Last Reviewed: August 21, 2023

Data Protection Highlights 

These data protection highlights are intended to provide subscribing organizations (a “customer”) and their end users (collectively “you”) with a few key points from our data protection notices and will tell you how KnowBe4, Inc. (“KnowBe4,” “we,” “our,” or “us”) uses Personal Data (as defined below) collected through our technology platforms, subscription services, including but not limited to web hosted services; software; support services; training content; and/or other services, and websites (“Services”). Our data protection notices will provide you with more detail on KnowBe4’s global data protection practices.

What is Personal Data? 

“Personal Data” means any personally identifiable information that can be linked back to you such as your name, email address, or IP address.

How Does KnowBe4 Collect Personal Data? 

We collect Personal Data when you visit our websites, submit information through our submission forms, contact us, send information to us directly, or upload information to our technology platforms. We also receive Personal Data collected by our affiliates, channel partners, service providers, and other third party providers.

How KnowBe4 Uses Personal Data 

KnowBe4 uses Personal Data to respond to your inquiries, to provide information about our Services to you, to run our technology platform(s), to improve our Services, for hiring/employment purposes, to comply with legal obligations, and as otherwise described in our data protection notice(s) and applicable agreements for Services.

Your Rights 

If you are not a customer or an end user:

If you are not a customer or an end user, please email privacy@knowbe4.com to access, amend, delete, rectify, withdraw consent, or object to the processing of your Personal Data. Our data protection notices have more information about these options. 

If you are a customer or an end user: 

If you are an end user of KnowBe4’s Services, where we provide the Services under contract with your organization (i.e., your employer and our customer), it is your organization that controls the information processed by the Services. If you do not agree with the use of your Personal Data, we recommend you reach out to your organization’s Account Owner (as defined in this Customer Privacy Notice) to exercise your rights. You may also email privacy@knowbe4.com and we will reach out to your Account Owner for you. Please see our Customer Privacy Notice for more information about these options.

Contact Us 

If you would like more information on our data protection practices, you can review our full data protection notices contained on our website.

Please direct any complaints, requests, or inquiries to privacy@knowbe4.com. We are committed to working with you to obtain a fair resolution of any complaint or concern about privacy. If, however, you believe that we have not been able to assist with your complaint or concern, and you are located in the EEA or other applicable jurisdictions, you have the right to lodge a complaint with the competent supervisory authority.

Full Customer Privacy Notice

Important Information 

We at KnowBe4, Inc. (“KnowBe4,” “we,” “our,” or “us”) are committed to protecting the data of our subscribing organizations (a “customer”) and their end users (collectively, “you”). The data protection practices set forth in this Customer Privacy Notice (the “Customer Privacy Notice”) are for our technology platforms, web hosted services, software, support services, training content, and/or other services and websites (“Services”). This Customer Privacy Notice tells you how KnowBe4 uses Personal Data collected through our Services. “Personal Data” means any personally identifiable information such as your name, email address, or IP address.

By using our Services, you are accepting the practices described in this Customer Privacy Notice. If you do not agree with the data practices provided in this Customer Privacy Notice, you should not use the Services provided by KnowBe4. We may make changes to this Customer Privacy Notice at our sole discretion at any time. We will alert you if there is any material change to this Customer Privacy notice. Your continued use of the Services after we make changes to the Customer Privacy Notice is deemed to be an acceptance of those changes.

For the avoidance of doubt, this Customer Privacy Notice only applies to the extent we process Personal Data in the role of a processor on a customer’s behalf. If you executed a Data Protection Agreement with us, the terms of such agreement will supersede this Customer Privacy Notice.

What This Notice Covers: 

This Customer Privacy Notice applies to the processing of Personal Data collected by us when customers (or potential customers) use our Services or create a free account to use our free tools (where we act as a processor of Personal Data).

Personal Data KnowBe4 Collects: 

The Personal Data that we collect directly from customers includes the following: 

  • Business Contact information: first name, last name, organization, title, department,, phone number, third party integration data, and business email addresses
  • Automatically collected information: information collected via cookies and web beacons, including IP address, browser name, operating system details, domain name, date of visit, time of visit, pages viewed, or other similar information
  • Console Information: simulated phishing, security awareness testing and training results, risk score, security assessment results, training and coaching information; and information uploaded to the Services

We use common information-gathering tools, such as tools for collecting usage data, cookies, web beacons and similar technologies to automatically collect information that contain Personal Data from your computer or mobile device as you navigate our website, use our Services, or interact with emails we send to you.

