May 20, 2020

CrowdStrike Falcon Prevent for Home Use for CrowdStrikers Privacy Notice

CrowdStrike, Inc. and its affiliates (collectively, “CrowdStrike”) are on a mission to stop breaches. To further this mission, CrowdStrike has many offerings, including but not limited to platform, cloud-based security for enterprises, and Falcon Prevent for Home Use for CrowdStrikers for CrowdStrike employees and certain personnel providing us services and members of their households (“Falcon Prevent for Home Use for CrowdStrikers”). This Privacy Notice describes how CrowdStrike collects, uses, maintains, and discloses personal information related to the Falcon Prevent for Home Use for CrowdStrikers program. No other CrowdStrike Privacy Notice is applicable to this offering.

If you have any questions or concerns relating to the use of your personal information, please contact us using the contact details provided at the bottom of this Privacy Notice.

1. Quick Links

We recommend reading this privacy notice in full to ensure you are fully informed. However, if you wish to access a particular section, click the relevant link below to jump to that section.

2. Data Collection and Use
2.1 Why Does CrowdStrike Collect Personal Information?
2.2 What Personal Information Does CrowdStrike Process?
2.3 With Whom Does CrowdStrike Share My Personal Information?
3. Legal Basis for Processing Personal Information
4. Further Use of Your Personal Information
5. How We Protect Your Personal Information
6. International Data Transfers
7. Retention of Personal Information
8. Your Data Protection Rights
8.1 European Economic Area, United Kingdom, and Switzerland
8.2 California Consumer Protection Act
9. Changes to this Privacy Notice
10. Contacting Us

2. DATA COLLECTION AND USE

2.1 Why Does CrowdStrike Collect Personal Information?

Falcon Prevent for Home Use for CrowdStrikers is designed to provide next generation endpoint security and protect the user’s personal endpoints. When you participate in this program, CrowdStrike collects personal information to protect your device(s) from breaches, provision, maintain, and improve the Falcon Prevent for Home Use for CrowdStrikers offering, communicate with you, identify adversaries, analyze trends and software performance, and administer its business.

2.2 What Personal Information Does CrowdStrike Process?

Provisioning. CrowdStrike collects personal information about you when you choose to enroll in the Falcon Prevent for Home Use for CrowdStrikers program. This information includes your contact information, such as your name, phone number, email address, and address.

Software. Once installed, Falcon Prevent for Home Use for CrowdStrikers sends data to CrowdStrike’s Falcon Platform in order to provide cloud-native, crowdsourced cybersecurity protection. When a threat is detected, machine event data related to the process tree of the event is uploaded to the Falcon Platform, which enables CrowdStrike to detect, prevent, and alert you to potential cyber threats. This data may include information such as command lines, scripts, device identifiers, file names, usernames, DNS telemetry, file paths, and metadata associated with the potential adversary activity.

Most information collected by Falcon Prevent for Home Use for CrowdStrikers is metadata, but in some cases personal information may appear within the metadata, such as that associated with usernames, filenames, file paths, and machine names.

As Falcon Prevent for Home Use for CrowdStrikers is expected to be used outside of a traditional enterprise environment, the sensor is designed to redact document file names that would otherwise appear in detection-related event data. Furthermore, cloud-based file analysis features, such as for uploading quarantined or unknown files, and direct connections to hosts are disabled.

By design, relatively few machine event fields uploaded to the cloud should contain personal information. Nonetheless, each end user’s environment is different, and the processing of machine events necessary to protect data inevitably requires the processing of certain data elements that may include personal data. You, rather than CrowdStrike, determine which types of data, whether personal or not, exist on your systems. Accordingly, each user’s endpoint environment is unique in configurations and naming conventions. The machine event elements listed below are examples of common fields that could potentially include personal data. This data may be accessible by CrowdStrike employees where it is relevant to their job roles, such as for purposes of troubleshooting, support, engineering, product maintenance, and security.

