Privacy Matters at Contrast Security
Statement of Responsibility
The products and services of Contrast Security, Inc. ("Contrast") represent a revolutionary approach to continuously protecting applications. Contrast has a deep commitment to ensuring maximum privacy and information security standards, as evidenced by our product offerings and our internal compliance environment.
Accountability, Integrity, Transparency, Privacy by Design, our internal Security posture, and following best-in-class standards such as NIST and OWASP, inform virtually all decisions at Contrast.
You will share information with us when you visit our Website and use our Services. We want to be up front with you regarding the information we collect, how we use it, how we share it, and the controls we give you to access, update, and delete your information.
We also want to provide it in a way that is easy to understand. Legal and regulatory requirements are important, but our goal is to minimize any “legalese” that may be confusing. You are also welcome to contact privacy@contrastsecurity.com at any time.
Privacy is especially important to us given regulations across the globe, including Japan’s Act on the Protection of Personal Information (“APPI”), Canada’s Anti-Spam Law (“CASL”), the European Economic Area’s (“EEA”) General Data Protection Regulation (“GDPR”) and the United Kingdom's GDPR-UK, and the California Consumer Privacy Act ("CCPA"), to name a few. In the U.S., we also remain compliant with the CAN-SPAM Act. Regardless of your location, Contrast makes every effort to be fully compliant with privacy regulations in your country or place of residence.
We do not collect Personally Identifiable Information (“PII”) or Personal Information ("PI") on our Website unless you provide it voluntarily. PII or PI is information that can be used to identify you as an individual and may include your name, address, company email, personal email, telephone number or any other information that personally relates to you. Contrast does not use any information provided by the Japan My Number system.
If you are ever asked to provide PII, PI or other confidential information such as a Social Security number, My Number or National ID to someone claiming to represent Contrast, please do not share that information and notify privacy@contrastsecurity.com. If you believe you have discovered a security vulnerability at Contrast or with one of our products or services, please click here: Vulnerability Disclosure and/or email security@contrastsecurity.com.
We are committed to safeguarding the information in our custody and under our control. Our Operational Risk program is dynamic and proactive allowing us to stay abreast of the latest changes and enhancements to the ever-evolving global compliance landscape. We have implemented practical and sound administrative, technical, and physical safeguards to protect against unauthorized access, use, modification and disclosure of this information. This is a responsibility that we take seriously, and we have strong internal controls around change management and employee accountability.
A co-founder of Contrast was a founder of The Open Web Application Security Project (“OWASP”) and he served as the Chair of the OWASP Board for 8 years. Both of our co-founders are major contributors to OWASP and authored the OWASP Top 10, OWASP Enterprise Security API, OWASP Application Security Verification Standard, XSS Prevention Cheat Sheet, and many other widely adopted free and open projects. OWASP is a global not-for-profit charitable organization focused on improving the security of software. They provide impartial, practical information about AppSec to individuals, corporations, and other organizations worldwide. To further demonstrate the priority that Contrast gives to our compliance environment, we have a dedicated Data Privacy Officer with over 25 years’ experience. Our Data Privacy Officer serves as our designated Data Protection Officer for the GDPR.
Our hosted product environment resides with Amazon Web Services (“AWS”), which adheres to the strictest compliance standards. For the full listing of their current certifications and compliance standards, please see https://aws.amazon.com/compliance/programs/. While we do not accept any online payments or otherwise collect payment information through our website, we believe this proactive compliance indicates the strength of our hosting provider’s information security framework.
Contrast has entered into a Data Processing Addendum and Standard Contractual Clauses with AWS relative to the GDPR and CCPA. AWS allows for alignment with FISMA and adheres to the NIST framework.
Contrast is primarily responsible for the management of any PI that you voluntarily provide us and jointly used with our affiliates or third parties. We do not provide your information to third parties for marketing purposes without your prior consent. We never sell your data.
CONTRAST SECURITY AND GEOGRAPHICAL TRANSFERS OF DATA
As a global organization with headquarters in the U.S.A., we may transfer a limited amount of PII across international borders, including to our authorized processors, in accordance with applicable laws. There is the possibility that these third parties may be in jurisdictions which do not have an adequate level of data protection as determined by the European Commission. When these transfers are necessary, we use a variety of legal mechanisms to ensure the protection of the information transferred. These include:
- Transfers within the European Economic Area are covered by agreements which include the Standard Contractual Clauses as ratified by the European Parliament in June 2021.
- For transfers outside of the EEA, we ensure that contractual agreements and commitments such as SCCs, or other certification schemes such as the EU-US Privacy Shield, are in place.
Privacy Shield
Following on from the Schrems II judgment, which invalidated the EU-US Privacy Shield, Contrast has worked to ensure that other transfer mechanisms, such as the SCCs mentioned above, are in place where necessary. We are continually following developments: on March 25, 2022, the European Commission and the United States announced that they have agreed in principle on a new Trans-Atlantic Data Privacy Framework. We are constantly monitoring the updates and, when the Framework has been ratified, we will ensure all our relevant requirements are updated. For more information on this, please see https://ec.europa.eu/commission/presscorner/detail/en/ip_22_2087
The Federal Data Protection and Information Commissioner (FDPIC) for Switzerland reassessed the data protection conformity of the Privacy Shield regime for the Swiss-U.S. Privacy Shield and determined that, as long as the U.S. does not revoke the Privacy Shield regime, the Swiss-U.S. Privacy Shield Framework is not impacted.
Contrast remains a member of the EU-U.S. Privacy Shield network and continues to comply with the EU-U.S. Privacy Shield (where applicable) and the Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield”) as set forth by the U.S. Department of Commerce regarding the collection, use and retention of PI transferred from the EU, the UK and Switzerland to the United States in reliance on Privacy Shield. Contrast has certified to the Department of Commerce that it adheres to the Privacy Shield Principles ("Principles") with respect to such information, regardless of the recent decisions outlined above. If there is any conflict between the terms in this privacy policy and the Principles, the Principles shall govern. To learn more about the Privacy Shield program, and/or to view our certification, please visit https://www.privacyshield.gov/.
CONTRAST SECURITY AND THE EU GENERAL DATA PROTECTION REGULATION ("GDPR") AND THE CALIFORNIA CONSUMER PRIVACY ACT ("CCPA")
Contrast has taken all measures to ensure compliance with the GDPR and the UK-GDPR and continues to monitor the international landscape for recommendations as to enhancements and changes to the regulations.
As with the GDPR, Contrast continues to keep an eye on the regulatory scene related to CCPA and any forthcoming amendments. If there are any relevant amendments, we will incorporate them into our privacy program and comply with all requirements for consumers.
- For more information, see our Privacy Policy
- For more information on GDPR please click here.
- For more information on CCPA and overarching U.S. privacy legislation, please click here.
- For more information about NIST, please click here.
As of January 31, 2017, Contrast was SOC2 Type II compliant and, as of October 31, 2017, we began maintaining a rolling, annual SOC2 schedule. Our most recent SOC2 Type II Report was issued November 6, 2021. We are audited for Availability, Confidentiality, Privacy and Security and the audit maps to HITRUST controls.
Contrast Security—Privacy Policy
Updated 28 June 2022
Contrast Security, Inc. (“Contrast,” “We,” “Us,” or “Our”) is committed to protecting its Customers' ("Customer," "User," "Your") applications from vulnerabilities. We have prepared this Privacy Policy to describe our protocol around the collection, use, and disclosure of data related to Contrast Products and Offerings (the “Service”) or related products and offerings. This Policy is incorporated into, and is an inherent component of, Our Terms of Service, which can be found at: Terms. The use of the collected information will be limited to the purpose of providing the Service for which you have engaged us.
