Privacy Matters at Contrast Security
Privacy Policy
Key updates
Updated to remove reference to Swiss-US Data Privacy Framework not being enacted yet.
Last Updated: 17 September 2024
About Contrast
The products and services of Contrast Security, Inc. ("Contrast") represent a revolutionary approach to continuously protecting applications, and Contrast has a deep commitment to ensuring maximum privacy and information security standards as evidenced by our product offerings and our internal compliance environment. Contrast prides itself on operating with accountability, integrity and transparency, and constantly works to ensure that your personal information is protected in line with applicable data protection regulations and the highest information security standards.
This Privacy Policy tells you:
- What personal data we collect and the sources of that information
- Purposes for which we use your data
- Contrast's use of cookies and other tracking technologies
- Disclosures of your personal data
- Security
- Your privacy rights
- Children's data
- Changes to this Privacy Policy
- Contact us
Your Consent: If you reside outside the United States, by submitting your personal data through this website, https://www.contrastsecurity.com (the “Site”), you consent to our processing that data as described in this Privacy Policy. Please understand that you are not obliged to provide your personal data to us. However, if you do not provide your personal data, or otherwise do not consent to the processing of your personal data or withdraw your consent to the processing, Contrast may not be able to provide you with certain services and may be required to terminate the services currently provided to you.
1. What personal data we collect and the sources of that information
Through our website
The categories of personal data we collect, whether through the Site or from offline interactions with you when we act as a data controller, include the following:
Category of personal information | Examples |
Identifiers (contact information) | Name, email address, telephone, signature |
Commercial information | Records of products or services purchased or considered |
Internet activity information | IP address, device and browser information, cookies |
Professional or employment-related information | Job title, employer, place of employment |
User content | Contents of emails or messages you submit to Contrast through chatbots, help portals, etc. |
Communications data | Metadata from texts, calls or emails with Contrast, as well as the contents of those communications |
Audio, electronic, visual or similar information | Video or audio recordings when you interact with us by phone or web conferencing, video surveillance recordings if you visit a Contrast office |
Social media information | Social media account, interactions with Contrast social media |
Through our products
Although Contrast products are not designed to capture and process personal data, our products may incidentally capture personal information from our customers’ employees, users, or other affiliated parties as part of an attack or vulnerability trace. Where we do capture personal information for our customers, we act as a data processor, and we will process the personal information only in accordance with our customer’s instructions. Please refer to the privacy policy or other terms applicable to those customers for more information about how your data will be handled.
Contrast does not collect or process the sensitive personal information of its customers, prospects, or website visitors for any purpose, including the purpose of inferring characteristics about the individual.
Categories of sources
Collection method | Explanation |
Directly from you | Information that you deliberately provide us, such as when you submit a form or send an email to an @contrastsecurity.com email address. |
Indirectly from you | Data gathered through cookies and other tracking technologies. |
Through your employer | If your employer is a customer of Contrast, we may receive personal information about you from your employer which we use to provision you with a Contrast account. |
Marketing partners | We receive lists from marketing partners of qualified leads who have opted into sharing their information with us. |
Data brokers | We use data brokers in our sales outreach to enrich existing data and to identify potential leads. |
2. Purposes for which we use your personal data
We use the information we collect for a variety of purposes depending upon the nature of your relationship and how you interact with us, including as detailed below:
Website visitors
Processing activity | Categories of personal data | Legal basis for processing (GDPR only) |
Answering inquiries from customers | Identifiers, such as names and email addresses, user content, commercial information, and professional or employment-related information | Legitimate interest in providing our customers with responses to their questions |
Qualifying marketing leads through our website chatbot | Identifiers and professional or employment-related information | Consent or legitimate interest in sourcing and qualifying sales leads |
Complying with data subject rights requests | Identifiers, such as names and email addresses | Compliance with a legal obligation |
Logging and monitoring for security purposes | Identifiers, such as names and email addresses; Attack trace logs | Legitimate interest in securing our systems and resolving errors |
Website tracking to understand how visitors are using our site | Internet activity information, such as IP addresses | Consent |
Email marketing | Identifiers, such as names and email addresses | Consent or legitimate interest |
Customers and Prospects
Processing activity | Categories of personal data | Legal basis for processing (GDPR only) | Data subjects |
Customer sentiment analysis | Identifiers and contact information | Legitimate interest in understanding how we are serving our customers | Customers |
Account provisioning for users of Contrast's services | Identifiers, such as names and email addresses | Performance of a contract | Customers |
Cloud hosting of our SaaS product offerings | Identifiers, such as names and email addresses; Internet activity information, such as IP addresses; Attack trace logs | Performance of a contract | Customers |
Customer relationship management | Identifiers and business contact information; Message contents | Legitimate interest in maintaining records related to our sales efforts | Customers and prospects |
Communications with prospects and customers by email, telephone, and video call | Identifiers, such as names and email addresses; Email/message contents; Audio/visual recordings | Legitimate interest in communicating with our customers and prospects; Consent where we record video or telephone calls | Customers and prospects |
Free trial/proof of value environments for product demonstrations | Identifiers, such as names and email addresses; Internet activity information, such as IP addresses | Performance of a contract | Prospects |
Prospecting and sales outreach | Identifiers, such as names and email addresses | Legitimate interest in generating new business for Contrast | Prospects |
Improving our products and services | Internet activity information, such as IP addresses | Legitimate interest in improving our products and services; Consent where such collection uses cookies or similar technology | Customers |
Contrast retains the data that we process on behalf of our customers (i.e. we are the data processor) for the length of the customer relationship plus 37 days, which is the time it takes to purge our systems and backups of customer data. Customers can delete certain personal information themselves from within their Contrast accounts, and we are able to delete specific pieces of information for our customers on request.
