Contrast Security, Inc. (“Contrast” or “Contrast Security”) is committed to maintaining high privacy and information security standards, as evidenced by our product offerings and our internal compliance environment. We do not collect Personally Identifiable Information (“PII”) on our website other than information you provide voluntarily. PII is information that we can use to identify you as an individual; it may include your name, address, telephone number and any other information that is connected with you personally.
If you are ever asked to provide PII or other confidential information to someone claiming to represent Contrast Security, please notify firstname.lastname@example.org. If you believe you have discovered a security vulnerability at Contrast or with one of our products or services, please contact us immediately at email@example.com and provide us with your contact information; please do not include any particulars of the alleged vulnerability in written format.
We are committed to safeguarding the information in our custody and under our control. Our compliance program is dynamic and proactive, allowing us to stay abreast of changes and enhancements to the evolving global compliance landscape. We have implemented practical and sound administrative, technical and physical safeguards to protect against unauthorized access, use, modification and disclosure of this information. This is a responsibility that we take seriously, and we maintain strong internal controls around change management and employee accountability.
A co-founder of Contrast Security is also a founder and major contributor to The Open Web Application Security Project (“OWASP”), where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. OWASP is a global not-for-profit charitable organization focused on improving the security of software. It provides impartial, practical information about application security (AppSec) to individuals, corporations, and other organizations worldwide. To further demonstrate the priority that Contrast gives to our compliance environment, we have a dedicated Data Privacy and Compliance Officer with over 25 years’ experience whose primary function is oversight of our operational risk environment.
Our hosted product environment resides with Amazon Web Services (“AWS”), which adheres to strict compliance standards. AWS is CSA, ISO, PCI and SOC compliant and was the first Cloud Service Provider to adopt the new PCI DSS 3.2 assessment in advance of the mandatory February 1, 2018 deadline. While we do not accept any online payments or otherwise collect payment information, we believe this proactive compliance indicates the strength of our hosting provider’s information security framework. AWS is FedRAMP certified and meets the requirements of FERPA, HIPAA and the EU Data Protection Directive. AWS is on track to be fully compliant with the new EU General Data Protection Regulation (“GDPR”) as of May 25, 2018, and is working with its customers to provide tools that help them meet GDPR requirements, in addition to the certification measures being taken by those customers themselves. AWS supports alignment with FISMA and adheres to the NIST framework. These attestations cover the AWS infrastructure; under the AWS shared responsibility model, the security of the workloads we run on that infrastructure remains our responsibility. For a full list of AWS Assurance Programs, see the AWS compliance program listing. We welcome any questions you may have about the steps we take to maintain robust, best-in-class standards and practices at Contrast.
Contrast Security, Inc. complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Please see our Privacy Statement below for additional information.
Contrast has been SOC 2 Type II compliant since January 31, 2017 and, as of October 31, 2017, we maintain a rolling, annual SOC 2 audit schedule.
Contrast Security – Privacy Statement
1 February 2018
Contrast Security, Inc. (“Contrast,” “we,” “us,” or “our”) is committed to protecting your applications from vulnerabilities. We have prepared this Statement to describe our practices around the collection, use, and disclosure of data related to Contrast products and offerings (the “Service”). This Statement is incorporated into, and forms an integral part of, our Terms of Service. Use of the collected information is limited to the purpose of providing the Service for which you have engaged us.
Our Privacy Statement is subject to change in response to regulatory developments, evolving best practices, or enhancements to our compliance and control environment. If we make a substantial change to the way we use your Application Data or Personal Data, we will notify you by e-mail at the last e-mail address you provided to us and/or by prominently posting notice of the changes on our Website. Any material changes to this Privacy Statement are effective as of the date and time they are posted on our Website, and immediately for new users of our Website or Service. Continued use of our Website, Service, or related products following notice of such changes indicates your acknowledgement of the changes and your agreement to be bound by them.
When you visit our website at www.contrastsecurity.com (the “Website”), we collect your Internet Protocol (“IP”) address as well as other related information such as page requests, browser type, operating system and average time spent on our Website. We use this information to help us understand our Website activity, and to monitor and improve our Website.
Our Website uses a technology called “cookies”. Cookies are small text files that your browser stores on your device; websites use them to help you navigate efficiently and to perform certain functions, such as keeping you signed in during a session. You may set your browser to notify you when you receive a cookie or to refuse certain cookies. However, if you decide not to accept cookies from our Website, certain features may not function as designed. You may also remove cookies that have already been set; consult your browser’s help documentation to learn how.
Links to our Website may be featured or referenced on other websites that are not under our control, and we therefore have no responsibility or liability for the manner in which those sites operate. Be sure to understand the privacy policies and terms of service of any site you visit. If you believe another entity has posted a link to Contrast Security that is misleading or that compromises the integrity of Contrast Security, please contact firstname.lastname@example.org. Such notifications will be kept in strict confidence.
We encourage you to carefully read the privacy statement of any website you visit whether visiting www.contrastsecurity.com or another.
By submitting Application, Personal or other data or information (the “Data”), or making it available to Contrast, you agree to the terms of this Privacy Statement and you expressly consent to the processing of your Data in accordance with it.
