STATEMENT OF RESPONSIBILITY
The products and services of Contrast Security, Inc. ("Contrast") represent a revolutionary approach to continuously protecting applications, just as the European Economic Area’s General Data Protection Regulation represented a revolutionary approach to affording individuals control over their personal information. Contrast has a deep commitment to ensuring maximum Privacy and Information Security standards as evidenced by our product offerings and our internal compliance environment.
Accountability, Integrity, Transparency, Privacy by Design, our internal Security posture, and following best-in-class standards such as NIST and OWASP, inform virtually all decisions at Contrast.
You will share information with us when you visit our Website and use our services. We want to be up front with you regarding the information we collect, how we use it, how we share it, and the controls we give you to access, update, and delete your information.
We also want to provide it in a way that is easy to understand. Legal and regulatory requirements are important, but our goal is to minimize any “legalese” that may be confusing. You are also welcome to contact email@example.com at any time.
We do not collect Personally Identifiable Information (“PII”) or Personal Information ("PI") on our Website unless you provide it voluntarily. PII or PI is information that can be used to identify you as an individual and may include your name, address, company email, personal email, telephone number or any other information that personally relates to you.
If you are ever asked to provide PII, PI or other confidential information such as a Social Security number, My Number or National ID to someone claiming to represent Contrast, please do not share that information and notify firstname.lastname@example.org. If you believe you have discovered a security vulnerability at Contrast or with one of our products or services, please click here: Vulnerability Disclosure and/or email email@example.com.
We are committed to safeguarding the information in our custody and under our control. Our Operational Risk program is dynamic and proactive allowing us to stay abreast of the latest changes and enhancements to the ever-evolving global compliance landscape. We have implemented practical and sound administrative, technical and physical safeguards to protect against unauthorized access, use, modification and disclosure of this information. This is a responsibility that we take seriously, and we have strong internal controls around change management and employee accountability.
A co-founder of Contrast was a founder of The Open Web Application Security Project (“OWASP”) and he served as the Chair of the OWASP Board for 8 years. Both of our co-founders are major contributors to OWASP and authored the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. OWASP is a global not-for-profit charitable organization focused on improving the security of software. They provide impartial, practical information about AppSec to individuals, corporations, and other organizations worldwide. To further demonstrate the priority that Contrast gives to our compliance environment, we have a dedicated Data Privacy Officer with over 25 years’ experience. Our Data Privacy Officer serves as our designated Data Protection Officer for the GDPR.
Our hosted product environment resides with Amazon Web Services (“AWS”) and they adhere to the strictest compliance standards. For the full listing of their current certifications or compliance standards, please see https://aws.amazon.com/compliance/programs/. While we do not accept any online payments or otherwise collect payment information through our website, we believe this proactive compliance indicates the strength of our hosting provider’s information security framework.
Contrast has entered into a Data Processing Addendum and Standard Contractual Clauses with AWS relative to the GDPR and CCPA. AWS allows for alignment with FISMA and adheres to the NIST framework.
Contrast is primarily responsible for the management of any PI that you voluntarily provide to us and that is jointly used with our affiliates or third parties. We do not provide your information to third parties for marketing purposes without your prior consent. We never sell your data.
As mentioned above, Contrast does not collect PII or PI on our Website unless you provide it voluntarily. Contrast does not use any information provided by the Japan My Number system.
CONTRAST SECURITY AND THE EU-U.S. / SWISS-U.S. PRIVACY SHIELD FRAMEWORK
On July 16, 2020, transfers of EU data to our international locations outside of the European Economic Area (“EEA”) (including locations in the U.S.) that do not have an adequacy decision from the European Commission are supported by EU Standard Contractual Clauses. Contrast has Standard Contractual Clauses where needed. On September 8, 2020, The Federal Data Protection and Information Commissioner (FDPIC) for Switzerland reassessed the data protection conformity of the Privacy Shield regime for the Swiss-U.S. Privacy Shield and determined that, as long as the U.S. does not revoke the Privacy Shield regime, the Swiss-U.S. Privacy Shield Framework is not impacted.
Contrast remains a member of the EU-U.S. Privacy Shield network as the U.S. Department of Commerce and European Commission are working closely to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework that will be in compliance with the July 16, 2020 ruling.
CONTRAST SECURITY AND THE EU GENERAL DATA PROTECTION REGULATION ("GDPR") AND THE CALIFORNIA CONSUMER PRIVACY ACT ("CCPA")
As mentioned above, Contrast products represent a revolutionary approach to continuously protecting applications. The GDPR represents a revolutionary approach to affording individuals control over their PI.
As with the GDPR, Contrast continues to keep an eye on the regulatory scene related to CCPA and any forthcoming amendments. If there are any relevant amendments, we will incorporate them into our privacy program and comply with all requirements for consumers.
- For more information on GDPR please click here.
- For more information on CCPA, and U.S. privacy legislation overarching, please click here.
- For more information about NIST, please click here.
As of January 31, 2017, Contrast was SOC2 Type II compliant and, as of October 31, 2017, we began maintaining a rolling, annual SOC2 schedule. Our most recent SOC2 Type II Report was issued November 25, 2020. We are audited for Availability, Confidentiality, Privacy and Security and the audit maps to HITRUST controls.
Updated 31 August 2021
Information About Our Website
When you visit Our Website at https://www.contrastsecurity.com (the “Website”), We collect Your Internet Protocol (“IP”) address as well as other related information such as page requests, browser type, referring and exit pages, the files viewed on Our site (for example, HTML pages, graphics, or other), operating system and average time spent on Our Website. We use this information to help us understand Our Website activity, and to monitor and improve Our Website.
Our Website uses a technology called "cookies". For more information about cookies, please click here: Cookies. Cookies are small, often encrypted text files, located in browser directories. They are used by web developers to help users navigate their websites efficiently and perform certain functions. You may set Your browser to notify you when you receive a cookie or to not accept certain cookies. However, if you decide not to accept cookies from Our Website, certain features may not function as designed. You may also remove cookies. To learn how to do so, please click here: Clear Cookies
The Cookies and Web Trackers on our site, and their purpose:
There are different ways you can prevent tracking of Your online activity. One of them is setting a preference in Your browser that alerts websites you visit that you do not want them to collect certain information about you. This is referred to as a Do-Not-Track (“DNT”) signal.
Contrast’s Website may not recognize or react in response to DNT signals from web browsers as, currently, there is no universally accepted standard for what a company should do when a DNT signal is detected. At such time as a standard is established, We will assess how to best respond to the signals. For more information, please click here: DNT Signals
Links to Our Website may be featured or referenced on other websites that are not under Our control and therefore We have no responsibility or liability for the manner in which they operate their sites. Be sure to understand the privacy policies and terms of service of any site you visit. If you believe another entity has posted a link to Contrast that is misleading or that compromises the integrity of Contrast, please contact firstname.lastname@example.org. Such notifications will be kept in strict confidence.
We encourage you to carefully read the privacy statement of any website you visit whether visiting https://www.contrastsecurity.com or another.
Promotional Events / Sweepstakes
Collection and Use of Information
When you provide us with Data, it is primarily used to respond to requests or to allow us to provide better service to you. Once you become a Customer of Contrast, We may send you a welcome e-mail; administrative e-mail notifications such as security, support and maintenance advisories; promotional communications; requests to participate in a survey; upgrades and special offers related to Our Service; and other Contrast-specific communications. We may contact you by telephone for the purpose of verifying information, reviewing potential vulnerabilities or to solicit feedback.
As We provide web application security services and products, Our software is either embedded into our clients’ web applications or used to scan our clients’ source code to monitor for vulnerabilities and prevent attacks. For the purposes of performing the web application security services on behalf of Our clients, We may collect and use Data through Our clients’ web applications. We do not collect or use PI through Your web applications for any purpose other than to provide the Service to which you have subscribed; this includes providing support and answering questions that you may have about the Service.
“Application Data” means data about the performance of Your application, system data (such as version data, names of plug-ins, etc.) about the environment in which Your application is operating, data about transactions in Your application (“Transaction Data”), stack traces and source code (source code if you are a customer who has purchased our Scan product), and other similar data related to Your application.
Any Application Data We collect is used to notify you of vulnerabilities and attacks and to share application performance information with you. We may also aggregate Application Data across multiple accounts and use this data to create and publish industry benchmarks or comparative application performance metrics. By default, We obfuscate any Individual Transaction Data that We collect. You have the option of changing the configuration of Our products so that individual Transaction Data is not obfuscated. You can also disable certain vulnerability rules and/or the collection of certain types of Application Data collected through Our Service. Information as to how to do so can be found here.
We may collect telemetry and diagnostic data about how Our products and services are working to provide improvements and enhancements. This will enable us to not only give you a better user experience, but also enhance Our products and services for Your benefit. You expressly consent to the sharing of Your Application Data as described in this Policy.
Choices Regarding Your Information
When We delete account information, it will be deleted from the active database but may remain in Our archives. We will otherwise retain Your information for as long as Your account is active or as needed to provide you with the Service to which you have subscribed. It will also be retained as is necessary to comply with Our legal obligations, resolve disputes, and enforce Our agreements. Unless contractually obligated otherwise, and not in conflict with legal obligations, customer data will be deleted within 37 days of the end of Our agreement. The 7 days is for backup data purposes only. Customers can download their own data at any time.
We will not disclose, sell or otherwise transfer PI without Your prior consent except as otherwise set out herein or, if applicable, in Your Agreement or Contract for Service with us.
We may transfer or disclose PI as follows:
- In connection with Our Website or the Service, We may transfer (or otherwise make available) PI to third parties who provide services on Our behalf. The information is limited to what they need to perform their designated functions, and they are not authorized to use or disclose PI for their own marketing or other purposes. That condition is, and will continue to be, included in all Agreements that We have with any service provider or third party.
- If Contrast is involved in a merger, sale or acquisition, We may transfer PI in connection with the transaction. We will make every effort to notify you in advance of any such merger, sale or acquisition as well as any significant corporate reorganization or change in control.
- Contrast may be required to provide PI responsive to requests from a governmental, law enforcement or regulatory agency. We will only disclose PI in response to:
  - A subpoena, warrant or other process issued by a court of competent jurisdiction;
  - A legal process having the same impact as a court-issued request for information where, if by refusing to do so, We would be in breach of local law and/or where We or Our officers, executives or employees would be subject to liability for failing to honor such legal process;
  - A situation where such disclosure is necessary for us to enforce Our legal rights pursuant to the laws of the jurisdiction from which such information was gathered; or
  - Lessening a serious and/or imminent threat of bodily harm.
Where a disclosure of Your information is required under such circumstances, we will promptly notify you, whenever possible, prior to complying with such requirements (to the extent We are not prohibited by law from doing so). To this end, it is important that you maintain current information with us at all times.
- You do not have to register in order to browse Our Website. However, if you are interested in a Product Demo, a Free Trial or downloading a whitepaper, for example, you will need to provide a name, company email address and a phone number. We use this information to communicate with you and otherwise administer Your use of Our Service for a trial period.
- Contrast does not collect any PI unless you provide it voluntarily. We do not collect any financial information online. All Orders are placed and managed directly with a Client Manager.
- Our Website includes a “Careers” link. If you apply for a job with us, you may provide certain PI about Yourself (cover letter, resume, references, eligibility, or other employment-related information). We use this information for the purpose of processing and responding to Your application for current and future career opportunities. If you are a resident of the EEA, please see the GDPR Section below as you can opt out of future contact.
- Our Website includes a “Contact Us” page. If you use this form, you may provide certain PI about Yourself (name, company email, phone number, company name, the number of employees at Your company, Your industry, Your job function and the location of Your company, etc.) plus the content of any message you choose to send. We use this information to contact you and will only do so for legitimate business purposes.
- If you subscribe to Our Blog notifications We collect Your name, email address and company name. If you post comments on Our blog, the information contained in Your posting will be stored on Our servers and other users will be able to see it. To request removal of Your PI from Our blog or community forum, please contact email@example.com.
- From time to time, Contrast may conduct surveys, the results of which drive improved customer service and/or products. If you choose to participate in one of Our surveys, we may collect information such as Your name, company email, company phone number, company name, etc.
- If you contact us otherwise to ask a question, provide feedback, file a complaint, report abuse, etc. you may be asked for information that identifies you (such as Your name, company affiliation, email address and/or a telephone number) along with additional information We may need to promptly and accurately respond. We may retain this information to assist you in the future and to improve Our customer service, service offerings, and Our Website.
- We also collect other types of Data such as operating system and version, information about Your application and operating environment, and other requested information if you contact us via e-mail regarding support for the Service.
THE CHILDREN'S ONLINE PRIVACY PROTECTION ACT ("COPPA")
Contrast will never intentionally collect data from children who are 13 years of age or younger. If a parent, guardian or other individual suspects that a child 13 or younger has provided data to Contrast, that individual should immediately report such information to firstname.lastname@example.org. Contrast will only retain the data for as long as it is necessary to delete the information using every reasonable measure to protect against its unauthorized access or use or to comply with legal or regulatory requirements.
DIGITAL MILLENNIUM COPYRIGHT ACT
Contrast respects the intellectual property rights of others and expects its users to do the same. In accordance with the Digital Millennium Copyright Act of 1998 (the “DMCA”), the text of which may be found on the U.S. Copyright Office website at http://www.copyright.gov/legislation/dmca.pdf, Contrast will promptly respond to claims of copyright infringement using Our Service or Website. Such claims must be reported to Contrast’s Designated Copyright Agent identified below.
If you are a copyright owner, authorized to act on behalf of a copyright owner, or are authorized to act under any exclusive right under copyright, please report alleged copyright infringements by completing the DMCA Notice of Alleged Infringement and delivering it to Contrast’s Designated Copyright Agent. Upon receipt of Notice as described below, Contrast will take whatever action it deems appropriate, including removal of the challenged content from the Website.
DMCA NOTICE OF ALLEGED INFRINGEMENT ("NOTICE")
- Identify the copyrighted work that you claim has been infringed or, if multiple copyrighted works are covered by this Notice, you may provide a representative list of the copyrighted works that you claim have been infringed.
- Identify the material or link you claim is infringing (or the subject of infringing activity) and to which access is to be disabled. If applicable, include the URL of the link shown on Our Website or the exact location where such material may be found.
- Include both of the following statements in the body of the Notice:
“I hereby state that I have a good faith belief that the disputed use of the copyrighted material is not authorized by the copyright owner, its agent, or the law (e.g., as a fair use).”
“I hereby state that the information in this Notice is accurate and, under penalty of perjury, that I am the owner, or authorized to act on behalf of the owner, of the copyright or of an exclusive right under the copyright that is allegedly infringed.”
- You are required to provide Your full legal name and Your electronic or physical signature. It is helpful, but not required, to also provide Your company affiliation (if applicable), mailing address, telephone number, and email address.
- Deliver your Notice to Contrast's Designated Copyright Agent:
Contrast Security, Inc.
Attn: Copyright Agent
240 3rd Street
Los Altos, CA 94022
NOTICE TO END USERS
Where Our Services are made available to you through an organization (e.g. Your employer), that organization is the administrator of the Services and is responsible for the accounts and/or Service sites over which it has control. If this is the case, please direct Your data privacy questions to Your administrator, as Your use of the Services is subject to Your organization's policies. We are not responsible for the privacy or security practices of an administrator's organization, which may be different than this policy.
Your Company’s administrators are able to:
- require you to reset Your account password;
- restrict, suspend or terminate Your access to the Services and Your account access;
- access information in and about Your account;
- access or retain information stored as part of Your account; and/or
- install or uninstall third-party apps or other integrations.
In some cases, administrators can also:
- change the email address associated with Your account;
- change Your information, including profile information;
- restrict Your ability to edit, restrict, modify or delete information.
Even if the Services are not currently administered to you by an organization, if you use an email address provided by an organization (such as Your work email address) to access the Services, then the owner of the domain associated with Your email address (e.g. Your employer) may assert administrative control over Your account and use of the Services at a later date.
Please contact Your organization or refer to Your administrator’s organizational policies for more information.
We may post client endorsements on Our website which may contain PI. All client endorsements require the voluntary consent of the client to provide the endorsement and for us to publicly post it. Should you provide an endorsement and later want it removed, please contact email@example.com.
Alternatively, you may write to us, anonymously or otherwise, at:
Contrast Security, Inc.
Attn: Privacy (or Compliance), as applicable
240 3rd Street
Los Altos, CA 94022
YOUR CALIFORNIA PRIVACY RIGHTS - THE CALIFORNIA CONSUMER PRIVACY ACT 2018 ("CCPA")
What is CCPA?
The California Consumer Privacy Act of 2018 ("CCPA") became enforceable on January 1, 2020. The law is meant to enhance privacy rights and consumer protection of residents of California. CCPA is the first law of its kind to impact the U.S. and has some similarities to GDPR.
Contrast has put processes in place to ensure CCPA compliance and to meet Our obligations to Our Customers and consumers. As such, We have reviewed Our policies and procedures, including collection methods, to make sure they align with the requirements of CCPA.
What does this mean to you?
Contrast falls under the definition of both a "Business" and a "Service Provider" per CCPA and we will assist Our Customers/consumers with exercising their rights under CCPA. This includes ensuring any requests from you, or if applicable, Your employees in the case of opt-out, for example, are handled promptly. We will work with third parties who may be involved to make sure requests are honored as soon as possible.
Contrast currently has three areas of activity that are related to the CCPA:
- Contrast may collect PI from consumers in the course of providing services to Our Customers. In this activity, Contrast acts strictly as a "service provider".
- Contrast collects respondent data strictly based on our customers' instructions. Contrast's Customers also decide how to use or respond to any PI that is collected.
- Contrast may collect PI from consumers in the course of Our marketing efforts. This includes PI We collect from forms on Our Website and event registrations, the information We collect automatically when users visit Our Website, and information We obtain from third party sources. In this activity, Contrast acts as a "business" under the CCPA.
Regardless of which area of activity applies to you, Contrast does not sell Your information.
To be clear, We have not sold, rented, released, disclosed, disseminated, made available, transferred, or otherwise communicated a consumer's PI to another business or third party for monetary or other valuable consideration since the CCPA legislation was passed.
Further, when We provide the services to Our Customers, We do not:
- process PI for any commercial purpose other than providing Our Customers the products and services they have purchased; or
- retain, use or disclose PI outside of the scope of the agreements We have with Our Customers.
Consumer Rights under the CCPA
Your rights under the CCPA include the right to request a copy of the specific PI collected about you in the 12 months prior to the request, and Our data collection practices (including categories of information collected, how the information is used, and to whom it is disclosed). We will generally refer to these as "access requests".
In addition, with some exceptions, you can request deletion of the PI that is collected about you. We will generally refer to these as "deletion requests".
With respect to the personal data of consumers collected in Contrast's marketing efforts, We are responsible for fulfilling access and deletion requests.
Pursuant to California Civil Code Section 1798.83, residents of the State of California have the right to request certain information relating to third parties to which Contrast may have disclosed certain categories of PI during the preceding year for the third parties’ direct marketing purposes. Contrast does not sell consumer data to any third parties. If you have any questions regarding Your rights, please email CCPA@contrastsecurity.com.
THE GENERAL DATA PROTECTION REGULATION ("GDPR") and GDPR-UK
What is GDPR?
GDPR addresses the technological changes in the global business environment over the past two decades and seeks to harmonize the approach to data protection across the EEA by establishing a single set of rules and associated penalties for non-compliance. The regulation was adopted on 27 April 2016 and became enforceable on 25 May 2018. The GDPR replaced the Data Protection Directive, a 20-year-old law with similar requirements to the GDPR, but with varying interpretation and application among member states of the EEA, and a lack of enforcement powers. GDPR also has a global reach: it applies even to companies outside the EEA that control or process the data of EEA data subjects, making the GDPR the first global privacy standard.
Contrast has processes in place to ensure GDPR compliance and to meet Our obligations to Our Customers and employees. We have appointed a Data Protection Officer to oversee compliance, conducted a full Data Protection Impact Assessment (DPIA), and tuned Our current incident response and breach notification policy and process to align with the requirements of the GDPR. We have also implemented business processes to deal with privacy-related requests outside the Contrast platform and to ensure any requests from Your employees directed to us, are made known to you in a timely manner, if applicable and permissible.
Following Brexit, we also comply with UK privacy regulations by having a Data Processing Addendum and Standard Contractual Clauses in place where applicable. At present, the General Data Protection Regulation regulators recognize GDPR-UK.
LAWFUL BASIS FOR PROCESSING
The GDPR defines 6 lawful bases for processing:
- Consent: an individual has given clear consent for the processing of their personal data for a specific purpose.
- Contract: processing is necessary for a contract that a company has with an individual, or because they have asked a company to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for a company to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for a company to perform a task in the public interest or for a company’s official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for a company’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
CONTRAST PROCESSES ALL DATA IN THE EEA AND THE UK BASED ON LEGITIMATE INTEREST
CONTRAST SECURITY PRODUCTS AND SERVICES
Contrast collects limited Corporate and Personal Data. The data We collect can be categorized as:
- data that We control for purposes of Corporate Business to Business marketing efforts,
- data We may collect from Your browsing on Our public Website, and
- data collected from Your Company’s indication of interest in Our product or Your application as a part of Our security services.
For business to business marketing efforts, We do not currently collect Personal Data (i.e. names, phone numbers, corporate email addresses) for the purpose of marketing Our services. Rather, We only maintain contacts that have expressed interest in Our services. If you have expressed interest in Our services, We may contact you about updates or product offerings that may be of interest to you. If these communications are no longer of use, We invite you to unsubscribe at any time. Contrast believes We have a legitimate interest in offering businesses more information about Our services and We have controls in place to ensure the way in which We store and handle such data is subject to Our Information Security Program.
We believe a very important piece of Our continued compliance with privacy best practices, as well as compliance with the GDPR, is to ensure that We hold Our vendors and sub-processors accountable for their security and privacy commitments. Contrast has a robust Third-Party Vendor Management program, and We frequently assess all third parties for continued compliance with their security, privacy and confidentiality commitments.
CONTRAST’S COOKIES, WEBTRACKERS AND PURPOSE:
THE PRIVACY SHIELD PROGRAM
On July 16, 2020, transfers of EU data to Our international locations outside of the European Economic Area (“EEA”) (including locations in the US) that do not have an adequacy decision from the European Commission became supported by EU Standard Contractual Clauses. Contrast has Standard Contractual Clauses and Data Processing Addenda where needed. On September 8, 2020, The Federal Data Protection and Information Commissioner (FDPIC) for Switzerland reassessed the data protection conformity of the Privacy Shield regime for the Swiss-U.S. Privacy Shield and determined that, as long as the U.S. does not revoke the Privacy Shield regime, the Swiss-U.S. Privacy Shield Framework is not impacted.
Contrast remains a member of the EU-U.S. Privacy Shield network as the U.S. Department of Commerce and European Commission are working closely to evaluate the potential for an enhanced EU-U.S. Privacy Shield framework that will be in compliance with the July 16, 2020 ruling.
Contrast informs individuals about:
- The type or identity of third parties to whom Contrast discloses PI and the purposes for which it does so (please see the section entitled "Collection and Use" here)
- The right of individuals to access their personal data (please see the section entitled "Choices Regarding Your Information" here)
- The choices and means Contrast offers individuals for limiting the use and disclosure of their personal data (please see the section entitled "Choices Regarding Your Information" here)
- The requirements for Contrast to disclose PI in response to lawful requests by public authorities, including the requirement to meet national security, law enforcement, or regulatory requirements (please see the section entitled "Choices Regarding Your Information" here).
In addition, Contrast is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission ("FTC") regarding personal data received or transferred pursuant to the Privacy Shield Framework.
Under Privacy Shield, an individual has the option, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. Under Privacy Shield, Contrast must respond to individual complaints within 45 days. For additional information, visit: Privacy Shield / Complaints.
In the context of an onward transfer, Contrast has responsibility for the processing of the PI it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. Contrast shall remain liable under the Principles if its agent processes such PI in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
In compliance with the Principles, Contrast commits to resolve complaints about our collection or use of your PI. EU, UK or Swiss individuals with inquiries or complaints regarding Our Privacy Shield policy should first contact Contrast at: firstname.lastname@example.org.
Contrast has further committed to cooperate with the panel established by the EU data protection authorities ("DPAs") with regard to unresolved Privacy Shield complaints concerning Human Resources data transferred from the EU or the UK in the context of the employment relationship. Contrast also agrees to cooperate with the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) and comply with the advice given by such authorities with regard to Human Resources data transferred from Switzerland in the context of the employment relationship. Finally, Contrast agrees to cooperate with the DPAs and/or the FDPIC and to comply with the advice given by such authorities with regard to non-Human Resources data transferred from the EU to Switzerland.
Contrast continues to self-certify with Privacy Shield while the U.S. Department of Commerce partners with the EU and Swiss bodies toward resolution. A self-assessment is signed by a company officer or other authorized representative of the organization at least once a year and can be made available upon request by individuals or in the context of an investigation or a complaint related to non-compliance. Contrast is required to respond promptly to individual inquiries, and other requests for information from the Department of Commerce relating to its adherence to the Principles.
EMPLOYMENT WITH CONTRAST SECURITY
If you reside in the EEA or the UK and are interested in employment with Contrast, you will need to provide certain information (cover letter, resume, references, eligibility, or other employment-related information). We use this information for the purpose of processing and responding to Your application for current and future career opportunities. In this respect, you would be considered a Data Subject and the information you provide to us would represent Personal Data.
Our Website includes a “Careers” link. All applications must originate from this Website. Any entity that processes data on behalf of Contrast will be fully GDPR compliant. You will need to provide Your Consent for us to contact you as part of Your application. You have the right not to provide Consent but We will be unable to process Your application and consider you for employment if you do not provide it. While We will obtain Your Consent, We also process and manage Your data based on legitimate interests.
A limited number of employees of Contrast will also have access to Your data once you apply for a position. The recipients of Your personal data will be select employees of Contrast such as Human Resources, Your hiring leader, individuals with whom you will need to interview, etc. All information is shared according to the principle of least privilege and need-to-know. These employees have all undergone GDPR-related training. A limited number of third-party providers, under contract with Contrast, may also have access to Your Personal Data. We ensure that any such provider has data protection levels equivalent to those set forth in this privacy notice, at a minimum. We have entered into Data Processing Addenda (and Standard Contractual Clauses where applicable) with all such vendors or ensure appropriate language is in Our Agreements with them.
If you are selected as a final candidate for a position, We will enter into the appropriate contract, agreement, or other documentation as appropriate for Your country of residence. All documentation and actions, including those requiring additional Consent, will reflect full compliance with GDPR or GDPR-UK.
As part of becoming an employee of Contrast you will be provided with a GDPR Employee Privacy Notice outlining Your rights, remedies and a list of third parties with access to your data. You may request an updated listing at any time. You will also be provided with any and all documentation and information related to Your status as both a Data Subject under the GDPR and an employee of Contrast.
SUBJECT ACCESS REQUESTS
A subject access request is a written request for the PI/Personal Data We hold about you. You have the right to see what PI We hold about you. You are entitled to be given a description of the information, what We use it for, who We might pass it on to, and any information We might have about the source of the information. However, this right is subject to certain exemptions or restrictions that are set out in the GDPR.
DATA PROTECTION OFFICER AND SUBJECT ACCESS REQUESTS
To make a Subject Access Request, email GDPR@contrastsecurity.com or write:
Sharron Reed Gavin, Data Protection Officer
Contrast Security, Inc.
240 3rd Street
Los Altos, CA 94022
The GDPR requires that We provide you with the following information:
- Company Name and Address: Contrast Security, Inc., 240 3rd Street, Los Altos, CA 94022
- Data Protection Officer: Sharron Reed Gavin
Finally, you have the right to lodge a complaint with the Information Commissioner’s Office (“ICO”) if you believe that We have not complied with the requirements of the GDPR with regard to Your personal data. The ICO encourages individuals to first report their concern to the organization controlling or processing their data. For more information, please refer to ICO/Raising a Concern.
Contrast ensures compliance with Privacy Regulations wherever we have a presence, both in the United States and globally. Besides California, states such as Colorado and Virginia have enacted privacy legislation, and many other states, including Nevada and New York, have privacy regulations in place. The landscape is ever changing.
SECURITY STANDARDS AT CONTRAST (BEYOND DATA PRIVACY)
Keeping Your data secure is critical to us at Contrast. We follow industry best practices in application, network, and product security to ensure that Your data is safe. We envision a world where We can trust software with the most important activities of humanity. We love software, and it hurts us to see it misused to cause harm to others. As a security company, We not only protect Our business, but Yours as well. Contrast is committed to the highest standards of application and network security for Our hosted products. At the core of Our approach to security is a commitment to transparency – across Our protections, processes, and even potential issues.
Contrast has successfully undergone third-party Service Organization Control auditing (SOC 2 Type II). The SOC 2 report provides assurance that We have designed and implemented effective security controls as defined by the SOC 2 standards, which are based on the defined Trust Services Criteria. During the examination, the independent auditors evaluated and tested controls over the following:
- Organization and management
- Risk management, design, and implementation of controls
- Monitoring of controls
- Logical and physical access controls
- Systems operation
- Change Management
with respect to Security, Availability, Confidentiality and Privacy.
DATA CENTER AND NETWORK SECURITY
Contrast's security application services and data are currently hosted on servers in Amazon Web Services (AWS) ISO 27001 certified facilities in the United States. AWS is routinely audited and believes in transparent security. A few of AWS’ Assurance Programs are as follows: FedRAMP, ISO 27001, FIPS, SOC 2 Type II, FERPA, and HIPAA. As of March 26, 2018, AWS is fully compliant with the GDPR; more information can be found here: AWS/GDPR Compliance. Contrast has entered into a Data Processing Addendum and Standard Contractual Clauses with AWS.
A full list of AWS certifications is available here: http://aws.amazon.com/compliance/.
In addition, Amazon Web Services has published the Shared Responsibility Model where they describe the division of responsibilities between AWS and the Customer. In general, AWS is responsible for security of the cloud and the Customer is responsible for security in the cloud. No Contrast employees have physical access to AWS Data Centers.
DATA BACKUPS & DISASTER RECOVERY
We store Our data across multiple AWS availability zones and perform multiple database backups each day. These backups are stored in geographically distributed object storage. Backup integrity is tested daily. Host logs are ingested into a log management platform for support and operational processes.
OPERATING SYSTEM, NETWORK AND FIREWALL CONFIGURATION
Operating Systems are hardened using Center for Internet Security (CIS) benchmarks and other industry best practices appropriate to the host's role. System configuration and patching occur through both scheduled and ad-hoc processes that are driven by configuration management tools. The configuration code is committed, tested, and peer reviewed before deployment.
Security patch management is an automated task for all hosts. Should a security patch be needed outside this process, We can apply patches in bulk to all hosts. If an urgent patch needs to be applied outside the regular schedule, We first verify that Our infrastructure is vulnerable and then apply the patch.
We observe communications from cert.org, us-cert.gov, and Our own software processes to alert us of vulnerabilities that should be patched.
Our network is engineered and designed to limit access by origin and port between hosts and services (AWS Security Groups). Where possible, separate private networks (AWS VPCs) are created that are completely isolated from other networks. All network and firewall rules are checked into Our source code repository, reviewed by staff via Pull Requests, and only deployed once tested and reviewed. The network is designed with a minimal number of public-facing systems.
In addition to Our own product, We deploy several monitoring solutions to measure the health of Our service.
Minimal Data Collection
Contrast only collects the data absolutely necessary to provide the analysis and metrics. Our technology minimizes the amount of data collected by reporting only confirmed vulnerabilities and need-to-know information to the Contrast Platform. A customer's source code and binaries only ever leave their servers when utilizing the Contrast Scan product. Contrast collects the following types of data:
- Vulnerability and attack data that includes HTTP request data and a series of method invocations
- Summary information about what libraries and classes are loaded by each application
- Sitemap information, including URLs, but not parameters
- Software architecture information about back-end components and connections
- Source code and binaries (when using the Contrast Scan product)
- Stack traces
- Audit and debug logs and/or
- Site usage metrics (opt-out)
Contrast encrypts all data at rest and sends and receives all data over HTTPS using TLS 1.2 or higher.
Our primary defenses keep out attackers and control access, but We also use strong encryption to ensure that all of the data We store is inaccessible to attackers. All Contrast data is stored on encrypted volumes or object storage. We extend the use of encryption to backups, logs, and any other data associated with the Contrast service.
Where possible, We utilize Amazon's Key Management Service to generate and rotate keys used across Our services.
Amazon’s overall key management infrastructure uses Federal Information Processing Standards (FIPS) 140-2 approved cryptographic algorithms and is consistent with the National Institute of Standards and Technology (NIST) 800-57 recommendations.
Contrast uses strong encryption and mutual authentication on all connections. This protects against sniffing, spoofing, and other communications attacks. The connection from the Contrast Agents to the Contrast TeamServer uses a TLS socket connection that can be configured to use an outbound proxy. The Agents verify the Contrast TeamServer certificate and send the client authorization key to the TeamServer to establish mutual authentication. Back-end connections are also both encrypted and mutually authenticated. Any attempt to access Our service over a non-SSL connection is redirected to use HTTPS.
We leverage multiple AWS services relating to encryption.
We enable administrator, manager, or individual contributor permission levels within the app to be set for Your individual users. Permission levels determine the user’s ability to change settings, view information, and edit, delete, or export data. These are configurable by Customer.
We believe that everything that happens within Contrast should be fully authenticated and traceable to a particular individual, and We discourage the use of shared logins. We do not charge for or limit the number of users within an organization. We enforce password-strength checks and failed-login lockouts to ensure that Contrast is not susceptible to brute-force attacks. We allow organizations and users to configure Our Two-Step Verification process, which leverages time-based one-time passwords ("TOTP").
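To illustrate the two controls named above, here is an added example (not Contrast's code, and not a description of how TeamServer implements them) that generates and verifies RFC 6238 TOTP codes and applies a failed-attempt lockout to the second-factor check. The demo secret is the RFC 6238 test key, base32-encoded, so the codes can be checked against the RFC's published vectors; the lockout threshold and duration are assumed values chosen for the demonstration.

```python
import base64
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass

# Constructed demo secret: the RFC 6238 SHA-1 test key, base32-encoded
# (the form authenticator apps receive). Not a real credential.
DEMO_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, the default most authenticator apps use."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // step                      # 30-second time step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


def current_code(secret_b32: str) -> str:
    """Code an enrolled authenticator would show right now."""
    return totp(secret_b32, int(time.time()))


@dataclass
class SecondFactorVerifier:
    """Verifies submitted TOTP codes and locks the account after repeated failures.

    max_failures / lockout_seconds are assumed policy values for the demo.
    """
    secret_b32: str
    max_failures: int = 5
    lockout_seconds: int = 300
    window: int = 1          # accept +/- one step to tolerate small clock drift
    failures: int = 0
    locked_until: int = 0

    def verify(self, submitted: str, now: int) -> str:
        """Return 'ok', 'rejected' or 'locked'."""
        if now < self.locked_until:
            return "locked"              # refuse even a correct code while locked
        for drift in range(-self.window, self.window + 1):
            expected = totp(self.secret_b32, now + drift * 30)
            # constant-time comparison; differing lengths simply compare unequal
            if hmac.compare_digest(expected, submitted):
                self.failures = 0
                return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked_until = now + self.lockout_seconds
            self.failures = 0
            return "locked"
        return "rejected"


if __name__ == "__main__":
    v = SecondFactorVerifier(DEMO_SECRET_B32, max_failures=3, lockout_seconds=60)
    now = int(time.time())
    print("wrong code:", v.verify("0000000", now))
    print("right code:", v.verify(current_code(DEMO_SECRET_B32), now))
```

The drift window is the usual trade-off: a wider window improves usability on devices with poor clocks but multiplies the number of codes an attacker could guess per step, so it is kept small and the lockout counter is what actually bounds online guessing.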
Contrast was designed from the ground up to be resilient against injection attacks like SQL injection, cross-site scripting (XSS), LDAP injection, XML entity attacks, command injection, and other risks. Our software architecture requires strict input validation on all input before it can be used. We minimize the use of interpreters where possible and use parameterized interfaces, if available.
Contrast Software Engineers are required to undergo annual secure code training.
Contrast uses TeamServer to identify, track, and remediate vulnerabilities during the Software Development Life Cycle. Our agent runs in automated testing and manual verification environments.
Contrast performs regular vulnerability scanning using several tools. Contrast performs external infrastructure scans on a quarterly basis, at minimum. Also, Contrast uses Contrast Assess (IAST), Contrast Protect (RASP), and Contrast OSS on the staging and production environments to detect vulnerabilities before they make it to production, and to protect against application security attacks in production.
Annually, at a minimum, Contrast contracts with respected third-party security experts to execute a penetration test on Our source code and production infrastructure. Also, Contrast consistently performs internal design reviews, threat modeling, penetration testing, scanning, and code review of Our SaaS application and agents. Alongside the internal assessments, the application security team is also a part of approving code pull requests should security components be affected.
Contrast restricts access to Our production environment on a need-to-know basis and maintains a comprehensive logging system to track access and events. Contrast closely monitors potential attacks both at a network and application security level with automated alerting to internal chat and paging systems.
KEY CHANGES TO THIS POLICY:
Updated 31 August 2021 - Information related to
- Contrast’s new product, Scan,
- Inclusion of Cookies, Webtrackers and their purpose;
- Inclusion of Third Party Service Providers, and
- References to changes in multiple locations related to Privacy.
Updated 13 November 2020 - Included Promotional Events / Sweepstakes information
Updated 14 September 2020 - Updates to language regarding EU-U.S. Privacy Shield.
Updated 30 May 2020 - Updates to reference Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”)
Updated 28 February 2020
Changes made to this Policy on 2/28/20 include:
- Updates to information regarding Japan's Act on the Protection of Personal Information ("APPI") and the My Number Act.
- Clarification as to Contrast's notification to individuals about the key goals of Privacy Shield and onward transfer of data.
Updated 30 December 2019 - Changes made to this Policy on 12/30/19 are related to the California Consumer Privacy Act.
Updated 21 November 2019
Updated 29 March 2019 - Changes made to this Policy on 3/29/19 are related to data being sent to the UK from the EU (see Privacy Shield Information).
Updated 24 May 2018 - Changes made to this Policy on 5/24/18 are related to the enforcement of the General Data Protection Regulation.
Updated 1 February 2018
Updated 9 January 2018
Updated 29 September 2017
Originally published 1 September 2016