| Machine Event Element | Potential for Personal Data | Reason Processed |
|---|---|---|
| Device Identifier | Could include personal data if used in the naming convention or if the identifier is specific to an individual, such as the only user of a specific machine or device | This element is necessary to identify the machine or device on which potential adversary activity occurs in order to protect, defend against, and respond to intrusions. |
| User Name | Could include personal data if used in the naming convention or if the identifier is specific to an individual, such as the only user of a specific login account | This element is necessary to identify the user account through which potential adversary activity occurs in order to protect, defend against, and respond to intrusions. |
| File Name | Could include personal data if used in the naming convention for the file | This element is necessary to identify the chain of events in an intrusion, detect source and target files, stop malicious files, and mitigate threats. |
| File Path | Could include personal data if the file path includes a directory name or file name that includes personal data in the naming convention | This element is necessary to identify the chain of events in an intrusion, detect source and target files, stop malicious files, and mitigate threats. |
| CommandLine | Could include personal data if the command uses a user name, file path, or file name that includes personal data in the naming convention | This element is necessary to identify the chain of events in an intrusion and methods deployed by an adversary, detect binary executions, determine source and target files, stop malicious files, and mitigate threats. |
| IP Address | Could include personal data if the IP address can be used to identify a specific individual, rather than a shared network | This element is necessary to identify the network source and target through which potential adversary activity occurs in order to protect, defend against, and respond to intrusions. |
| Volume Name | Could include personal data if the name of a volume, such as a drive, includes personal data in the naming convention | This element is necessary to identify the network source and target through which potential adversary activity occurs in order to protect, defend against, and respond to intrusions. |
| Group Name | Could include personal data if the name of a volume, such as a network group or domain, includes personal data in the naming convention | This element is necessary to identify the network source and target through which potential adversary activity occurs in order to protect, defend against, and respond to intrusions. |

2.3 With Whom Does CrowdStrike Share Your Personal Information?

Service Providers. We may use third party service providers or partners to help us operate our business; provide, support, maintain, or secure our offerings and our Websites; or administer activities on our behalf, such as events or marketing campaigns. It may be necessary to provide or allow access to your personal information to these third-party service providers or partners for those purposes. CrowdStrike requires third-party service providers to keep your personal information secure and confidential.

We provide information regarding our business to our auditors and legal counsel. In some cases, the shared information may contain personal information, but the auditors and legal counsel may only use it for the purpose of providing their professional services.

Legal Disclosures. We may also disclose your personal information as required by law, such as to comply with a subpoena or similar legal process; or when we believe that disclosure is necessary or appropriate to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. We may transfer any information we have about you in the event we sell or transfer all or a portion of our business or assets.

3. Legal Basis for Processing Personal Information

Per Art. 6 of the GDPR, if you are from the European Economic Area or the United Kingdom, we will only collect and process your personal information if we have a lawful basis to do so and as described in this notice. The various lawful bases, and examples of each, by which CrowdStrike processes your personal information are as follows:

  • Performance of a Contract (Art. 6(1)(b) of the GDPR): CrowdStrike’s lawful basis for processing your personal information for performance of a contract includes processing your personal data to provision and provide you with the Falcon Prevent for Home Use for CrowdStrikers offering.
  • Legitimate Interests (Art. 6(1)(f) of the GDPR): CrowdStrike’s legitimate interests in processing personal data include the protection of intellectual property, fraud prevention (Rec. 47), and cybersecurity (Rec. 49). CrowdStrike processes Falcon Prevent for Home Use for CrowdStrikers data, which may incidentally include personal data, to detect and prevent cyberattacks, theft of intellectual property, and fraud, and to improve CrowdStrike’s ability to do so.
  • With Consent (Art. 6(1)(a) of the GDPR): CrowdStrike may obtain your consent for optional communications or offerings.
  • Where it is necessary to comply with a legal obligation (Art. 6(1)(c) of the GDPR): CrowdStrike may need to process your personal information in order to comply with legal requirements, such as in the event of a valid, duly authorized legal request from a competent government authority.

4. Further Use of your Information

An important type of data we detect, collect, analyze, and use through our offerings is information about adversaries, for example, malware and URLs where adversaries try to send your data. We often discover this type of information by analyzing samples you provide to us, or from the data collected from you through our offerings. We use the information we collect about adversaries to help all of our users and customers and the public – DETECT, RESPOND, REVEAL. However, when we share information that we learn about adversaries, we don’t identify users or individuals, other than, of course, the adversary; that’s the WHO, WHAT, and WHY of our security mission.

We may use personal information collected, such as your name, phone number, mailing address, and email address, to contact you to answer questions and provide support.

