

        We here at KnowBe4 would like to make a few things clear with respect to security. First, we respect your privacy and take significant efforts to protect all your data. Second, we would never do anything with your data that we wouldn’t want you to do with ours. Third, we are a security company built and operated by highly security-minded individuals.

        Keeping our customers' data secure is the most important thing KnowBe4 does. We go to considerable lengths to ensure that all data is provided to KnowBe4 securely - keeping KnowBe4 systems and your data secure is fundamental to our business. Before you get started, we at KnowBe4 recommend you also review our Terms of Service and Privacy Policy.



        The KnowBe4 KMSAT product is FedRAMP Li-SaaS authorized.


        LI-SaaS authorized on 10/25/2019

        ●      Kevin Mitnick Security Awareness Training - KMSAT


        All KnowBe4 products are SSAE18 SOC2 Type 2 certified. This includes KMSAT, PhishER, and KCM GRC. You can download and review the SOC3 report for each product at the links below. The SOC3 report is a summary of the SOC2 Type 2 assessment.

        The KnowBe4 SOC2 assessments include all of the Trust Services Criteria:

        ●      Processing Integrity



        If you require a copy of the full SOC2 Type 2 report please work with your sales rep or customer success manager. 


        Audit Period: June 2018 - March 2019

        ●      KMSAT & PhishER

        ●      KCM GRC


        The 2019-2020 SOC2 audit cycle will conclude in March of 2020 and updated reports will be available around May 2020. Should you require a gap letter please work with your rep or customer success manager.

        We are listed under the Cloud Security Alliance (CSA) STAR Registry. https://cloudsecurityalliance.org/star/registry/knowbe4-inc/


        Information Security and Data Privacy Team:

        KnowBe4 has dedicated Information Security and Data Privacy teams with individuals holding relevant industry certifications.








        Access and Authentication Controls:

        KnowBe4 restricts access to customer and confidential data on a business need-to-know basis. Access is granted based on role within the organization. KnowBe4 enforces mandatory multi-factor authentication for all access to confidential data. Where applicable, access to systems is restricted by IP address.


        Data Handling and Data Privacy:

        • KnowBe4 maintains compliance with General Data Protection Regulation 2016/679 (GDPR).
        • We participate in the US-EU / US-Swiss Privacy Shield frameworks. We will work with your legal and contracts teams to execute formal Service Agreements, Model Clause Contracts, and Data Protection Agreements.
        • We have policies and procedures in place to comply with any applicable data privacy laws.

        For more information on types of data and for what purpose, please refer to the product tab of our Privacy Policy.


        Data Encryption:

        KnowBe4 leverages AWS for data encryption in transit (TLS) and at rest (AES-GCM 256).

        • KnowBe4 currently uses the TLSv1_2016 Security Policy on AWS Application Load Balancers and within AWS CloudFront. Details of this can be found here.
        • KnowBe4 uses the AWS Key Management Service (KMS) to enable data at rest encryption across our products. We use this for encrypting data within databases (RDS), and data stored within S3. AWS KMS uses the Advanced Encryption Standard (AES) algorithm in Galois/Counter Mode (GCM) with 256-bit secret keys.


        Data Center Location:

        KnowBe4 operates within Amazon Web Services (AWS). AWS follows the Shared Responsibility Model. AWS is responsible for the security ‘of’ the cloud and KnowBe4 is responsible for security ‘in’ the cloud. Information regarding the compliance of AWS data centers can be found on the AWS compliance website here.

        If you are required to review the data center SOC report, you can review the latest AWS SOC3 report located here: AWS SOC3 Report.


        KnowBe4 uses the following AWS regions:

        • KMSAT & PhishER & KCM GRC
          • US-East-1 (Northern Virginia)

        For any customers who wish to have their data reside within the EU we offer the following:

        • KMSAT & PhishER
          • EU-West-1 (Ireland)

        Note: Data is not shared between the US and EU data centers. You may request an account in each region but these will be independent of each other and data will not synchronize between accounts.


        Data Backups and Retention:

        KnowBe4 maintains 1 year of database backups and 3 years of audit and application logs. These backups are stored encrypted in accordance with the Data Encryption section listed above.

        To submit a data deletion request, please work with your sales representative or customer success manager.


        Awareness and Training:

        All KnowBe4 employees complete mandatory awareness and privacy training upon hire and at least once annually. We conduct simulated phishing and social engineering tests on an ongoing basis at least once a month.

        All KnowBe4 employees and contractors sign confidentiality and non-disclosure agreements upon hire and before any access to company or customer data is granted.


        Business Continuity / Disaster Recovery:

        KnowBe4 engineers have designed a cloud-first, highly scalable and resilient product architecture within AWS.

        Performance of systems within our product architecture is monitored for key metrics to ensure that the load on any one system is within an acceptable range. Should any component become overloaded or experience a fault, automated processes will execute to bring online additional temporary systems or to cycle out existing systems for new ones.

        Automation is built into the KnowBe4 architecture so system monitoring, updates, and corrective actions can take place as needed with no downtime.

        For status and uptime monitoring please visit https://status.knowbe4.com


        Code Security and Code Updates:

        The KnowBe4 R&D department leverages a Continuous Integration / Continuous Delivery (CI/CD) pipeline for managing code deployments. Code changes are peer reviewed, approved by separate QA staff, and tested in a staging environment before they are pushed into production. The staging and production environments are logically separated and no data is shared between them.


        Logging and Monitoring:

        KnowBe4 collects audit and application logs from all systems. These logs are stored encrypted in a centralized logging facility separate from the system generating the logs. The log entries are in line with industry standards for audit trails. KnowBe4 maintains these logs for a period of 3 years for the business purpose of investigating past system activity.


        Vulnerability Management:

        The KnowBe4 information security team performs web application vulnerability scans monthly. These scans are configured to run as authenticated scans. Any vulnerabilities found during these scans or any other vulnerability discovery activities are added to a vulnerability tracking system. There the vulnerabilities are verified, categorized, and evaluated for actual risk. Vulnerabilities are remediated in accordance with the schedule listed below: 

        CVSS Score      Remediation Timeline
        7.0 - 10.0      < 2 Weeks
        4.0 - 6.9       < 4 Weeks
        1.0 - 3.9       < 6 Months
        0 - 0.9



        Penetration Testing / Bug Bounty / Report Security Vulnerabilities:

        KnowBe4 participates in a paid private bug bounty program where vetted third-party researchers conduct ongoing penetration testing of our products.

        If you feel you have discovered a security flaw in our system you can sign up for the program and we will invite you to participate. You can submit any vulnerabilities through the bug bounty program and by contacting the KnowBe4 security team directly. We encourage you to test and we encourage you to share what you find.

        Security testing outside of this private program is not permitted. We do not permit any automated scanning as part of this program; researchers are instructed to perform manual testing so as not to be disruptive.


        [Latest Page Update: 12/18/2019]

