Privacy Matters at Contrast Security

Privacy Policy

Key updates

Clarification of language regarding sale and sharing, more detail around GPC signals and other OOPS, and around California privacy rights

Last Updated: 10 December 2024

About Contrast

The products and services of Contrast Security, Inc. ("Contrast") represent a revolutionary approach to continuously protecting applications, and Contrast has a deep commitment to ensuring maximum privacy and information security standards as evidenced by our product offerings and our internal compliance environment. Contrast prides itself on operating with accountability, integrity and transparency, and constantly works to ensure that your personal information is protected in line with applicable data protection regulations and the highest information security standards.

This Privacy Policy tells you:
  1. What personal data we collect and the sources of that information
  2. Purposes for which we use your data
  3. Contrast's use of cookies and other tracking technologies
  4. Disclosures of your personal data
  5. Security
  6. Your privacy rights
  7. Children's data
  8. Changes to this Privacy Policy
  9. Contact us

Your Consent: If you reside outside the United States, by submitting your personal data through this website, https://www.contrastsecurity.com (the “Site”), you consent to our processing that data as described in this Privacy Policy. Please understand that you are not obliged to provide your personal data to us. However, if you do not provide your personal data, or otherwise do not consent to the processing of your personal data or withdraw your consent to the processing, Contrast may not be able to provide you with certain services and may be required to terminate the services currently provided to you.

1. What personal data we collect and the sources of that information

Through our website

The categories of personal data we collect, whether through the Site or from offline interactions with you when we act as a data controller, include the following:

| Category of personal information | Examples |
| --- | --- |
| Identifiers (contact information) | Name, email address, telephone, signature |
| Commercial information | Records of products or services purchased or considered |
| Internet activity information | IP address, device and browser information, cookies |
| Professional or employment-related information | Job title, employer, place of employment |
| User content | Contents of emails or messages you submit to Contrast through chatbots, help portals, etc. |
| Communications data | Metadata from texts, calls or emails with Contrast, as well as the contents of those communications |
| Audio, electronic, visual or similar information | Video or audio recordings when you interact with us by phone or web conferencing, video surveillance recordings if you visit a Contrast office |
| Social media information | Social media account, interactions with Contrast social media |

Through our products

Contrast products are not designed to capture and process personal data, but our products may incidentally capture personal information as part of an attack or vulnerability trace. If our products capture personal information, we act as a data processor. We only process this data in line with our customers' instructions. Please refer to the privacy policy or other terms applicable to those customers for more information about how they handle your data.

Contrast does not collect or process the sensitive personal information of its customers, prospects, or website visitors for any purpose, including the purpose of inferring characteristics about the individual.

 

Categories of sources

| Collection method | Explanation |
| --- | --- |
| Directly from you | Information that you deliberately provide us, such as when you submit a form or send an email to an @contrastsecurity.com email address. |
| Indirectly from you | Data gathered through cookies and other tracking technologies. |
| Through your employer | If your employer is a customer of Contrast, we may receive personal information about you from your employer which we use to provision you with a Contrast account. |
| Marketing partners | We receive lists from marketing partners of qualified leads who have opted into sharing their information with us. |
| Data brokers | We use data brokers in our sales outreach to enrich existing data and to identify potential leads. |

2. Purposes for which we use your personal data

We use the information we collect for a variety of purposes depending upon the nature of your relationship and how you interact with us, including as detailed below:

Website visitors

| Processing activity | Categories of personal data | Legal basis for processing (GDPR only) |
| --- | --- | --- |
| Answering inquiries from customers | Identifiers, such as names and email addresses, user content, commercial information, and professional or employment-related information | Legitimate interest in providing our customers and with responses to their questions |
| Qualifying marketing leads through our website chatbot | Identifiers and professional or employment-related information | Consent or legitimate interest in sourcing and qualifying sales leads |
| Complying with data subject rights requests | Identifiers, such as names and email addresses | Compliance with a legal obligation |
| Logging and monitoring for security purposes | Identifiers, such as names and email addresses; Attack trace logs | Legitimate interest in securing our systems and resolving errors |
| Website tracking to understand how visitors are using our site | Internet activity information, such as IP addresses | Consent |
| Email marketing | Identifiers, such as names and email addresses | Consent or legitimate interest |
| Cross-contextual behavioral advertising | Internet activity information, such as IP addresses | Consent |

