- CrowdStrike Services
- Cyber Front Lines Report
- Incident Response Insights that Matter for 2020
- Download Now
Code of ethics and
This Code of Ethics and Business Conduct (this “Code”) describes CrowdStrike’s core values and its expectations for how you act when conducting business on CrowdStrike’s behalf. We expect all employees, officers, Board members and independent contractors (“CrowdStrikers” or “you”) to know and follow this Code.
CrowdStrikers should exercise good judgment, uphold these standards in their day-to-day activities, and comply with all applicable policies and procedures in the course of their relationship with CrowdStrike. Although this Code does not cover every issue that may arise, it will provide you with general guidelines for exercising good judgment and you can refer to CrowdStrike’s other policies and procedures for more information on how to implement the general principles described below. CrowdStrike may issue additional policies on the topics below from time to time.
This Code is intended to deter wrongdoing, as well as the appearance of wrongdoing. Doing the right thing is more important than winning while doing the wrong thing. We never want to jeopardize our reputation or the trust of our customers, partners, stockholders, fellow employees and the communities we operate in.
All CrowdStrikers, regardless of tenure or title, are responsible for recognizing legal and ethical issues and doing the right thing in conducting business activities. CrowdStrike managers should demonstrate not only compliance with the Code but support direct reports in learning and adhering to the Code and speaking up if they see a problem. If you are approached with a question or concern related to the Code or any other CrowdStrike policy, listen carefully and give the person your complete attention. Seek guidance if you need it and report concerns if you see something that doesn’t seem in line with the Code or our values.
CrowdStrike takes allegations of wrongdoing seriously and promptly conducts investigations into reported violations of this Code. Your failure to comply with this Code or any other CrowdStrike policy can result in disciplinary action, up to and including suspension or termination of employment or affiliation with CrowdStrike, as well as civil or criminal penalties, depending on the nature of the violation and applicable law. In addition, CrowdStrike may report civil or criminal violations to the relevant authorities. If you have knowledge of a potential violation and fail to report it, you too may be subject to disciplinary action under this Code.
Raising Concerns and Reporting Violations
If you have a concern regarding conduct that you believe to be a violation of a law, regulation, the Code, or other CrowdStrike policy, or you are aware of questionable legal, financial, or accounting matters, or simply are unsure whether a situation violates any applicable law, regulation, or CrowdStrike policy, speak up and reach out. Although CrowdStrike encourages you to share your name so we can more effectively address your concern, we provide ways for you to report concerns anonymously. CrowdStrike also provides reporting procedures that allow you to bypass a supervisor if you believe the supervisor is engaged in prohibited conduct. Here are the ways you can make an attributed or anonymous report:
- Contact your manager, People Organization, Legal Team, or the Chief Financial Officer
- Send an email to firstname.lastname@example.org
- File an attributed or anonymous report through crowdstrike.ethicspoint.com or through our ethics hotline at any of the numbers below (collectively, “EthicsPoint”). Regardless of the number below you dialed, when prompted dial 844-330-7796. EthicsPoint is operated by a third-party service provider.
- 1-844-330-7796 (USA/Canada)
- 1-800-881-011 (Australia)
- 000-117 (India)
- 001-800-462-4240 (Mexico)
- 0-800-89-0011 (UK)
- 00-800-222-55288 (Ireland)
- 800-172-444 (Italy)
- 0800-022-9111 (Netherlands)
- 0-800-225-5288 (Germany)
- 0808-03-4288 (Romania)
- 800-011-1111 (Singapore)
- 0034-811-001 (Japan)
Non-US CrowdStrikers: You may not use EthicsPoint for matters that are required to be handled locally in accordance with local law. If you are unsure, please reach out to your manager, the People Organization, or the Legal Team.
The Chief Financial Officer, a member of the People Organization or the Legal Team will review concerns submitted through EthicsPoint. If you are submitting an unattributed report, please provide as much information as possible so CrowdStrike can conduct an efficient and effective review.
