July 17, 2020 Customer Update regarding Cross Border Data Flows
CrowdStrike is in the business of data protection and closely monitors legal developments. CrowdStrike customers can continue to use CrowdStrike’s offerings in compliance with European data protection law after the European Court of Justice’s recent ruling regarding the EU-US Privacy Shield. CrowdStrike’s terms already provide customers with GDPR protections and redundant international transfer adequacy mechanisms, including the Standard Contractual Clauses.
CrowdStrike’s Global DPA, incorporating Standard Contractual Clauses, can be found here: https://www.crowdstrike.com/data-protection-agreement/
CrowdStrike is on a mission to stop breaches. We have numerous Offerings, including but not limited to platform and cloud-based security and intelligence subscription services, app store software and integrations, professional services, free community security tools, and more. Our Offerings are designed to provide cutting-edge security solutions to our customers. We lead the industry in cloud-native crowdsourced security, applying big data analytics in order to detect, contain, and mitigate network intrusions, protect data, assess risk, and identify attackers. For more information about CrowdStrike, please see the “About Us” section of our Website at https://www.crowdstrike.com/about-crowdstrike/
This Privacy Notice (“Notice”) describes the manner in which CrowdStrike, Inc. and its affiliates (collectively “CrowdStrike”) collect, use, maintain, and disclose information from users of our websites (e.g., crowdstrike.com, supportportal.crowdstrike.com, falcon.crowdstrike.com, crowdstrike.org) (collectively, “Websites”), event participants, prospective customers or job candidates, situations in which CrowdStrike is a data controller, and from the use of our products and the performance of our services (our “Offerings”). For purposes of this Notice, the terms “user,” “customer,” “you,” and “your” are meant to refer to the individuals about whom we may collect personal information, and at times may be used within the Notice interchangeably.
If you have any questions or concerns about our use of your personal information, then please contact us using the contact details provided at the bottom of this Privacy Notice.
1. Quick Links
3. Legal Basis for Processing Personal Information
4. Cookies and Similar Technology
6. How We Protect Your Personal Information
7. International Data Transfers
8. Retention of Personal Information
9. Your Data Protection Rights
10. Changes to this Privacy Notice
11. Contacting Us
2. Data Collection and Use
2.1 Why Does CrowdStrike Collect Personal Information?
CrowdStrike processes personal information in the course of running our websites, processing payments, registering visitors to our offices and events, managing contests and promotions, providing support, improving user experience, running our infrastructure, preventing fraud, protecting intellectual property, maintaining endpoint and network security, enforcing our legal rights, sending marketing and other communications, processing agreements, complying with our legal obligations, and to achieve other legitimate interests as well as where you have provided consent. Personal information, such as contact information, is collected from websites, web portals, offerings, events, partners, office visitor registration systems, and where you have provided it directly to CrowdStrike.
2.2 Where Does CrowdStrike Obtain Personal Information?
CrowdStrike Websites provide Internet-based access for users to learn about CrowdStrike and its Offerings and to communicate with CrowdStrike and with others. CrowdStrike web portals that may exist within our Offerings (“Web Portals”) provide customers with Internet-based access to our Offerings. When an individual uses our Websites and Web Portals, CrowdStrike gathers information, some of which may be considered personal information in your jurisdiction. Information collected and used by CrowdStrike may include, among other things, the Internet Protocol (IP) address, browser information, device ID, the type of computer and technical information about a user’s means of connection to our Websites or Web Portals, such as the operating system and the Internet service providers utilized and other similar information. From users who are required to log in to gain access to a particular Website feature or Web Portal, we collect usernames, passwords, and other login credentials that are used for the purpose of verifying user authorization to access the feature or Offering.
Mailing List – If you opt-in to our mailing list online or in person, you will receive emails that may include company news, updates, related product or service information, and other CrowdStrike related information. We may also associate personal information that you submit to us, including email addresses, with information collected about you through other means such as cookies, web beacons, or social media plugins. This will help us better tailor content delivered to you through a variety of ways, including online advertisements. We include unsubscribe instructions at the bottom of each email if at any time you would like to unsubscribe from receiving future emails.
Blog – Accessing our blog will load social media cookies that are necessary for displaying content and enabling user interaction. If you make posts to our blogs, your words and identity are made available to other people using the blog. We are under no obligation to publish, maintain, or retain any of your posts. If you provide us with feedback about our company, Offerings, or Websites, we consider this to be freely given and we may use your feedback without compensation or attribution to you.
