Privacy Matters at Contrast Security

Statement of Responsibility

The products and services of Contrast Security, Inc. represent a revolutionary approach to continuously protecting applications, just as the European Economic Area’s General Data Protection Regulation represents a revolutionary approach to affording individuals control over their personal information. Contrast Security, Inc. has a deep commitment to ensuring maximum Privacy and Information Security standards as evidenced by our product offerings and our internal compliance environment.

Accountability, Integrity, Transparency, Privacy by Design, and our Security Standards inform virtually all decisions at Contrast.

You will share information with us when you visit our website and use our services. We want to be up front with you regarding the information we collect, how we use it, how we share it, and the controls we give you to access, update, and delete your information. 

We also want to provide it in a way that is easy to understand. Legal and regulatory requirements are important, but our goal is to minimize any “legalese” that may be confusing. You are also welcome to contact privacy@contrastsecurity.com at any time.

If you are a resident of the European Economic Area, there is information included in our Privacy Policy that is specific to you. We have an entire section related to the General Data Protection Regulation (“GDPR”) at the end of our Privacy Policy.

We do not collect Personally Identifiable Information (“PII”) on our website unless you provide it voluntarily. PII is information that we can use to identify you as an individual and may include your name, address, company email, telephone number and any other information that is connected with you personally. 

If you are ever asked to provide PII or other confidential information to someone claiming to represent Contrast Security, please notify privacy@contrastsecurity.com. If you believe you have discovered a security vulnerability at Contrast or with one of our products or services, please contact us immediately at security@contrastsecurity.com and provide us with your contact information; please do not include any particulars of the alleged vulnerability in written format.

We are committed to safeguarding the information in our custody and under our control. Our compliance program is dynamic and proactive allowing us to stay abreast of the latest changes and enhancements to the ever-evolving global compliance landscape. We have implemented practical and sound administrative, technical and physical safeguards in an effort to protect against unauthorized access, use, modification and disclosure of this information.  This is a responsibility that we take seriously and we have strong internal controls around change management and employee accountability. 

A co-founder of Contrast Security is also a founder and major contributor to The Open Web Application Security Project (“OWASP”), where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. OWASP is a global not-for-profit charitable organization focused on improving the security of software. They provide impartial, practical information about AppSec to individuals, corporations, and other organizations worldwide. To further demonstrate the priority that Contrast gives to our compliance environment, we have a dedicated Data Protection/ Privacy and Compliance Officer with over 25 years’ experience whose primary function is oversight of our operational risk environment. They serve as our designated Data Protection Officer for the General Data Protection Regulation (“GDPR”).

Our hosted product environment resides with Amazon Web Services (“AWS”) and they adhere to the strictest compliance standards. They are CSA, GDPR, ISO, PCI and SOC-compliant and were the first Cloud Service Provider to adopt the new PCI DSS 3.2 assessment in advance of the mandatory February 1, 2018, deadline. While we do not accept any online payments or otherwise collect payment information, we believe this proactive compliance indicates the strength of our hosting provider’s information security framework. AWS is FedRAMP certified; meets all of the requirements for FERPA, HIPAA and the EU Data Protection Directive and, as of March 26, 2018, were fully compliant with the GDPR; more information can be found here: AWS/ GDPR Compliance. Contrast has entered into a Data Processing Addendum with AWS relative to the GDPR. AWS allows for alignment with FISMA and adheres to the NIST framework. For a full list of their Assurance Programs, please click here. We welcome any questions you may have about the steps we take to ensure the most robust and best-in-class standards and practices at Contrast.

Contrast Security and the EU-U.S. Privacy Shield Framework

Contrast Security, Inc. complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States.  Please see our Privacy Policy for additional information.

Contrast Security and the EU General Data Protection Regulation (GDPR)

As mentioned above, Contrast products represent a revolutionary approach to continuously protecting applications. The GDPR represents a revolutionary approach to affording individuals control over their personal information.

Contrast Security, Inc. has taken all measures to ensure compliance with the EU General Data Protection Regulation (GDPR) and will continue to monitor the international landscape for recommendations as to enhancements in conjunction with the enforcement of GDPR as of May 25, 2018. For more information on GDPR, please see our Privacy Policy below.

For more information on the EU GDPR, please click here.
For more information about NIST, please click here.