If you encounter a situation where you have a question about the law, the Code or any CrowdStrike policy or are unsure of the best course of action, you should always seek guidance. When you have a specific question, you may reach out to the appropriate resources below:
- Your local manager, the People Organization, Legal Team, or the Chief Financial Officer
- By email to email@example.com
- Through the EthicsPoint website or hotlines listed above
CrowdStrike prohibits retaliation against any individual for reporting in good faith a concern regarding non-compliance with this Code, or for participating in a compliance investigation, even when allegations are not substantiated. Any acts that appear to be retaliatory should be immediately reported to the People Organization, the Legal Team or through EthicsPoint.
Equal Opportunity and Discrimination Free
CrowdStrike is committed to a policy of equal employment opportunity and creating a discrimination and harassment free work environment. CrowdStrikers are expected to create a respectful workplace that supports a culture of diversity and to make all employment decisions based on a principle of mutual respect and dignity consistent with applicable laws. CrowdStrike strictly prohibits discrimination or harassment of any kind on the basis of a person’s legally protected characteristics or status.
“Harassment” is generally a form of discrimination that consists of unwelcome behavior, based on a person’s legally protected characteristic or status, that has the purpose or effect of creating an intimidating, hostile, or offensive work environment. Harassment can come in many forms including physical actions, verbal or written remarks, cartoons, or pictures. CrowdStrike strongly disapproves of, and will not tolerate, harassment by any employees or non-employees.
Examples of legally protected characteristics or status are: age, ancestry, color, gender (including pregnancy, childbirth, or related medical conditions), gender identity or expression, genetic information, marital status, medical condition, mental of physical disability, national origin, protected family care or medical leave status, race, religion (including beliefs and practices or their absence), sexual orientation, military or veteran status, and other considerations protected by national, state or local law.
If you experience or witness any discrimination or harassment, report the incident as described above. No adverse employment action will be taken against any person for making a good-faith complaint or report of discrimination, harassment or improper conduct, assisting in an investigation, or exercising rights under applicable laws. Retaliation against any person for any such protected activity will not be tolerated.
See also, CrowdStrike’s Policy Against Unlawful Harassment and applicable local policies.
CrowdStrike values and promotes diversity not only in its workplace, but in its suppliers and community as well. We strive to obtain the best possible products and services to support our business regardless of the legally protected characteristic or status of the supplier’s owners or employees. Where possible, CrowdStrike is proud to use as its suppliers small business vendors, as well as minority owned, women owned, veteran owned, and LGBTQ owned suppliers.
Substance abuse is contrary to the health and safety of CrowdStrikers and their ability to perform their job duties. While working or on the job, consuming, possessing, distributing, selling or purchasing illegal substances or being under the influence of an illegal substance is prohibited. At CrowdStrike-sponsored events where alcohol is made available, the moderate consumption of alcohol by legal-age individuals is permitted, provided, good judgment is exercised. You must comply with all laws and under no circumstances should you drive a vehicle while under the influence of alcohol or an illegal or controlled substance while on CrowdStrike business or to and from CrowdStrike events or work.
Child and Forced Labor
CrowdStrike’s policy on child labor and forced labor is based on International Labour Organization conventions and national laws. CrowdStrike restricts employment to those who have reached the age of 16 years or older, or the local minimum employment age, or the mandatory school age, whichever is higher. CrowdStrike explicitly bans the use of any forced labor or exploitative working conditions.
Combating Trafficking in Persons
CrowdStrike has a zero-tolerance policy regarding trafficking in persons and slavery. As required by law and pursuant to CrowdStrike policy, all CrowdStrikers are prohibited from engaging in any practice that constitutes trafficking in persons or slavery.
Political Activity and Contributions
CrowdStrikers are free to participate in personal political activities. This means that you must: make all political contributions with your own money, conduct political activities on your own time, and not use CrowdStrike resources to participate in your personal political activities or request reimbursement for expenses associated with these activities. CrowdStrikers should never make political donations or contributions on behalf of, or using CrowdStrike’s name, time, funds, or other resources.