We may use the information, including personal information, that we collect from users of our Websites and Web Portals for a number of reasons, including but not limited to the following purposes:
- Operate, secure, support, personalize, and improve our Websites
- Provide you requested information and Offerings
- Provide blogs and discussion groups
- Communicate through chat platforms
- Run promotions, contests, surveys, or other website features
- Send periodic emails
- Recruit new employees when you respond to career postings
- Analyze trends
- Digital marketing, which may include online advertisements appearing on cookie-based advertising networks
- Direct marketing, which may include postal mail or telemarketing from CrowdStrike or a service vendor
- Provide you our Offerings, including product updates, documentation, partner offerings, and related information
- Operate, secure, support, personalize, and improve our Web Portals and Offerings
- Connect you with partners
- Facilitate forum discussions
- Develop new features, products, and services
- Send periodic emails
- Analyze trends
Referrals – Where we provide a referral option that you choose to use to share information with a point of contact about us, we will ask you for the contact’s name and email address. We will automatically send your contact a one-time email inviting him or her to visit our Website. CrowdStrike will store this information for the sole purpose of sending the one-time email and for tracking the success of our referral program. An individual whose name has been provided to us may contact us at firstname.lastname@example.org to request that we remove their information from our database.
Information that we obtain from third party sources
From time to time, we may receive personal information about you from third party sources where those parties have indicated that they have your consent or are otherwise legally permitted or required to disclose your personal information to us. For example, we may be provided with information about individuals interested in using our offerings or joining our company.
2.3 With Whom Does CrowdStrike Share My Personal Information?
We do not sell, trade, or rent the personal information we collect from our Websites to others. We may share aggregated demographic information regarding visitors and users of our Websites with our affiliates, business partners, and advertisers for the purposes outlined above. When we collect personal information through our Offerings, it is made available to the CrowdStrike customer who was the source of the information and we use it as described in the Privacy Notice, terms and conditions, or otherwise as directed by our customers.
Online Behavioral Advertising – We partner with a third party to display advertising on our Websites or to manage our advertising on other sites. Our third party partner may use technologies such as cookies, beacons, scripts and tags to gather information about your activities on this site and other sites to provide you advertising based on your browsing activities and interests. If you wish to not have this information used for the purpose of serving you interest-based ads, you may opt out by visiting Digital Advertising (DAA)’s self-regulatory opt-out page, click here. If you are located in the European Economic Area, click here. Please note this does not opt you out of being served ads; you will continue to receive generic ads.
Service Providers – We may use third party service providers or partners to help us operate our business; provide, support, maintain, or secure our Offerings and our Websites; or administer activities on our behalf, such as events or marketing campaigns. It may be necessary to provide or allow access to your personal information to these third-party service providers or partners for those purposes.
We provide information regarding our business to our auditors and legal counsel. In some cases, the shared information may contain personal information, but the auditors and legal counsel may only use it for the purpose of providing their professional services.
Legal Disclosures – We may also disclose your personal information as required by law, such as to comply with a subpoena or similar legal process; or when we believe that disclosure is necessary or appropriate to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. We may transfer any information we have about you in the event we sell or transfer all or a portion of our business or assets.
Links to Other Websites – Our Websites include links to other websites whose privacy practices may differ from those of CrowdStrike. If you submit personal information to any of those sites or services, your information is governed by their privacy notices. We encourage you to carefully read the privacy notice of any website service you visit.
3. Legal Basis for Processing Personal Information (EEA Visitors Only)
If you are a visitor from the European Economic Area and the United Kingdom, CrowdStrike’s legal basis for collecting and using the personal information collected will depend on the personal information concerned and the specific context in which we collect it.
In most circumstances, we collect personal information (i) where it is needed for the performance of a contract, (ii) where the processing of the personal information is in our legitimate interests and not overridden by your rights, or (iii) where you provide your consent. Other times, your personal information may be collected in order for us (iv) to comply with a legal obligation, (v) to perform a task for the public interest, or (vi) for the protection of your or another’s vital interests.
If we collect and use your personal information in reliance on our legitimate interests or those of any third party, we will make clear to you at the relevant time through this notice or otherwise what those legitimate interests are. Often, legitimate interests involve our normal day-to-day operations, such as operating our platform and communicating with you as necessary to provide our services, responding to your inquiries, or marketing. We may transfer personal information to companies that help us provide our service. Transfers to subsequent third parties are covered by the service agreements with our customers.
If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us using the contact details provided at the bottom of this Privacy Notice.
4. Cookies and Similar Technologies
A cookie is a small text file that is stored on a user’s computer to remember your webpage actions or preferences over time. Cookies don’t read or modify data on the user’s computer. A web beacon is a small graphic file that is placed on the web page the user visits and is often used to help deliver cookies and gather usage and performance data.
We and our third-party partners use Local Storage (HTML5) to provide certain features on our Websites and Web Portals, to display advertising based on your web browsing activities, and to store content information and preferences. Various web browsers may offer their own management tools for removing HTML5.
