KnowBe4 Global Privacy Compliance | KnowBe4 (2023)

Last Updated: September 29, 2022

At KnowBe4, the protection of our customers’ personal data is vital. Many organizations around the globe are concerned with how their personal data is protected and processed in other countries. The purpose of this document is to provide you with information on how we comply with various global privacy laws and ensure the protection of your personal data. This document is for informational purposes only and the information presented is not legal or professional advice, is not to be acted on as such, may not be current, and is subject to change without notice. Additionally, this document is not intended to be a full or accurate list of global privacy laws nor is it intended to be a complete list of every jurisdiction in which KnowBe4 legally operates or processes data. If you have specific questions about how KnowBe4 processes your personal data, please visit https://www.knowbe4.com/product-privacy-notice to learn more.

JAPAN

What is the Japanese Privacy Act?

The Japanese privacy act, the Act on the Protection of Personal Information (“APPI”), came into effect in 2005 and was amended in 2017 to bring its data protection standards up to date.

Does KnowBe4 comply with the APPI?

Yes, we comply with the APPI and its amendments.

Does the APPI permit the cross-border transfer of personal data?

The APPI permits the cross-border transfer of data as long as appropriate standards are met. Under the APPI, our customers in Japan are considered “business operators” and we are considered the “service provider”. In order for business operators to transfer personal data to a service provider, they must request consent from individuals unless an exemption applies. One of the exemptions that applies to the cross-border transfer of personal data is where “the transfer is to the recipient that put into place a system compliant with the APPI with regard to handling of personal data.” In practice, this means that an organization outside of Japan that has appropriate technical and organizational security measures in place can receive personal data under this exemption.

We take security and privacy seriously and have put into place a system of robust controls to ensure the proper protection of customer data. Additionally, we offer a data processing agreement which provides you assurances on how we protect data.

How does KnowBe4 comply with the cross border transfer requirements under the APPI?

We have put in place robust controls to ensure that data is processed appropriately and in compliance with the APPI. Additionally, we have executed agreements with our subprocessors (or otherwise, sub-service providers) to ensure that customer data is also handled appropriately and only under your instructions.

CANADA

It is important to note that Canada has privacy laws at both the federal and provincial level. At the federal level, Canada’s primary privacy law is the Personal Information Protection and Electronic Documents Act (“PIPEDA”). The secondary Canadian privacy law is simply known as the Privacy Act.

Canadian provinces are also permitted to create their own provincial-level privacy laws that are deemed to be similar to PIPEDA.

Does KnowBe4 comply with PIPEDA?

Yes, we comply with PIPEDA.

Does PIPEDA permit the cross-border transfer of information?

Yes. There are no rules or restrictions in PIPEDA that prohibit organizations from transferring personal information to other countries such as the United States. The guidelines published by the Office of the Privacy Commissioner of Canada provide more insight on how cross-border data transfers should take place.


How does KnowBe4 ensure compliance with PIPEDA?

We have put in place robust controls to ensure that data is processed appropriately and in compliance with PIPEDA. Additionally, we have executed agreements with our subprocessors (or otherwise, sub-service providers) to ensure that customer data is also handled appropriately and only under our customers’ instructions. We also ensure that our products and services are provided with privacy and security top of mind to ensure the adequate protection of your organization’s personal data.

Alberta PIPA

Does KnowBe4 comply with Alberta’s PIPA?

Yes, we comply with Alberta’s Personal Information Protection Act (PIPA).

Does Alberta’s PIPA permit the cross-border transfer of information?

Yes, Alberta’s PIPA permits the cross-border transfer of information. There are a few steps that an organization may need to take first in regard to notifications and documentation. We suggest you consult your privacy expert or legal counsel on those matters.

How does KnowBe4 ensure compliance with Alberta’s PIPA?

We have put in place robust controls to ensure that your data is processed appropriately and in compliance with PIPA. Additionally, we have executed agreements with our subprocessors (or otherwise, sub-service providers) to ensure that your data is also handled appropriately and only under our customers’ instructions. We also ensure that our products are built with privacy and security top of mind to ensure the adequate protection of customer personal data.

British Columbia PIPA

Does KnowBe4 comply with British Columbia’s PIPA?

Yes, KnowBe4 complies with British Columbia’s Personal Information Protection Act (PIPA).

Does British Columbia’s PIPA permit the cross-border transfer of information?