Our Privacy Policy is subject to change due to modifications with regulatory agencies, best practices, or enhancements to the compliance and control environment. If We should ever make a substantial change to the way We use Your Application Data or Personal Data, We will notify you by sending you an e-mail to the last e-mail address you provided to us and/or by prominently posting notice of the changes on Our Website. Any material changes to this Privacy Policy will be effective as of the date and time they are updated on Our Website. These changes will be effective immediately for new users of Our Website or Service. Continued use of Our Website, Service, or related products, following notice of such changes shall indicate Your acknowledgment of such changes and agreement to be bound by the terms and conditions of such changes.
Information About Our Website
When you visit Our Website at https://www.contrastsecurity.com (the “Website”), We collect Your Internet Protocol (“IP”) address as well as other related information such as page requests, browser type, referring and exit pages, the files viewed on Our site (for example, HTML pages, graphics, or other), operating system and average time spent on Our Website. We use this information to help us understand Our Website activity, and to monitor and improve Our Website.
Cookies
Our Website uses a technology called "cookies". For more information about cookies, please click here: Cookies. Cookies are small, often encrypted text files located in browser directories. They are used by web developers to help users navigate their websites efficiently and perform certain functions. You may set Your browser to notify you when you receive a cookie or to not accept certain cookies. However, if you decide not to accept cookies from Our Website, certain features may not function as designed. You may also remove cookies. To learn how to do so, please click here: Clear Cookies.
The Cookies and Web Trackers on our site, and their purpose:
Do-Not-Track
There are different ways you can prevent tracking of Your online activity. One of them is setting a preference in Your browser that alerts websites you visit that you do not want them to collect certain information about you. This is referred to as a Do-Not-Track (“DNT”) signal.
Contrast’s Website may not recognize or react in response to DNT signals from web browsers as, currently, there is no universally accepted standard for what a company should do when a DNT signal is detected. At such time as a standard is established, We will assess how best to respond to the signals. For more information, please click here: DNT Signals.
Other Links
Our Website may contain links to other websites that We do not own or operate. We provide these links as a convenience to you, for informational purposes only. These links are not intended as an endorsement of or referral to the linked websites. The linked websites have separate and independent privacy statements, notices, and terms of use. We do not have any control over these websites, and therefore We have no responsibility or liability for the manner in which they operate their sites nor what they may collect, use, disclose, secure or otherwise do with PI. If you choose to click on these links, you will leave Our site and be redirected to another site. During this process, a third party may collect Personal or Anonymous Data from you and Contrast is not responsible for their use of Your data. If you have concerns about Your data, you will need to contact the Privacy department of the third party or their designated Data Protection / Privacy Officer.
Links to Our Website may be featured or referenced on other websites that are not under Our control and therefore We have no responsibility or liability for the manner in which they operate their sites. Be sure to understand the privacy policies and terms of service of any site you visit. If you believe another entity has posted a link to Contrast that is misleading or that compromises the integrity of Contrast, please contact privacy@contrastsecurity.com. Such notifications will be kept in strict confidence.
Social Media
Our Website includes social media features, such as Twitter, LinkedIn, Google Circles, etc. If you access these sites, they may collect Your IP address, the page from which you are visiting Our site, and they may set a cookie to enable the feature to function properly. Social media features and widgets are either hosted by a third party or hosted directly on Our Website. Your interactions with these features are governed by the privacy policy of the company providing it and not by Contrast.
We encourage you to carefully read the privacy statement of any website you visit whether visiting https://www.contrastsecurity.com or another.
Promotional Events / Sweepstakes
When you provide us with your data as part of a promotional event or sweepstakes, we may use that information to contact you to verify your information, provide the goods, services or other offerings we have advertised, and deliver or distribute the items included in the promotional event or sweepstakes. We may use third parties to assist with the distribution of these goods; each of these third parties is compliant with CCPA, GDPR, UK-GDPR and other relevant privacy regulations. You may “opt out” of further communications at any time by following the unsubscribe instructions embedded in any email or on our website, or by contacting privacy@contrastsecurity.com. Regardless of whether you “opt out” or not, we may, but are not obligated to, send you emails and/or notices related to updates to our Privacy Policy or Terms of Service.
Collection and Use of Information
By submitting Application, Personal or other data or information (the “Data”), or making it available to Contrast, you agree to the terms of this Privacy Policy and you expressly consent to the processing of Your Data in accordance with it. We may collect your data in the following ways (among others):
- When you enquire about the services we offer
- When you become a Customer of Contrast to enable us to administer your account including notifications such as security or support and maintenance advisories; promotional communications, requests to participate in a survey, send upgrades and special offers related to Our Service and for other Contrast-specific purposes
- When you register to use our website
- When you visit any of our offices or attend events we have either organized or contributed to
- When you engage with us over social media
- When you apply to work for us
- When you contact us with a query, request or complaint
The information that we collect about you may include the following (but is not limited to):
| PERSONAL INFORMATION | DETAIL |
|---|---|
| Demonstration, product, free trial, or whitepaper request | Name, company email, telephone, company name, IP address |
| Customer information | Name, signature, corporate email, job function, company name and location of company |
| Career candidate information (“Careers”) | Name, email address, resume information, job references, employment history, additional ad hoc information provided by yourself |
| Marketing | Name, email address, company name |
| Contact us (“Contact Us”) | Name, company email, telephone, job function, company name, location of company, additional ad hoc information provided by yourself |
| SaaS Use (Serverless) | Contrast deploys 2 Lambda functions to perform in-depth activities such as code analysis and code fuzzing; metadata about the scanned resources (Lambda functions) is sent back for further evaluation |
| Blog | Name, email address, company name, ad hoc information provided by yourself directly to the blog |
| Event participation | Name, email address, company name |
| Social media | Name, email address, social media identifier, company name |
| Surveys (voluntary participation) | Name, company name, email address, telephone |
| Other information collected, such as for service support | Operating system and version, information about Your application and operating environment, and other requested information |
When you provide us with Data, it is primarily used to respond to requests or to allow us to provide better service to you. We may contact you by telephone for the purpose of verifying information, reviewing potential vulnerabilities or to solicit feedback.
As We provide web application security services and products, Our software is either embedded into our clients’ web applications or used to scan our client’s source code to monitor for vulnerabilities and prevent attacks. For the purposes of performing the web application security services on behalf of Our clients, We may collect and use Data through Our clients’ web applications. We do not collect or use PI through Your web applications for any purpose other than to provide the Service to which you have subscribed; this includes providing support and answering questions that you may have about the Service.
“Application Data” means data about the performance of Your application, system data (such as version data, names of plug-ins, etc.) about the environment in which Your application is operating, data about transactions in Your application (“Transaction Data”), stack traces and source code (source code if you are a customer who has purchased our Scan product), and other similar data related to Your application.
Any Application Data We collect is used to notify you of vulnerabilities and attacks and to share application performance information with you. We may also aggregate Application Data across multiple accounts and use this data to create and publish industry benchmarks or comparative application performance metrics. By default, We obfuscate any individual Transaction Data that We collect. You have the option of changing the configuration of Our products so that individual Transaction Data is not obfuscated. You can also disable certain vulnerability rules and/or the collection of certain types of Application Data collected through Our Service. Information as to how to do so can be found here.
