Privacy Matters at Contrast Security
For a list of Contrast’s sub-processors, please see: Sub-Processor Listing
Key changes to this policy
Revised and updated to address the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework.
Last Updated: 15 September 2023
The products and services of Contrast Security, Inc. ("Contrast") represent a revolutionary approach to continuously protecting applications, and Contrast has a deep commitment to ensuring maximum Privacy and Information Security standards as evidenced by our product offerings and our internal compliance environment. Consistent with that commitment, accountability, Integrity, Transparency, Privacy by Design, our internal Security posture, and following best-in-class standards such as NIST and OWASP, inform virtually all decisions at Contrast.
We also want to provide this information in a way that is easy to understand. Legal and regulatory requirements are important, but our goal is to minimize any “legalese” that may be confusing. You are welcome to contact email@example.com at any time with any questions you might have concerning this policy.
- What categories of personal data we collect and the sources of that information
- Purposes for which we use the personal data we collect
- How we may disclose the personal data we collect
- How we protect the personal data we collect
- Your choices regarding your personal data
- Region-Specific Information
1. WHAT PERSONAL DATA WE COLLECT AND THE SOURCES OF THAT INFORMATIONa) Categories of Personal Data We Collect
The categories of personal data we collect, whether through the Site or from offline interactions with you, include:
- Identifiers, including: name, email address, telephone, social media identifier, and signature.
- Commercial information, including: products and services purchased, and demos requested.
- Internet Activity Information, for example: we collect your internet protocol (“IP”) address as well as other related information, such as page requests, browser type, referring and exit pages, the files viewed on our Site (for example, HTML pages, graphics, or other), operating system and average time spent on our Site.
- Professional or employment-related information, including: business contact information, title, job function, and location of company.
- Sensory or surveillance data, for example: voicemails and recordings as described below in “User Content” and video surveillance recordings if you visit our facilities.
- User Content, including: content you submit when you contact technical support or otherwise contact Contrast. For example, this may include information you provide through our Live Chat feature, survey responses, or through our social media. This may also include recordings you create, including audio recordings or voicemail you submit when you interact with us.
- Communications data, for example: during our communications with you, we collect the content of these communications as well as metadata about the communications, e., date and time of the call or text (SMS or MMS) message and phone numbers.
Note on Sensitive Personal Information: Contrast does not collect or process sensitive personal information for the purpose of inferring characteristics about the individual.
Information We Collect Through Technology On The Site
We collect information through technology to enhance our ability to serve you. When you access and use the Site, Contrast and, in some cases, our third-party service providers collect information about how you interact with the Site. We describe below methods we use to collect information through technology.
IP Address And Other Connection Information
When you visit the Site, we collect your device identifier, browser information, and Internet Protocol (IP) address. An IP address is often associated with the portal you used to enter the Internet, like your Internet service provider (ISP), company, association, or university. While an IP address may reveal your ISP or geographic area, we cannot determine your identity solely based upon your IP address. We do not link your personal data to device identifier information, browser information, and IP addresses. Where, according to local law, IP addresses and the like are considered personal data, then we treat them as such.
If you prefer, you can choose to have your computer warn you each time a cookie is being sent, or you can choose to turn off cookies by adjusting your browser settings. If you turn off your cookies, some of the features on the Site may not function properly.
We include small graphic images or other web programming code, called web beacons (also known as "pixel tags", “web bugs” or "clear GIFs"), on the Site. The web beacons are minute graphics with a unique identifier. They are used to track the online movements of Web users. In contrast to cookies, which are stored in a user's computer hard drive, web beacons are embedded invisibly on Web pages and are about the size of the period at the end of this sentence.
Do Not Track Brower Setting
There are different ways you can prevent tracking of your online activity. One of them is setting a preference in your browser that alerts websites you visit that you do not want them to collect certain information about you. This is referred to as a Do-Not-Track (“DNT”) signal.
The Site may not recognize or react in response to DNT signals from web browsers as, currently, there is no universally accepted standard for what a company should do when a DNT signal is detected. At such time as a standard is established, we will assess how to best respond to the signals. For more information about DNT signals, please visit http://allaboutdnt.com.
Tracking Across Time and Different Sites
The Site tracks your online activities over time and across websites or online services on an individually identifiable basis. For example, we may serve you advertisements on other websites based on what appeared to interest you on our Site. We do allow third parties to use our Site to track your activities over time or across other websites.
Children’s Online Privacy Protection Act Compliance
We do not collect any information from anyone under 13 years of age. The Site, products and services are all directed to people who are at least 13 years old or older. If you are under the age of 13, you are not authorized to use the Site.