Yes, British Columbia’s PIPA permits the cross-border transfer of information. There are a few steps that an organization may need to take first in regard to notifications and documentation. We suggest you consult your privacy expert or legal counsel on those matters.

How does KnowBe4 ensure compliance with British Columbia’s PIPA?

We have put in place robust controls to ensure that your data is processed appropriately and in compliance with PIPA. Additionally, we have executed agreements with our subprocessors (or otherwise, sub-service providers) to ensure that your data is also handled appropriately and only under our customers’ instructions. We also ensure that our products and services are provided with privacy and security top of mind to ensure the adequate protection of customer personal data.

Does British Columbia’s FIPPA permit the cross-border transfer of information?

Yes, British Columbia’s Freedom of Information and Protection of Privacy Act (“FIPPA”) permits the cross-border transfer of information under any of the following conditions:

  • (i) the individual consents to the transfer;
  • (ii) storage outside of Canada is permitted under FIPPA, including if the disclosure is necessary for installing, implementing, maintaining, repairing, troubleshooting, or upgrading an electronic system; or
  • (iii) data storage relates to payment to or by British Columbia’s government.

Quebec Privacy Act


Does KnowBe4 comply with Quebec’s Privacy Act?

Yes, KnowBe4 complies with the Act Respecting the Protection of Personal Information in the Private Sector (the “Privacy Act”).

Does Quebec’s Privacy Act permit the cross-border transfer of information?

Yes. Quebec’s Privacy Act requires that an organization that communicates personal information outside of Quebec take reasonable steps to ensure that the receiving entity does not: a) use or disclose the personal information for any purposes not relevant to the original collection purposes; and b) communicate the personal information to any third parties without consent, subject to limited exceptions.

How does KnowBe4 ensure compliance with Quebec’s Privacy Act?

Quebec’s Privacy Act requires that organizations execute a data processing agreement with their service provider(s). We provide our customers a robust data processing agreement which incorporates appropriate technical and organizational security measures which may be found here.

Nova Scotia PIIDPA

Does KnowBe4 comply with Nova Scotia’s PIIDPA?

Yes, KnowBe4 complies with the Nova Scotia Personal Information International Disclosure Protection Act (“PIIDPA”).

Does Nova Scotia’s PIIDPA permit cross-border transfers of information?

Yes, PIIDPA permits the cross-border transfer of information under the following conditions:

  • (i) the individual consents;
  • (ii) it is stored outside of Canada for a purpose otherwise allowed under PIIDPA, including carrying out an agreement; or
  • (iii) the applicable public body’s head considers storage necessary for operational requirements of the public body.

UNITED STATES

Does KnowBe4 comply with the CCPA?

Yes, KnowBe4 complies with the California Consumer Privacy Act (“CCPA”) and its amendments.

Does KnowBe4 sell my data as defined in the CCPA?

No, we do not sell your information as defined in the CCPA.

How does KnowBe4 comply with the CCPA?

We have put in place robust technical and security measures to ensure the proper protection of your organization’s data. Additionally, we offer a CCPA addendum which may be found here to ensure that our customers are in compliance with the CCPA.

BRAZIL

Does KnowBe4 comply with the LGPD?


Yes, we comply with the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados, “LGPD”).

Does the LGPD permit the cross-border transfer of personal data?

The LGPD permits cross-border transfers of data as long as appropriate standards are met. We have implemented robust technical and security measures to ensure the proper protection of your data. Additionally, customers will be able to execute the Brazilian standard contractual clauses once they have been drafted and approved by the appropriate authorities.

How does KnowBe4 comply with the cross-border transfer requirements under the LGPD?

We have put in place robust controls to ensure that data is processed appropriately and in compliance with the LGPD. Additionally, we have executed agreements with our subprocessors (or otherwise, sub-service providers) to ensure that your data is also handled appropriately and only under our customers’ instructions.

EUROPEAN UNION (EU)

Does KnowBe4 comply with the GDPR?

Yes, we comply with the General Data Protection Regulation (“GDPR”).

Does the GDPR permit the cross-border transfer of personal data?

The GDPR permits cross-border transfers of data as long as appropriate safeguards are met. We have implemented robust technical and security measures to ensure the proper protection of information. Additionally, customers are able to execute our data processing agreement with standard contractual clauses with appropriate technical and organizational security measures which provides assurances that we are protecting and processing data in an adequate manner.

How does KnowBe4 comply with the cross-border transfer requirements under the GDPR?