We may collect telemetry and diagnostic data about how Our products and services are working to provide improvements and enhancements. This will enable us to not only give you a better user experience, but also enhance Our products and services for Your benefit. You expressly consent to the sharing of Your Application Data as described in this Policy.
Choices Regarding Your Information
We offer you choices regarding the collection, use, and sharing of Your information. We may, from time to time, send emails regarding scheduled maintenance, or that promote the purchase of Our Products or Service, etc. You may “opt out” of further communications by following the unsubscribe instructions embedded in the email or by contacting privacy@contrastsecurity.com. Regardless of whether you “opt out” or not, We may, but are not obligated to, send you emails and/or notices related to updates to Our Privacy Policy or Terms of Service.
When We delete account information, it will be deleted from the active database but may remain in Our archives. We will otherwise retain Your information for as long as Your account is active or as needed to provide you with the Service to which you have subscribed. It will also be retained as necessary to comply with Our legal obligations, resolve disputes, and enforce Our agreements. Unless contractually obligated otherwise, and not in conflict with legal obligations, customer data will be deleted within 37 days of the end of Our agreement; of those, 7 days are for backup data purposes only. Customers can download their own data at any time.
We will not disclose, sell or otherwise transfer PI without Your prior consent except as otherwise set out herein or, if applicable, in Your Agreement or Contract for Service with us.
We may transfer or disclose PI as follows:
- In connection with Our Website or the Service, We may transfer (or otherwise make available) PI to third parties who provide services on Our behalf. The information is limited to what they need to perform their designated functions, and they are not authorized to use or disclose PI for their own marketing or other purposes. That condition is, and will continue to be, included in all Agreements that We have with any service provider or third party.
- If Contrast is involved in a merger, sale or acquisition, We may transfer PI in connection with the transaction. We will make every effort to notify you in advance of any such merger, sale or acquisition as well as any significant corporate reorganization or change in control.
- Contrast may be required to provide PI responsive to requests from a governmental, law enforcement or regulatory agency. We will only disclose PI in response to:
  - A subpoena, warrant or other process issued by a court of competent jurisdiction;
  - A legal process having the same impact as a court-issued request for information where, if by refusing to do so, We would be in breach of local law and/or where We or Our officers, executives or employees would be subject to liability for failing to honor such legal process;
  - A situation where such disclosure is necessary for us to enforce Our legal rights pursuant to the laws of the jurisdiction from which such information was gathered; or
  - Lessening a serious and/or imminent threat of bodily harm.
Where a disclosure of Your information is required under such circumstances, we will promptly notify you, whenever possible, prior to complying with such requirements (to the extent We are not prohibited by law from doing so). To this end, it is important that you maintain current information with us at all times.
THE CHILDREN'S ONLINE PRIVACY PROTECTION ACT ("COPPA")
Contrast will never intentionally collect data from children who are 13 years of age or younger. If a parent, guardian, or other individual suspects that a child 13 or younger has provided data to Contrast, that individual should immediately report such information to privacy@contrastsecurity.com. Contrast will only retain the data for as long as it is necessary to delete the information using every reasonable measure to protect against its unauthorized access or use or to comply with legal or regulatory requirements.
DIGITAL MILLENNIUM COPYRIGHT ACT
Contrast respects the intellectual property rights of others and expects its users to do the same. In accordance with the Digital Millennium Copyright Act of 1998 (the “DMCA”), the text of which may be found on the U.S. Copyright Office website at http://www.copyright.gov/legislation/dmca.pdf, Contrast will promptly respond to claims of copyright infringement using Our Service or Website. Such claims must be reported to Contrast’s Designated Copyright Agent identified below.
If you are a copyright owner, authorized to act on behalf of a copyright owner, or are authorized to act under any exclusive right under copyright, please report alleged copyright infringements by completing the DMCA Notice of Alleged Infringement and delivering it to Contrast’s Designated Copyright Agent. Upon receipt of Notice as described below, Contrast will take whatever action it deems appropriate, including removal of the challenged content from the Website.
DMCA NOTICE OF ALLEGED INFRINGEMENT ("NOTICE")
- Identify the copyrighted work that you claim has been infringed or, if multiple copyrighted works are covered by this Notice, you may provide a representative list of the copyrighted works that you claim have been infringed.
- Identify the material or link you claim is infringing (or the subject of infringing activity) and to which access is to be disabled. If applicable, include the URL of the link shown on Our Website or the exact location where such material may be found.
- Include both of the following statements in the body of the Notice:
  - “I hereby state that I have a good faith belief that the disputed use of the copyrighted material is not authorized by the copyright owner, its agent, or the law (e.g., as a fair use).”
  - “I hereby state that the information in this Notice is accurate and, under penalty of perjury, that I am the owner, or authorized to act on behalf of the owner, of the copyright or of an exclusive right under the copyright that is allegedly infringed.”
- Provide Your full legal name and Your electronic or physical signature. It is helpful, but not required, to also provide Your company affiliation (if applicable), mailing address, telephone number, and email address.
- Deliver your Notice to Contrast's Designated Copyright Agent:
Contrast Security, Inc.
Attn: Copyright Agent
240 3rd Street
Los Altos, CA 94022
NOTICE TO END USERS
Where Our Services are made available to you through an organization (e.g. Your employer), that organization is the administrator of the Services and is responsible for the accounts and/or Service sites over which it has control. If this is the case, please direct Your data privacy questions to Your administrator, as Your use of the Services is subject to Your organization's policies. We are not responsible for the privacy or security practices of an administrator's organization, which may be different from this policy.
Your Company’s administrators are able to:
- require you to reset Your account password;
- restrict, suspend or terminate Your access to the Services and Your account access;
- access information in and about Your account;
- access or retain information stored as part of Your account; and/or
- install or uninstall third-party apps or other integrations.
In some cases, administrators can also:
- change the email address associated with Your account;
- change Your information, including profile information;
- restrict Your ability to edit, restrict, modify or delete information.
Even if the Services are not currently administered to you by an organization, if you use an email address provided by an organization (such as Your work email address) to access the Services, then the owner of the domain associated with Your email address (e.g. Your employer) may assert administrative control over Your account and use of the Services at a later date.
Please contact Your organization or refer to Your administrator’s organizational policies for more information.
TESTIMONIALS
We may post client endorsements on Our website which may contain PI. All client endorsements require the voluntary consent of the client to provide the endorsement and for us to publicly post it. Should you provide an endorsement and later want it removed, please contact corpmarketing@contrastsecurity.com.
CONTACT
Please contact privacy@contrastsecurity.com with any questions or comments you may have regarding Our Privacy Policy or if you would like to report an issue. You may also call +1(650) 567-4734, extension 8, to report an alleged ethics violation or email compliance@contrastsecurity.com.
Alternatively, you may write to us, anonymously or otherwise, at:
Contrast Security, Inc.
Attn: Privacy (or Compliance, as applicable)
240 3rd Street
Los Altos, CA 94022
YOUR CALIFORNIA PRIVACY RIGHTS - THE CALIFORNIA CONSUMER PRIVACY ACT 2018 ("CCPA")
The California Consumer Privacy Act of 2018 ("CCPA") became enforceable on January 1, 2020. The law enhances privacy rights and consumer protection of residents of California. CCPA is the first law of its kind to impact the U.S. and has some similarities to GDPR.
