<img height="1" width="1" style="display:none;" alt="" src="https://dc.ads.linkedin.com/collect/?pid=113894&amp;fmt=gif">

Privacy Matters

AT Contrast Security

Statement of Responsibility 

Contrast Security, Inc. (“Contrast” or “Contrast Security”) has a deep commitment to ensuring maximum Privacy and Information Security standards as evidenced by our product offerings and our internal compliance environment. We do not collect Personally Identifiable Information (“PII”) on our website other than voluntarily. PII is information that we can use to identify you as an individual. Personally identifiable information may include your name, address, telephone number and any other information that is connected with you personally.

If you are ever asked to provide PII or other confidential information to someone claiming to represent Contrast Security, please notify privacy@contrastsecurity.com. If you believe you have discovered a security vulnerability at Contrast or with one of our products or services, please contact us immediately at security@contrastsecurity.com and provide us with your contact information; please do not include any particulars of the alleged vulnerability in written format.

We are committed to safeguarding the information in our custody and under our control. Our compliance program is dynamic and proactive allowing us to stay abreast of the latest changes and enhancements to the ever-evolving global compliance landscape. We have implemented practical and sound administrative, technical and physical safeguards in an effort to protect against unauthorized access, use, modification and disclosure of this information.  This is a responsibility that we take seriously and we have strong internal controls around change management and employee accountability.

A co-founder of Contrast Security is also a founder and major contributor to The Open Web Application Security Project (“OWASP”), where he served as the Chair of the OWASP Board for 8 years and created the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. OWASP is a global not-for-profit charitable organization focused on improving the security of software. They provide impartial, practical information about AppSec to individuals, corporations, and other organizations worldwide. To further demonstrate the priority that Contrast gives to our compliance environment, we have a dedicated Data Privacy and Compliance Officer with over 25 years’ experience whose primary function is oversight of our operational risk environment.

Our hosted product environment resides with Amazon Web Services (“AWS”) and they adhere to the strictest compliance standards. They are CSA, ISO, PCI and SOC-compliant and were the first Cloud Service Provider to adopt the new PCI DSS 3.2 assessment in advance of the mandatory February 1, 2018, deadline. While we do not accept any online payments or otherwise collect payment information, we believe this proactive compliance indicates the strength of our hosting provider’s information security framework. AWS is FedRamp certified; meets all of the requirements for FERPA, HIPAA and the EU Data Protection Directive. AWS is in step to be fully compliant with the new EU General Data Protection Regulation (“GDPR”) as of May 25, 2018. AWS is working with their customers to provide tools to help them meet the requirements of the GDPR in addition to certification measures being taken by the companies themselves. AWS allows for alignment with FISMA and adheres to the NIST framework. For a full list of their Assurance Programs, please click here. We welcome any questions you may have about the steps we take to ensure the most robust and best-in-class standards and practices at Contrast.

Contrast Security, Inc. complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States.  Please see our Privacy Statement below for additional information.

For more information on the EU GDPR please click here.
For more information about NIST, please click here

As of January 31, 2017, Contrast is SOC2 Type II compliant and, as of October 31, 2017, we maintain a rolling, annual SOC2 schedule.


Contrast Security – Privacy Statement

1 February 2018

Contrast Security, Inc. (“Contrast,” “we,” “us,” or “our””) is committed to protecting your applications from vulnerabilities. We have prepared this Statement to describe our protocol around the collection, use, and disclosure of data related to Contrast Products and Offerings (the “Service”) or related products and offerings. This Statement is incorporated into and an inherent component of our Terms of Service which can be found at: TermsThe use of the collected information will be limited to the purpose of providing the Service for which you have engaged us.

Our Privacy Statement is subject to change due to modifications with regulatory agencies, best practices, or enhancements to the compliance and control environment. If we should ever make a substantial change to the way we use your Application Data or Personal Data, we will notify you by sending you an e-mail to the last e-mail address you provided to us and/or by prominently posting notice of the changes on our website. Any material changes to this Privacy Statement will be effective as of the date and time they are updated on our Website. These changes will be effective immediately for new users of our Website or Service. Continued use of our Website, Service, or related products, following notice of such changes shall indicate your acknowledgement of such changes and agreement to be bound by the terms and conditions of such changes.