We have put in place robust controls to ensure that data is processed appropriately and in compliance with the GDPR. Additionally, we have executed agreements with our subprocessors (or otherwise, sub-service providers) to ensure that your organization’s data is also handled appropriately and only under your instructions. We also offer our customers the option to execute standard contractual clauses with appropriate security measures to ensure the lawful transfer of personal data. Our DPA with standard contractual clauses may be found here.

UNITED KINGDOM (UK)

Does KnowBe4 comply with the UK GDPR?

Yes, we comply with the United Kingdom General Data Protection Regulation (“UK GDPR”).

Does the UK GDPR permit the cross-border transfer of personal data?

The UK GDPR permits cross-border transfers of data as long as appropriate safeguards are met. We have implemented robust technical and security measures to ensure the proper protection of information. Additionally, customers are able to execute our data processing agreement with the International Data Transfer Addendum (“IDTA”) with appropriate technical and organizational security measures which provides assurances that we are protecting and processing data in an adequate manner.

How does KnowBe4 comply with the cross-border transfer requirements under the UK GDPR?

We have put in place robust controls to ensure that data is processed appropriately and in compliance with the UK GDPR. Additionally, we have executed agreements with our subprocessors (or otherwise, sub-service providers) to ensure that your organization’s data is also handled appropriately and only under your instructions. We also offer our customers the option to execute standard contractual clauses with appropriate security measures to ensure the lawful transfer of personal data. Our DPA with the International Data Transfer Addendum may be found here.


Does KnowBe4 comply with the PDPA?

Yes, we comply with the Personal Data Protection Act (“PDPA”).

Does the PDPA permit the cross-border transfer of personal data?

The PDPA permits cross-border data transfers as long as the organization transferring the personal data ensures that the recipient provides a level of protection comparable to the standards outlined under the PDPA.

How does KnowBe4 comply with the cross-border transfer requirements under the PDPA?

The PDPA allows for cross-border transfers so long as the receiving party provides adequate levels of protection. We have implemented robust technical and security measures to ensure the proper protection of your information. We provide our customers a data processing agreement which incorporates appropriate technical and organizational security measures which may be found here.

AUSTRALIA

Does KnowBe4 comply with the Australian Privacy Act of 1988?

Yes, KnowBe4 complies with the Australian Privacy Act of 1988.

Does the Australian Privacy Act of 1988 permit the cross-border transfer of personal data?

Yes, however in order to do so, the transferring entity must take reasonable steps to ensure the overseas recipient does not violate the Australian Privacy Principles outlined in the Privacy Act of 1988.

How does KnowBe4 comply with the cross-border transfer requirements under the Australian Privacy Act of 1988?

We have implemented robust technical and security measures to ensure the proper protection of information. We provide our customers a data processing agreement which incorporates appropriate technical and organizational security measures which may be found here.

SAUDI ARABIA

What is the Saudi Personal Data Protection Law (PDPL)?

The PDPL is the Kingdom of Saudi Arabia’s personal data protection law that is anticipated to come into effect in March 2023.

However, the Saudi Data & Artificial Intelligence Authority (SDAIA), the supervisory authority for the law, could further delay when the law applies to organizations outside the Kingdom and those that process personal data of Saudi residents, for a period of up to five (5) years.

Does KnowBe4 comply with the upcoming PDPL?

Yes, KnowBe4 will comply with the upcoming PDPL.

Does PDPL permit the cross-border transfer of personal data?

Yes, the PDPL does permit the cross-border transfer of personal data in specific instances, such as when providing services to individuals requires the transfer of personal data outside the Kingdom. The SDAIA will also need to provide written approval of the cross-border transfer as well.


How will KnowBe4 comply with the cross-border transfer requirements under the PDPL?

We have put in place controls to ensure that personal data would be processed appropriately and in compliance with PDPL. Additionally, we have executed agreements with our subprocessors (or otherwise, sub-service providers) to ensure customer data is handled appropriately and only under our customers’ instructions. We also ensure that our products and services are provided with privacy and security top of mind to ensure adequate protection of your organization’s personal data.

Where required, KnowBe4 will seek the SDAIA’s written approval for the cross-border transfer and storage of customer information that is necessary to provide our services.

FAQs

Is KnowBe4 GDPR compliant?

Does KnowBe4 comply with the GDPR? Yes, we comply with the General Data Protection Regulation (“GDPR”).

Who does the GDPR apply to at KnowBe4?

The subject matter of the data processing to be carried out by KnowBe4 is: current employees and contractors of the Customer.

Is KnowBe4 a real company?

