KnowBe4 Security Awareness Training: A GDPR Compliance Paradox

Disclosure: This article contains affiliate links. We may earn a commission at no extra cost to you.

Here's a delicious irony: several Dutch government organizations are using KnowBe4 for security awareness training and phishing simulations. The goal? Teach employees to recognize security threats and handle data responsibly.

The problem? KnowBe4 itself appears to have significant GDPR compliance issues.

We're not naming specific organizations, but we can confirm that multiple Dutch public sector bodies rely on this vendor for their security awareness programs. And after examining KnowBe4's own documentation and technical implementation, what we found raises serious questions about vendor due diligence in the public sector.

Disclosure: This analysis is based on KnowBe4's publicly available sub-processor documentation, their Data Storage Locations page, and their website's technical implementation as of January 28, 2026. Findings may change if KnowBe4 updates their practices.

The Irony: Teaching Security While Ignoring Privacy

KnowBe4 is one of the world's largest security awareness training providers. Their core product: simulated phishing attacks that test whether your employees will click malicious links, combined with training modules to improve security behavior.

The pitch to organizations is compelling: "Your employees are your weakest link. Let us help you train them to recognize threats."

But here's what we found when we looked under the hood:

Issue 1: Tracking Without Consent

Visit KnowBe4's marketing website (www.knowbe4.com) and inspect the network requests. Before any cookie consent interaction, the page loads:

  • Google Tag Manager (GTM-N7W93L8)
  • Google Ads conversion tracking (ID: 978904139)
  • DoubleClick remarketing pixel
  • HubSpot tracking (Portal ID: 241394)
  • Qualified.com (lead intelligence)

No visible cookie consent banner. No opt-in before tracking fires. The scripts load immediately on page load.

Their support site (support.knowbe4.com) has HubSpot cookie consent code in the HTML, but no visible consent banner appears either. The code is there; the actual consent mechanism isn't.

For a company that trains others on security best practices, this is... not a great look.

Why this matters: Under GDPR, non-essential tracking cookies require explicit consent before being set. Loading Google Analytics and marketing pixels on page load without consent is a textbook GDPR violation in the EU.

Issue 2: The Login Portal and Session Monitoring

The EU login portal (eu.knowbe4.com) and product functionality use several analytics services. According to KnowBe4's own sub-processor documentation, these include:

  • Datadog (US AWS) - Application/system logging, analytics, and monitoring
  • Mixpanel (US GCP) - Capture metrics to improve product functionality
  • Pendo.io (US GCP) - Navigation usage insights

These tools capture detailed behavioral data:

  • Navigation patterns and feature usage
  • System logging information
  • Security logging information
  • Session behavior and interactions

For government employees using their security awareness training platform, this means their behavior is recorded and sent to US-based analytics providers even when their organization has chosen "EU storage."

The "EU Storage" Illusion

KnowBe4 offers customers the option to store their primary data in the EU. Sounds good, right? Problem solved?

Not quite.

To their credit, KnowBe4 does offer multiple data storage locations for their primary products:

| Product | Available Regions |
| --- | --- |
| KSAT & PhishER | USA, Canada, UK, EU (Ireland), EU (Germany) |
| KCM GRC | USA, EEA/UK |
| Defend | USA, UK, EU, Australia |
| Prevent, Protect, etc. | USA, UK, EU, Australia |

But here's the catch. According to KnowBe4's own sub-processor documentation, regardless of where you choose to store your primary data, the following services always run in the United States:

[Figure: KnowBe4's official Product Functionality Sub-Processors table, showing US-based services such as Datadog, Mixpanel, and Pendo.io (January 2026)]

Here's the complete list from KnowBe4's official sub-processor documentation:

Product Functionality Sub-Processors (Always Active)

| Sub-Processor | Location | Purpose | Data Types |
| --- | --- | --- | --- |
| Datadog | US AWS Data Centers | Application/system logging, analytics, monitoring | Security logging information |
| Mixpanel | US GCP Data Centers | Capture metrics to improve product functionality | Navigation Usage Insights |
| Pendo.io | US GCP Data Centers | Capture metrics to improve product functionality | Navigation Usage Insights |
| Wiz.io | US AWS Data Centers | Cloud security posture management | Configuration and Asset Metadata |
| LaunchDarkly | US Data Centers | Product functionality and feature flags | Account Identifiers, Limited User Data |
| Mailgun (Sinch) | United States | Email delivery for alerts/notifications | Email notifications to users |
| ElevenLabs | US AWS Data Centers | Voice/video processing for training | Audio samples (if feature used) |

Support Services Sub-Processors (Always Active)

| Sub-Processor | Location | Purpose |
| --- | --- | --- |
| HubSpot | US AWS Data Centers | Customer relationship management (CRM) |
| Salesforce | US Salesforce Data Centers | Customer relationship management (CRM) |
| Zendesk | US AWS Data Centers | Support ticket management |
| Zoom | United States | Telephony and technology tools for support |
| Churnzero | United States | Customer Success |
| Google Workspace | United States | Customer Support |
| Forethought.ai | United States | Customer Support Ticket Management |
| Gainsight (inSided) | US AWS Data Centers | Community engagement platform |

So when a government organization chooses "EU storage" for their KnowBe4 instance, their employee data still flows through numerous US-based services for monitoring, analytics, email delivery, and support.

KnowBe4's own Data Storage Locations page acknowledges this directly:

From KnowBe4's documentation:

"You are able to select your data storage location based on your data localization requirements. However, please note that we use ancillary services for certain functions, so these services may store data in another location."

The "EU storage" option is more accurately described as "primary database in EU, everything else wherever our sub-processors operate."

Why This Matters for Government Organizations

For private companies, these issues might be merely embarrassing. For government organizations, they're potentially disqualifying.

GDPR (AVG) Requirements

Phishing simulations process sensitive personal data:

  • Email addresses of all employees
  • Click behavior (who clicked, when, how many times)
  • Training completion rates per employee
  • Risk scores and security profiles
  • Behavioral patterns over time

This is employee profiling data. It reveals who the "security risks" are in your organization. Under GDPR, this requires:

  • A valid legal basis (likely legitimate interest with balancing test)
  • Data minimization
  • Purpose limitation
  • Appropriate security measures
  • Valid transfer mechanisms for non-EU processing

When that data flows to US sub-processors, the transfer mechanism question becomes critical. Standard Contractual Clauses exist, but the Schrems II ruling raised questions about their adequacy for transfers to countries with broad surveillance powers.

NIS2 Supply Chain Requirements

The NIS2 Directive introduces explicit supply chain security requirements. Essential and important entities must:

  • Assess security risks from direct suppliers
  • Evaluate sub-processor security practices
  • Ensure contractual compliance obligations flow down
  • Monitor supplier security posture

A security awareness vendor that doesn't implement basic cookie consent is a supply chain risk signal. It suggests a gap between what they sell (security awareness) and what they practice (security hygiene).

BIO/BIO2 Framework (Dutch Government)

The Baseline Informatiebeveiliging Overheid (BIO) framework sets baseline security requirements for Dutch government organizations. Key relevant requirements:

  • Data classification: Employee behavioral data requires appropriate handling
  • Third-party risk management: Vendors must meet BIO standards
  • Data location awareness: Know where your data is processed
  • Incident response: Understand your supply chain's exposure

BIO2 (the updated framework) puts even more emphasis on supply chain security, aligning with NIS2 requirements.

Digital Sovereignty

The Dutch government has made digital sovereignty a policy priority. The goal: reduce dependency on non-European technology providers, especially for sensitive government functions.

Using a US-headquartered vendor that processes employee behavioral data through US infrastructure runs counter to this policy direction. It's not illegal, but it's not aligned with stated strategic goals.

The CLOUD Act factor: US companies are subject to the CLOUD Act, which allows US authorities to request data regardless of where it's physically stored. This means "EU storage" provides limited protection when the vendor is US-headquartered.

What We Actually Found

To be fair, let's separate confirmed findings from reported concerns:

Confirmed (Verified Independently)

  • Marketing website loads tracking without visible consent banner
  • Support website has consent code but no visible banner
  • Sub-processor list shows extensive US-based data processing
  • "EU storage" does not mean EU-only processing

Reported (Based on User Reports)

  • EU login portal loads Datadog RUM without consent
  • Session replay functionality active on authenticated pages

What KnowBe4 Claims

  • GDPR compliance (they have a DPA template)
  • SOC 2 Type II certification
  • ISO 27001 certification
  • EU data storage option available

The certifications are real. The question is whether implementation matches certification requirements, especially regarding consent and data transfers.

The Broader Lesson: Vendor Due Diligence

This isn't really a KnowBe4 story. It's a vendor assessment story.

Organizations, especially government organizations, often conduct vendor assessments that check boxes:

  • Do they have a DPA? Yes.
  • Are they SOC 2 certified? Yes.
  • Do they offer EU storage? Yes.
  • Do they have a privacy policy? Yes.

Assessment complete. Vendor approved.

But those checkboxes don't tell you:

  • What sub-processors actually handle your data
  • Where those sub-processors are located
  • Whether the vendor practices what they preach
  • Whether their own website is compliant

A Better Vendor Assessment Approach

For security and privacy vendors specifically, consider:

  1. Test their website: Does the vendor's own site implement proper consent? Use browser dev tools to check what loads before consent.
  2. Read the sub-processor list: Not just "do they have one" but what does it actually say? Where is data processed?
  3. Trace the data flows: From your employees' browsers through to final storage. Every hop matters.
  4. Check for US nexus: Is the vendor US-headquartered? Are key sub-processors US-based? What are the CLOUD Act implications?
  5. Verify claims independently: "EU storage" might not mean what you think. Read the fine print.
  6. Consider the irony factor: A security awareness vendor with poor security hygiene should raise flags.
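The check described under Issue 1 and in step 1 above (and again in the dev-tools tip later in this article) becomes repeatable if you export the DevTools Network tab as a HAR file and audit it offline instead of eyeballing the request list. The script below is an added example written for this article; it is not KnowBe4's code or any cited tool's. The tracker catalogue is a small hand-made mapping, the public-suffix rule is simplified, and the HAR excerpt is constructed to mirror the requests listed under Issue 1.

```python
"""Audit a DevTools HAR export for third-party trackers that fire before consent.

Added example (not code from the original article or from KnowBe4). Assumptions:
TRACKER_CATALOGUE is a small hand-made hostname catalogue, SAMPLE_HAR is a
constructed excerpt shaped like a browser HAR export (mimicking the requests
the article lists), and registrable_domain() uses a simplified public-suffix
rule rather than the full Public Suffix List.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime
from urllib.parse import urlsplit

# Hostname suffix -> tracker label (assumption: hand-maintained, not exhaustive).
TRACKER_CATALOGUE = {
    "googletagmanager.com": "Google Tag Manager",
    "googleadservices.com": "Google Ads conversion tracking",
    "doubleclick.net": "DoubleClick remarketing",
    "hs-scripts.com": "HubSpot tracking",
    "qualified.com": "Qualified.com lead intelligence",
}

# Public suffixes made of two labels; all others are treated as one label (simplification).
_TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.nz"}


def registrable_domain(host: str) -> str:
    """Return the eTLD+1 of a hostname, e.g. 'js.hs-scripts.com' -> 'hs-scripts.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in _TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def classify_tracker(host: str) -> str | None:
    """Map a hostname to a catalogue label, or None if it is not a known tracker."""
    host = host.lower()
    for suffix, label in TRACKER_CATALOGUE.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None


def _har_time(value: str) -> datetime:
    # HAR uses ISO 8601 timestamps; fromisoformat() wants '+00:00' rather than 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


@dataclass
class Finding:
    url: str
    tracker: str
    started: datetime
    identifiers: list[str] = field(default_factory=list)  # container / portal / conversion IDs seen in the URL


def third_party_domains(har: dict, page_url: str) -> set[str]:
    """Every registrable domain in the capture except the page's own
    (the 'filter by third-party domains' step, done programmatically)."""
    own = registrable_domain(urlsplit(page_url).hostname or "")
    return {
        registrable_domain(urlsplit(e["request"]["url"]).hostname or "")
        for e in har["log"]["entries"]
    } - {own}


def audit_before_consent(har: dict, page_url: str, consent_at: str | None = None) -> list[Finding]:
    """Return catalogue trackers whose request started before the consent interaction.

    consent_at is the ISO timestamp of the user's consent click; None means no
    consent interaction was observed, so every tracker request is reported.
    """
    own = registrable_domain(urlsplit(page_url).hostname or "")
    cutoff = _har_time(consent_at) if consent_at else None
    findings: list[Finding] = []
    for entry in har["log"]["entries"]:
        url = entry["request"]["url"]
        host = urlsplit(url).hostname or ""
        if registrable_domain(host) == own:
            continue  # first-party request, not a tracker concern here
        tracker = classify_tracker(host)
        if tracker is None:
            continue  # third party, but not in the catalogue
        started = _har_time(entry["startedDateTime"])
        if cutoff is not None and started >= cutoff:
            continue  # loaded after consent, which is the expected behaviour
        ids = re.findall(r"GTM-[A-Z0-9]+|\b\d{6,}\b", url)
        findings.append(Finding(url, tracker, started, ids))
    findings.sort(key=lambda f: f.started)
    return findings


SAMPLE_HAR = {  # constructed excerpt; the IDs echo the ones named in the article
    "log": {"entries": [
        {"startedDateTime": "2026-01-28T10:00:00.000Z", "request": {"url": "https://www.knowbe4.com/"}},
        {"startedDateTime": "2026-01-28T10:00:00.120Z", "request": {"url": "https://www.knowbe4.com/assets/site.css"}},
        {"startedDateTime": "2026-01-28T10:00:00.250Z", "request": {"url": "https://www.googletagmanager.com/gtm.js?id=GTM-N7W93L8"}},
        {"startedDateTime": "2026-01-28T10:00:00.400Z", "request": {"url": "https://googleads.g.doubleclick.net/pagead/viewthroughconversion/978904139/"}},
        {"startedDateTime": "2026-01-28T10:00:00.500Z", "request": {"url": "https://js.hs-scripts.com/241394.js"}},
        {"startedDateTime": "2026-01-28T10:00:00.650Z", "request": {"url": "https://js.qualified.com/qualified.js"}},
        {"startedDateTime": "2026-01-28T10:00:01.000Z", "request": {"url": "https://cdn.example-cdn.net/fonts.css"}},
    ]}
}

if __name__ == "__main__":
    page = "https://www.knowbe4.com/"
    print("Third-party domains:", sorted(third_party_domains(SAMPLE_HAR, page)))
    for f in audit_before_consent(SAMPLE_HAR, page):
        print(f"{f.started.time()}  {f.tracker:32} {f.identifiers}  {f.url}")
```

To use it on a real capture, open the site in a fresh profile, record the Network tab from the first request, export the capture as a HAR file and load it with json.load(); if you did interact with a consent banner, pass the timestamp of that click (for example, the startedDateTime of the consent-logging request) as consent_at. Leaving consent_at as None models a page with no banner at all, which is exactly the situation Issue 1 describes: every catalogue hit is then a tracker that fired without consent.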

What Should Organizations Do?

If your organization uses KnowBe4 or similar vendors, consider these steps:

Immediate Actions

  • Review your DPA: Does it cover all sub-processors? Are transfer mechanisms specified?
  • Check data flows: Request documentation of exactly where your employee data goes
  • Assess risk tolerance: Is US data processing acceptable for your use case?
  • Document your assessment: NIS2 requires demonstrable supply chain due diligence

For New Vendor Selection

  • Prioritize EU-headquartered vendors: Reduces CLOUD Act exposure
  • Verify EU-only processing: Not just storage, but all data handling
  • Test before buying: Check their website compliance first
  • Consider alternatives: There are EU-based security awareness platforms

Questions to Ask Vendors

  1. Where is your company legally headquartered?
  2. Which sub-processors handle our data, and where are they located?
  3. Can we get EU-only processing, including all monitoring and analytics?
  4. What transfer mechanisms do you use for any non-EU data flows?
  5. Why does your website load tracking before consent?

Check your own exposure: Wondering what trackers your browser is exposed to? Visit myip.foo to see your current IP and network configuration. Then check for tracking with browser dev tools (F12 → Network → filter by third-party domains).

Common Questions

Does KnowBe4 store data in the EU?

KnowBe4 offers EU storage as an option, but their sub-processor documentation shows that many services always run in the US regardless of storage location choice. These include Datadog, Mixpanel, Pendo.io, Mailgun, HubSpot, Salesforce, Zendesk, and Google Workspace.

Is KnowBe4 GDPR compliant?

KnowBe4 claims GDPR compliance and offers a Data Processing Agreement. However, their marketing website loads tracking scripts without a visible consent mechanism, and the extensive use of US sub-processors raises transfer mechanism questions that require careful assessment.

What data does phishing simulation collect?

Phishing simulations collect email addresses, click behavior (who clicked what, when), training completion rates, risk scores, and behavioral profiles over time. This is personal data under GDPR that requires appropriate legal basis and security measures.

Why does US data processing matter?

US companies are subject to the CLOUD Act, which allows US authorities to request data regardless of storage location. For government organizations processing employee behavioral data, this creates legal and security considerations that may conflict with digital sovereignty goals and sector-specific requirements.

What alternatives exist?

Several EU-headquartered security awareness vendors offer similar functionality with EU-only data processing. Options include SoSafe (Germany), Hoxhunt (Finland), and Proofpoint (has EU options). Always verify sub-processor locations before selecting.

Conclusion

The KnowBe4 case illustrates a broader problem in vendor procurement: the gap between marketing claims and technical reality.

"EU storage" sounds like compliance. In practice, it often means "primary database in EU, everything else wherever we want." Sub-processor lists tell the real story, but few organizations read them carefully.

Key takeaways:

  • KnowBe4's marketing site loads tracking without visible consent
  • "EU storage" doesn't prevent US sub-processor data flows
  • At least 10 US-based services process data regardless of storage choice
  • Security awareness vendors should practice what they preach
  • Government organizations need deeper vendor due diligence
  • NIS2 supply chain requirements make this everyone's problem

The irony of a security awareness company not implementing basic privacy practices is almost too perfect. It's a reminder that certifications and marketing materials don't equal compliance. Verification requires looking at actual implementation.

For government organizations, the stakes are higher. Employee behavioral data is sensitive. Supply chain security is legally required. Digital sovereignty is a policy priority. A vendor that doesn't meet these standards, regardless of their marketing claims, is a risk worth reassessing.

Protect your privacy: Whether you're assessing vendors or protecting your own data, understanding your exposure is the first step.

  1. Check your IP and network at myip.foo
  2. Test for WebRTC leaks that bypass VPNs
  3. Use a VPN like NordVPN to encrypt your connection
  4. Review vendor sub-processor lists before signing contracts

Security awareness starts at home. Or in this case, on your own website.