The laws regarding political involvement and contributions by employees, contractors or Board members of a company that does business with the government are complicated and vary between jurisdictions. If your job involves working with the government, you may not engage in lobbying on behalf of CrowdStrike unless approved by your manager and in coordination with the Legal Team. If you have any questions about how your personal political activities or contributions or work related political activities could affect CrowdStrike, please contact the Legal Team.
See also CrowdStrike’s Lobbying Policy
The Code and the Law
Because CrowdStrike is a global company, we are subject to the laws of many countries and jurisdictions. CrowdStrikers should be aware of and comply with all applicable laws. The application of laws to particular situations can be complex. CrowdStrike’s policies and guidelines are intended to assist in navigating many of these laws. In some instances, the Code and other CrowdStrike policies might go beyond the requirements of applicable laws, rules and regulations, and in those instances, you must follow our Code and policies. However, if a provision of the Code or other policy conflicts with applicable law, the law supersedes.
Violations of laws, rules, and regulations may subject the violator to individual criminal or civil liability, as well as to disciplinary action by CrowdStrike. These violations may also subject CrowdStrike to civil or criminal liability or the loss of business. If you have any questions on how to interpret or comply with applicable law, please contact a member of the Legal Team.
Global Trade Regulation
A wide range of complex laws and regulations dictate where and how CrowdStrike can send and receive its products, services and technology. The U.S. and several other countries limit the export and import of such goods, typically those that use or contain encryption. In some cases the United States or other governments may prohibit doing any business with certain countries, organizations, or individuals. If you are involved in sending or making available CrowdStrike software, services or any form of technical data from one country to another, work with the Legal Team to be sure that the transaction stays within the bounds of applicable laws. This is a complex and technical area, so you should always seek help if you have any questions about export (or import) controls matters.
CrowdStrike shares non-public information with CrowdStrikers to successfully carry out our business. You may also inadvertently learn non-public information – for example by overhearing a conversation. “Non-public” information is any information that has not yet been disclosed or absorbed by the public. Examples of material non-public information include: unreleased sales figures, pending mergers or acquisitions, earnings estimates, labor disputes, and introduction of new products or services. Buying or selling stock while in possession of material non-public information, or passing such information along to others so that they may buy or sell stock, constitutes illegal insider trading. Insider trading violates this
Code and the law, and may result in substantial civil and criminal penalties, including the possibility of a jail sentence.
If you have questions about whether a stock transaction is legal or may violate insider trading laws, promptly contact the Legal Team.
See also, CrowdStrike’s Insider Trading and Trading Window Policy
CrowdStrike is proud to support numerous government and quasi-governmental entities across the world. Doing business with the government is highly regulated and driven by statutory requirements. Activities that may be appropriate when dealing with commercial customers may be improper, and even illegal, when dealing with the government. The penalties for failing to follow government procurement laws are severe and include substantial civil and criminal fines, imprisonment for responsible individuals, and debarment of CrowdStrike from doing business with the government. If your work involves a government entity, you are responsible for knowing the specific requirements that apply. Always ask your manager or contact the Legal Team if you are unclear about what is required.
FAIRNESS AND HONESTY
Honest and Ethical Conduct
This Code flows directly from our commitment to our mission and core values. We consistently aim for excellence and to provide value for both our customers and shareholders, and it is critical that we do so with integrity and high ethical standards. It is unacceptable to cut legal or ethical corners for the benefit of our company or for your personal benefit.
Consistent with our core values, you must act and perform your duties ethically, honestly and with integrity — doing the right thing even when “no one is looking.” We are honest and trustworthy in our dealings with partners, customers, vendors and other third parties. We must only enter into agreements on behalf of CrowdStrike that contain terms which CrowdStrike can honor. No winks. No nods.
See also CrowdStrike’s Fraud Policy.
Antitrust and Competition Laws
CrowdStrike is committed to fair and open competition, and the advancement and protection of a vibrant marketplace. Most countries in which CrowdStrike operates have antitrust and positive competition laws
and regulations that prohibit agreements or actions that reduce competition without benefiting consumers.
