Overview

As a security company built and operated by security-minded individuals, we respect your privacy and make significant effort to protect your data. We would never do anything with your data that we wouldn’t want you to do with ours.

Keeping our customers' data secure is the most important thing we do. We go to considerable lengths to ensure that all data provided to KnowBe4 is provided securely; keeping KnowBe4 systems and your data secure is fundamental to our business. Before you get started, we recommend you review our Terms of Service and Privacy Policy.

Compliance:

The KnowBe4 KMSAT product is FedRAMP LI-SaaS authorized.

FedRAMP

LI-SaaS authorized on 10/25/2019

●      Kevin Mitnick Security Awareness Training - KMSAT

All KnowBe4 products are SSAE18 SOC2 Type 2 certified. This includes KMSAT, PhishER, and KCM GRC. You can download and review the SOC3 report for each product at the links below. The SOC3 report is a summary of the SOC2 Type 2 assessment.

The KnowBe4 SOC2 assessments include all of the Trust Services Criteria:

  • Security
  • Availability
  • Processing Integrity
  • Confidentiality
  • Privacy

If you require a copy of the full SOC2 Type 2 report, please work with your sales representative or customer success manager.

SOC3

Audit Period: March 16, 2019 - March 15, 2020

●      KMSAT & PhishER

●      KCM GRC

Should you require a gap letter for compliance purposes, please work with your representative or customer success manager.

We are listed under the Cloud Security Alliance (CSA) STAR Registry. https://cloudsecurityalliance.org/star/registry/knowbe4-inc/

Information Security and Data Privacy Team:

KnowBe4’s dedicated Information Security and Data Privacy teams hold relevant industry certifications detailed below.

  • CISSP
  • CEH
  • CCNA
  • CISA
  • Security+
  • FIP
  • CIPP-US
  • CIPP-E
  • CIPP-C
  • CIPM
  • AWS-Security
  • AWS-Cloud


Access and Authentication Controls:

KnowBe4 restricts access to customer and confidential data on a business need-to-know basis. Access is granted based on one's role within the organization. KnowBe4 enforces mandatory multi-factor authentication for all access to confidential data. Where applicable, access to systems is restricted by IP address.

Data Handling and Data Privacy:

  • KnowBe4 maintains compliance with the European Union’s General Data Protection Regulation 2016/679 (GDPR).
  • We rely on the E.U. Commission-approved standard contractual clauses for data transfers from the EEA to the United States. We have policies and procedures in place to comply with any applicable data privacy laws.

For more information on types of data and for what purpose, please refer to the product tab of our Privacy Policy.

Data Encryption:

KnowBe4 leverages AWS for data encryption in transit (TLS) and at rest (AES-GCM 256). KnowBe4 currently uses the TLSv1_2016 Security Policy on AWS Application Load Balancers and within AWS CloudFront. Details of this can be found here. KnowBe4 uses the AWS Key Management Service (KMS) to enable encryption of data at rest across our products. We use this for encrypting data within databases (RDS) and data stored within S3. AWS KMS uses the Advanced Encryption Standard (AES) algorithm in Galois/Counter Mode (GCM) with 256-bit secret keys.

Data Center Location:

KnowBe4 operates within Amazon Web Services (AWS). AWS follows the Shared Responsibility Model. AWS is responsible for the security of the cloud, and KnowBe4 is responsible for security in the cloud. Information regarding the compliance of AWS data centers can be found on the AWS compliance website here. If you are required to review the data center SOC report, you can review the latest AWS SOC3 report located here: AWS SOC3 Report.

KnowBe4 uses the following AWS regions:

  • KMSAT & PhishER & KCM GRC
    • US-East-1 (Northern Virginia)

For any customers who wish to have their data reside within the EU we offer the following:

  • KMSAT & PhishER
    • EU-West-1 (Ireland)
  • KCM
    • EU-West-2 (London)

Data is not shared between the U.S. and E.U. data centers. You may request an account in each region, but these will be independent of each other, and data will not synchronize between accounts.

Data Backups and Retention:

KnowBe4 maintains one year of database backups and three years of audit and application logs. These backups are stored encrypted in accordance with the Data Encryption section listed above. To submit a data deletion request, please work with your sales representative or customer success manager.

Awareness and Training:

All KnowBe4 employees complete mandatory security awareness and privacy training upon hire and at least once annually. We conduct simulated phishing and social engineering tests on an ongoing basis at least once a month. All KnowBe4 employees and contractors sign confidentiality and non-disclosure agreements upon hire and before access to company or customer data.

Business Continuity / Disaster Recovery:

KnowBe4 engineers have designed a highly scalable and resilient product architecture within AWS. Our product withstands sophisticated attacks and is highly adaptable. Our systems' performance within the product architecture is monitored for key metrics, ensuring the load on any one system is within an acceptable range. Should any component become overloaded or experience a fault, automated processes are executed to bring additional temporary systems online or to cycle out existing systems for new ones. Automation is built into the KnowBe4 architecture, so system monitoring, updates, and corrective actions can take place as needed with no downtime. For status and uptime monitoring, please visit https://status.knowbe4.com

Code Security and Code Updates:

The KnowBe4 Research and Development (R&D) department leverages a Continuous Integration / Continuous Delivery (CI/CD) pipeline for managing code deployments. Code changes are peer reviewed, approved by separate QA staff, and tested in a staging environment before they are pushed into production. The staging and production environments are logically separated, and no data is shared between them.

Logging and Monitoring:

KnowBe4 collects audit and application logs from all systems. These logs are stored encrypted in a centralized logging facility separate from the system generating the logs. The log entries are in line with industry standards for audit trails. KnowBe4 maintains these logs for a period of three years for the business purpose of investigating past system activity.

Vulnerability Management:

The KnowBe4 information security team performs monthly web application vulnerability scans. These scans are configured to run as authenticated scans. Any vulnerabilities found during these scans or any other vulnerability discovery activities are added to a vulnerability tracking system. There, the vulnerabilities are verified, categorized, and evaluated for actual risk. Vulnerabilities are remediated in accordance with the schedule listed below:

CVSS Score      Remediation Timeline
7.0 - 10.0      < 2 Weeks
4.0 - 6.9       < 4 Weeks
1.0 - 3.9       < 6 Months
0 - 0.9         Discretionary

Penetration Testing / Bug Bounty / Report Security Vulnerabilities:

KnowBe4 participates in a paid, private bug bounty program where vetted third-party researchers conduct ongoing penetration testing of our products. If you feel you have discovered a security flaw in our system, you can sign up for the program, and we will invite you to participate. You can submit any vulnerabilities through the bug bounty program or by contacting the KnowBe4 security team directly. We encourage you to test, and we encourage you to share what you find. Security testing outside of this private program is not permitted. We do not permit any automated scanning as part of this program; the researchers are instructed to perform manual testing so as not to be disruptive.

[Latest Page Update: 09/22/2020]