How Personal Data is Collected 

Personal Data is collected by KnowBe4 when it is shared by your organization’s account administrator (the “Account Admin”), at the discretion of your organization. Personal Data will also be requested from you through our Services by your Account Admin at your organization’s discretion. KnowBe4 collects the minimum information necessary to provide its Services to you.

How We Use Your Personal Data 

We collect and process your Personal Data for the purposes, and on the legal bases, identified in the following (where we act as a processor of your Personal Data):

Where we have entered into a contract: 

  • For your use of our free tools, KMSAT console or other Services provided to you that are under the applicable terms of service or applicable agreement for subscription services between you, or your organization, and KnowBe4
  • For the use of our Website including any free tools or Services
  • For managing payments in order to complete a transaction with you
  • In order to provide support for our Services (you can reach out to us by phone or email)
  • For any support services that we provide to you from time to time
  • For webinars that you have registered to attend
  • For KnowBe4 contests or promotions

A legitimate interest is the legal basis for processing the following:

  • To assess and improve your experience on the technology platforms (such as analyzing trends or tracking your usage and interactions with our Services in order to improve your overall experience)
  • For security purposes such as investigations of suspicious activity or for compliance purposes (such as investigating fraud or misuse of our Website)

KnowBe4 processes and discloses Personal Data when cooperating with appropriate regulatory and government authorities. When KnowBe4 processes Personal Data for this purpose, the legal bases for processing shall be for compliance with a legal obligation to which KnowBe4 is subject.

Cookies, web beacons, and other tracking technologies on our Services

KnowBe4 uses cookies and other tracking technologies when users interact with our Services. Cookies are small text files that are placed on your computer by a website. Each one of these cookies contain an identification number, IP address, and the time and date last accessed. KnowBe4 does NOT use these cookies contained within our Services for targeted advertising.

Below are the two types of cookies that are used on KnowBe4’s platform for its Services.

  • Session based cookies - These are only used to determine how long you remain on the technology platforms and immediately expire when you leave our technology platforms or logout.
  • Support cookies - These cookies allow us to track onboarding times and other metadata in order to provide better service to end users.

Most browsers are set up to accept cookies. If you choose, you may refuse to accept cookies or set up your browser so that it notifies you when you receive a cookie.

Who Do We Share Personal Data With? 

We use third-party partners to assist in provision of the Services and perform specialized services for data processing. When we provide Personal Data to these partners, they are not permitted to use the Personal Data for any reason outside of the scope for which we contracted them.

The ways in which we share your Personal Data include the following:

  • When we use our third-party processors (such as Amazon Web Services) in the performance of our Services. This is required for us to provide our Services to you. We execute contracts with our third parties to ensure they fulfill their data protection obligations. A list of our third party processors may be found here: https://support.knowbe4.com/hc/en-us/articles/1500007523981-KnowBe4-Subprocessors.
  • When you register for a webinar, it is generally done through one of our third-party partners. In these circumstances, your information will be subject to such partners’ or sponsors’ privacy statements and/or our website privacy notice located here. If you do not wish for your information to be shared, you may choose to not opt-in via the applicable event/webinar registration.
  • With KnowBe4 affiliates and other companies that become part of KnowBe4 in the future.
  • We will disclose your information to a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding. You will be alerted if this occurs, and you may request to have your personal data deleted from our systems, where possible.
  • Finally, we will disclose your information for other legitimate business purposes.

KnowBe4 reserves the right to disclose your Personal Data under the following conditions: (1) when permitted or required by law; (2) when trying to protect against or prevent actual or potential fraud or unauthorized transactions; or (3) when investigating suspected fraud which has already taken place.

Sale of Personal Data 

KnowBe4 will never sell your Personal Data. 

Account Admin(s) 

As an Account Admin, your Personal Data will be used to communicate with you for support purposes or to follow up on requests made by you or another user of the console as well as your use of the Services. An Account Admin runs the Services and delivers the Services to members of an organization. When you or your Account Admin uploads information (such as organization email addresses) into our Services, it has been done at the discretion of the organization that you or your Account Admin represent. The Account Admin’s organization is the “controller” of the Personal Data and KnowBe4 acts as a “processor” of the Personal Data. KnowBe4 is legally bound by the applicable terms for the Services purchased, such as the KnowBe4 Terms of Service, other applicable agreements for the Services between KnowBe4 and your organization, and/or Data Processing Agreements to only process data as authorized by the agreement(s) and upon the instruction of the controller. If you have any detailed questions regarding these agreements, please contact your Account Admin or KnowBe4 directly and we will forward your request to your appropriate organizational contact.