Information About Our Website

When you visit our website at www.contrastsecurity.com (the “Website”), we collect your Internet Protocol (“IP”) address as well as other related information such as page requests, browser type, operating system and average time spent on our Website. We use this information to help us understand our Website activity, and to monitor and improve our Website.

Our Website uses a technology called "cookies". For more information about cookies, please click here: Cookies. Cookies are small, often encrypted text files, located in browser directories. They are used by web developers to help users navigate their websites efficiently and perform certain functions. You may set your browser to notify you when you receive a cookie or to not accept certain cookies. However, if you decide not to accept cookies from our Website, certain features may not function as designed. You may also remove cookies. To learn how to do so, please click here: Clear Cookies

Our Website may contain links to other websites that we do not own or operate.  We provide these links as a convenience to you, for informational purposes only. These links are not intended as an endorsement of or referral to the linked websites.  The linked websites have separate and independent privacy statements, notices and terms of use.  We do not have any control over these websites, and therefore we have no responsibility or liability for the manner in which they operate their sites nor what they may collect, use, disclose, secure or otherwise do with personal information. If you choose to click on these links, you will leave our site and be redirected to another site. During this process, a third party may collect Personal or Anonymous Data from you and Contrast is not responsible for their use of your data.

Links to our Website may be featured or referenced on other websites that are not under our control and therefore we have no responsibility or liability for the manner in which they operate their sites. Be sure to understand the privacy policies and terms of service of any site you visit. If you believe another entity has posted a link to Contrast Security that is misleading or that compromises the integrity of Contrast Security, please contact privacy@contrastsecurity.com. Such notifications will be kept in strict confident.

Our website includes social media features, such as Twitter, LinkedIn, Google Circles, etc. If you access these sites, they may collect your IP address, the page on which you are visiting our site, and they may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on our website. Your interactions with these features are governed by the privacy policy of the company providing it and not by Contrast Security.

We encourage you to carefully read the privacy statement of any website you visit whether visiting www.contrastsecurity.com or another.


Collection and Use of Information

By submitting Application, Personal or other data or information (the “Data”), or making it available to Contrast, you agree to the terms of this Privacy Statement and you expressly consent to the processing of your Data in accordance with it.

When you provide us with Data, it is primarily used to respond to requests or to allow us to provide better service to you. Once you become a customer of Contrast, we may send you a welcome e-mail, administrative e-mail notifications, such as security or support and maintenance advisories; send promotional communications, request participation in a survey, send upgrades and special offers related to our Service and for other Contrast-specific marketing purposes. We may contact you by telephone for the purpose of verifying information, reviewing potential vulnerabilities or to solicit feedback.

As we provide web application security services and products, our software is embedded into our clients’ web applications to monitor for vulnerabilities and prevent attacks.  For the purposes of performing the web application security services on behalf of our clients, we may collect and use Data through our clients’ web applications. We do not collect or use personal information through your web applications for any purpose other than to provide the Service to which you have subscribed; this includes providing support and answering questions that you may have about the Service.

“Application Data” means data about the performance of your application, system data (such as version data, names of plug-ins, etc.) about the environment in which your application is operating, data about transactions in your application (“Transaction Data”), stack traces and extracts of source code for certain classes of errors, and other similar data related to your application.

Any Application Data we collect is used to notify you of vulnerabilities and attacks and to share application performance information with you. We may also aggregate Application Data across multiple accounts and use this data to create and publish industry benchmarks or comparative application performance metrics. By default, we obfuscate any Individual Transaction Data that we collect. You have the option of changing the configuration of our products so that individual Transaction Data is not obfuscated. You can also disable certain vulnerability rules and/ or the collection of certain types of Application Data collected through our Service. Information as to how to do so can be found here.  

You expressly consent to the sharing of your Application Data as described in this Statement.


Choices Regarding Your information

We offer you choices regarding the collection, use, and sharing of your information. We may, from time to time, send e-mails regarding scheduled maintenance, or that promote the purchase of our Products or Service, etc. You may “opt out” of further communications by following the unsubscribe instructions embedded in the email or by contacting privacy@contrastsecurity.com. Should you decide to opt-out of receiving future communications, we will advise third-parties with whom we may be associated related to the servicing of your account to ensure you do not receive further communications from them. Regardless of whether you “opt out” or not, we may, but are not obligated to, send you emails and/ or notices related to updates to our Privacy Statement or Terms of Service.

