. KnowBe4 is legally bound by the applicable terms for the products and services purchased, such as the KnowBe4 Terms of Service, other applicable agreements for services between KnowBe4 and your organization, and/or Data Processing Agreements to only process data as authorized by the agreement(s) and upon the instruction of the controller. If you have any detailed questions regarding these agreements, please contact your Account Admin or KnowBe4 directly and we will forward your request to your appropriate organizational contact.
As an Account Admin, your Personal Data will be used to communicate with you for support purposes or to follow up on requests made by you or another user of the console.
Subject to legal and contractual requirements, you may refuse our collection of your data or withdraw consent to further collection. Your Personal Data will never be used outside of the scope for which KnowBe4 was contracted.
Since the products and services provided are at the request of your organization, you can contact your organization’s Account Admin in order to opt out of the products and services provided. Additionally, you can contact your Account Admin to make changes to your Personal Data. KnowBe4 does not have control over how your organization uses your Personal Data for their purposes. You can also contact us to contact your organization on your behalf.
International Transfers of Personal Data
Your Personal Data may be collected, transferred to, and stored by us in the United States and by our affiliates in other countries where we operate.
Therefore, your Personal Data may be processed outside the European Economic Area (EEA), and in countries which are not subject to an adequacy decision by the European Commission, and which may not provide for the same level of data protection as the EEA. In this event, we will ensure that the recipient of your Personal Data offers an adequate level of protection, for instance by entering into an agreement to abide by standard contractual clauses for the transfer of data as approved by the European Commission (Art. 46 GDPR), or another mechanism approved by the EU Commission.
Data Security and Retention
Your Personal Data is kept secure. Only authorized employees, agents, and contractors (who have agreed to keep information secure and confidential) have access to this information. To provide our products and services, we occasionally use third party businesses (“Third Party” or “Third Parties”) to perform specialized services in regard to data processing. When we provide data to these businesses, they are not permitted to use data outside of the scope for which we contracted them.
We (and our third-party service providers) use a variety of industry standard security measures to prevent unauthorized access, use, or disclosure of your Personal Data. These security measures consist of but are not limited to data encryption and physical security. No method of transmission or method of electronic storage over the internet is 100% secure. Therefore, while we strive to use commercially acceptable means to protect your Personal Data, we cannot guarantee its absolute security.
KnowBe4 will retain your Personal Data for the period necessary to fulfill the purpose outlined in this Product Data Protection Notice unless a longer retention period is required by applicable data privacy law.
We take reasonable steps to ensure that your Personal Data is accurate, complete, current, and otherwise reliable for its intended use. We will not process Personal Data in a way that is incompatible with the purposes for which it was collected. If your Personal Data has been disclosed to a third party, and it has been deemed incorrect by you, KnowBe4 will contact the Account Admin and will work with third parties (such as our subprocessors) to request a correction to the information.
If KnowBe4 obtains knowledge that one of our service providers or employees is in violation of this Product Data Protection Notice, KnowBe4 will take commercially reasonable steps to prevent or stop the unauthorized use or disclosure of your Personal Data. KnowBe4 takes data privacy seriously. Therefore, we agree to take commercially reasonable measures to ensure the proper handling of your Personal Data by our employees and service providers.
You have certain rights relating to your Personal Data, subject to local data protection laws. Depending on the applicable laws and, in particular, if you are located in the EEA, these rights include:
- Accessing, correcting, amending, deleting your Personal Data;
- Objecting to any processing of your Personal Data carried out on the basis of our legitimate interests (right to object). Where we process your Personal Data for direct marketing purposes or share it with third parties for their own direct marketing purposes, you can exercise your right to object at any time to such processing without having to provide any specific reason for such objection;
- Not being subject to a decision based solely on automated processing, including profiling, which produces legal effects ("Automated Decision-Making"). Automated Decision-Making currently does not take place on our websites or in our services; and
- To the extent we base the collection, processing and sharing of your Personal Data on your consent, withdrawing your consent at any time, without affecting the lawfulness of the processing based on such consent before its withdrawal.
How to exercise your rights
To exercise your rights, please contact us at firstname.lastname@example.org.
More Important Information
EU-U.S. and Swiss Privacy Shield Framework
KnowBe4, Inc. complies with the EU-U.S. Privacy Shield Framework and the Swiss – U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred from the European Union and the United Kingdom and Switzerland to the United States, respectively. KnowBe4, Inc. has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this Product Data Protection Notice and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit https://www.privacyshield.gov/.
KnowBe4, Inc. is responsible for processing of the Personal Data that it receives, under the Privacy Shield framework, and subsequently transfers to a third party acting as an agent on its behalf. KnowBe4, Inc. complies with the Privacy Shield Principles for all onward transfers of Personal Data from the EU, including onward transfer liability provisions.
With respect to Personal Data received or transferred pursuant to the Privacy Shield Framework, KnowBe4, Inc. is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, KnowBe4, Inc. may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the Privacy Shield Principles, KnowBe4 commits to resolve complaints about our collection or use of your Personal Data. EU and Swiss individuals with inquiries or complaints regarding our Privacy Shield policy should first contact KnowBe4 at: email@example.com.
Under certain conditions, more fully described on the Privacy Shield website (https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint), you may invoke binding arbitration when other dispute resolution procedures have been exhausted.
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.
To exercise your rights regarding your Personal Data, or if you have questions regarding this Product Data Protection Notice or our data protection practices please send an email to firstname.lastname@example.org. Alternatively, you may send notice by way of mail at the address listed below:
33 N Garden Avenue, Suite 1200
Clearwater, FL 33755, USA
Attn: KnowBe4 Privacy Team
We are committed to working with you to obtain a fair resolution of any complaint or concern about your data. If, however, you believe that we have not been able to assist with your complaint or concern, and you are located in the EEA, you have the right to lodge a complaint with the competent supervisory authority.