Contrast has put processes in place to ensure CCPA compliance and to meet Our obligations to Our Customers and consumers. As such, We have reviewed Our policies and procedures, including collection methods, to make sure they align with the requirements of CCPA.
Contrast falls under the definition of both a "Business" and a "Service Provider" per CCPA, and we will assist Our Customers/consumers with exercising their rights under CCPA. This includes ensuring that any requests from you (or, if applicable, from Your employees, for example in the case of an opt-out) are handled promptly. We will work with any third parties who may be involved to make sure requests are honored as soon as possible.
Contrast currently has three areas of activity that are related to the CCPA:
- Contrast may collect PI from consumers in the course of providing services to Our Customers. In this activity, Contrast acts strictly as a "service provider".
- Contrast collects respondent data strictly based on our customers' instructions. Contrast's Customers also decide how to use or respond to any PI that is collected.
- Contrast may collect PI from consumers in the course of Our marketing efforts. This includes PI We collect from forms on Our Website and event registrations, the information We collect automatically when users visit Our Website, and information We obtain from third party sources. In this activity, Contrast acts as a "business" under the CCPA.
Regardless of which area of activity applies to you, Contrast does not sell Your information.
To be clear, We have not sold, rented, released, disclosed, disseminated, made available, transferred, or otherwise communicated a consumer's PI to another business or third party for monetary or other valuable consideration since the CCPA legislation was passed.
Further, when We provide the services to Our Customers, We do not:
- process PI for any commercial purpose other than providing Our Customers the products and services they have purchased; or
- retain, use or disclose PI outside of the scope of the agreements We have with Our Customers.
Consumer Rights under the CCPA
Your rights under the CCPA include the right to request a copy of the specific PI collected about you in the 12 months prior to the request, and Our data collection practices (including categories of information collected, how the information is used, and to whom it is disclosed). We will generally refer to these as "access requests".
In addition, with some exceptions, you can request deletion of the PI that is collected about you. We will generally refer to these as "deletion requests".
With respect to the personal data of consumers collected in Contrast's marketing efforts, We are responsible for fulfilling access and deletion requests.
Pursuant to California Civil Code Section 1798.83, residents of the State of California have the right to request certain information relating to third parties to which Contrast may have disclosed certain categories of PI during the preceding year for the third parties’ direct marketing purposes. Contrast does not sell consumer data to any third parties. If you have any questions regarding Your rights, please email CCPA@contrastsecurity.com.
THE GENERAL DATA PROTECTION REGULATION ("GDPR") and GDPR-UK
GDPR addresses the technological changes in the global business environment over the past two decades and seeks to harmonize the approach to data protection across the EEA by establishing a single set of rules and associated penalties for non-compliance. GDPR has a global reach, as it applies to companies outside the EEA that control or process the data of EEA data subjects, making the GDPR the first global privacy standard.
Contrast has processes in place to ensure GDPR and UK-GDPR compliance and to meet Our obligations to Our Customers and employees. We have appointed a Data Protection Officer to oversee compliance, conducted a full Data Protection Impact Assessment (DPIA), and tuned Our current incident response and breach notification policy and process to align with the requirements of the GDPR and UK-GDPR. We have also implemented business processes to deal with privacy-related requests outside the Contrast platform and to ensure any requests from Your employees directed to us, are made known to you in a timely manner, if applicable and permissible.
Following Brexit, We also comply with privacy regulations by having a Data Processing Addendum and Standard Contractual Clauses in place where applicable. At present, the General Data Protection Regulation regulators recognize GDPR-UK.
LAWFUL BASIS FOR PROCESSING
The GDPR defines 6 lawful bases for processing:
- Consent: an individual has given clear consent for the processing of their personal data for a specific purpose.
- Contract: processing is necessary for a contract that a company has with an individual, or because they have asked a company to take specific steps before entering into a contract.
- Legal obligation: the processing is necessary for a company to comply with the law (not including contractual obligations).
- Vital interests: the processing is necessary to protect someone’s life.
- Public task: the processing is necessary for a company to perform a task in the public interest or for a company’s official functions, and the task or function has a clear basis in law.
- Legitimate interests: the processing is necessary for a company’s legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.
CONTRAST PROCESSES ALL DATA IN THE EEA AND THE UK BASED ON LEGITIMATE INTEREST
CONTRAST SECURITY PRODUCTS AND SERVICES
On 28 June 2021, the EU formally granted adequacy to the UK. This means the flow of personal information can continue as it did before Brexit, without the need for additional safeguards such as SCCs. The UK has confirmed that the EEA is adequate for flows of personal information to the EEA without further hindrance; this includes the Frankfurt and Ireland instances. Adequacy has been granted by the EU for a period of 4 years.
Contrast collects limited Corporate and Personal Data. The data We collect can be categorized as:
- data that We control for purposes of Corporate Business to Business marketing efforts,
- data We may collect from Your browsing on Our public Website, and
- data collected from Your Company’s indication of interest in Our product or Your application as a part of Our security services.
For business-to-business marketing efforts, We do not currently collect Personal Data (i.e. names, phone numbers, corporate email addresses) for the purpose of marketing Our services. Rather, We only maintain contacts that have expressed interest in Our services. If you have expressed interest in Our services, We may contact you about updates or product offerings that may be of interest to you. If these communications are no longer of use, We invite you to unsubscribe at any time. Contrast believes We have a legitimate interest in offering businesses more information about Our services, and We have controls in place to ensure the way in which We store and handle such data is subject to Our Information Security Program.
Contrast does not collect “Personal Data” from Data Subjects in the course of offering Our application security services. We only obtain Your Company’s consent to collection and use of Your Company’s confidential data (application performance data, application transaction records, etc.). This confidential data is of paramount importance to us, and We go to great lengths to protect it, however, this data is not to be confused with “Personal Data” of Data Subjects as contemplated under the GDPR. Thus, Contrast makes the general Privacy commitments as stated in Our Privacy Policy as well as those more specific to GDPR. We are committed to the confidentiality of Our Customer’s information. In addition, We are independently audited on an annual basis.
We believe a very important piece of Our continued compliance with privacy best practices, as well as compliance with the GDPR, is to ensure that We hold Our vendors and sub-processors accountable for their security and privacy commitments. Contrast has a robust Third-Party Vendor Management program, and We frequently assess all third parties for continued compliance with their security, privacy and confidentiality commitments. If you wish to receive notifications when we make a change to our sub-processors, you can do so here.
Contrast informs individuals about:
- The type or identity of third parties to whom Contrast discloses PI and the purposes for which it does so (Please see section entitled, "Collection and Use" here)
- The right of individuals to access their personal data (Please see section entitled, "Choices Regarding Your Information" here)
- The choices and means Contrast offers individuals for limiting the use and disclosure of their personal data (Please see section entitled, "Choices Regarding Your Information" here)
- The requirements for Contrast to disclose PI in response to lawful requests by public authorities, including the requirement to meet national security, law enforcement, or regulatory requirements (Please see section entitled, "Choices Regarding Your Information" here).
In addition, Contrast is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission ("FTC") regarding personal data received or transferred pursuant to the Privacy Shield Framework.
Under Privacy Shield, an individual has the option, under certain conditions, to invoke binding arbitration for complaints regarding Privacy Shield compliance not resolved by any of the other Privacy Shield mechanisms. Under Privacy Shield, Contrast must respond to individual complaints within 45 days. For additional information, visit: Privacy Shield / Complaints.