As of January 31, 2017, Contrast is SOC2 Type II compliant and, as of October 31, 2017, we maintain a rolling, annual SOC2 schedule.

Contrast Security—Privacy Policy

Updated 25 May 2018

Contrast Security, Inc. (“Contrast,” “we,” “us,” or “our”) is committed to protecting your applications from vulnerabilities. We have prepared this Privacy Policy to describe our protocol around the collection, use, and disclosure of data related to Contrast Products and Offerings (the “Service”) or related products and offerings. This Policy is incorporated into and an inherent component of our Terms of Service, which can be found at: Terms. The use of the collected information will be limited to the purpose of providing the Service for which you have engaged us.

Our Privacy Policy is subject to change due to modifications with regulatory agencies, best practices, or enhancements to the compliance and control environment. If we should ever make a substantial change to the way we use your Application Data or Personal Data, we will notify you by sending you an e-mail to the last e-mail address you provided to us and/or by prominently posting notice of the changes on our website. Any material changes to this Privacy Policy will be effective as of the date and time they are updated on our Website. These changes will be effective immediately for new users of our Website or Service. Continued use of our Website, Service, or related products, following notice of such changes shall indicate your acknowledgement of such changes and agreement to be bound by the terms and conditions of such changes.

Information About Our Website

When you visit our website at www.contrastsecurity.com (the “Website”), we collect your Internet Protocol (“IP”) address as well as other related information such as page requests, browser type, referring and exit pages, the files viewed on our site (for example, HTML pages, graphics, or other), operating system and average time spent on our Website. We use this information to help us understand our Website activity, and to monitor and improve our Website.

Cookies

Our Website uses a technology called "cookies". For more information about cookies, please click here: Cookies. Cookies are small, often encrypted text files, located in browser directories. They are used by web developers to help users navigate their websites efficiently and perform certain functions. You may set your browser to notify you when you receive a cookie or to not accept certain cookies. However, if you decide not to accept cookies from our Website, certain features may not function as designed. You may also remove cookies. To learn how to do so, please click here: Clear Cookies

Do-Not-Track

There are different ways you can prevent tracking of your online activity. One of them is setting a preference in your browser that alerts websites you visit that you do not want them to collect certain information about you. This is referred to as a Do-Not-Track (“DNT”) signal.

Contrast’s website may not recognize or react in response to DNT signals from Web browsers as, currently, there is no universally accepted standard for what a company should do when a DNT signal is detected. At such time as a standard is established, we will assess how to best respond to the signals. For more information, please click here: DNT Signals

Other Links

Our Website may contain links to other websites that we do not own or operate.  We provide these links as a convenience to you, for informational purposes only. These links are not intended as an endorsement of or referral to the linked websites.  The linked websites have separate and independent privacy statements, notices and terms of use.  We do not have any control over these websites, and therefore we have no responsibility or liability for the manner in which they operate their sites nor what they may collect, use, disclose, secure or otherwise do with personal information. If you choose to click on these links, you will leave our site and be redirected to another site. During this process, a third party may collect Personal or Anonymous Data from you and Contrast is not responsible for their use of your data. If you are in the European Union and have concerns about your data, you will need to contact the Privacy department of the third party or their designated Data Protection Officer.

Links to our Website may be featured or referenced on other websites that are not under our control and therefore we have no responsibility or liability for the manner in which they operate their sites. Be sure to understand the privacy policies and terms of service of any site you visit. If you believe another entity has posted a link to Contrast Security that is misleading or that compromises the integrity of Contrast Security, please contact privacy@contrastsecurity.com. Such notifications will be kept in strict confidence.

Social Media

Our website includes social media features, such as Twitter, LinkedIn, Google Circles, etc. If you access these sites, they may collect your IP address, the page on which you are visiting our site, and they may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our website. Your interactions with these features are governed by the privacy policy of the company providing it and not by Contrast Security. 

We encourage you to carefully read the privacy statement of any website you visit whether visiting www.contrastsecurity.com or another.

Collection and Use of Information

By submitting Application, Personal or other data or information (the “Data”), or making it available to Contrast, you agree to the terms of this Privacy Policy and you expressly consent to the processing of your Data in accordance with it. 