- You, for example, when you register with our Site, enquire about the services we offer, engage with us over social media, or when you otherwise provide information directly to us.
- Automated technologies, for example, browsing activity collected by automated technologies on the Site.
- Service providers, for example, analytics providers, IT, and system administration services.
- Third parties, for example, to assist with distribution of our products.
- Marketing/advertising companies, for example, from social media platforms, consumer research companies, and analytics or marketing/advertising companies.
- Surveillance/recording technologies installed by Contrast, for example, video surveillance in common areas of Contrast facilities, voicemail, and audio recording with consent to the extent required by law.
- Our clients’ web applications: As we provide web application security services and products, our software is either embedded into our clients’ web applications or used to scan our client’s source code to monitor for vulnerabilities and prevent attacks. For the purposes of performing the web application security services on behalf of our clients, We may collect and use personal data through our clients’ web applications. We do not collect or use personal data through your web applications for any purpose other than to provide the Service to which you have subscribed; this includes providing support and answering questions that you may have about the Service.
2. PURPOSES FOR WHICH WE USE THE PERSONAL DATA WE COLLECT
We use the information we collect to serve you and improve your experience on the Site. Some examples include:
- Delivering our products and administering our services
- Providing customer support and addressing service complaints
- Communicating with you
- Where you have agreed to receive such information, sending you marketing information about our products and services, including notifying you of promotions and sweepstakes
- Troubleshooting technical problems on the Site
- Responding to questions and feedback
- Conducting research and analysis
- Marketing and advertising our products and services
- Improving our products and services, developing new products and services, and conducting research on further improvements
- Continuously evaluating and improving the online user experience
- Compliance with the law or to protect the rights, property, or safety of Contrast, our users, or others, including to maintain network and information security, for fraud prevention, and to report suspected criminal acts
We may also supplement the information we collect about you through the Site with records received from third parties in order to enhance our ability to serve you, to tailor our content to you, and to offer you information that we believe may be of interest to you.
We retain your personal data for the duration of the customer relationship, if any. Unless contractually obligated, and not in conflict with legal obligations, customer data will be deleted within 37 days of the end of the agreement to which our collection of your personal data relates. If you request we delete your data sooner, it will remain for 7 days after deletion to allow us to ensure regulatory compliance before deletion becomes permanent.
3. HOW WE MAY DISCLOSE THE PERSONAL DATA WE COLLECT
We do not, and will not, sell your personal information or disclose it to third parties for cross-context behavioral advertising.
We may disclose your personal data as necessary for the purposes described in Section 2, above, to the following categories of third parties:
- Third-Party Service Providers: We may disclose your personal data to third-party service providers under contract with Contrast to help us provide services to you. The information disclosed is limited to what they need to perform their designated functions, and they are not authorized to use, sell or disclose personal data for their own marketing or other purposes. Our hosted product environment resides with Amazon Web Services (“AWS”), and they adhere to the strictest compliance standards. For the full listing of their current certifications or compliance standards, please see https://aws.amazon.com/compliance/programs/While we do not accept any online payments or otherwise collect payment information through our website, we believe this proactive compliance indicates the strength of our hosting provider’s information security framework.
- Public: Contrast may disclose personal information to the public as part of a press release, for example, to announce, with your organization’s permission, that we have entered into a significant contract for our services.
- Required disclosures: We may be required to disclose personal information in a court proceeding, in response to a court order, subpoena, civil discovery request, or other legal process, or as otherwise required by law.
- Legal Compliance and Protections: Contrast also discloses personal information to government agencies, law enforcement, and other parties as required by law and as necessary to protect the rights, property, or safety of Contrast, its subsidiaries or affiliates, employees, customers, and users.
- Corporate Transactions: If Contrast is involved in a merger, sale or acquisition, we may transfer PI in connection with the transaction. We will make every effort to notify you in advance of any such merger, sale or acquisition as well as any significant corporate reorganization or change in control.
Contrast is primarily responsible for managing any personal data that you voluntarily provide us and jointly used with our affiliates or third parties. We do not provide your personal data to third parties for marketing purposes without your prior consent.
4. HOW WE PROTECT THE PERSONAL DATA WE COLLECT
The security and confidentiality of your personal data is important to us. We have technical, administrative, and physical security measures in place to protect your personal data from unauthorized access or disclosure and improper use.
For example, we use Transport Layer Security (TLS) encryption to protect the data collection forms on our Site. In addition, we restrict access to your personal data. Only employees who need the personal data to perform a specific job (for example, a customer service representative) are granted access to personal data. Employees with access to personal data are kept up to date on our security and privacy practices and all employees acknowledge Contrast’s Privileged User Agreement and Acknowledgement of Responsibilities policy. This policy is predicated on the NIST Rules of Behaviour. Trust Center coming soon!