KnowBe4 is the world's largest integrated platform for security awareness training combined with simulated phishing attacks.

What are the requirements for KnowBe4?

Internet Explorer, Firefox, and Safari require Flash Player 6.0 or higher (Chrome has Flash built-in). A minimum screen resolution of 800×600 is required to view courses. Pop-up blocker disabled.

Is GDPR compliance mandatory?

Which companies does the GDPR affect? Any company that stores or processes personal information about EU citizens within EU states must comply with the GDPR, even if they do not have a business presence within the EU. Specific criteria for companies required to comply are: A presence in an EU country.

How do you check if you are GDPR compliant?

ImmuniWeb is a website security test that includes GDPR compliance. When you enter the website address, it scans the entire site for various compliance. You get a detailed report on the security test that includes your score for GDPR compliance. You can download the report as PDF as well.

Which companies must comply with GDPR?

All organizations that collect personal data of any citizen of a EU member state must comply with the GDPR. That includes organizations that reside outside the Union -- they still must comply with the GDPR if they're collecting a member state citizen's personal data.

Who can certify GDPR compliance?

Article 42 specifies that GDPR compliance certification can be obtained from either competent supervisory authorities, accreditation certification bodies, or eventually, the EDPB—which will offer a “common certification.”

Who is responsible for enforcing GDPR compliance?

It will be enforced by the Information Commissioner's Office (ICO).

Is KnowBe4 secure?

KnowBe4 uses the AWS Key Management Service (KMS) to enable data at rest encryption across our products. We use this for encrypting data within databases (RDS), and data stored within S3. AWS KMS uses the Advanced Encryption Standard (AES) algorithm in Galois/Counter Mode (GCM) with 256-bit secret keys.

Is KnowBe4 a good company?

KnowBe4 really cares about employee growth, training and certificates are encouraged for everyone. The culture is also amazing, there is never a dull moment and plenty of team building activities. It's nice to be somewhere that has your back and works together as one solid unit.

Who owns KnowBe4?

Stu Sjouwerman (pronounced “shower-man”) is the founder and CEO of KnowBe4, Inc., which hosts the world's most popular integrated Security Awareness Training and Simulated Phishing platform. A serial entrepreneur and data security expert with more than 30 years in the IT industry, Sjouwerman was the co-founder of Inc.

Is KnowBe4 PCI compliant?

Sjouwerman further stated, “It is encouraging to see that using KnowBe4's Kevin Mitnick Security Awareness Training program allows our customers to fully comply with the PCI requirements.”

Who are KnowBe4 competitors?

Competitors and Alternatives to KnowBe4
  • Cofense.
  • SANS Institute.
  • PhishLabs.
  • Broadcom (Symantec)
  • Sophos.
  • Infosec.
  • Proofpoint.
  • Rapid7.

What is KnowBe4 Compliance Plus?

KnowBe4's Compliance Plus training is interactive, relevant and engaging with real-life simulated scenarios to help teach your users how to respond in a challenging situation. The content addresses difficult topics such as sexual harassment, diversity and inclusion, discrimination and business ethics.

What is the difference between HIPAA and GDPR?

GDPR focuses on protecting EU citizens' PII. Therefore, any organization that handles an EU patient's information can be subject to GDPR regulations. In contrast, HIPAA is focused on organizations – covered entities and business associates – that handle protected health information (PHI) within the United States.

What is the difference between CCPA and GDPR?

The CCPA protects consumers—natural persons who are California residents. The GDPR focuses on data subjects—any identifiable person residing in the E.U. who can be identified directly or indirectly. Both regulations have a global reach, though under slightly different circumstances.

Do US websites need to comply with GDPR?

Yes, the GDPR does apply to US websites that collect the personal data of EEA residents. Personal data includes any identifying information, such as names, contact information, and device details. Non-compliance with the GDPR could lead to fines and legal penalties, even for US websites.

What does it mean to be compliant with GDPR?

At its core, GDPR Compliance means an organization that falls within the scope of the General Data Protection Regulation (GDPR) meets the requirements for properly handling personal data as defined in the law. The GDPR outlines certain obligations organizations must follow which limit how personal data can be used.

What does GDPR compliance look like?

GDPR compliance involves implementing processes and procedures to protect the personal data of EU citizens, such as ensuring that data is collected and stored securely, informing individuals of how their data is being used, and allowing individuals to see, amend, or delete their data.

How do I make sure my company is GDPR compliant?