Customers and Prospects

| Processing activity | Categories of personal data | Legal basis for processing (GDPR only) | Data subjects |
| --- | --- | --- | --- |
| Customer sentiment analysis | Identifiers and contact information | Legitimate interest in understanding how we are serving our customers | Customers |
| Account provisioning for users of Contrast's services | Identifiers, such as names and email addresses | Performance of a contract | Customers |
| Cloud hosting of our SaaS product offerings | Identifiers, such as names and email addresses; Internet activity information, such as IP addresses; Attack trace logs | Performance of a contract | Customers |
| Customer relationship management | Identifiers and business contact information; Message contents | Legitimate interest in maintaining records related to our sales efforts | Customers and prospects |
| Communications with prospects and customers by email, telephone, and video call | Identifiers, such as names and email addresses; Email/message contents; Audio/visual recordings | Legitimate interest in communicating with our customers and prospects; Consent where we record video or telephone calls | Customers and prospects |
| Free trial/proof of value environments for product demonstrations | Identifiers, such as names and email addresses; Internet activity information, such as IP addresses | Performance of a contract | Prospects |
| Prospecting and sales outreach | Identifiers, such as names and email addresses | Legitimate interest in generating new business for Contrast | Prospects |
| Improving our products and services | Internet activity information, such as IP addresses | Legitimate interest in improving our products and services; Consent where such collection uses cookies or similar technology | Customers |

Contrast retains the data that we process on behalf of our customers (i.e. we are the data processor) for the length of the customer relationship plus 37 days, which is the time it takes to purge our systems and backups of customer data. Customers can delete certain personal information themselves from within their Contrast accounts, and we are able to delete specific pieces of information for our customers on request.

Where Contrast collects personal information for our own purposes, we retain information for as long as necessary to achieve the purpose for which we collected your data. We will retain personal information longer as necessary to comply with legal, administrative, or procedural requirements, for example, a litigation hold.

Depending on your location, you may be able to exercise certain rights over how we process your personal data. To learn more about the rights available to you, please see section 6: Your privacy rights.

3. Contrast's use of cookies and other tracking technologies

We collect information through technology to enhance our ability to serve you. When you access and use the Site, Contrast and, in some cases, our third-party service providers collect information about how you interact with the Site.

Contrast uses a number of tracking technologies on the Site to understand how Site visitors are using and navigating the Site, and to assist with our marketing and sales efforts. These technologies include cookies, web beacons, and pixels. Where required, we will ensure that we have your consent before using these technologies, and that you can revoke your consent at any time.

Contrast uses cookies on the Site for a number of purposes. Some of these cookies are “essential” or “strictly necessary” cookies, whose use enables critical functionality on this site, such as for security and load balancing purposes. We also use cookies for personalization, analytics, and advertisement purposes. To learn more about our use of cookies, and your choices regarding cookies on our Site, please refer to our Cookie Policy.

The Site tracks your online activities over time and across websites or online services on an individually identifiable basis. For example, we may serve you advertisements on other websites based on what appeared to interest you on our Site. We do allow third parties to use our Site to track your activities over time or across other websites.

 

Do Not Track signals and the Global Privacy Control

Your web browser may provide you with opt-out preference signals such as Do Not Track (DNT) or Global Privacy Control (GPC), which can be used to transmit your preferences to the websites that you visit. Contrast respects both DNT and GPC signals received from your browser and applies them to that browser only. If you have an opt-out preference signal enabled, you do not need to take further action to opt out of the sale or sharing of your personal information. Please refer to your browser provider for more information on activating or deactivating your DNT and GPC signals.

4. Disclosures of your personal data

We may disclose your personal data to third parties in the following circumstances:

  • Third-party service providers: We disclose your personal data to third-party service providers to help us provide services to you. We limit the disclosed information to that required to perform their designated functions. Service providers are not authorized to use, sell or disclose personal data for their own marketing or other purposes.
    • Data types: all types of personal data that we collect
  • Press releases: Contrast may disclose personal information as part of a press release or other publicity to announce, with your organization’s permission, that we have entered into a significant contract for our services.
    • Data types: identifiers
  • Required disclosures: We may be required to disclose personal information in a court proceeding, in response to a court order, subpoena, civil discovery request, or other legal process, or as otherwise required by law.
    • Data types: all types of personal data that we collect
  • Government or law-enforcement request: Contrast also discloses personal information to government agencies, law enforcement, and other parties as required by law and as necessary to protect the rights, property, or safety of Contrast, its subsidiaries or affiliates, employees, customers, and users.
    • Data types: all types of personal data that we collect
  • Advertising partners: Contrast shared limited personal information with third-party advertisers so that we can show you adverts for Contrast on other websites.
    • Data types: internet activity information

Where Contrast discloses personal information to third parties in its role as a data processor, we ensure that each third party has signed a data processing agreement and that each third party has security and privacy controls at least as rigorous as our own. For a list of Contrast’s sub-processors, please see: Sub-Processor Listing.

You may have the right to opt out of the sharing of your personal information with our advertising partners. Please see the Region-Specific Information section for more information about your opt-out rights.