The following are examples of prohibited conduct under antitrust and pro-competition laws:
- Agreeing with competitors about prices
- Agreeing with distributors or resellers about prices to customers
- Agreeing with competitors to structure or orchestrate bids to direct a contract to a certain bidder (also known as bid rigging)
- Agreeing with competitors to boycott a supplier or customer
- Entering into a business arrangement or pursuing a strategy with the sole purpose of harming a competitor
Illegal agreements do not have to be signed contracts and may be as simple as informal understandings between two parties. If any of these topics of discussion arise when talking with a competitor, such as at an industry association meeting or a trade show, employees should stop the conversation immediately and report it to the CrowdStrike Legal Team.
If you have questions about antitrust laws, promptly contact the Legal Team.
Anti-Corruption, Bribery, and Kickbacks
CrowdStrike has a zero tolerance policy for kickbacks, bribery and corruption. We seek to act, and to be treated, at all times with the utmost integrity, honesty and transparency, and in compliance with anti-corruption laws in all countries in which we do business.
You are strictly prohibited from improperly promising, offering, providing, or authorizing the provision of money or anything else of value (such as an expensive gift or favor) directly or indirectly to any government, government official or other individual, entity, or organization in exchange for business or any benefit for CrowdStrike or any other person associated with CrowdStrike’s business. The definition of “government official” is broad and can vary depending on the applicable law. In general, a “government official” is any government officer, employee or consultant, candidate for public office, or employee of government owned or controlled companies, publicly operated or funded international organizations, or political parties or the spouse of immediate family members of any of the persons mentioned above.
You are also prohibited from soliciting or accepting improper payments or other things of value in relation to CrowdStrike’s business or to otherwise engage in activities that conflict with your duties to CrowdStrike; this includes soliciting or accepting payments or other things of value for the purpose of improperly obtaining or rewarding favorable treatment in connection with fostering a business arrangement.
There are no exceptions to this policy, even if our competitors engage in corrupt behavior or corruption is an accepted practice in a country where we operate. You are required to adhere to both the spirit and the letter of this policy with respect to our business anywhere in the world.
See also CrowdStrike’s Anti-Bribery & Corruption Policy.
Financial Integrity, Records, and Accounting
All of CrowdStrike’s books, records, accounts and financial statements must be maintained in reasonable detail, must accurately, fairly and completely reflect the transactions and matters to which they relate and must conform both to applicable legal requirements and to CrowdStrike’s system of internal controls. All assets of CrowdStrike must be carefully and properly accounted for. The making of false or misleading records or documentation is strictly prohibited. Unrecorded funds or assets should not be maintained.
For additional information on your specific responsibilities in ensuring the integrity of CrowdStrike’s books, records, accounts, and financial statements, see CrowdStrike’s Fraud Policy and CrowdStrike’s Anti-Bribery & Corruption Policy. Any questions about the Fraud Policy should be directed to the CrowdStrike Controller and questions about the Anti-Bribery & Corruption Policy should be directed to the Legal Team.
Money laundering is an act of concealing the source of money to avoid disclosing its sources or use and/or to avoid paying taxes. CrowdStrike is committed to complying fully with all anti-money laundering and anti-terrorism laws throughout the world. CrowdStrikers should avoid engaging in any transaction that is structured in a way that could be viewed as concealing illegal conduct or the tainted nature of the proceeds or assets at issue in a transaction. Consult with the Legal Team if you have any questions regarding the appropriate due diligence to be taken before conducting business with any vendor, supplier, contractor, reseller, distributor, customer or other third party.