When you provide us with Data, it is primarily used to respond to requests or to allow us to provide better service to you. Once you become a customer of Contrast, we may send you a welcome e-mail, administrative e-mail notifications such as security or support and maintenance advisories; send promotional communications, request participation in a survey, send upgrades and special offers related to our Service and for other Contrast-specific purposes. We may contact you by telephone for the purpose of verifying information, reviewing potential vulnerabilities or to solicit feedback.

As we provide web application security services and products, our software is embedded into our clients’ web applications to monitor for vulnerabilities and prevent attacks.  For the purposes of performing the web application security services on behalf of our clients, we may collect and use Data through our clients’ web applications. We do not collect or use personal information through your web applications for any purpose other than to provide the Service to which you have subscribed; this includes providing support and answering questions that you may have about the Service. 

“Application Data” means data about the performance of your application, system data (such as version data, names of plug-ins, etc.) about the environment in which your application is operating, data about transactions in your application (“Transaction Data”), stack traces and extracts of source code for certain classes of errors, and other similar data related to your application.

Any Application Data we collect is used to notify you of vulnerabilities and attacks and to share application performance information with you. We may also aggregate Application Data across multiple accounts and use this data to create and publish industry benchmarks or comparative application performance metrics. By default, we obfuscate any Individual Transaction Data that we collect. You have the option of changing the configuration of our products so that individual Transaction Data is not obfuscated. You can also disable certain vulnerability rules and/ or the collection of certain types of Application Data collected through our Service. Information as to how to do so can be found here.   

You expressly consent to the sharing of your Application Data as described in this Policy.

Choices Regarding Your Information

We offer you choices regarding the collection, use, and sharing of your information. We may, from time to time, send e-mails regarding scheduled maintenance, or that promote the purchase of our Products or Service, etc. You may “opt out” of further communications by following the unsubscribe instructions embedded in the email or by contacting privacy@contrastsecurity.com. Should you decide to opt-out of receiving future communications, we will advise third-parties with whom we may be associated related to the servicing of your account to ensure you do not receive further communications from them. Regardless of whether you “opt out” or not, we may, but are not obligated to, send you emails and/ or notices related to updates to our Privacy Policy or Terms of Service.

When we delete account information, it will be deleted from the active database, but may remain in our archives. We will otherwise retain your information for as long as your account is active or as needed to provide you with the Service to which you have subscribed. It will also be retained as is necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

We will not disclose, sell or otherwise transfer personal information without your prior consent except as otherwise set out herein or, if applicable, in your Agreement or Contract for Service with us.

We may transfer or disclose personal information as follows:

  • In connection with our Website or the Service, we may transfer (or otherwise make available) personal information to third parties who provide services on our behalf. The information is limited to what they need to perform their designated functions, and they are not authorized to use or disclose personal information for their own marketing or other purposes. That condition is, and will continue to be, included in all Agreements that we have with any service provider or third party.
  • If Contrast is involved in a merger, sale or acquisition, we may transfer personal information in connection with the transaction. We will make every effort to notify you in advance of any such merger, sale or acquisition as well as any significant corporate reorganization or change in control.
  • Contrast may be required to provide personal information responsive to requests from a governmental, law enforcement or regulatory agency. We will only disclose personal information in response to:
    • A subpoena, warrant or other process issued by a court of competent jurisdiction;
    • A legal process having the same impact as a court-issued request for information where, if by refusing to do so, we would be in breach of local law and/or where we or our officers, executives or employees would be subject to liability for failing to honor such legal process;
    • A situation where such disclosure is necessary for us to enforce our legal rights pursuant to the laws of the jurisdiction from which such information was gathered; or
    • Lessening a serious and/ or imminent threat of bodily harm.

Where a disclosure of your information is required under such circumstances, we will promptly notify you, whenever possible, prior to complying with such requirements (to the extent we are not prohibited from doing so). To this end, it is important that you maintain current information with us at all times.