Where Contrast collects personal information for our own purposes, we retain information for as long as necessary to achieve the purpose for which we collected your data. We will retain personal information longer as necessary to comply with legal, administrative, or procedural requirements, for example, a litigation hold.
Depending on your location, you may be able to exercise certain rights over how we process your personal data. To learn more about the rights available to you, please see section 6: Your privacy rights.
3. Contrast's use of cookies and other tracking technologies
We collect information through technology to enhance our ability to serve you. When you access and use the Site, Contrast and, in some cases, our third-party service providers collect information about how you interact with the Site.
Contrast uses a number of tracking technologies on the Site to understand how Site visitors are using and navigating the Site, and to assist with our marketing and sales efforts. These technologies include cookies, web beacons, and pixels. Where required, we will ensure that we have your consent before using these technologies, and that you can revoke your consent at any time.
Contrast uses cookies on the Site for a number of purposes. Some of these cookies are “essential” or “strictly necessary” cookies, whose use enables critical functionality on this site, such as for security and load balancing purposes. We also use cookies for personalization, analytics, and advertisement purposes. To learn more about our use of cookies, and your choices regarding cookies on our Site, please refer to our Cookie Policy.
The Site tracks your online activities over time and across websites or online services on an individually identifiable basis. For example, we may serve you advertisements on other websites based on what appeared to interest you on our Site. We do allow third parties to use our Site to track your activities over time or across other websites.
Do Not Track signals and the Global Privacy Control
Your web browser may provide you with options such as Do Not Track (DNT) or Global Privacy Control (GPC), which can be used to transmit your preferences to the websites that you visit. Contrast respects both DNT and GPC signals. Please refer to your browser provider for more information on activating or deactivating your DNT and GPC signals.
4. Disclosures of your personal data
We may disclose your personal data to third parties in the following circumstances:
- Third-party service providers: We may disclose your personal data to third-party service providers under contract with Contrast to help us provide services to you. The information disclosed is limited to what they need to perform their designated functions, and they are not authorized to use, sell or disclose personal data for their own marketing or other purposes.
  - Data types: all types of personal data that we collect
- Press releases: Contrast may disclose personal information to the public as part of a press release or other publicity materials to announce, with your organization’s permission, that we have entered into a significant contract for our services.
  - Data types: identifiers
- Required disclosures: We may be required to disclose personal information in a court proceeding, in response to a court order, subpoena, civil discovery request, or other legal process, or as otherwise required by law.
  - Data types: all types of personal data that we collect
- Government or law-enforcement request: Contrast also discloses personal information to government agencies, law enforcement, and other parties as required by law and as necessary to protect the rights, property, or safety of Contrast, its subsidiaries or affiliates, employees, customers, and users.
  - Data types: all types of personal data that we collect
Where Contrast discloses personal information to third parties in its role as a data processor, we ensure that each third party has signed a data processing agreement and that each third party has security and privacy controls at least as rigorous as our own. For a list of Contrast’s sub-processors, please see: Sub-Processor Listing.
You may have the right to opt out of the sharing of your personal information with our advertising partners. Please see the Region-Specific Information section for more information about your opt out rights.