In the context of an onward transfer, Contrast has responsibility for the processing of the PI it receives under the Privacy Shield and subsequently transfers to a third party acting as an agent on its behalf. Contrast shall remain liable under the Principles if its agent processes such PI in a manner inconsistent with the Principles, unless the organization proves that it is not responsible for the event giving rise to the damage.
In compliance with the Principles, Contrast commits to resolve complaints about our collection or use of your PI. EU, UK or Swiss individuals with inquiries or complaints regarding Our Privacy Shield policy should first contact Contrast at: privacy@contrastsecurity.com.
Contrast has further committed to cooperate with the panel established by the EU data protection authorities ("DPA"s) with regard to unresolved Privacy Shield complaints concerning Human Resources data transferred from the EU or the UK in the context of the employment relationship. Contrast also agrees to cooperate with the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) and comply with the advice given by such authorities with regard to Human Resources data transferred from Switzerland in the context of the employment relationship. Finally, Contrast agrees to cooperate with the DPAs and/ or the FDPIC and to comply with the advice given by such authorities with regard to non-Human Resources data transferred from the EU to Switzerland.
Contrast continues to self-certify with Privacy Shield while the U.S. Department of Commerce partners with the EU and Swiss bodies toward resolution. A self-assessment is signed by a company officer or other authorized representative of the organization at least once a year and can be made available upon request by individuals or in the context of an investigation or a complaint related to non-compliance. Contrast is required to respond promptly to individual inquiries, and other requests for information from the Department of Commerce relating to its adherence to the Principles.
EMPLOYMENT WITH CONTRAST SECURITY
CANDIDATES
If you reside in the EEA or the UK and are interested in employment with Contrast, you will need to provide certain information (cover letter, resume, references, eligibility, or other employment-related information). We use this information for the purpose of processing and responding to Your application for current and future career opportunities. In this respect, you would be considered a Data Subject and the information you provide to us would represent Personal Data.
Our Website includes a “Careers” link. All applications must originate from this Website. Any entity that processes data on behalf of Contrast will be fully GDPR compliant. You will need to provide Your Consent for us to contact you as part of Your application. You have the right not to provide Consent but We will be unable to process Your application and consider you for employment if you do not provide it. While We will obtain Your Consent, We also process and manage Your data based on legitimate interests.
A limited number of employees of Contrast will also have access to Your data once you apply for a position. The recipients of Your personal data will be select employees of Contrast such as Human Resources, Your hiring leader, individuals with whom you will need to interview, etc. All information is shared according to the principle of least privilege and need-to-know. These employees have all undergone GDPR-related training. A limited number of third-party providers, under contract with Contrast, may also have access to Your Personal Data. We ensure that any such provider has data protection levels equivalent to those set forth in this privacy notice, at a minimum. We have entered into Data Processing Addenda (and Standard Contractual Clauses where applicable) with all such vendors or ensure appropriate language is in Our Agreements with them.
If you are selected as a final candidate for a position, We will enter into the appropriate contract, agreement, or other documentation as appropriate for Your country of residence. All documentation and actions, including those requiring additional Consent, will reflect full compliance with GDPR or GDPR-UK.
EMPLOYEES
As part of becoming an employee of Contrast you will be provided with a GDPR Employee Privacy Notice outlining Your rights, remedies and a list of third parties with access to your data. You may request an updated listing at any time. You will also be provided with any and all documentation and information related to Your status as both a Data Subject under the GDPR and an employee of Contrast.
SUBJECT ACCESS REQUESTS
A subject access request is a written request for PI/ Personal Data held about you by us. You have the right to see what PI We hold about you. You are entitled to be given a description of the information, what We use it for, who We might pass it on to, and any information We might have about the source of the information. However, this right is subject to certain exemptions or restrictions that are set out in the GDPR.
DATA PROTECTION OFFICER AND SUBJECT ACCESS REQUESTS
To make a Subject Access Request, email GDPR@contrastsecurity.com or write:
Sharron Reed Gavin, Data Protection Officer
Contrast Security, Inc.
240 3rd Street
Los Altos, CA 94022
The GDPR requires that We provide you with the following information:
- Company Name: Contrast Security, Inc.
  Address: 240 3rd Street, Los Altos, CA 94022
  Telephone: 001 650.567.4734
- Data Protection Officer: Sharron Reed Gavin
  Email: sharron.reed@contrastsecurity.com, GDPR@contrastsecurity.com
  Telephone: 001 650.567.4734
Finally, you have the right to lodge a complaint with the Information Commissioners’ Office (“ICO”) if you believe that We have not complied with the requirements of the GDPR with regard to Your personal data. The ICO encourages individuals to first report their concern to the organization controlling or processing Your data. For more information, please refer to ICO/ Raising a Concern.
OTHER
Contrast ensures compliance with Privacy Regulations wherever we have a presence, both in the United States and globally. Other than California, states such as Colorado and Virginia have enacted privacy legislation, and many other states, including Nevada and New York, have privacy regulations in place. The landscape is ever changing.
SECURITY STANDARDS AT CONTRAST (BEYOND DATA PRIVACY)
Keeping Your data secure is critical to us at Contrast. We follow industry best practices in application, network, and product security to ensure that Your data is safe. We envision a world where We can trust software with the most important activities of humanity. We love software, and it hurts us to see it misused to cause harm to others. As a security company, We not only protect Our business, but Yours as well. Contrast is committed to the highest standards of application and network security for Our hosted products. At the core of Our approach to security is a commitment to transparency – across Our protections, processes, and even potential issues.
Contrast has successfully undergone a third party Service Organization Control audit (SOC 2 Type II). The SOC 2 report verifies the existence of internal controls that have been designed and implemented to meet or exceed the requirements for the security principles set forth in the Trust Services Principles and Criteria. It provides a thorough review of how Contrast’s internal controls affect the security, availability, and confidentiality of the systems it uses to support its customers. Contrast was audited on the following controls:
- Organization and management
- Communications
- Risk management, design, and implementation of controls
- Monitoring of controls
- Logical and physical access controls
- Systems operation
- Privacy
- Change Management
DATA CENTER AND NETWORK SECURITY
Physical Security
Contrast's security application services and data are currently hosted on servers in Amazon Web Services (AWS) facilities in the United States, Europe, UK and Japan. AWS is routinely audited and believes in transparent security. A few of AWS’ Assurance Programs are as follows: FedRAMP, ISO 27001, FIPS, SOC2/Type 2, FERPA, and HIPAA. Contrast also monitors AWS’s compliance posture with respect to the GDPR, the CCPA and other key Privacy regulations as referenced on their website:
A full list of AWS certifications is available here: http://aws.amazon.com/compliance/.
Amazon Web Services has published the Shared Responsibility Model where they describe the division of responsibilities between AWS and the Customer. In general, AWS is responsible for security of the cloud and the Customer is responsible for security in the cloud. No Contrast employees have physical access to AWS Data Centers.
DATA BACKUPS & DISASTER RECOVERY
We perform multiple database backups each day. These backups are stored in geographically distributed object storage (AWS Simple Storage Service (S3) buckets) for 7 days; they are only accessible by automated processes and a limited number of employees who require access to support critical business functions. All access is role based. Data is encrypted in transit and at rest: data in transit is protected with TLS 1.2, and data at rest is encrypted with AWS KMS using AES-256-GCM. Backup integrity is automatically tested daily, and backup data is retained for 7 days. We have a dedicated AWS instance in Japan.