Please note:

  • You do not have to register in order to browse our Website.  However, if you are interested in a Product Demo, a Free Trial or downloading a whitepaper, for example, you will need to provide a name, company email address and a phone number. We use this information to communicate with you and otherwise administer your use of our Service for a trial period.
  • Contrast does not collect any Personally Identifiable Information (“PII”) unless you provide it voluntarily. We do not collect any financial information online. All Orders are placed and managed directly with a Client Manager.  
  • Our Website includes a “Careers” link.  If you apply for a job with us, you may provide certain personal information about yourself (cover letter, resume, references, eligibility, or other employment-related information).  We use this information for the purpose of processing and responding to your application for current and future career opportunities. If you are a resident of the European Economic Area, please see the GDPR Section below.
  • Our Website includes a “Contact Us” page. If you use this form, you may provide certain personal information about yourself (name, company email, phone number, company name, the number of employees at your company, your industry, your job function and the location of your company) plus the content of any message you choose to send. We use this information to contact you and will only do so for legitimate business purposes.
  • If you subscribe to our Blog notifications we collect your name, email address and company name. If you post comments on our blog, the information contained in your posting will be stored on our servers and other users will be able to see it. To request removal of your personal information from our blog or community forum, please contact marketing@contrastsecurity.com.
  • From time to time, Contrast may conduct surveys, the results of which drive improved customer service and/ or products. If you choose to participate in one of our surveys, we may collect information such as your name, company email, company phone number, company name, etc.
  • If you contact us otherwise to ask a question, provide feedback, file a complaint, etc. you may be asked for information that identifies you (such as your name, company affiliation, email address and/ or a telephone number) along with additional information we may need to promptly and accurately respond.  We may retain this information to assist you in the future and to improve our customer service, service offerings, and our Website.
  • We also collect other types of Data such as operating system and version, information about your application and operating environment, and other requested information if you contact us via e-mail regarding support for the Service.

The Children's Online Privacy Protection Act ("COPPA")

Contrast will never intentionally collect data from children who are 13 years of age or younger. If a parent, guardian or other individual suspects that a child 13 or younger has provided data to Contrast, that individual should immediately report such information to privacy@contrastsecurity.com. Contrast will only retain the data for as long as it is necessary to delete the information using every reasonable measure to protect against its unauthorized access or use or to comply with legal or regulatory requirements.

The Privacy Shield Program

Contrast Security, Inc. complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Contrast has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view our certification, please visit EU-U.S. Privacy Shield.

The key goals of Privacy Shield are to inform individuals about:

  • The type or identity of third parties to which an organization discloses personal information and the purposes for which it does so
  • The right of individuals to access their personal data
  • The choices and means an organization offers individuals for limiting the use and disclosure of their personal data
  • An organization being subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC)  
  • The possibility, under certain conditions, for the individual to invoke binding arbitration
  • The requirements for an organization to disclose personal information in response to lawful requests by public authorities, including to meet national security, law enforcement, or regulatory requirements
  • An organization’s liability in cases of onward transfers to third parties

In compliance with the Privacy Shield Principles, Contrast Security, Inc. commits to resolve complaints about our collection or use of your personal information.  EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Contrast Security, Inc. at: Privacy@contrastsecurity.com.

Contrast has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship.

Contrast self-certifies with Privacy Shield. A self-assessment is signed by a company officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. Contrast is required to respond promptly to individual inquiries, and other requests for information from the Department of Commerce relating to its adherence to the Privacy Shield Principles. 

Under Privacy Shield, an individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. Under Privacy Shield, Contrast must respond to individual complaints within 45 days. For additional information, visit: Privacy Shield/ Complaints.

Testimonials

We may post client endorsements on our web site which may contain personal information. All client endorsements require the voluntary consent of the client to provide the endorsement and for us to publicly post it. Should you provide an endorsement and later want it removed, please contact marketing@contrastsecurity.com.

Your California Privacy Rights

Pursuant to California Civil Code Section 1798.83, residents of the State of California have the right to request certain information relating to third parties to which the company has disclosed certain categories of personal information during the preceding year for the third parties’ direct marketing purposes. Alternatively, the law provides that a company that has a privacy policy that provides consumers choice regarding sharing personal information with third parties for those third parties’ direct marketing purposes, as Contrast does, may instead provide information on how to exercise that choice. If you would like to opt-out of this type of sharing with third parties, please email us at privacy@contrastsecurity.com with “Opt Out” as your subject line.

Contact

Please contact privacy@contrastsecurity.com with any questions or comments you may have or to file a complaint. We will use the same email address to update, and/ or correct any information that we may have on file for you.