Subject to legal and contractual requirements, you can refuse our collection of your data or withdraw consent to further collection. Your Personal Data will never be used outside of the scope for which KnowBe4 was contracted.

Opt Out 

Since the Services provided are at the request of your organization, you can contact your organization’s Account Admin to opt out of the Services provided. Additionally, you can contact your Account Admin to make changes to your Personal Data. KnowBe4 does not have control over how your organization uses your Personal Data for their purposes. You can also contact us to contact your organization on your behalf by emailing privacy@knowbe4.com.

International Transfers of Personal Data 

Your Personal Data will be collected, transferred to, and stored by us in the United States or by our affiliates in other countries where we operate. In the event that your Personal Data is processed outside the European Economic Area (EEA) or other applicable jurisdiction, we will ensure that the recipient of your Personal Data offers an adequate level of protection by entering into an agreement to abide by Standard Contractual Clauses for the transfer of data as approved by the European Commission (Art. 46 GDPR), or another mechanism approved by appropriate regulatory bodies.

Data Security and Retention 

Your Personal Data is kept secure. Only our authorized employees, agents, and contractors (who have agreed to keep information secure and confidential) have access to this information. To provide our Services, we use third party partners (“Third Party” or “Third Parties”) to perform specialized services for data processing. When we provide data to these Third Parties, they are not permitted to use data outside of the scope for which we contracted them.

We (and our Third Party partners) use a variety of industry standard security measures to prevent unauthorized access, use, or disclosure of your Personal Data. These security measures consist of, but are not limited to, data encryption and physical security. No method of transmission or method of electronic storage over the internet is 100% secure. Therefore, while we strive to use industry standard means to protect your Personal Data, we cannot guarantee its absolute security.

KnowBe4 will retain your Personal Data for the period necessary to fulfill the purpose outlined in this Customer Privacy Notice or until you request its deletion, unless a longer retention period is required by applicable data privacy law.

We take reasonable steps to ensure that your Personal Data is accurate, complete, current, and otherwise reliable for its intended use. We will not process Personal Data in a way that is incompatible with the purposes for which it was collected. If your Personal Data has been disclosed to a Third Party, and it has been deemed incorrect by you, KnowBe4 will contact the Account Admin and will work with the Third Parties (such as our subprocessors) to request a correction to the information.

If KnowBe4 obtains knowledge that one of our Third Parties or employees are in violation of this Customer Privacy Notice, KnowBe4 will take industry standard steps to prevent or stop the unauthorized use or disclosure of your Personal Data. KnowBe4 takes data privacy seriously. Therefore, we agree to take industry standard measures to ensure the proper handling of your Personal Data by our employees and Third Party partners.

Your Rights 

You have certain rights relating to your Personal Data, subject to local data protection laws. Depending on the applicable laws and, in particular, if you are located in the EEA, these rights include:

  • accessing, correcting, amending, deleting your Personal Data;
  • objecting to any processing of your Personal Data carried out on the basis of our legitimate interests (right to object). Where we process your Personal Data for direct marketing purposes or share it with third parties for their own direct marketing purposes, you can exercise your right to object at any time to such processing without having to provide any specific reason for such objection;
  • not being subject to a decision based solely on automated processing, including profiling, which produces legal effects ("Automated Decision-Making"). Automated Decision-Making currently does not take place on our websites or in our Services; and
  • to the extent we base the collection, processing and sharing of your Personal Data on your consent, withdrawing your consent at any time, without affecting the lawfulness of the processing based on such consent before its withdrawal.
  • request to limit the use or disclosure of your personal data

How to exercise your rights 

To exercise your rights, please contact us at privacy@knowbe4.com. 

More Important Information 

EU-U.S. Data Privacy Framework Notice

On July 10, 2023, the European Commission’s adequacy decision for the EU-U.S. Data Privacy Framework entered into force.