Third-party sites
The Site includes links from the Site to, and plug-ins (such as Twitter, Instagram, and Facebook buttons) from, sites or applications operated by third parties (“Third-Party Sites”). Contrast does not control any Third-Party Sites and is not responsible for any information they may collect. The information collection practices of a Third-Party Site are governed by its privacy policy. It is your choice to enter any Third-Party Site. We recommend that you read its privacy policy if you choose to do so.
5. Security
The security and confidentiality of your personal data is important to us. We have technical, administrative, and physical security measures in place to protect your personal data from unauthorized access or disclosure and improper use.
For example, we use Transport Layer Security (TLS) encryption to protect the data collected through marketing forms on our Site. In addition, we restrict access to your personal data. Only employees who need the personal data to perform a specific job (for example, a customer service representative) are granted access to personal data. Employees with access to personal data are kept up to date on our security and privacy practices and all employees acknowledge Contrast’s Privileged User Agreement and Acknowledgement of Responsibilities policy. This policy is predicated on the NIST Rules of Behaviour. For more information on our Security practices, please visit our Trust Center.
Contrast also operates a bug bounty program. If you believe you have discovered a security vulnerability at Contrast or with one of our products or services, please report it through our Vulnerability Disclosure page or email security [at] contrastsecurity.com.
Please note that despite our reasonable efforts, no security measure is ever perfect or impenetrable, so we cannot guarantee the security of your personal data.
6. Your privacy rights
Depending on where you reside, you may have certain rights with regard to your personal data, such as the right to access your personal data, to correct inaccuracies, or to delete the personal data that we hold about you. To learn more about the specific rights available to you based on where you reside, please refer to the relevant section below.
Nonetheless, at Contrast we believe that everyone should be able to take control of their personal data. Wherever you reside, you may contact privacy [at] contrastsecurity.com to ask us to access, update, correct, or delete your personal data. We will respond to your request in accordance with any applicable law, or if no law applies, consistent with our legitimate business interests.
7. Region-specific information
United States
California
This section applies only to individuals who reside in the state of California in the United States (“California residents”), and only when Contrast processes their personal data subject to the amended California Consumer Privacy Act (“CCPA”).
Assistance for the disabled: Alternative formats of this Privacy Policy are available to individuals with a disability. Please contact privacy [at] contrastsecurity.com for assistance.
California notice at collection: Contrast collects the categories of personal information identified in section 1: What personal data we collect and the sources of that information for the purposes identified in section 2: Purposes for which we use your personal data and retains personal information for the period described in section 2. We do not sell or share your personal information or disclose it to third parties for cross-context behavioral advertising. We also do not collect or process sensitive personal information for the purpose of inferring characteristics about you.
Disclosures for business purposes: Contrast may disclose the categories of personal data described in section 1 to the categories of third-party recipients listed below for the purposes described in section 2, as well as for the following “business purposes” (as defined by the CCPA):
- Affiliated Companies. We may disclose your personal data to other members of Contrast’s corporate group for the business purposes of (a) auditing compliance with policies and applicable laws, (b) helping to ensure security and integrity, (c) debugging, (d) short-term transient use, (e) internal research, (f) activities to maintain or improve the quality or safety of a service or device, and (g) performing services on our behalf.
- Service Providers. We may disclose your personal data to the types of third-party service providers listed in section 4 so that they can perform services on our behalf.
- Professional Services Providers. We may disclose your personal data to these service providers, including lawyers, accountants and consultants, for the business purposes of auditing compliance with policies and applicable laws, in addition to performing services on Contrast’s behalf.
Your California privacy rights: Subject to certain limitations and exceptions, California residents have the following rights:
- Right to Know: You have the right to know (a) specific pieces of your personal information obtained from or about you and (b) information about Contrast’s collection, use, and disclosure of categories of your personal information.
- Right to Delete: You have the right to delete personal information that Contrast has collected from you.
- Right to Correct: You have the right to correct inaccurate personal information about you maintained by Contrast, taking into account the nature of the personal information and the purposes of processing the personal information.
- Right to Non-Discrimination: Contrast will not discriminate against you for exercising your rights.
If you would like to exercise these rights, please contact us through one of the below methods:
- Call (888) 371-1333 extension 9 (please provide your name and email address and any other information that may help us identify you in our systems)
- Email privacy [at] contrastsecurity.com
- Submit a request through our Contact Us form
Contrast reserves the right to request additional information from you if additional information is necessary for us to verify your request. Depending on the nature and sensitivity of your request, we will match at least two data points that you provide against information that we already hold about you in our systems. We may need to request additional information from you in order to verify your request. Any information that you do provide for verification purposes will only be used to verify your request.