You may also write to us at:

Contrast Security, Inc.
Attn: Privacy
240 3rd Street
Los Altos, CA 94022

Digital Millennium Copyright Act

Contrast respects the intellectual property rights of others and expects its users to do the same. In accordance with the Digital Millennium Copyright Act of 1998 (the “DMCA”), the text of which may be found on the U.S. Copyright Office website at http://www.copyright.gov/legislation/dmca.pdf, Contrast will promptly respond to claims of copyright infringement using our Service or Website. Such claims must be reported to Contrast’s Designated Copyright Agent identified below. 

If you are a copyright owner, authorized to act on behalf of a copyright owner, or are authorized to act under any exclusive right under copyright, please report alleged copyright infringements by completing the DMCA Notice of Alleged Infringement and delivering it to Contrast’s Designated Copyright Agent. Upon receipt of Notice as described below, Contrast will take whatever action it deems appropriate, including removal of the challenged content from the Website.

DMCA Notice of Alleged Infringement ("Notice")

  1. Identify the copyrighted work that you claim has been infringed or, if multiple copyrighted works are covered by this Notice, you may provide a representative list of the copyrighted works that you claim have been infringed.
  2. Identify the material or link you claim is infringing (or the subject of infringing activity) and to which access is to be disabled. If applicable, include the URL of the link shown on our Website or the exact location where such material may be found.
  3. Include both of the following statements in the body of the Notice:

    “I hereby state that I have a good faith belief that the disputed use of the copyrighted material is not authorized by the copyright owner, its agent, or the law (e.g., as a fair use).”

    “I hereby state that the information in this Notice is accurate and, under penalty of perjury, that I am the owner, or authorized to act on behalf of the owner, of the copyright or of an exclusive right under the copyright that is allegedly infringed.”

    You are required to provide your full legal name and your electronic or physical signature. It is helpful, but not required, to also provide your company affiliation (if applicable), mailing address, telephone number, and email address.

  4. Deliver your Notice to Contrast's Designated Copyright Agent:

    Contrast Security, Inc.
    Attn: Copyright Agent
    240 3rd Street
    Los Altos, CA 94022

Key changes to this Policy:

While we have not completely rewritten our Privacy Policy, we have reorganized it, added information specific to the General Data Protection Regulation and highlighted our Security Standards. In doing so, we believe we have provided:

  • Better navigation and user-friendly language. We have maintained active links, so you can quickly find the information that matters most to you. 
  • More control over your information with respect to privacy. Our policy explains how you can make choices about your information, and the measures we’ve put in place to keep your information secure with respect to the GDPR.
  • Better information regarding the use of our products for work. Many users have access to our services through their organizations (e.g., their employers), who control their accounts or use of our services. The updated policy clarifies our relationship to these users and explains the tools available to administrators of these users.

Updated 1 February 2018


Updated 9 January 2018


Updated 29 September 2017


Originally published 1 September 2016

The General Data Protection Regulation ("GDPR")

What is GDPR?

GDPR addresses the technological changes in the global business environment over the past two decades and seeks to harmonize the approach to data protection across the European Economic Area by establishing a single set of rules and associated penalties for non-compliance. The regulation was adopted on 27 April 2016 and becomes enforceable on 25 May 2018. The GDPR will replace the Data Protection Directive, a 20-year-old law with requirements similar to the GDPR but with varying interpretation and application among member states of the European Economic Area, and a lack of enforcement powers. GDPR has a global reach, however, since it also applies to companies outside the area that control or process the data of EU data subjects, making the GDPR the first global privacy standard.

Contrast Security has put processes in place to ensure GDPR compliance and to meet our obligations to our customers and employees. We have appointed a Data Protection Officer to oversee compliance, conducted a full Data Protection Impact Assessment (DPIA), and tuned our current incident response and breach notification policy and process to align with the requirements of the GDPR. We have also implemented business processes to deal with privacy-related requests outside the Contrast Security platform and to ensure any requests from your employees directed to us, are made known to you in a timely manner, if applicable.

Lawful Basis for Processing

The GDPR defines 6 lawful bases for processing:

  1. Consent: an individual has given clear consent for the processing of their personal data for a specific purpose.
  2. Contract: processing is necessary for a contract that a company has with an individual, or because they have asked a company to take specific steps before entering into a contract.
  3. Legal obligation: the processing is necessary for a company to comply with the law (not including contractual obligations).
  4. Vital interests: the processing is necessary to protect someone’s life.
  5. Public task: the processing is necessary for a company to perform a task in the public interest or for a company’s official functions, and the task or function has a clear basis in law.
  6. Legitimate interests: the processing is necessary for a company’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

Contrast processes all data based on Legitimate Interests.

