We here at KnowBe4 would like to make a few things clear with respect to security. First, we respect your privacy and take significant efforts to protect all your data. Second, we would never do anything with your data that we wouldn’t want you to do with ours. Third, we are a security company built and operated by highly security-minded individuals.
Security and Privacy Team
Collectively, our infrastructure and security team has over 50 years of experience designing, building, and operating highly secure internet facing systems at companies ranging from startups to large public companies and government organizations. Members of our team maintain industry-recognized security and privacy certifications and specific training in areas of secure coding and incident handling.
Incident Response Plan
- We have a procedure for security events and have educated all our staff on our policies.
- When security events are detected they are escalated to our security operations team, stakeholders are then identified, notified and assembled to rapidly address the event.
- After a security event is fixed the stakeholders and security operations team performs a root-cause analysis.
- The analysis is reviewed in person, distributed to stakeholders and includes action items that will implement controls to detect and prevent similar events in the future.
Build Process Automation
- We have functioning, frequently used automation in place so that we can safely and reliably rollout changes to both our application and operating platform within minutes.
- We typically deploy code periodically throughout the day, so we are confident that we can implement a security fix quickly when required.
- All of our services run in the cloud. We do not run our own routers, load balancers, DNS servers, or physical servers.
- Except for a few data sub-processors our services and data are hosted in Amazon Web Services (AWS) facilities. For US based customers and customers wishing to keep their data residing in the US we have servers in AWS datacenters in the US region. For customers wishing to keep their data within the EU, except for a small set of sub-processors that are US only, we have servers located in AWS datacenters in the EU region. KnowBe4 services have been built with business continuity and disaster recovery in mind.
- Our entire infrastructure, including servers and databases, is spread across multiple AWS data centers (availability zones) for both the US and EU regions and will continue to work should any one of those data centers fail unexpectedly.
- All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACL’s) that prevent unauthorized requests getting to our internal network.
- We currently are only able to operate in the US and EU regions of AWS due to feature limitations. Other regions of AWS will be considered once all of the services necessary to run our platforms are available in those regions.
- We have a 99.9% uptime or higher… It's higher.
- If you are the kind of person who likes human interaction, you can get support during normal business hours for US eastern time zone Monday through Friday, 9AM to 6PM. You can also email firstname.lastname@example.org to open a support ticket or visit our support site.
- If you are using the US region (training.knowbe4.com), all of your data is stored in the USA. If you are using the EU region (eu.knowbe4.com), except for temporary storage (30 days) by some subprocessors located in the US, your data (email address) is stored in the EU.
- Customer data is stored in a multi-tenant architecture. We do not have individual databases or servers for each customer. However strict privacy controls exist in our application code to ensure data privacy and prevent one customer from accessing another customer’s data. This is done using unique account identifiers which attribute each user to a specific account. We have many unit and integration tests in place to ensure these privacy controls work as expected. These tests are run every time our codebase is updated and even one single test failing will prevent new code being shipped to production.
- All data is encrypted at rest and in transit using industry standard encryption algorithms.
- All data sent to or from KnowBe4 is encrypted in transit using TLS/SSL. This includes system logs, email address lists, and other confidential information.
- KnowBe4 is served 100% over https. If you attempt to access the site via http you will be redirected to an https connection.
- We require multi-factor authentication (MFA) for all employees to access systems and data and for management of our infrastructure.
- On an application level, we produce audit logs for all system and application activity, ship logs in real time to a subprocessor via TLS encrypted connections for analysis, centralization and archiving via AWS S3.
- All access to KnowBe4 applications is logged and audited.
- KnowBe4 uses a subprocessor to monitor for application errors that notifies technical staff of real-time application errors generated.
- System performance and uptime are monitored.
Security Audits and Compliance
- Our internal infosec team performs quarterly network and application level vulnerability scanning on our systems and applications.
Our infrastructure provider is (Amazon Web Services - AWS). We operate in the US and by customer request the EU. You can refer to the following pages to review the compliance of Amazon Web Services. https://aws.amazon.com/compliance/
A direct link to the Amazon Web Services SOC3 report can be found here: https://d0.awsstatic.com/whitepapers/compliance/soc3_amazon_web_services.pdf
The Amazon Web Services SOC2 report is not public information and we are under a non-transferrable NDA with them. We are not legally permitted to send the AWS SOC2 report to any customers or prospects. You must be a customer of AWS in order to request this under a non disclosure agreement.
The SOC reports, as well as many other audit and compliance documents, are all readily available through AWS Artifact.
You can follow the link to “Get started for free” and be redirected to the AWS Console. You will need to create a new AWS account if you don’t already have one. The online NDA needs to be digitally agreed to (if it hasn’t already) in order for Amazon to share SOC reports. Artifact will guide you through this process. You will see a list of SOC reports that you can choose from (SOC 1, SOC 2, SOC 3, current and previous versions). All the latest reports are always readily available in the portal. You can also view ISO and other certifications.
We are SOC2 Type 2 certified and conduct annual SOC2 audits. The results of these will be made available to any customer or prospect by request and who is under an NDA.
We will gladly fill out vendor due diligence paperwork and security questionnaires. We have pre-completed questionnaires available in CAIQ and SIG Lite format. Customers and prospects that are under an NDA may request these documents.
- For customers wishing to use the EU instance of our applications, KnowBe4 maintains compliance with EU Data Protection of Personal Data (Directive 95/46/EC) Article 29 Working Party subject to acceptance of the US based data subprocessors listing that can be provided upon execution of a mutual non-disclosure agreement.
- We are US-EU / US-Swiss Privacy Shield certified. We will work with your legal and contracts teams to execute formal Service Agreements, Model Clause Contracts, and Data Protection Agreements.
- We have policies and procedures in place to comply with the GDPR.
Found a Security Bug?
- KnowBe4 currently participates in a private bug bounty program where vetted researchers conduct ongoing security testing of our infrastructure and applications.
- If you feel you have discovered a security flaw in our system you can submit it through the bug bounty program.
- Security testing outside of this private program is not permitted.
[Latest Page Update: 8/7/2018]