Conflicts of Interest
CrowdStrikers are expected to act, at all times and in all ways, in the best interest of CrowdStrike while performing their job duties. This means CrowdStrikers must avoid conflicts of interest. A “conflict of interest” occurs when a CrowdStriker’s ability to perform his or her job responsibilities or duties for CrowdStrike are impacted by personal interests or the interests of a third party. These competing interests may limit the ability to perform the job objectively and without bias. Some situations where a potential conflict of interest may arise include:
- Outside employment, advisory roles, board seats, or personally owned businesses
- Personal investments in companies that directly compete with or are similar to CrowdStrike
- CrowdStrike investing in a company in which you are a stockholder or a director
- Business opportunities found through your CrowdStrike duties
- Transacting CrowdStrike business with family members or other related persons
- Accepting excessive gifts, entertainment, or other business courtesies as part of your role at CrowdStrike, either directly or through a family member or a close friend
Potential conflicts of interest are not uncommon or necessarily prohibited. If you are faced with a situation that appears to present a potential conflict of interest, contact your manager or the Legal Team before taking any action. If CrowdStrike determines an actual conflict of interest exists or that the activity will interfere with your ability to perform your duties for CrowdStrike, we may ask you not to engage in the activity.
For more information, CrowdStrike employees can refer to the CrowdStrike Employee Handbook and applicable local policies.
SECURITY AND PRIVACY
CrowdStrike’s Security First initiative is designed to create a culture emphasizing physical and information security by focusing on three primary areas: people, facilities and information. Security First is more than “see something, say something.” At CrowdStrike, security is the responsibility of EVERY CrowdStriker. With Security First, if you see something, don’t just say something… DO something. Stopping breaches for our customers means our fight against the adversary is never ending, including internally with our own technology, people and partners. CrowdStrike’s expectation for you is to personally adopt CrowdStrike’s commitment to security and ethical conduct and apply it to all activities you perform within CrowdStrike as well as in the world at large, including your technology resource use, your social media practices, your handling of CrowdStrike and customer data, the way you collaborate with others, and creating and managing secure solutions.
See also CrowdStrike’s Employee Security Handbook and other security related policies
CrowdStrike is committed to having a safe and comfortable work environment and has zero tolerance for acts or threats of violence. Besides physical harm, this can also include abusive language, intimidation, or instilling fear in others. Any actual or implied threat will be treated as real and serious danger. All CrowdStrikers are expected to comply with health and safety laws, CrowdStrike policies and the safety procedures in the local facilities. All potentially violent or dangerous situations should be immediately reported to CrowdStrike’s physical security team, your local manager, the People Organization, or Legal Team, including when they occur at off-site events. If you feel that you or someone else is in imminent danger, call the local authorities.
Acceptable Use of CrowdStrike Assets
Given the very nature of its business, CrowdStrike has implemented a robust and detailed set of policies addressing CrowdStrike property, information security, acceptable use of CrowdStrike technology resources, home office, virtual private networks, and mobile equipment. CrowdStrikers should protect CrowdStrike’s assets and ensure their efficient use. Examples of CrowdStrike’s assets include its software (in all forms), technology resources, business and marketing plans, customer lists, engineering and manufacturing ideas, designs, its logos and tradenames, and any financial information that has not been made publicly available. Unauthorized use or distribution of this information is a violation of CrowdStrike policy.
See also CrowdStrike’s Acceptable Use Policy
Safeguarding Confidential Information
CrowdStrikers must protect CrowdStrike’s confidential information and the confidential information entrusted to us by our customers, partners, and suppliers. Confidential information is generally non-public information. Examples of confidential information are:
- data that identifies a customer
- software programs, including source and object code
- product development plans and release dates
- know-how, processes, and techniques unique to CrowdStrike
- marketing and sales plans
- competitive analyses
- potential contracts, mergers, acquisitions or divestitures
- financial statements, plans or forecasts prior to public release
- personnel information
Protecting confidential information means sharing information with other CrowdStrikers on a need-to-know basis, and not disclosing it to others outside of CrowdStrike except as strictly necessary to carry out a business purpose and under non-disclosure agreements or subject to a duty of confidentiality. Confidential information should not be shared with your family or friends. If you are requested by a government or regulatory authority to provide them with confidential information, consult with the Legal Team before responding. Your duty to safeguard confidential information continues after your relationship with CrowdStrike ends. All media inquiries should be directed to firstname.lastname@example.org.
For more information, CrowdStrike employees can refer to CrowdStrike’s Employee Security Handbook and applicable local policies.