Contrast Products and Services

Contrast Security collects limited Corporate and Personal Data. The data we collect can be categorized as:

  • data that we control for purposes of Corporate Business to Business marketing efforts,
  • data we may collect from your browsing on our public website, and
  • data collected from your Company’s indication of interest in our product or your application as a part of our security services. 

For business-to-business marketing efforts, we do not currently collect Personal Data (names and corporate email addresses) for the purpose of marketing our services. Rather, we only maintain contacts that have expressed interest in our services. If you have expressed interest in our services, we may contact you about updates or product offerings that may be of interest to you. If these communications are no longer of use, we invite you to unsubscribe at any time. Contrast believes we have a legitimate interest in offering businesses more information about our services, and we have controls in place to ensure that the way in which we store and handle such data is subject to our Information Security Program.

Contrast Security does not collect “Personal Data” from Data Subjects in the course of offering our application security services. We only obtain your Company’s consent to the collection and use of your Company’s confidential data (application performance data, application transaction records, etc.). This confidential data is of paramount importance to us, and we go to great lengths to protect it; however, this data is not to be confused with “Personal Data” of Data Subjects as contemplated under the GDPR. Thus, Contrast makes the general Privacy commitments stated in our Privacy Policy as well as those more specific to the GDPR. We are committed to the confidentiality of our customers’ information. In addition, we are independently audited on an annual basis.

We believe a very important piece of our continued compliance with privacy best practices, as well as compliance with the GDPR, is to ensure that we hold our vendors and sub-processors accountable for their security and privacy commitments. Contrast has a robust Third-Party Vendor Management program, and we frequently assess all third parties for continued compliance with their security, privacy and confidentiality commitments.

Cookies: As mentioned in our overarching Privacy Policy, our Website uses a technology called "cookies". For more information about cookies, please click here: Cookies. Cookies are small, often encrypted text files, located in browser directories. They are used by web developers to help users navigate their websites efficiently and perform certain functions. You may set your browser to notify you when you receive a cookie or to not accept certain cookies. However, if you decide not to accept cookies from our Website, certain features may not function as designed. You may also remove cookies. To learn how to do so, please click here: Clear Cookies.

Do-Not-Track: There are different ways you can prevent tracking of your online activity. One of them is setting a preference in your browser that alerts websites you visit that you do not want them to collect certain information about you. This is referred to as a Do-Not-Track (“DNT”) signal.

Contrast’s website may not recognize or react in response to DNT signals from Web browsers as, currently, there is no universally accepted standard for what a company should do when a DNT signal is detected. At such time as a standard is established, we will assess how best to respond to the signals. For more information, please click here: DNT Signals.

Notice to End Users

Where our Services are made available to you through an organization (e.g. your employer), that organization is the administrator of the Services and is responsible for the accounts and/or Service sites over which it has control. If this is the case, please direct your data privacy questions to your administrator, as your use of the Services is subject to your organization's policies. We are not responsible for the privacy or security practices of an administrator's organization, which may be different from this policy.

Administrators are able to:

  1. require you to reset your account password;
  2. restrict, suspend or terminate your access to the Services and your account access;
  3. access information in and about your account;
  4. access or retain information stored as part of your account;
  5. install or uninstall third-party apps or other integrations.

In some cases, administrators can also:

  • change the email address associated with your account;
  • change your information, including profile information;
  • restrict your ability to edit, restrict, modify or delete information.

Even if the Services are not currently administered to you by an organization, if you use an email address provided by an organization (such as your work email address) to access the Services, then the owner of the domain associated with your email address (e.g. your employer) may assert administrative control over your account and use of the Services at a later date. 

Please contact your organization or refer to your administrator’s organizational policies for more information.

Employment with Contrast Security

Candidates

If you reside in the European Economic Area and are interested in employment with Contrast Security, Inc., you will need to provide certain information (cover letter, resume, references, eligibility, or other employment-related information). We use this information for the purpose of processing and responding to your application for current and future career opportunities. In this respect, you would be considered a Data Subject and the information you provide to us would represent Personal Data.