10-Step Checklist to be GDPR-Compliant
  1. Know All of the Data Your Business Collects. ...
  2. Appoint a Data Protection Officer (DPO) ...
  3. Create a GDPR Diary. ...
  4. Evaluate Your Data Collection Requirements. ...
  5. Instantly Report Data Breaches. ...
  6. Be Transparent About Data Collection Motives.

What is the US equivalent of GDPR?

The CCPA (California Consumer Privacy Act) is the US equivalent of GDPR. This comprehensive data privacy act gives Californian residents greater transparency and control over how businesses collect and use their personal information.

How many US companies are GDPR compliant?

Key GDPR Compliance Statistics. Nearly 8 out of 10 US companies took steps to comply with the GDPR. 27% of companies spent over half a million dollars to become GDPR compliant. There have been over €359 million in major GDPR fines so far.

Are US companies affected by GDPR?

So, does the GDPR apply to American companies? Unfortunately, yes. The GDPR affects US companies, even if they're not specifically targeting EU or UK customers. The GDPR is enforced by the EU, and international treaties give them the authority to go after foreign bad actors.

How much does a GDPR certificate cost?

Fees information

The course is for Rs. 1,999 (Exclusive of taxes).

Is GDPR compliance the same as certification?

GDPR certification is a new feature of GDPR law that allows people or entities to receive certification from approved certification bodies to show both the EU and consumers that they are in compliance with GDPR. Certification is scalable and can be different for organizations of differing sizes and types.

Is there an official GDPR certification?

Certify and demonstrate the conformity of your data processing activities with the General Data Protection Regulation (GDPR) and complementary data protection regulations with the Europrivacy Data Protection Certification Scheme. Customer retention is a vital part of any business strategy.

What are the 7 principles of GDPR?

According to the ICO's website, The GDPR was developed based upon seven principles: 1) lawfulness, fairness and transparency; 2) purpose limitation; 3) data minimization; 4) accuracy; 5) storage limitation; 6) integrity and confidentiality (security); and 7) accountability.

Who does GDPR not apply to?

The GDPR does not apply if: the data subject is dead. the data subject is a legal person. the processing is done by a person acting for purposes which are outside his trade, business, or profession.

Who owns GDPR in a company?

It's not just an IT issue: the GDPR impacts HR, legal, marketing, procurement, training and security. It's therefore key that your Board or management team takes ownership of GDPR compliance and considers all these areas of the business. GDPR is everyone's business.

Is eu.knowbe4.com legit?

Is the email from do-not-reply@training.knowbe4.com legitimate? Yes, TCS has contracted with KnowBe4 to provide phishing training to all faculty, staff, and students. You will receive emails from do-not-reply@training.knowbe4.com requesting that you complete security awareness training on a recurring basis.

Does the Data Protection Act include GDPR?

The Data Protection Act 2018 is the UK's implementation of the General Data Protection Regulation (GDPR). Everyone responsible for using personal data has to follow strict rules called 'data protection principles'. They must make sure the information is: used fairly, lawfully and transparently.

Can a US company be GDPR compliant?

Although the GDPR is intended to protect the personal information and data security of EU citizens and residents, it can apply to organizations that do not have locations or employees in the EU, including U.S. businesses, nonprofits, and universities.

Does GDPR apply to US citizens?

Due to its effectiveness and abilities, GDPR extends to manage data regardless of whether it's Europe, the US, or any part of the world. It is known as the 'extra-territorial effect'. The legislation is not restricted to European businesses and citizens, and it can be applied and used for businesses outside Europe.

What is a phishing email (KnowBe4)?

Phishing is the process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity using bulk email which tries to evade spam filters.

How common is cybercrime (KnowBe4)?

Cybercrime Happens Way More Than You Think!

In fact, one happens every 36 seconds!

What is the difference between a privacy policy and GDPR?

In the context of the GDPR, a privacy notice is a publicly accessible document produced for data subjects. By contrast, a GDPR privacy policy is an internal document explaining the organisation's obligations and practices for meeting its compliance requirements.

Is GDPR the same as the Privacy Act?

The GDPR defines pseudonymised data, whereas the Privacy Act refers to the term in relation to the identity of individuals when dealing with an APP entity. The Privacy Act defines the term de-identified information as information which is no longer about a natural person.

What are 4 of the key principles of the GDPR?

Data minimisation. Accuracy. Storage limitation. Integrity and confidentiality (security)

Article information

Author: Ouida Strosin DO

Last Updated: 03/20/2023