If you choose to authorize an agent to submit a request on your behalf, we reserve the right to request additional information from you or your agent to prove that they have been authorized by you before we take any action to fulfill your request.
Contrast has not, and has no actual knowledge that we have, sold or “shared” the personal information of children under 16, in the last 12 months.
Other US States
At this time, Contrast does not meet the applicability thresholds for any other U.S. state privacy laws. We proactively monitor for new state privacy laws and requirements, and regularly assess our business against the applicability thresholds of existing state privacy laws.
Europe (including EU and EEA countries, United Kingdom and Switzerland)
The information in this section applies to individuals who reside in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland (collectively, “Europe”). Residents of Europe are not required by statute or by contract to provide any personal data to the Site.
Subject to certain limitations and exceptions, residents of Europe have the following rights:
- Right of access: You have the right to confirm with us whether we process your personal data, and if so to access that data.
- Right to rectification: You have the right to correct inaccuracies in the personal data we hold about you.
- Right to erasure (to be forgotten): You have the right to delete the personal data that we hold about you.
- Right to restriction of processing: You have the right to restrict processing of your personal data, based on the circumstances outlined in article 18 of GDPR.
- Right to data portability: You have the right to receive a copy of your personal information in a structured, commonly-used, and machine-readable format.
- Right to object: You have the right to object to our processing of your personal data based on our legitimate interests, including for direct marketing.
- Right not to be subject to decisions based solely on automated processing: You have the right to request human intervention on any automated decision, including profiling, which results in a legal or other significant effect. Please note though that Contrast does not currently make decisions based on automated processing.
To exercise any of these rights, please email privacy [at] contrastsecurity.com with the details of your rights request, as well as any information that may be needed to fulfill your request.
If you are unhappy with our response to your privacy request, we encourage you to contact us directly at privacy [at] contrastsecurity.com, and we will take reasonable efforts to resolve your issue. However, you have the right to submit a complaint to the regulatory body where you work, where you reside, or where the suspected violation occurred. For UK residents, you may contact the Information Commissioner’s Office. For EEA residents, please refer to this list of European Data Protection Authorities to find your applicable DPA. Swiss residents should refer their complaints to the Federal Data Protection and Information Commissioner.
Cross-Border Data Transfers
Contrast is headquartered in the United States. When you submit personal data through our Site, your information is transferred to, processed and stored in the United States. Please note that U.S. data protection laws may not be considered equivalent to your local laws. Nonetheless, Contrast is an active participant in the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as set forth by the U.S. Department of Commerce. Contrast may rely on these frameworks as its legal basis for transfers of EU, UK, and Swiss residents’ personal data to the U.S. Contrast’s Data Privacy Framework Privacy Policy can be found here.
Where Contrast needs to execute an onward transfer of personal data outside of the U.S. to countries that have not been granted an adequacy status, or to service providers who are not themselves certified to the Data Privacy Framework, we use the appropriate Standard Contractual Clauses, approved by the competent supervisory authority, to govern those data transfers.
Customer data transferred to Contrast as part of our product offering is stored in the US, EU or Japan, depending on the customer’s location and request.
8. Children's data
Contrast’s products and services are not targeted at or developed for children, and we do not intentionally process children’s personal data. If you are under the age of 18, you are not authorized to use our Site or services. If Contrast becomes aware that we have inadvertently collected children’s personal data, we will immediately delete such information and inform relevant third parties to do likewise. If you have reason to believe that Contrast is processing the personal data of a child, please email privacy [at] contrastsecurity.com, and we will resolve the issue as soon as reasonably practicable.
9. Changes to this Privacy Policy
If we change this Privacy Policy, we will post those changes on this page and update the Privacy Policy modification date above. If we materially change this Privacy Policy in a way that affects how we use or disclose your personal data, we will provide a prominent notice of such changes and the effective date of the changes before making them. Continued use of the Site, service, or related products, following notice of such changes shall indicate your acknowledgement of such changes and agreement to be bound by the terms and conditions of such changes.
For previous versions/updates, please email privacy [at] contrastsecurity.com.
10. Contact us
If you have any questions about this Privacy Policy, please email us at privacy [at] contrastsecurity.com.
Contrast's Data Protection Officer is David Lindner. To contact David, please email privacy [at] contrastsecurity.com or write to:
Contrast Security, Inc.
Attn: Privacy
6800 Koll Center Parkway, Ste. 235
Pleasanton, CA 94566