Our Website includes a “Careers” link. All applications must originate from this website. Any entity that processes data on behalf of Contrast will be fully GDPR compliant. You will need to provide your Consent for us to contact you as part of your application. You have the right not to provide Consent, but we will be unable to process your application and consider you for employment if you do not provide it. While we will obtain your Consent, we process and manage your data based on legitimate interests.

A limited number of employees of Contrast Security will also have access to your data once you apply for a position. The recipients of your personal data will be select employees of Contrast such as Human Resources, the hiring leader, individuals with whom you will need to interview, etc. All information is shared according to the principle of least privilege. These employees have all undergone GDPR-related training. A limited number of third-party providers, under contract with Contrast, may also have access to your Personal Data. We ensure that any such provider has data protection levels equivalent to those set forth in this privacy notice, at a minimum.

If you are selected as a final candidate for a position, we will enter into the appropriate contract, agreement, or other documentation as appropriate for your country of residence. All documentation and actions, including those requiring additional Consent, will reflect full compliance with GDPR.

Employees

As part of becoming an employee of Contrast Security, Inc. you will be provided with an Employee Privacy Notice outlining your rights and remedies. At that time, you will also be provided with any and all documentation and information related to your status as both a Data Subject under the GDPR and an employee of Contrast Security, Inc.

Subject Access Requests

A subject access request is a written request for personal information/personal data held about you by us. You have the right to see what personal information we hold about you. You are entitled to be given a description of the information, what we use it for, who we might pass it on to, and any information we might have about the source of the information. However, this right is subject to certain exemptions or restrictions that are set out in the GDPR.

Data Protection Officer and Subject Access Requests

To make a Subject Access Request, email GDPR@contrastsecurity.com or write:

Sharron Reed Gavin, Data Protection Officer
Contrast Security, Inc.
240 3rd Street
Los Altos, CA 94022

The GDPR requires that we provide you with the following information:

  1. Company Name: Contrast Security, Inc.
     Address:
     240 3rd Street
     Los Altos, CA 94022
     001 650.567.4734
  2. Data Protection Officer: Sharron Reed Gavin
     sharron.reed@contrastsecurity.com
     GDPR@contrastsecurity.com
     001 650.567.4734

Finally, you have the right to lodge a complaint with the Information Commissioner’s Office (“ICO”) if you believe that we have not complied with the requirements of the GDPR with regard to your personal data. The ICO encourages individuals to first report their concern to the organization controlling or processing their data. For more information, please refer to ICO/ Raising a Concern.

Security Standards at Contrast Security (Beyond Data Privacy)

Keeping your data secure is critical to us at Contrast Security. We follow industry best practices in application, network, and product security to ensure that your data is safe. We envision a world where we can trust software with the most important activities of humanity. We love software, and it hurts us to see it misused to cause harm to others. As a security company, we not only protect our business, but yours as well. Contrast Security is committed to the highest standards of application and network security for our hosted products. At the core of our approach to security is a commitment to transparency – across our protections, processes, and even potential issues.

Contrast has successfully undergone third-party Service Organization Control auditing (SOC 2 Type II). The SOC 2 report provides assurance that we have designed and implemented effective security controls as defined by the SOC 2 standards, which are based on defined Trust Services Criteria. During the examination, the independent auditors evaluated and tested controls over the following:

  • Organization and management
  • Communications
  • Risk management, design, and implementation of controls
  • Monitoring of controls
  • Logical and physical access controls
  • Systems operation
  • Change management

These controls were examined with respect to Security, Availability, Confidentiality and, as of 2018, Privacy.

Data Center and Network Security

Contrast Security application services and data are currently hosted on servers in Amazon Web Services (AWS) ISO 27001 certified facilities in the United States. AWS is routinely audited and believes in transparent security. A few of AWS’ Assurance Programs are as follows: FedRAMP, ISO 27001, FIPS, SOC2/Type 2, FERPA, and HIPAA. As of March 26, 2018, AWS is fully compliant with the GDPR; more information can be found here: AWS/GDPR Compliance. Contrast has entered into a Data Processing Addendum with AWS.

A full list of AWS certifications is available here: http://aws.amazon.com/compliance/.

In addition, Amazon Web Services has published the Shared Responsibility Model where they describe the division of responsibilities between AWS and the customer. In general, AWS is responsible for security of the cloud and the customer is responsible for security in the cloud. No Contrast employees have physical access to AWS Data Centers.