OPERATING SYSTEM, NETWORK AND FIREWALL CONFIGURATION
Operating systems are hardened using Center for Internet Security (CIS) standards and other industry best practices depending on the host's role. Operating systems are based on the Amazon Machine Images (AMIs) provided by CIS via their subscription. In addition to the standards and software from CIS, additional industry best practices are applied depending on the host's role.
System configuration and patches occur through both scheduled and ad-hoc processes that are driven by configuration management tools. The code is committed, tested, and peer reviewed before deployment.
Security patch management is an automated task for all hosts. Should a security patch be needed outside this process, We can apply patches in bulk to all hosts. If an urgent patch needs to be applied outside the regular schedule, We first verify that Our infrastructure is vulnerable and then apply the patch.
We observe communications from cert.org, us-cert.gov, and our own software processes to alert us of vulnerabilities that should be patched.
Our network is engineered and designed to limit access by origin and port between hosts and services (AWS Security Groups). Where possible, separate private networks (AWS VPCs) are created and are completely separate from other networks. All network and firewall rules are checked into Our source code repository and reviewed by staff via Pull Requests and only deployed once tested and reviewed. The network is designed with limited public facing systems.
In addition to our own product, We deploy several monitoring solutions to measure the health of Our service:
- Datadog - Application Performance Monitoring (APM), Log Aggregation and Alerting
- SumoLogic - Log Aggregation, Alerting and Security Anomaly detection
- Tenable, Inc. - Vulnerability Scanning, Container Scanning, Endpoint Vulnerability Analysis
- Lacework - Infrastructure Monitoring, Vulnerability Management, Threat Intelligence, Compliance Reporting
PRODUCT SECURITY
Minimal Data Collection
Contrast only collects the data absolutely necessary to provide the analysis and metrics. Our agent minimizes the amount of data collected by reporting only confirmed vulnerabilities to the Contrast TeamServer. A customer's source code and binaries never leave their servers when utilizing the Contrast Assess, Protect or SCA products. Contrast collects the following types of data:
- Vulnerability and attack data that includes HTTP request data and a series of method invocations
- Summary information about what libraries and classes are loaded by each application
- Sitemap information, including URLs, but not parameters
- Software architecture information about back-end components and connections
- Site usage metrics (opt-out)
- Confidential information that may be included as part of attack tracing and / or if a support ticket is opened and the customer inadvertently includes such information. In this instance, Contrast support would redact the information and advise the customer.
All Contrast employees are required to acknowledge and sign off on the Privileged User Agreement and Acknowledgement of Responsibilities Policy (predicated on NIST’s rules of behavior).
Encryption
Our primary defenses keep out attackers and control access, but We also use strong encryption to ensure that all of the data We store is inaccessible to attackers. All Contrast data is stored on encrypted volumes or object storage. We extend the use of encryption to backups, logs, and any other data associated with the Contrast service.
We utilize Amazon's Key Management Service to generate and rotate keys used across Our services. Amazon’s overall key management infrastructure uses Federal Information Processing Standards (FIPS) 140-2 approved cryptographic algorithms and is consistent with the National Institute of Standards and Technology (NIST) 800-57 recommendations.
Contrast uses strong encryption and mutual authentication on all connections. This protects against sniffing, spoofing, and other communications attacks. The connection from the Contrast Agents to the Contrast TeamServer uses an SSL socket connection that can be configured to use an outbound proxy. The Agents verify the Contrast TeamServer certificate and send the client authorization key to the TeamServer to establish mutual authentication. Back-end connections are also both encrypted and mutually authenticated. Any attempt to access Our service over a non-SSL connection is redirected to HTTPS.
We leverage the following AWS services relating to encryption:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
https://docs.aws.amazon.com/AmazonS3/latest/userguide/UsingEncryption.html
https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/what-is-load-balancing.html
https://aws.amazon.com/certificate-manager/
Permissions
We enable administrator, manager, or individual contributor permission levels within the app to be set for Your individual users. Permission levels determine the user’s ability to change settings, view information, and edit, delete, or export data. These are configurable by Customer.
Authentication
We believe that everything that happens within Contrast should be fully authenticated and traceable to a particular individual and We prohibit the use of shared logins. We do not charge or limit the number of users within an organization. We check password strength and failed login lockouts to ensure that Contrast is not susceptible to brute force attacks. We allow organizations and users to configure Our Two Step Verification process that leverages time-based one-time passwords ("TOTP"). We also provide organizations the ability to utilize their own Single-Sign-On (SSO) mechanism for authentication.
Access Control
Role based access is built into Contrast TeamServer, and you can limit/grant users the privilege to administer your organization or only make API calls.
All of the security defenses in the Contrast TeamServer are centralized into a security API based on the widely used OWASP Enterprise Security API (ESAPI), which we designed and contributed to the open source community through OWASP. Contrast data is accessible by a limited number of Contrast Employees who administer the Contrast Service. All employees have background checks and are under strict confidentiality agreements.
All application and system logins are written to an audit log. The logs are ingested into SumoLogic for analysis and automated alerts when privilege escalation occurs. These logs expire from the SumoLogic system after 30 days but are kept by Contrast (AWS S3) for 2 years.
Secure Coding
Contrast was designed from the ground up to be resilient against injection attacks like SQL injection, cross-site scripting (XSS), LDAP injection, XML entity attacks, command injection, and other risks. Our software architecture requires strict input validation on all input before it can be used. Where possible, We minimize the use of interpreters and use parameterized interfaces, if available.
Contrast Software Engineers are required to undergo annual secure code training.
Contrast uses TeamServer to identify, track, and remediate vulnerabilities during the Software Development Life Cycle. All code commits and pull requests require a minimum of 2 approvers, of which the application security team is a part.
Our agent runs in Our automated testing and manual verification environments. We perform ad-hoc threat modeling of newly proposed software and functionality, and also when significant changes occur to existing functionality. Additionally, We continuously verify that Our third-party libraries are not exposed to vulnerabilities. This helps identify vulnerabilities early in the life cycle and ensures robust controls to protect Our customer data and environment.
APPLICATION SECURITY
Vulnerability Scanning
Contrast performs regular vulnerability scanning using several tools. Contrast performs external infrastructure scans on a quarterly basis, at minimum. Also, Contrast uses Contrast Assess (IAST), Contrast Protect (RASP), and Contrast SCA/OSS on the staging and production environments to detect vulnerabilities before they make it to production, and to protect against application security attacks in production.
Penetration Testing
Contrast requires an annual full-access penetration test of the TeamServer SaaS application environment. An industry-recognized third party performs the test and is provided full source code access, access to a live production-like environment, and access to our on-premises install. The assessment focuses on the OWASP Top Ten and CWE/SANS Top 25 vulnerabilities and control families.
Also, Contrast consistently performs internal design reviews, threat modeling, penetration testing, scanning, and code review of Our SaaS application and agents. Alongside the internal assessments, the application security team is also a part of approving code pull requests should security components be affected.
Monitoring
Contrast restricts access to Our production environment on a need-to-know basis and maintains a comprehensive logging system to track access and events. Contrast closely monitors potential attacks both at a network and application security level with automated alerting to internal chat and paging systems.
KEY CHANGES TO THIS POLICY:
Updated 28 June 2022 - Information related to
- Added PII / PI table
- Link to sub-processors added
- Link to sub-processor register page included
- Updated Security Controls to match 2022 Security Statement
- Included Serverless Lambda function in the PII Table
Updated 7 March 2022 - Information related to
- European Data Protection Board, Standard Contractual Clauses
- AWS Instances in the EU and the UK
Updated 31 August 2021 - Information related to
- Contrast’s new product, Scan;
- Inclusion of Cookies, Webtrackers and their purpose;
- Inclusion of Third Party Service Providers; and
- References to changes in multiple locations related to Privacy.