Third-party sites

The Site includes links from the Site to, and plug-ins (such as Twitter, Instagram, and Facebook buttons) from, sites or applications operated by third parties (“Third-Party Sites”). Contrast does not control any Third-Party Sites and is not responsible for any information they may collect. The information collection practices of a Third-Party Site are governed by its privacy policy. It is your choice to enter any Third-Party Site. We recommend that you read its privacy policy if you choose to do so.

5. Security

The security and confidentiality of your personal data is important to us. We have technical, administrative, and physical security measures in place to protect your personal data from unauthorized access or disclosure and improper use.

For example, we use Transport Layer Security (TLS) encryption to protect the data collected through marketing forms on our Site. In addition, we restrict access to your personal data. Only employees who need the personal data to perform a specific job (for example, a customer service representative) are granted access to personal data. Employees with access to personal data are kept up to date on our security and privacy practices and all employees acknowledge Contrast’s Privileged User Agreement and Acknowledgement of Responsibilities policy. This policy is predicated on the NIST Rules of Behaviour. For more information on our Security practices, please visit our Trust Center.

Contrast also operates a bug bounty program. If you believe you have discovered a security vulnerability at Contrast or with one of our products or services, please report it through our Vulnerability Disclosure page or email security [at] contrastsecurity.com.

Please note that despite our reasonable efforts, no security measure is ever perfect or impenetrable, so we cannot guarantee the security of your personal data.

6. Your privacy rights

Depending on where you reside, you may have certain rights with regard to your personal data, such as the right to access your personal data, to correct inaccuracies, or to delete the personal data that we hold about you. To learn more about the specific rights available to you based on where you reside, please refer to the relevant section below.

Nonetheless, at Contrast we believe that everyone should be able to take control of their personal data. Wherever you reside, you may contact privacy [at] contrastsecurity.com to ask us to access, update, correct, or delete your personal data. We will respond to your request in accordance with any applicable law, or if no law applies, consistent with our legitimate business interests.

7. Region-specific information

United States

California

This section applies only to individuals who reside in the state of California in the United States (“California residents”), and only when Contrast processes their personal data subject to the amended California Consumer Privacy Act (“CCPA”).

Assistance for the disabled: Alternative formats of this Privacy Policy are available to individuals with a disability. Please contact privacy [at] contrastsecurity.com for assistance.

California notice at collection: Contrast collects the categories of personal information identified in section 1: What personal data we collect and the sources of that information for the purposes identified in section 2: Purposes for which we use your personal data and retains personal information for the period described in section 2. When you visit our website, we may share your personal information, namely identifiers such as your IP address, with third-party advertising partners, such as Microsoft, for cross-context behavioral advertising. Under California law, this is considered a sale of your personal information and you have the right to opt out of this sale at any time.

We do not collect or process sensitive personal information for the purpose of inferring characteristics about you.

Disclosures for business purposes: Contrast may disclose the categories of personal data described in section 1 to the categories of third-party recipients listed below for the purposes described in section 2, as well as for the following “business purposes” (as defined by the CCPA):

  • Affiliated Companies. We may disclose your personal data to other members of Contrast’s corporate group for the business purposes of (a) auditing compliance with policies and applicable laws, (b) helping to ensure security and integrity, (c) debugging, (d) short-term transient use, (e) internal research, (f) activities to maintain or improve the quality or safety of a service or device, and (g) performing services on our behalf.
  • Service Providers. We may disclose your personal data to the types of third-party service providers listed in section 4 so that they can perform services on our behalf.
  • Professional Services Providers. We may disclose your personal data to these service providers, including lawyers, accountants and consultants, for the business purposes of auditing compliance with policies and applicable laws, in addition to performing services on Contrast’s behalf.

In the preceding 12 months, Contrast has shared the following categories of personal data with third-party advertising partners:

  • Internet activity information, such as IP addresses

We do this for marketing purposes, to serve you Contrast advertisements on other websites.

Your California privacy rights: Subject to certain limitations and exceptions, California residents have the following rights:

  • Right to Know: You have the right to know what categories of information we collect about you, categories of sources that we collect information from, our purpose for collecting and, where applicable, selling your personal data, the categories of third parties to whom we disclose your personal data, and the specific pieces of information we have collected from or about you.
  • Right to Delete: You have the right to delete personal information that Contrast has collected from you.
  • Right to Correct: You have the right to correct inaccurate personal information about you maintained by Contrast, taking into account the nature of the personal information and the purposes of processing the personal information.
  • Right to Non-Discrimination: Contrast will not discriminate against you for exercising your rights.

If you would like to exercise these rights, please contact us through one of the below methods:

  • Call (888) 371-1333 extension 9 (please provide your name and email address and any other information that may help us identify you in our systems)
  • Email privacy [at] contrastsecurity.com
  • Submit a request through our Contact Us form

Contrast reserves the right to request additional information from you if additional information is necessary for us to verify your request. Depending on the nature and sensitivity of your request, we will match at least two data points that you provide against information that we already hold about you in our systems. We may need to request additional information from you in order to verify your request. Any information that you do provide for verification purposes will only be used to verify your request.