KnowBe4, Inc. (“KnowBe4,” “we,” “our,” or “us”) complies with the EU-U.S. Data Privacy Framework (“EU-U.S. DPF”), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (“Swiss-U.S. DPF”) as set forth by the U.S. Department of Commerce. KnowBe4 has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. DPF Principles with regard to the processing of Personal Data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. KnowBe4 has certified to the U.S. Department of Commerce that we adhere to the Swiss-U.S. DPF Principles with regard to the processing of Personal Data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the EU.-U.S. DPF and/or Swiss-U.S. DPF Principles shall govern. To learn more about the Data Privacy Framework (“DPF”) program, please visit https://www.dataprivacyframework.gov/.

To view our certification, please visit this page and search for ”KnowBe4”.

As required under the principles, when we receive information under the DPF program and then transfer it to a third-party service provider acting as an agent on our behalf, we have certain liability under the DPF. If the agent processes the information in a manner inconsistent with the DPF, we are responsible for the event giving rise to the damage.

We encourage you to contact us at privacy@knowbe4.com if you have a DPF-related (or general privacy-related) complaint. If you have an unresolved privacy or data use complaint that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge). Through this third-party dispute resolution provider, we have also committed to cooperating and complying with the information and advice provided by an informal panel of data protection authorities in the European Economic Area, the Swiss Federal Data Protection, and/or the UK Information Commissioner (as applicable) in relation to unresolved complaints (as further described in the DPF program). You may also contact your local data protection authority within the European Economic Area or Switzerland (as applicable) for unresolved complaints.

Under certain conditions, more fully described on the Data Privacy Framework website, including when other dispute resolution procedures have been exhausted, you may invoke binding arbitration.

KnowBe4 is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission (FTC). KnowBe4 may be required to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Protected Health Information, Payment Card Information and other Sensitive Information. 

KnowBe4 does not need, nor does it request, any protected health information (“PHI”) governed by the Health Insurance Portability and Accountability Act and its implementing regulations (“HIPAA”), nor does it need or request any non-public consumer personally identifiable information or financial information governed by the Gramm-Leach-Bliley Act (“GLBA”) or payment card information covered by the Payment Card Industry Data Security Standards (“PCI DSS”) in order to provide its Services. You should never disclose, or allow to be disclosed, PHI, information protected by PCI DSS or GLBA, or other sensitive information to KnowBe4. In the event that an end user discloses such information (which would be a violation of this Customer Privacy Notice), you, on behalf of your organization, acknowledge that KnowBe4 does not take steps to ensure its Services are HIPAA or PCI compliant. All obligations of the aforementioned regulations remain solely with you, on behalf of your organization.

Visitors under the age of 16 

Our Services, such as our website, are not intended for persons under the age of 16. Thus, we do not intentionally gather Personal Data from visitors who are under the age of 16. If you are under the age of 16, please do not submit your Personal Data via our submission forms.

California Consumer Protection Act 

This section provides additional details about the personal information we collect about California consumers and the rights afforded to them under the California Consumer Privacy Act or “CCPA.”

We do not provide services, or other items of value, as consideration for your, or your end users’, personal information protected by the CCPA. 

You are responsible for ensuring your compliance with the requirements of the CCPA in your use of the Services we provide to you and your own processing of personal information. 

Here are a few things that KnowBe4 will NOT do with personal information in the scope of acting as a service provider, as defined by CCPA: 

  • sell, rent, or otherwise disclose your personal information to third parties in exchange for money or something else of value;
  • use your information outside the scope of the agreement(s) for services that we have with you.

Subject to certain limitations, the CCPA provides California consumers the right to request to know more details about the categories or specific pieces of personal information we collect (including how we use and disclose this personal information), to delete their personal information, to opt out of any “sales” that may be occurring, and to not be discriminated against for exercising these rights. 

California consumers may make a request pursuant to their rights under the CCPA by contacting us at privacy@knowbe4.com. We will verify your request using the information associated with your account, including email address. Consumers can also designate an authorized agent to exercise these rights on their behalf. 

Contacting Us 

To exercise your rights regarding your Personal Data, or if you have questions regarding this Customer Privacy Notice or our data protection practices please send an email to privacy@knowbe4.com. Alternatively, you may send notice by way of mail at the address listed below: 

KnowBe4, Inc. 

33 N Garden Avenue, Suite 1200

Clearwater, FL 33755, USA 

Attn: KnowBe4 Privacy Team 

We are committed to working with you to obtain a fair resolution of any complaint or concern about your data. If, however, you believe that we have not been able to assist with your complaint or concern, and you are located in the EEA, you have the right to lodge a complaint with the competent supervisory authority.


Get the latest about social engineering

Subscribe to CyberheistNews