When we delete account information, it will be deleted from the active database, but may remain in our archives. We will otherwise retain your information for as long as your account is active or as needed to provide you with the Service to which you have subscribed. It will also be retained as is necessary to comply with our legal obligations, resolve disputes, and enforce our agreements.

We will not disclose, sell or otherwise transfer personal information without your prior consent except as otherwise set out herein or, if applicable, in your Agreement or Contract for Service with us.  

We may transfer or disclose personal information as follows:

  • In connection with our Website or the Service, we may transfer (or otherwise make available) personal information to third parties who provide services on our behalf but the information is limited to what they need to perform their designated functions, and they are not authorized to use or disclose personal information for their own marketing or other purposes. That condition is, and will continue to be, included in all Agreements that we have with any service provider or third party.
  • If Contrast is involved in a merger, sale or acquisition, we may transfer personal information in connection with the transaction. We will make every effort to notify you in advance of any such merger, sale or acquisition as well as any significant corporate reorganization or change in control.
  • Contrast may be required to provide personal information responsive to a subpoena or to an investigative body or Federal, state or other regulatory agency. Where a disclosure of your information is required under such circumstances, we will promptly notify you, whenever possible, prior to complying with such requirements (to the extent we are not prohibited from doing so). To this end, it is important that you maintain current information with us at all times.

Please note:

  • You do not have to register in order to browse our Website.  However, if you are interested in a Product Demo, you will need to provide a name, company email address and a phone number. We use this information to communicate with you and otherwise administer your use of our Service for a trial period.
  • Contrast does not collect any Personally Identifiable Information (“PII”) unless you provide it voluntarily. We do not collect any financial information online. All Orders are placed and managed directly with a Client Manager.  
  • Our Website includes a “Careers” link.  If you apply for a job with us, you may provide certain personal information about yourself (cover letter, resume, references, eligibility, or other employment-related information).  We use this information for the purpose of processing and responding to your application for current and future career opportunities.
  • Our Website includes a “Contact Us” page. If you use this form, you may provide certain personal information about yourself (name, email, phone number, company name, the number of employees at your company, your industry, your job function and the location of your company) plus the content of any message you choose to send. We use this information to contact you.
  • If you subscribe to our Blog notifications we collect your name, email address and company name. If you post comments on our blog, the information contained in your posting will be stored on our servers and other users will be able to see it. To request removal of your personal information from our blog or community forum, please contact marketing@contrastsecurity.com.
  • From time to time, Contrast may conduct surveys, the results of which drive improved customer service and/ or products. If you choose to participate in one of our surveys, we may collect information such as your name, company email, company phone number, company name, etc.
  • If you contact us otherwise to ask a question, provide feedback, file a complaint, etc. you may be asked for information that identifies you (such as your name, company affiliation, email address and/ or a telephone number) along with additional information we may need to promptly and accurately respond.  We may retain this information to assist you in the future and to improve our customer service, service offerings, and our Website.
  • We also collect other types of Data such as operating system and version, information about your application and operating environment, and other requested information if you contact us via e-mail regarding support for the Service.


The Children's Online Privacy Protection Act ("COPPA")

Contrast will never intentionally collect data from children who are 13 years of age or younger. If a parent, guardian or other individual suspects that a child 13 or younger has provided data to Contrast, that individual should immediately report such information to privacy@contrastsecurity.com. Contrast will only retain the data for as long as it is necessary to delete the information using every reasonable measure to protect against its unauthorized access or use.


The Privacy Shield Program

privacy_shieldContrast Security, Inc. complies with the EU-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union to the United States. Contrast has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.  If there is any conflict between the terms in this privacy policy and the Privacy Shield Principles, the Privacy Shield Principles shall govern.  To learn more about the Privacy Shield program, and to view our certification, please visit EU-U.S. Privacy Shield.

The key goals of Privacy Shield are to inform individuals about:

  • The type or identity of third parties to which an organization discloses personal information, and the purposes for which it does so
  • The right of individuals to access their personal data
  • The choices and means an organization offers individuals for limiting the use and disclosure of their personal data
  • An organization being subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC)  
  • The possibility, under certain conditions, for the individual to invoke binding arbitration
  • The requirements for an organization to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements
  • An organization’s liability in cases of onward transfers to third parties

In compliance with the Privacy Shield Principles, Contrast Security, Inc. commits to resolve complaints about our collection or use of your personal information.  EU individuals with inquiries or complaints regarding our Privacy Shield policy should first contact Contrast Security, Inc. at: Privacy@contrastsecurity.com.  