If you choose to authorize an agent to submit a request on your behalf, we reserve the right to request additional information from you or your agent to prove that they have been authorized by you before we take any action to fulfill your request. Agents can submit requests through any of the methods listed above.

Contrast has not, and has no actual knowledge that we have, sold or shared the personal information of children under 16, in the last 12 months.

Notice of right to opt out: You have the right to opt out of the sale or sharing of your personal information. You can submit your request by interacting with our cookie banner, or by using one of the contact methods listed above.

Other US States

At this time, Contrast does not meet the applicability thresholds for any other U.S. state privacy laws. We proactively monitor for new state privacy laws and requirements, and regularly assess our business against the applicability thresholds of existing state privacy laws. 

Europe (including EU and EEA countries, United Kingdom and Switzerland)

The information in this section applies to individuals who reside in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland (collectively, “Europe”). Residents of Europe are not required by statute or by contract to provide any personal data to the Site.

Subject to certain limitations and exceptions, residents of Europe have the following rights:

  • Right of access: You have the right to confirm with us whether we process your personal data, and if so to access that data.
  • Right to rectification: You have the right to correct inaccuracies in the personal data we hold about you.
  • Right to erasure (to be forgotten): You have the right to delete the personal data that we hold about you.
  • Right to restriction of processing: You have the right to restrict processing of your personal data, based on the circumstances outlined in article 18 of GDPR.
  • Right to data portability: You have the right to receive a copy of your personal information in a structured, commonly-used, and machine-readable format.
  • Right to object: You have the right to object to our processing of your personal data based on our legitimate interests, including for direct marketing.
  • Right not to be subject to decisions based solely on automated processing: You have the right to request human intervention on any automated decision, including profiling, which results in a legal or other significant effect. Please note though that Contrast does not currently make decisions based on automated processing.

To exercise any of these rights, please email privacy [at] contrastsecurity.com with the details of your rights request, as well as any information that may be needed to fulfill your request.

If you are unhappy with our response to your privacy request, we encourage you to contact us directly at privacy [at] contrastsecurity.com, and we will take reasonable efforts to resolve your issue. However, you have the right to submit a complaint to the regulatory body where you work, where you reside, or where the suspected violation occurred. For UK residents, you may contact the Information Commissioner’s Office. For EEA residents, please refer to this list of European Data Protection Authorities to find your applicable DPA. Swiss residents should refer their complaints to the Federal Data Protection and Information Commissioner.

Cross-Border Data Transfers

Contrast is headquartered in the United States. When you submit personal data through our Site, your information is transferred to, processed and stored in the United States. Please note that U.S. data protection laws may not be considered equivalent to your local laws. Nonetheless, Contrast is an active participant in the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as set forth by the U.S. Department of Commerce. Contrast may rely on these frameworks as its legal basis for transfers of EU, UK, and Swiss residents’ personal data to the U.S. Contrast’s Data Privacy Framework Privacy Policy can be found here.

Where Contrast needs to execute an onward transfer of personal data outside of the U.S. to countries that have not been granted an adequacy status, or to service providers who are not themselves certified to the Data Privacy Framework, we use the appropriate Standard Contractual Clauses, approved by the competent supervisory authority, to govern those data transfers.

Customer data transferred to Contrast as part of our product offering is stored in the US, EU or Japan, depending on the customer’s location and request.

8. Children's data

Contrast’s products and services are not targeted at or developed for children, and we do not intentionally process children’s personal data. If you are under the age of 18, you are not authorized to use our Site or services. If Contrast becomes aware that we have inadvertently collected children’s personal data, we will immediately delete such information and inform relevant third parties to do likewise. If you have reason to believe that Contrast is processing the personal data of a child, please email privacy [at] contrastsecurity.com, and we will resolve the issue as soon as reasonably practicable.

9. Changes to this Privacy Policy

If we change this Privacy Policy, we will post those changes on this page and update the Privacy Policy modification date above. If we materially change this Privacy Policy in a way that affects how we use or disclose your personal data, we will provide a prominent notice of such changes and the effective date of the changes before making them. Continued use of the Site, service, or related products, following notice of such changes shall indicate your acknowledgement of such changes and agreement to be bound by the terms and conditions of such changes.

For previous versions/updates, please email privacy [at] contrastsecurity.com.

10. Contact us

If you have any questions about this Privacy Policy, please email us at privacy [at] contrastsecurity.com.

Contrast's Data Protection Officer is David Lindner. To contact David, please email privacy [at] contrastsecurity.com or write to:

Contrast Security, Inc.
Attn: Privacy
6800 Koll Center Parkway, Ste. 235
Pleasanton, CA 94566