Updated 13 Nov 2020 - Included Promotional Events / Sweepstakes information
Updated 14 September 2020 - Updates to language regarding EU-U.S. Privacy Shield.
Updated 30 May 2020 - Updates to reference Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”)
Updated 28 February 2020
Changes made to this Policy on 2/28/20 include:
- Updates to information regarding Japan's Act on the Protection of Personal Information ("APPI") and the My Number Act.
- Clarification as to Contrast's notification to individuals about the key goals of Privacy Shield and onward transfer of data.
Updated 30 December 2019 - Changes made to this Policy on 12/30/19 are related to the California Consumer Privacy Act.
Updated 21 November 2019
Updated 29 March 2019 - Changes made to this Policy on 3/29/19 are related to data being sent to the UK from the EU (see Privacy Shield Information).
Updated 24 May 2018 - Changes made to this Policy on 5/24/18 are related to the enforcement of the General Data Protection Regulation
Updated 1 February 2018
Updated 9 January 2018
Updated 29 September 2017
Originally published 1 September 2016
List of Sub-Processors as of 28 June 2022
Contrast Security, Inc. (“Contrast”) uses Sub-processors to help in the delivery of products and to provide related support services to our customers. A sub-processor is a 3rd party organisation used by Contrast where we are acting as a processor that may process or have access to personal data.
To ensure that we remain transparent to our customers and to comply with regulatory requirements such as the General Data Protection Regulation (“GDPR”), we maintain an up-to-date list of the entities, functions, and locations of these sub-processors as referenced below. For any questions, please email rfp@contrastsecurity.com.
Contrast performs rigorous assessments on the information security and data protection practices of its sub-processors and requires each to commit to written obligations regarding their security measures and to demonstrate compliance with applicable personal data protection laws and regulations and other policies.
To be notified whenever our Sub-processor listing is updated, please follow the link below:
Tier 1 / Sub-processors for Infrastructure, Security and Business Operations (Potential Access to Confidential Data)
Sub-Processor | Contact Details of Sub-Processor and Data Privacy Officer | Processing Location of Data | Processing Operations of Sub-Processor
Amazon Web Services (“AWS”) | 410 Terry Avenue N Seattle, WA 98109 USA | us-east-1 (Virginia, USA), us-west-2 (Oregon, USA), eu-west-2 (London, UK), eu-central-1 (Frankfurt, Germany), ap-northeast-1 (Tokyo, Japan) | Cloud Hosting Provider; Confidential Data captured in Vulnerabilities or Attack Trace Data, Admin User Information
Atlassian, Inc. | 350 Bush Street | United States; privileged users could potentially process from any of these locations: Bulgaria, Canada, Germany, Isle of Man, Israel, Japan, Mexico, New Zealand, UK | Bug Tracking, Project Management, Documentation, Internal Wiki
Datadog | 620 8th Ave; DPO: gdpr@datadoghq.com | United States | Log Aggregation, Alerting and Security Anomaly Detection; Confidential Data captured in Vulnerabilities or Attack Trace Data, Admin User Information
GitHub (“Microsoft”) | 88 Colin P. Kelly Jr. St; DPO: privacy@github.com | United States | Code Hosting Platform, Source Code Control; Source Code
Lacework | 6201 America; DPO: privacy@lacework.net, Attn: Chief Compliance Officer | United States | Infrastructure Monitoring, Vulnerability Management, Threat Intelligence, Compliance Reporting; Vulnerability Data Related to the SaaS Environment
Salesforce, Inc. | 415 Mission St. | United States | Customer Relationship Management (“CRM”), Collaboration and Communication (see also Slack); Customer and Prospect Data
Slack Technologies, Inc. | 500 Howard Street; DPO: dpo@slack.com | United States | Communication and Collaboration (see also Salesforce)
Splunk On-Call (Formerly VictorOps) | 270 Brannan St.; DPO: dpo@splunk.com | United States | On-call Paging; Vulnerability Data Related to the SaaS Environment, Incident Data, Support Ticket Data
Sumo Logic, Inc. | 305 Main Street or Sumo Logic Inc. | United States | Confidential Data captured in Vulnerabilities or Attack Trace Data, Admin User Information
Tenable, Inc. | 6100 Merriweather; DPO: privacy@tenable.com | United States | Vulnerability Scanning; Vulnerability Data Related to the SaaS Environment
Zendesk, Inc. | 999 Market Street; DPO: privacy@zendesk.com, Attn: Privacy Team and DPO | United States; Customer Success employees with privileged access could potentially access from any of these locations: Canada, Isle of Man, Japan, UK | Customer Support Portal/Customer Relationship Management (“CRM”); Customer Support Ticket Data
Tier 2 / Sub-Processors for CRM and Business Operations (Business Contact Information Processed)
Name of Sub-Processor | Contact Details of Sub-Processor/ Data Privacy Officer Contact Information | Processing Location of Data | Processing Operations of Sub-Processor
Gainsight, Inc. | 350 Bay Street; Attn: Legal (Data Protection Officer) | United States | Customer Relationship Management (“CRM”)
Google Workspace | 1600 Amphitheatre Pkwy; DPO: https://support.google.com/policies/ | United States | Email
Highspot, Inc. | 2211 Elliott Ave; DPO: privacy@highspot.com | United States | Marketing Sales Enablement
Hubspot, Inc. | 25 First Street; DPO: security@hubspot.com | United States | Customer Relationship Management (“CRM”)
iWAconsolti | Prolongation of Oriente 6; DPO: Gerardo Arellano <garellano@iwa.com.mx> | Mexico | Engineering/ R&D Support
JFrog (Artifactory) | 270 E Caribbean Dr.; DPO: privacy@jfrog.com | United States | Enterprise Universal Repository Manager (Management of application binaries and artifacts)
Mechdyne | 11 East Church; +44 116 318 4083 | United States | IT Support Services
MentorMate | (HQ) DPO: legal@mentormate.com | Bulgaria | Engineering/ R&D Support
Microsoft | One Microsoft Way; DPO: Provides a public facing contact form | United States | Email, Office Suite
Netsuite/ Oracle Corporation | Willis Tower 233; DPO: Public facing contact form. | United States | Finance and Invoicing Software
Pendo.io | 301 Hillsborough Street; DPO: gdpr@pendo.io, Attn: Data Protection Officer | United States | Platform Usage Analytics
Propelo (Formerly LevelOps) | 700 S Bernardo Ave. Suite 103; DPO: nishant@propelo.ai | United States | Data Analytics
Salesloft | 1180 West Peachtree St. NW | United States | Customer Relationship Management (“CRM”), Sales Engagement
SonarCloud | Route De PreBois; DPO: info@sonarsource.com | United States | Analytics Tool
Zoom | 55 Almaden Blvd; DPO: privacy@zoom.us, Attn: Data Protection Officer | United States | Conference Calling Communication
ZoomInfo | 805 Broadway St; DPO: legal@zoominfo.com | United States | Marketing, CRM Insights Tool, Advertising
3rd Party Policy and Security Due Diligence Review:

Tier 1 / Sub-Processors for Infrastructure, Security and Business Operations (Potential Access to Confidential Data)

| Sub-Processor | Audit Conducted | Audit Method | Evidence Reviewed by Contrast Security, Inc. |
|---|---|---|---|