However, we do not use any personal information collected from you through Falcon Prevent for Home Use for CrowdStrikers machine event data to contact or market products or services to you. We also do not provide any personal information obtained through Falcon Prevent for Home Use for CrowdStrikers to third parties for the purpose of contacting or marketing third party products or services to you.

5. How We Protect Your Information

The security of your data and your personal information is not only important to us, it is our mission. We adopt data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of user data and your personal information. We follow generally accepted practices to protect your data and the personal information collected and submitted to us, both during transmission and once we receive it.

6. International Data Transfers

CrowdStrike’s mission is global, and therefore, we may store information in the United States and other locations worldwide where we or our service providers have facilities.

CrowdStrike, Inc., CrowdStrike Services, Inc., and CrowdStrike Holdings, Inc. participate in and have certified compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. CrowdStrike is committed to subjecting personal information received from the European Economic Area (EEA), the United Kingdom, and Switzerland, in reliance on each Privacy Shield Framework to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov/list.

CrowdStrike is responsible for the processing of personal information it receives under each Privacy Shield Framework, and subsequently transfers personal information to a third party acting as an agent on our behalf. CrowdStrike complies with the Privacy Shield Principles for all onward transfers of personal information from the EEA, the United Kingdom, and Switzerland, including the onward transfer liability provisions. With respect to all such transfers, CrowdStrike is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, CrowdStrike may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Under certain conditions, more fully described on the Privacy Shield website here, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

7. Retention of Personal Information

We will retain your personal information for as long as needed to fulfill the purpose for which we collected it and for a reasonable period thereafter in order to comply with audit, contractual, or legal requirements, or where we have a legitimate interest in doing so. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We may retain aggregated or de-identified data indefinitely or to the extent allowed by applicable law. We may retain personal information preserved in automatically generated computer back up or archival copies generated in the ordinary course of our information technology systems procedures.

8. Your Data Protection Rights

8.1 European Economic Area, United Kingdom, and Switzerland

Subject to exceptions, if you are a resident of the European Economic Area, United Kingdom, or Switzerland, your data protection rights are as follows:

  • You have a right to access, correct, update, or request deletion of your personal information.
  • You have a right to object to processing of your personal information, ask us to restrict processing of your personal data, or request portability of your personal information.
  • You have a right to opt-out of marketing communications to include e-mail, telemarketing, and any other form of marketing we send to you at any time. You can opt out of marketing e-mails by clicking on the “unsubscribe” or “opt-out” link in the marketing emails we send you. To opt out of other forms of marketing, reference the contact information below.

To exercise any of the rights enumerated above, use the contact details provided below (Section 10: Contact Us) or email at privacy@crowdstrike.com.

If CrowdStrike has collected and currently processes your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

You have the right to complain to a data protection authority about CrowdStrike’s collection and use of your personal information.

8.2 California Consumer Protection Act

The California Consumer Protection Act (CCPA) provides consumers (California residents) with specific rights regarding the processing of their Personal Information. Section 2 of this Notice includes the categories of user/consumer Personal Information CrowdStrike has processed during the past 12 months. CrowdStrike does not sell your Personal Information.

Subject to exceptions, you may request disclosure or request deletion of your Personal Information at any time by contacting CrowdStrike using the contact details provided below or by email at privacy@crowdstrike.com.

CrowdStrike responds to verifiable requests received from individuals who wish to exercise their data protection rights in accordance with applicable data protection laws. When contacting us, please provide us with detailed information about the personal information you are requesting we correct, update, amend, or remove, and the timeframe and manner in which you believe we came to collect your personal information. If we obtained your personal information from a third party (i.e., the CrowdStrike employee participating in the Falcon Prevent for Home Use for CrowdStrikers program) acting on your behalf, you should contact the person you provided your information to.

9. Changes to this Privacy Notice

CrowdStrike may update this Privacy Notice at any time to reflect changes to our information practices. If we make significant changes in how we use your personal information, we will notify you by email if feasible or by means of a notice on this Website. We encourage you to periodically review this page for the latest information on our privacy practices.

10. Contacting Us

If you have any questions about this Privacy Notice or our privacy practices, please contact us at:

Vice President, Privacy
CrowdStrike
150 Mathilda Place
Sunnyvale, CA 94068
privacy@crowdstrike.com

If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.