Overview

We here at KnowBe4 would like to make a few things clear with respect to security. First, we respect your privacy and make significant efforts to protect all of your data. Second, we would never do anything with your data that we wouldn't want you to do with ours. Third, we are a security company built and operated by security-minded individuals.

Keeping our customers' data secure is the most important thing KnowBe4 does. We go to considerable lengths to ensure that all data provided to KnowBe4 is transmitted and stored securely; keeping KnowBe4 systems and your data secure is fundamental to our business. Before you get started, we recommend that you also review our Terms of Service and Privacy Policy.


Security Team

Collectively, our infrastructure and security team has over 50 years of experience designing, building, and operating highly secure internet-facing systems at companies ranging from startups to large public companies and government organizations. Members of our team maintain industry-recognized security certifications and have received specific training in areas such as secure coding and incident handling.


Best Practices

Incident Response Plan

  • We have a procedure for security events and have educated all our staff on our policies.
  • When a security event is detected it is escalated to our security operations team; stakeholders are then identified, notified and assembled to address the event rapidly.
  • After a security event is resolved, the stakeholders and the security operations team perform a root-cause analysis.
  • The analysis is reviewed in person, distributed to stakeholders, and includes action items that implement controls to detect and prevent similar events in the future.

Build Process Automation

  • We have functioning, frequently used automation in place so that we can safely and reliably roll out changes to both our application and our operating platform within minutes.
  • We typically deploy code several times throughout the day, so we are confident that we can ship a security fix quickly when required.


Infrastructure

  • All of our services run in the cloud. We do not run our own routers, load balancers, DNS servers, or physical servers.
  • Except for a few data sub-processors, our services and data are hosted in Amazon Web Services (AWS) facilities. For US-based customers, and for customers wishing to keep their data in the US, we have servers in AWS datacenters in the US region. For customers wishing to keep their data within the EU, we have servers in AWS datacenters in the EU region, except for a small set of sub-processors that are US-only. KnowBe4 services have been built with business continuity and disaster recovery in mind.
  • Our entire infrastructure, including servers and databases, is spread across multiple AWS data centers (availability zones) in both the US and EU regions and will continue to work should any one of those data centers fail unexpectedly.
  • All of our servers are within our own virtual private cloud (VPC), with network access control lists (ACLs) that prevent unauthorized requests from reaching our internal network.


Service Levels

  • We maintain 99.9% uptime or higher; in practice it is higher.
  • If you are the kind of person who likes human interaction, you can get support during normal business hours in the US Eastern time zone, Monday through Friday, 9 AM to 6 PM. You can also email support@knowbe4.com to open a support ticket or visit our support site.


Data

  • If you are using the US region (training.knowbe4.com), all of your data is stored in the USA. If you are using the EU region (eu.knowbe4.com), your data is stored in the EU, except for email addresses held temporarily (30 days) by some subprocessors located in the US.
  • Customer data is stored in a multi-tenant architecture. We do not have individual databases or servers for each customer. However, strict access controls exist in our application code to ensure data privacy and prevent one customer from accessing another customer's data. This is done using unique account identifiers that attribute each user to a specific account, so every query is scoped to the requesting account. We have many unit and integration tests in place to ensure these controls work as expected. These tests run every time our codebase is updated, and a single failing test will prevent new code from being shipped to production.
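The bullet above describes tenant isolation by account identifier, enforced in application code and guarded by tests that fail closed. The following is an added illustration of that pattern, not KnowBe4's code: the schema, the function names and the sample rows for two fictional tenants are assumptions made for the example. It contrasts a defective handler that receives the caller's account but never uses it in its query (an insecure direct object reference) with a scoped handler, and runs the same cross-tenant check against both, as a CI gate would.

```python
"""Tenant isolation by account identifier, with a fail-closed check.

Added example; schema, names and sample rows are assumptions, not the page's own code.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory schema plus constructed sample rows for two fictional tenants."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.execute(
        "CREATE TABLE users ("
        " id INTEGER PRIMARY KEY,"
        " account_id INTEGER NOT NULL REFERENCES accounts(id),"
        " email TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", [(1, "Acme"), (2, "Globex")])
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [
            (10, 1, "alice@acme.example"),
            (11, 1, "bob@acme.example"),
            (20, 2, "carol@globex.example"),
        ],
    )
    return conn


def get_user_unscoped(conn, account_id, user_id):
    """Defective handler: receives the caller's account_id but never uses it,
    so a user id guessed from another tenant is returned (an IDOR)."""
    return conn.execute(
        "SELECT id, account_id, email FROM users WHERE id = ?", (user_id,)
    ).fetchone()


def get_user(conn, account_id, user_id):
    """Scoped handler: the caller's account_id is part of every predicate, so
    another tenant's rows are indistinguishable from rows that do not exist."""
    return conn.execute(
        "SELECT id, account_id, email FROM users WHERE id = ? AND account_id = ?",
        (user_id, account_id),
    ).fetchone()


def list_emails(conn, account_id):
    """Listing is scoped the same way; there is deliberately no unscoped variant."""
    rows = conn.execute(
        "SELECT email FROM users WHERE account_id = ? ORDER BY id", (account_id,)
    )
    return [email for (email,) in rows]


def check_tenant_isolation(lookup) -> list:
    """Cross-tenant checks of the kind a CI gate runs on every change.
    Returns the names of failing checks; an empty list means the gate passes."""
    conn = build_db()
    failures = []
    # Tenant 2 (Globex) asks for user 10, which belongs to tenant 1 (Acme).
    if lookup(conn, account_id=2, user_id=10) is not None:
        failures.append("cross_tenant_read")
    # Tenant 1 must still be able to read its own user.
    if lookup(conn, account_id=1, user_id=10) is None:
        failures.append("own_tenant_read")
    # An id that exists nowhere reads as absent, exactly like another tenant's id.
    if lookup(conn, account_id=2, user_id=999) is not None:
        failures.append("unknown_id")
    # Listing must only ever return the caller's own addresses.
    if list_emails(conn, 1) != ["alice@acme.example", "bob@acme.example"]:
        failures.append("own_tenant_list")
    return failures


if __name__ == "__main__":
    print("unscoped handler:", check_tenant_isolation(get_user_unscoped))
    print("scoped handler:  ", check_tenant_isolation(get_user))
```

The scoping predicate belongs in one shared data-access layer (or in database row-level security) rather than in each request handler, so that a forgotten `account_id` cannot reach production; the check above is what turns that intent into a gate that blocks the ship when any single case fails.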


Data Transfer

  • All data sent to or from KnowBe4 is encrypted in transit using TLS. This includes system logs, email address lists, and other confidential information.


Authentication

  • KnowBe4 is served 100% over HTTPS. If you attempt to access the site via plain HTTP, you are redirected to an HTTPS connection.
  • We have two-factor authentication (2FA) in place for administrative functions related to our services and for management of our infrastructure.
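The redirect described above is easy to get subtly wrong: the `Host` header used to build the redirect target is attacker-controlled (an open redirect if echoed blindly), a `301` turns a `POST` into a `GET`, and a redirect alone still leaves the user's first request in cleartext unless the browser is also told to stay on HTTPS via `Strict-Transport-Security`. The following is an added example of a WSGI middleware that handles those three points, not KnowBe4's code; the hostname `app.example.com`, the one-year HSTS value and the `hello_app` stand-in are assumptions made for the example.

```python
"""HTTP-to-HTTPS redirect plus HSTS as a WSGI middleware.

Added example; hostnames, the HSTS policy value and hello_app are assumptions.
"""
from urllib.parse import quote

# One year is an assumed policy choice; 'preload' is a further choice per domain.
HSTS_VALUE = "max-age=31536000; includeSubDomains"


def enforce_https(app, allowed_hosts, trust_forwarded_proto=False):
    """Redirect plain-HTTP requests to HTTPS and add HSTS to every HTTPS response.

    allowed_hosts: lowercase hostnames we are willing to redirect to. The Host
    header is client-controlled, so echoing it blindly would be an open redirect.
    trust_forwarded_proto: set True only behind a load balancer that strips and
    re-sets X-Forwarded-Proto itself; otherwise a client can forge it.
    """
    def wrapped(environ, start_response):
        scheme = environ.get("wsgi.url_scheme", "http")
        if trust_forwarded_proto and environ.get("HTTP_X_FORWARDED_PROTO"):
            scheme = environ["HTTP_X_FORWARDED_PROTO"].split(",")[0].strip().lower()
        host = (environ.get("HTTP_HOST") or "").split(":")[0].lower()
        if host not in allowed_hosts:
            start_response("400 Bad Request", [("Content-Type", "text/plain")])
            return [b"unknown host\n"]
        if scheme != "https":
            target = "https://" + host + quote(environ.get("PATH_INFO") or "/")
            if environ.get("QUERY_STRING"):
                target += "?" + environ["QUERY_STRING"]
            # 301 for safe methods; 308 keeps method and body for POST and friends.
            method = environ.get("REQUEST_METHOD", "GET")
            status = "301 Moved Permanently" if method in ("GET", "HEAD") else "308 Permanent Redirect"
            start_response(status, [("Location", target), ("Content-Length", "0")])
            return [b""]

        def start_with_hsts(status, headers, exc_info=None):
            headers = [(k, v) for k, v in headers if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", HSTS_VALUE))
            return start_response(status, headers, exc_info)

        return app(environ, start_with_hsts)
    return wrapped


def hello_app(environ, start_response):
    """Stand-in application (assumed) that the middleware protects."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello\n"]


def call(app, method, scheme, host, path="/", query=""):
    """Drive a WSGI app with a constructed environ; returns (status, headers, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    environ = {"REQUEST_METHOD": method, "wsgi.url_scheme": scheme, "HTTP_HOST": host,
               "PATH_INFO": path, "QUERY_STRING": query}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


secured = enforce_https(hello_app, allowed_hosts={"app.example.com"})

if __name__ == "__main__":
    print(call(secured, "GET", "http", "app.example.com", "/login", "next=%2Fhome"))
    print(call(secured, "GET", "https", "app.example.com"))
    print(call(secured, "GET", "http", "evil.example"))
```

In production the same rules usually live in the load balancer or reverse proxy rather than in application code, but the checks are the same: a fixed target host, method-preserving redirects, and HSTS on every TLS response so the redirect is only ever needed once per browser.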


Application Monitoring

  • At the application level, we produce audit logs for all system and application activity and ship them in real time over TLS-encrypted connections to a subprocessor for analysis and centralization, with archiving to AWS S3.
  • All access to KnowBe4 applications is logged and audited.
  • KnowBe4 uses a subprocessor to monitor application errors and notify technical staff of them in real time.
  • File integrity monitoring is performed periodically throughout the day, and any change to system files generates a security alert.
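File integrity monitoring, as mentioned in the last bullet, reduces to a baseline of content hashes and a comparison on each scan. The following is an added example of that mechanism, not KnowBe4's tooling: it hashes file contents rather than trusting modification times (which an attacker resets trivially), classifies differences as added, removed or modified, and runs a constructed scenario in a temporary directory in which one file is tampered with, one is planted and one is deleted between scans. The paths and contents are made up for the example.

```python
"""Minimal file integrity monitor: SHA-256 baseline and scan comparison.

Added example; the sample paths and file contents are constructed, not real system files.
"""
import hashlib
import os
import tempfile


def hash_file(path):
    """SHA-256 of a file's contents, read in chunks so large files are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Relative path -> content hash for every regular file under root.
    Content is hashed, not mtime: mtime is the first thing a tamperer restores."""
    digests = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            digests[rel] = hash_file(full)
    return digests


def compare(baseline, current):
    """Classify the differences between a stored baseline and a fresh scan.
    Any non-empty list is alert-worthy for a directory that should not change."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline three files, then between scans modify one
    (an account appended to passwd), plant one (a cron job) and delete one."""
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        write("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\n")
        write("etc/hosts", b"127.0.0.1 localhost\n")
        write("bin/sh", b"#!/bin/sh\n")
        baseline = snapshot(root)

        write("etc/passwd", b"root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
        write("etc/cron.d/persist", b"* * * * * root /tmp/x\n")
        os.remove(os.path.join(root, "bin", "sh"))
        return compare(baseline, snapshot(root))


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: the baseline must be stored somewhere the monitored host cannot rewrite, or an attacker simply re-baselines after tampering; and a scan that runs "periodically" only sees the state at scan time, so a file changed and restored between scans goes unnoticed, which is why inotify or audit-based watching is used alongside periodic hashing where that window matters.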


Security Audits

  • We periodically perform network- and application-level vulnerability scanning on our systems and applications.


Compliance

  • KnowBe4 complies with the U.S.-E.U. Safe Harbor Framework and the U.S.-Swiss Safe Harbor Framework as set forth by the U.S. Department of Commerce regarding the collection, use and retention of personal data from European Union member countries and Switzerland.
  • KnowBe4, Inc. has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement.
  • For customers wishing to use the EU instance of our applications, KnowBe4 maintains compliance with the EU Data Protection Directive (95/46/EC) and Article 29 Working Party guidance, subject to the customer's acceptance of the list of US-based data subprocessors, which can be provided upon execution of a mutual non-disclosure agreement.