Contrast has entered into a Data Processing Addendum and Standard Contractual Clauses with AWS relative to the GDPR and CPRA. AWS allows for alignment with FISMA and adheres to the NIST framework. For more information about our use of sub-processors, including a list of sub-processors, please see here and here.
You can help us protect the security of your personal data in several ways:
- It is important for you to protect against unauthorized access to your password and to your computer. Be sure to close your browser after you have completed your visit to the Site.
- If you are ever asked to provide personal data or other confidential information such as a Social Security number, My Number or National ID to someone claiming to represent Contrast, please do not share that information and notify firstname.lastname@example.org. If you believe you have discovered a security vulnerability at Contrast or with one of our products or services, please click here: Vulnerability Disclosure and/or email email@example.com.
Please note that despite our reasonable efforts, no security measure is ever perfect or impenetrable, so we cannot guarantee the security of your personal data.
5. YOUR CHOICES REGARDING YOUR PERSONAL DATA
You may contact firstname.lastname@example.org to ask us to access, update, correct, or delete your personal data.
6. REGION-SPECIFIC INFORMATION
This section applies only to individuals who reside in the state of California in the United States (“California residents”). This section applies to personal information collected through Site and in any other way, such as when California residents visit our offices.
Assistance For The Disabled
California Notice at Collection: Contrast collects the categories of personal information identified in Section 1, above, for the purposes identified in Section 2, above, and retains personal information for the period described in Section 2: “Data Retention”. We do not, and will not, sell your personal information or disclose it to third parties for cross-context behavioral advertising. We also do not collect or process sensitive personal information for the purpose of inferring characteristics about you.
Your California Privacy Rights
Subject to applicable exceptions, California residents have the following rights under the California Privacy Rights Act (“CPRA”):
- Right to Know: You have the right to submit a verifiable request for specific pieces of your personal information obtained from you and for information about Contrast’s collection, use, and disclosure of categories of your personal information.
- Right to Delete: You have the right to submit a verifiable request to delete personal information that Contrast has collected from or about you.
- Right to Correct: You have the right to submit a verifiable request to correct inaccurate personal information about you maintained by Contrast, taking into account the nature of the personal information and the purposes of processing the personal information.
Non-Discrimination: Contrast will not unlawfully discriminate against you for exercising your privacy rights under the California Privacy Rights Act.
How to Exercise Your California Privacy Rights
Contrast will respond to request to know, delete, and correct in accordance with applicable law if it can verify the identity of the requestor. You can exercise these rights in the following ways:
- Call (650) 567-4734 extension 9
- Email email@example.com or firstname.lastname@example.org or
- Complete the request form available here https://www.contrastsecurity.com/contact-us
How We Will Verify Your Request
The processes that we follow to verify your identity when you make a request to know, correct, or delete are described below. The relevant process depends on how and why the request is submitted.
For a less risky request, such as a request to know how we handle your personal information, we will match at least two data points that you provide against information about you that we already have in our records and that we have determined to be reliable for purposes of verifying your identity.
For a more risky request, such as a request for specific pieces of your personal information, we will match at least three data points that you provide against information that we already have about you in our records and that we have determined to be reliable for purposes of verifying your identity.
We have implemented the following additional procedures when verifying the identity of requestors:
- If we cannot verify your identity based on the processes described above, we may ask you for additional verification information. If we do so, we will not use that information for any purpose other than verification.
- If we cannot verify your identity to a sufficient level of certainty to respond to your request, we will let you know promptly and explain why we cannot verify your identity.
If an authorized agent submits a request to know, correct, or delete on your behalf, the authorized agent must submit with the request a document signed by you that authorizes the authorized agent to submit the request on your behalf. In addition, we may ask you to follow the applicable process described above for verifying your identity. You can obtain an “Authorized Agent Designation” form by contacting us at email@example.com.
b) All locations outside of the United States
The personal data collected through the Site is downloaded to a server maintained by Contrast. Contrast is located in the United States. The laws of the United States may provide a different level of protection for your personal data than what is required in the country where you reside.
Contrast will respond to requests to exercise individual data rights in accordance with applicable law. You can contact firstname.lastname@example.org to request to exercise your data rights.
c) European Economic Area, United Kingdom, and Switzerland
The information in this section applies to users in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland (collectively, the “Europe”). Individuals in Europe (“European Individuals”) are not required by statute or by contract to provide any personal data to the Site.