When you provide us with Data, it is used primarily to respond to your requests or to allow us to provide better service to you. Once you become a customer of Contrast, we may send you a welcome e-mail; administrative e-mail notifications, such as security, support and maintenance advisories; promotional communications; requests to participate in a survey; and upgrades and special offers related to our Service, as well as communications for other Contrast-specific marketing purposes. We may contact you by telephone to verify information, review potential vulnerabilities, or solicit feedback.
As we provide web application security services and products, our software is embedded into our clients’ web applications to monitor for vulnerabilities and prevent attacks. For the purposes of performing the web application security services on behalf of our clients, we may collect and use Data through our clients’ web applications. We do not collect or use personal information through your web applications for any purpose other than to provide the Service to which you have subscribed; this includes providing support and answering questions that you may have about the Service.
“Application Data” means data about the performance of your application, system data (such as version data, names of plug-ins, etc.) about the environment in which your application is operating, data about transactions in your application (“Transaction Data”), stack traces and extracts of source code for certain classes of errors, and other similar data related to your application.
Any Application Data we collect is used to notify you of vulnerabilities and attacks and to share application performance information with you. We may also aggregate Application Data across multiple accounts and use this aggregated data to create and publish industry benchmarks or comparative application performance metrics. By default, we obfuscate any individual Transaction Data that we collect. You have the option of changing the configuration of our products so that individual Transaction Data is not obfuscated. You can also disable certain vulnerability rules and/or the collection of certain types of Application Data collected through our Service; instructions for doing so are provided in the product documentation.
You expressly consent to the sharing of your Application Data as described in this Statement.
We offer you choices regarding the collection, use, and sharing of your information. We may, from time to time, send e-mails regarding scheduled maintenance, or that promote the purchase of our Products or Service, etc. You may “opt out” of further communications by following the unsubscribe instructions embedded in the email or by contacting email@example.com. Should you decide to opt-out of receiving future communications, we will advise third-parties with whom we may be associated related to the servicing of your account to ensure you do not receive further communications from them. Regardless of whether you “opt out” or not, we may, but are not obligated to, send you emails and/ or notices related to updates to our Privacy Statement or Terms of Service.
When we delete account information, it will be deleted from the active database, but may remain in our archives. We will otherwise retain your information for as long as your account is active or as needed to provide you with the Service to which you have subscribed. It will also be retained as is necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.
We will not disclose, sell or otherwise transfer personal information without your prior consent except as otherwise set out herein or, if applicable, in your Agreement or Contract for Service with us.
We may transfer or disclose personal information as follows:
Contrast will never intentionally collect data from children who are 13 years of age or younger. If a parent, guardian or other individual suspects that a child 13 or younger has provided data to Contrast, that individual should immediately report it to firstname.lastname@example.org. Contrast will retain such data only for as long as is necessary to delete it, and will use every reasonable measure to protect it against unauthorized access or use in the meantime.
The key goals of Privacy Shield are to inform individuals about:
In compliance with the Privacy Shield Principles, Contrast Security, Inc. commits to resolve complaints about our collection or use of your personal information. EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Contrast Security, Inc. at: Privacy@contrastsecurity.com.
Contrast has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship.
Contrast self-certifies with Privacy Shield. A self-assessment is signed by a company officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. Contrast is required to respond promptly to individual inquiries, and other requests for information from the Department of Commerce relating to its adherence to the Privacy Shield Principles.
Under Privacy Shield, an individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. Under Privacy Shield, Contrast must respond to individual complaints within 45 days. For additional information, visit: Privacy Shield/ Complaints.
We may post client endorsements on our website which may contain personal information. All client endorsements require the voluntary consent of the client to provide the endorsement and for us to publicly post it. Should you provide an endorsement and later want it removed, please contact email@example.com.
Your California Privacy Rights
Please contact firstname.lastname@example.org with any questions or comments you may have or to file a complaint. We will use the same email address to update, and/ or correct any information that we may have on file for you.
You may also write to us at:
Contrast Security, Inc.
240 3rd Street
Los Altos, CA 94022
Contrast Security, Inc. (“Contrast”) respects the intellectual property rights of others and expects its users to do the same. In accordance with the Digital Millennium Copyright Act of 1998 (the “DMCA”), the text of which may be found on the U.S. Copyright Office website at http://www.copyright.gov/legislation/dmca.pdf, Contrast will promptly respond to claims of copyright infringement involving our Service or Website. Such claims must be reported to Contrast’s Designated Copyright Agent identified below.
If you are a copyright owner, authorized to act on behalf of a copyright owner, or are authorized to act under any exclusive right under copyright, please report alleged copyright infringements by completing the DMCA Notice of Alleged Infringement and delivering it to Contrast’s Designated Copyright Agent. Upon receipt of Notice as described below, Contrast will take whatever action it deems appropriate, including removal of the challenged content from the Website.
DMCA Notice of Alleged Infringement (“Notice”)
Identify the copyrighted work that you claim has been infringed or, if multiple copyrighted works are covered by this Notice, you may provide a representative list of the copyrighted works that you claim have been infringed.
You are required to provide your full legal name and your electronic or physical signature. It is helpful, but not required, to also provide your company affiliation (if applicable), mailing address, telephone number, and email address.
Contrast Security, Inc.
Attn: Copyright Agent
240 3rd Street
Los Altos, CA 94022
Updated 9 January 2018
Updated 29 September 2017
Originally published 1 September 2016