Data Backups & Disaster Recovery

We store our data across multiple AWS availability zones and perform multiple database backups each day. These backups are stored in geographically distributed object storage. Backup integrity is automatically tested daily. Host logs are ingested into a log management platform for support and operational processes.

Operating System, Network and Firewall Configuration

Operating systems are hardened using Center for Internet Security standards and other industry best practices depending on the host's role. System configuration and patches are applied through both scheduled and ad hoc processes that are driven by configuration management tools. The configuration code is committed, tested, and peer reviewed before deployment.

Security patch management is an automated task for all hosts. Should a security patch be needed outside this process, we can apply patches in bulk to all hosts. If an urgent patch needs to be applied outside the regular schedule, we first verify that our infrastructure is vulnerable and then apply the patch.

We monitor communications from cert.org, us-cert.gov, and our own software processes to alert us to vulnerabilities that should be patched.

Our network is engineered and designed to limit access by origin and port between hosts and services (AWS Security Groups). Where possible, separate private networks (AWS VPCs) are created and kept completely isolated from other networks. All network and firewall rules are checked into our source code repository, reviewed by staff via Pull Requests, and only deployed once tested and reviewed. The network is designed with a minimal number of public-facing systems.

In addition to our own product, we deploy several monitoring solutions to measure the health of our service.

Product Security

Minimal Data Collection

Contrast Security only collects the data absolutely necessary to provide the analysis and metrics we offer. Our agents minimize the amount of data collected by reporting only confirmed vulnerabilities. Your source code and binaries never leave your servers. Contrast collects the following types of data:

  • Vulnerability and attack data that includes HTTP request data and a series of method invocations
  • Summary information about what libraries and classes are loaded by each application
  • Sitemap information, including URLs, but not parameters
  • Software architecture information about back-end components and connections

Encryption

Contrast Security encrypts all data at rest and sends and receives all data over HTTPS using TLS.

Our primary defenses keep out attackers and control access, but we also use strong encryption to ensure that all of the data we store is inaccessible to attackers. All Contrast data is stored on encrypted volumes or object storage. We extend the use of encryption to backups, logs, and any other data associated with the Contrast service. 

Where possible, we utilize Amazon's Key Management Service to generate and rotate keys used across our services.

Amazon’s overall key management infrastructure uses Federal Information Processing Standards (FIPS) 140-2 approved cryptographic algorithms and is consistent with the National Institute of Standards and Technology (NIST) 800-57 recommendations.

Contrast uses strong encryption and mutual authentication on all connections. This protects against sniffing, spoofing, and other communications attacks. The connection from the Contrast Agents to the Contrast TeamServer uses a TLS socket connection that can be configured to use an outbound proxy. The Agents verify the Contrast TeamServer certificate and send the client authorization key to the TeamServer to establish mutual authentication. Back-end connections are also both encrypted and mutually authenticated. Any attempt to access our service over a non-SSL connection is redirected to HTTPS.

We leverage multiple AWS services relating to encryption.

Permissions

We enable administrator, manager, or individual contributor permission levels within the app to be set for your individual users. Permission levels determine the user’s ability to change settings, view information, and edit, delete, or export data. These are configurable by each customer.

Authentication

We believe that everything that happens within Contrast should be fully authenticated and traceable to a particular individual, and we discourage the use of shared logins. We do not charge for or limit the number of users within an organization. We enforce password strength checks and failed-login lockouts to ensure that Contrast is not susceptible to brute force attacks. We allow organizations and users to configure our Two Step Verification process, which leverages time-based one-time passwords (TOTP).

Secure Coding

Contrast was designed from the ground up to be resilient against injection attacks like SQL injection, cross-site scripting (XSS), LDAP injection, XML entity attacks, command injection, and other risks. Our software architecture requires strict input validation on all input before it can be used. We minimize the use of interpreters where possible and use parameterized interfaces, if available.

Contrast uses TeamServer to identify, track, and remediate vulnerabilities during the Software Development Life Cycle. Our agent runs in automated testing and manual verification environments.

Application Security

Vulnerability Scanning

Contrast Security performs regular vulnerability scanning from multiple perspectives.

Penetration Testing

Annually, at a minimum, Contrast Security contracts with respected third-party security experts to execute a penetration test on our source code and production infrastructure.

Monitoring

Contrast Security restricts access to our production environment on a need-to-know basis and maintains a comprehensive logging system to track access and events.