No Automated Decision-Making
Contrast will not use European Individuals’ personal data submitted through the Site for automated decision-making, including profiling, that produces legal effects or similarly significantly affects the European Individual.
Cross-Border Data Transfers
For customers located in the European Economic Area, Japan, or the United Kingdom, we store their personal data in the country where the information was collected unless the customer specifically requests that we transfer the personal data to the United States.
When we do transfer customers’ personal data to the United States or to another country, whether to a corporate affiliate or to any authorized processor, we do so in accordance with applicable laws. Nonetheless, the United States or the other jurisdictions may not have an adequate level of data protection as determined by the competent supervisory authority in the country where the personal data originates.
When these transfers are necessary, we may rely on the individual’s consent to transfer their personal data or on a data transfer mechanism approved by the competent supervisory authority. For transfers outside of the EEA and Switzerland, we may enter into the Standard Contractual Clauses (EU SCCs), approved by the European Commission and the Swiss Federal Data Protection and Information Commissioner. For transfers from the UK, we may rely on the UK’s Addendum to the EU SCCs or the UK’s own SCCs, approved by the UK’s Information Commissioner.
Legal Bases For Processing
Contrast processes your personal data with your consent and as required by law. Contrast also processes personal data as necessary for its legitimate interests as follows:
- Marketing and advertising: Unless you opt out as described below, we use your personal data regarding products and services you have ordered, or in which you have otherwise demonstrated an interest, as necessary to provide you information about the products and services that we think might interest you in accordance with applicable law.
- Network and information security, fraud prevention, and reporting suspected criminal acts: In the event of fraud, a security incident, or a suspected criminal act, we would examine personal data that appeared to be linked to the incident as necessary to determine what happened, remediate, report to the authorities, and prevent a recurrence.
Right to Object to Processing for Direct Marketing or Legitimate Interests
European Individuals have the right to object to the processing of their personal data for purposes of Contrast’s direct marketing or legitimate interests by contacting Contrast at email@example.com.
To the extent provided by applicable law and subject to any relevant exceptions, European Individuals have the following rights:
- Access: You have the right to request access to your personal data.
More on the right of access: European Individuals’ right to access their personal data includes their right to receive a copy of all, or a portion, of their personal data in Contrast’s possession as long as Contrast’s providing the personal data would not adversely affect the rights and freedoms of others.
- Rectification/Deletion: You have the right to request that Contrast update, correct or delete your personal data, i.e., to rectify personal data that is incomplete or inaccurate or to erase your personal data.
- Restrict Processing: You have the right to request restriction of processing of your personal data in certain situations, such as while a dispute concerning the accuracy of personal data is being resolved.
- Data Portability: You have the right to request that Contrast transfer your personal data to a third party.
More on the right to data portability: Subject to certain limitations, the right to data portability allows you to obtain from Contrast, or to ask Contrast to send to a third party, a copy of your personal data in electronic form that you provided to Contrast in connection with your interactions with Contrast.
- Objection: You have the right to object to the processing of your personal data.
More on the right to object: You have the right to object when processing of your personal data is based solely on Contrast’s legitimate interests. If you do object in these circumstances, the processing of your personal data will be stopped unless there is an overriding, compelling reason to continue the processing or the processing is necessary to establish, pursue or defend legal claims.
- Withdraw Consent: You have the right to withdraw your consent to the processing of your personal data, at any time, where you previously consented to the processing of your personal data.
More on the right to withdraw consent: If Contrast requests your consent to process your personal data and you do consent, you may use the contact information below to withdraw your consent. Any withdrawal shall not affect the lawfulness of processing based on your consent before its withdrawal, and Contrast will continue to retain the personal data that you provided us before you withdrew your consent for as long as allowed or required by applicable law.
How To Exercise Your Rights
EEA Individuals can exercise these rights by contacting Contrast at firstname.lastname@example.org or GDPR@contrastsecurity.com. Contrast will respond to such requests in accordance with applicable data protection law.
Right to Lodge a Complaint: If European Individuals believe that their personal data has been processed in violation of applicable data protection law, they have the right to lodge a complaint with the competent supervisory authority in the country where they reside, where they work, or where the alleged violation occurred.
Data Protection Officer
Contrast’s data protection officer is:
Chief Information Security and Data Privacy Officer
240 3rd Street
Los Altos, California 94022 USA
For a current listing of Contrast’s sub-processors, please see: Sub-Processors Listing. You can also register to receive an updated listing whenever a modification is made to the listing.
Contrast Security, Inc.
240 3rd Street
Los Altos, CA 94022
For previous versions/updates, please click here.