Contrast has further committed to cooperate with the panel established by the EU data protection authorities (DPAs) with regard to unresolved Privacy Shield complaints concerning human resources data transferred from the EU in the context of the employment relationship.

Contrast self-certifies with Privacy Shield. A self-assessment is signed by a company officer or other authorized representative of the organization at least once a year and made available upon request by individuals or in the context of an investigation or a complaint about non-compliance. Contrast is required to respond promptly to individual inquiries, and other requests for information from the Department of Commerce relating to its adherence to the Privacy Shield Principles.

Under Privacy Shield, an individual has the possibility, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. Under Privacy Shield, Contrast must respond to individual complaints within 45 days. For additional information, visit: Privacy Shield/ Complaints.


Testimonials

We may post client endorsements on our web site which may contain personal information. All client endorsements require the voluntary consent of the client to provide the endorsement and for us to publicly post it. Should you provide an endorsement and later want it removed, please contact marketing@contrastsecurity.com.


Your California Privacy Rights

Pursuant to California Civil Code Section 1798.83, residents of the State of California have the right to request certain information relating to third parties to which the company has disclosed certain categories of personal information during the preceding year for the third parties’ direct marketing purposes. Alternatively, the law provides that a company that has a privacy policy that provides consumers choice regarding sharing personal information with third parties for those third parties’ direct marketing purposes, as Contrast does, may instead provide information on how to exercise that choice. If you would like to opt-out of this type of sharing with third parties, please email us at privacy@contrastsecurity.com with “Opt Out” as your subject line.


Contact

Please contact privacy@contrastsecurity.com with any questions or comments you may have or to file a complaint. We will use the same email address to update, and/ or correct any information that we may have on file for you.

You may also write to us at:
Contrast Security, Inc.
Attn: Privacy
240 3rd Street
Los Altos, CA 94022


Digital Millennium Copyright Act

Contrast Security, Inc. (“Contrast”) respects the intellectual property rights of others and expects its users to do the same. In accordance with the Digital Millennium Copyright Act of 1998 (the “DMCA”), the text of which may be found on the U.S. Copyright Office website at http://www.copyright.gov/legislation/dmca.pdf, Contrast will promptly respond to claims of copyright infringement using our Service or Website. Such claims must be reported to Contrast’s Designated Copyright Agent identified below.

If you are a copyright owner, authorized to act on behalf of a copyright owner, or are authorized to act under any exclusive right under copyright, please report alleged copyright infringements by completing the DMCA Notice of Alleged Infringement and delivering it to Contrast’s Designated Copyright Agent. Upon receipt of Notice as described below, Contrast will take whatever action it deems appropriate, including removal of the challenged content from the Website.

DMCA Notice of Alleged Infringement (“Notice”)

Identify the copyrighted work that you claim has been infringed or, if multiple copyrighted works are covered by this Notice, you may provide a representative list of the copyrighted works that you claim have been infringed.

  1. Identify the material or link you claim is infringing (or the subject of infringing activity) and to which access is to be disabled. If applicable, include the URL of the link shown on our Website or the exact location where such material may be found.
  2. Include both of the following statements in the body of the Notice:
    • “I hereby state that I have a good faith belief that the disputed use of the copyrighted material is not authorized by the copyright owner, its agent, or the law (e.g., as a fair use).”
    • “I hereby state that the information in this Notice is accurate and, under penalty of perjury, that I am the owner, or authorized to act on behalf of the owner, of the copyright or of an exclusive right under the copyright that is allegedly infringed.”

You are required to provide your full legal name and your electronic or physical signature. It is helpful, but not required, to also provide your company affiliation (if applicable), mailing address, telephone number, and email address.

  1. Deliver your Notice to Contrast’s Designated Copyright Agent:

Contrast Security, Inc.
Attn: Copyright Agent
240 3rd Street
Los Altos, CA 94022

Updated 9 January 2018
Updated 29 September 2017
Originally published 1 September 2016