| Amazon Web Services (“AWS”) | Yes | AWS engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● SOC 2 Type II Report (6-month cadence to September 2021) ● ISO 27001:2013 certificate (issued January 2022) ● ISO 27017:2015 certificate (issued March 2022) ● ISO 27018:2019 certificate (issued March 2022) ● ISO 27701:2019 certificate (issued March 2022) ● AWS Privacy Notice ● AWS Security Overview |
| Atlassian, Inc. | Yes | Atlassian engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● ISO 27001:2013 certificate (issued January 2022) ● SOC 2 Type II Report (September 2021) ● Bridge Letter SOC 2 Type II (January 2022) ● Security at Atlassian ● Privacy Policy |
| Datadog | Yes | Datadog engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● SOC 2 Type II Report (December 2021) ● ISO 27001:2013 certificate (issued December 2021) ● Pen Test Security Assessment (April 2022) ● SIG Core (2022) ● Privacy Policy |
| GitHub (“Microsoft”) | Yes | GitHub engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● Pen Test Security Assessment (February 2021) ● SOC 2 Type II Report (September 2021) ● Privacy Statement |
| Lacework | Yes | Lacework engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● SOC 2 Type II Report (August 2021) ● Bridge Letter SOC 2 Type II (October 2021) ● Privacy Policy |
| Salesforce, Inc. | Yes | Salesforce engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● SOC 2 Type II Report (October 2021) ● ISO 27001:2013 (issued April 2022) ● ISO 27017:2015 (issued April 2022) ● ISO 27018:2019 (issued April 2022) ● CSA CAIQ (2022) ● Pen Test Security Assessment (February 2022) |
| Slack Technologies, Inc. | Yes | Slack engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● SOC 2 Type II Report (November 2021) ● ISO 27001:2013 certificate (issued November 2021) ● ISO 27018:2019 certificate (issued November 2021) ● ISO 27017:2015 certificate (issued November 2021) ● CSA CAIQ (2021) ● Pen Test Security Assessment (November 2021) ● Privacy Policy |
| Splunk On-Call (Formerly VictorOps) | Yes | Splunk engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● SOC 2 Type II Report (November 2021) ● Information Security Policy ● Corporate Security Policy ● Cloud Security Addendum ● Privacy Policy |
| Sumo Logic, Inc. | Yes | Sumo Logic engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● Vendor Security Assessment (VSA) ● SOC 2 Type II Report (March 2021) ● Security Statement ● Pen Test Security Assessment (October 2021) ● ISO 27001:2013 certificate (issued February 2022) ● Privacy Policy |
| Tenable, Inc. | Yes | Tenable engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● ISO 27001:2013 certificate (issued December 2020) ● Pen Test Security Assessment (July 2021) ● SIG Core (2022) ● Privacy Policy |
| Zendesk, Inc. | Yes | Zendesk engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● ISO 27001:2013 certificate (issued April 2021) ● ISO 27018:2014 certificate (issued April 2021) ● SOC 2 Type II Report (September 2021) ● Pen Test Security Assessment (May 2021) ● CSA CAIQ ● Security Documentation ● Privacy Policy |
Tier 2 / Sub-Processors for CRM and Business Operations (Business Contact Information Processed)

| Sub-Processor | Audit Conducted | Audit Method | Evidence Reviewed by Contrast Security, Inc. |
|---|---|---|---|
| Gainsight, Inc. | Yes | Gainsight engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● SOC 2 Type II Report (December 2021) ● CSA CAIQ (2022) ● SIG Lite (2022) ● Privacy Policy ● Pen Test Security Assessment (October 2021) |
| Google Workspace | Yes | Google Workspace engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● SOC 2 Type II Report (April 2021) ● Privacy Policy ● ISO 27001:2013 (issued May 2021) ● ISO 27018:2019 (issued May 2021) ● ISO 27017:2015 (issued May 2021) |
| Highspot, Inc. | Yes | Highspot engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● SOC 2 Type II Report (August 2021) ● Privacy Policy |
| Hubspot, Inc. | Yes | Hubspot engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● ISO 27001:2013 certificate ● SOC 2 Type II Report (April 2021) ● SOC 2 Type II Bridge Letter (November 2021) ● Pen Test Security Assessment (November 2021) ● Security Overview ● Privacy Policy |
| JFrog (Artifactory) | Yes | JFrog engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● ISO 27001:2013 certificate (issued January 2022) ● ISO 27017:2015 certificate (issued January 2022) ● SOC 2 Type II Report (December 2021) ● Privacy Policy |
| Mechdyne |  | Mechdyne engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● Privacy Policy |
| MentorMate | Yes | MentorMate engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● SOC 2 Type I Report (February 2022) ● Contrast Vendor Assessment ● Vendor Code Policy ● Privacy Policy |
| Microsoft | Yes | Microsoft engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● SOC 2 Type II Report (September 2021) ● Privacy Policy ● Bridge Letter SOC 2 Type II (January 2022) |
| Netsuite / Oracle Corporation | Yes | Netsuite engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● SOC 2 Type II Report (September 2021) ● Privacy Policy |
| Pendo.io | Yes | Pendo engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● SOC 2 Type II Report (December 2021) ● Privacy Policy |
| Propelo (Formerly LevelOps) | Yes | Propelo engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● Security Datasheet ● Privacy Datasheet ● SOC 2 Type I Report (March 2021) ● Contrast Vendor Assessment ● Privacy Policy |
| Salesloft | Yes | Salesloft engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● SOC 2 Type II Report (June 2021) ● ISO 27001:2013 certificate ● Privacy Policy |
| SonarCloud | Yes | SonarCloud engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● ISO 27001:2013 Attestation ● Privacy Policy ● Pen Test Security Assessment Report (June 2021) |
| Zoom | Yes | Zoom engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● SOC 2 Type II Report (October 2021) ● CSA CAIQ ● SIG Full ● ISO 27001:2013 (issued December 2021) ● Privacy Policy |
| ZoomInfo | Yes | ZoomInfo engages an industry-recognized independent auditor to conduct the appropriate audit(s) on their systems and controls. As part of Contrast’s due diligence, we ensure current and appropriate reports, certifications, policies and, in some instances, vendor assessments are in place. These are reviewed by the appropriate stakeholders at Contrast (e.g., Compliance, Information Security, Privacy). We escalate any findings to the appropriate business owner and ensure a remediation plan is identified and closed in accordance with defined timelines. | ● SOC 2 Type II Report (February 2021) ● ISO 27001:2013 certificate ● Security Overview ● Privacy Policy |
Please note that we contacted all vendors regarding Log4J (by email, December 2021), Spring4Shell (March 2022) and the Java Digital Signature vulnerability (April 2022) and requested information via our website:

https://www.contrastsecurity.com/spring4shell-vendor-form and
https://www.contrastsecurity.com/java-zero-day-vendor-form

There were no findings of impact.

For any questions, please email rfp@contrastsecurity.com
Revision History (As posted to our public-facing website as of 13 May 2022)

| DATE OF ISSUE / VERSION NO. | PREVIOUS VERSION NO. / DATE | KEY MODIFICATIONS |
|---|---|---|
| 28 June 2022 / V2.0 | V1.0 / 28 April 2022 | Added Processing Location of Data |
| 28 April 2022 / V1.0 | N/A | Document modified to post on our public-facing website. |