Hotjar – The Websites use Hotjar’s analytics system to help improve usability and the customer experience. Hotjar may record mouse clicks, mouse movements, and scrolling activity. Hotjar’s privacy notice is available at https://www.hotjar.com/legal/policies/privacy. You can choose to disable the Hotjar cookie here: https://www.hotjar.com/legal/compliance/opt-out
MixPanel Analytics – CrowdStrike uses MixPanel to provide analytics about how website visitors and portal users interact with webpages. MixPanel’s privacy notice is available here: https://mixpanel.com/legal/privacy-policy/
Thunderhead Analytics – CrowdStrike uses Thunderhead for analytics to enhance customer experiences on the site. Thunderhead’s privacy notice is available here: https://www.thunderhead.com/privacy-policy/
CKR Analytics – CrowdStrike uses CKR Interactive cookies for analytics. CKR Interactive’s privacy notice is available on its parent company’s site: https://www.tmp.com/privacy/
Most of the information we collect through our Offerings is metadata. Metadata may include how and when a device or network is being used, login times and attempts, registry keys, types and versions of operating systems, browsers, and information about software applications. In some cases, we collect personal information as it may appear within the metadata such as that associated with usernames, filenames, file paths, and machine names. This personal information is used to help our customers and improve our capabilities in the way described in our more specific product or service documentation and agreements. CrowdStrike’s Offerings also include features providing customers the ability to submit files (including the content of those files) and other information related to the files for purposes including security analysis and response, product improvement, enhanced capabilities, or customer support. At the direction of customers, we may also collect or retrieve files as part of our Offerings.
An important type of data we detect, collect, analyze, and use through our Offerings (or provide our customers the ability to provide to us) is information about adversaries, for example, malware and URLs where adversaries try to send your data. We often discover this type of information from analyzing samples customers provide to us or from the data we collect from customers through our Offerings. We use the information we collect about adversaries to help all of our customers and the public – DETECT, RESPOND, REVEAL. However, when we share information that we learn about adversaries, we don’t identify customers or individuals, other than, of course, the adversary. That’s the WHO, WHAT, and WHY of our security mission.
To the extent CrowdStrike collects personal information through its Offerings, CrowdStrike generally collects that information under the authority and direction of its customers, which often are corporate entities. CrowdStrike typically has no direct relationship or contact with an individual whose personal information we may collect or receive from a corporate customer and subsequently analyze and use. Consequently, any inquiries about the specific processing of your personal information via CrowdStrike Offerings should be directed to your organization. Regardless, the use of the information collected through our Offerings is limited to the purpose of providing the service for which our customers have engaged CrowdStrike or as otherwise outlined in our agreements. We do not use any personal information collected through our Offerings to contact or market products or services to these individuals. We also do not provide any personal information obtained through the Offerings to third parties for the purpose of contacting or marketing products or services to these individuals.
If you are a user of one of our Offerings, we obtain the personal information you provide us during the sales and/or fulfillment process. We may use personal information collected such as your name, phone number, mailing address, and email address to contact you and to provide and inform you of Offerings, send you an invoice, determine how our offerings are used and enhance customer success, perform accounting, auditing and collection activities, answer questions, and provide support or other similar services.
6. How We Protect Your Information
The security of customer data and your personal information is not only important to us, it is our mission. We adopt data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of customer data and your personal information. We follow generally accepted practices to protect customer data and the personal information collected and submitted to us, both during transmission and once we receive it. If you have questions about the security of your personal information collected through our Offerings or Websites, you can contact us at email@example.com.
7. International Data Transfers
CrowdStrike’s mission is global, and therefore, we may store information in the United States and other locations worldwide where we or our service providers have facilities.
CrowdStrike, Inc., CrowdStrike Services, Inc., and CrowdStrike Holdings, Inc. participate in and have certified compliance with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework. CrowdStrike is committed to subjecting personal information received from the European Economic Area (EEA), the United Kingdom, and Switzerland, in reliance on each Privacy Shield Framework to the Framework’s applicable Principles. To learn more about the Privacy Shield Frameworks, and to view our certification, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov/list.
CrowdStrike is responsible for the processing of personal information it receives under each Privacy Shield Framework, and subsequently transfers personal information to a third party acting as an agent on our behalf. CrowdStrike complies with the Privacy Shield Principles for all onward transfers of personal information from the EEA, the United Kingdom, and Switzerland, including the onward transfer liability provisions. With respect to all such transfers, CrowdStrike is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, CrowdStrike may be required to disclose personal information in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Under certain conditions, more fully described on the Privacy Shield website here, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted. If you have any questions or complaints, please contact us using the contact details provided at the bottom of this Privacy Notice.
8. Retention of Personal Information
We will retain your personal information for as long as needed to fulfill the purpose for which we collected it and for a reasonable period thereafter in order to comply with audit, contractual, or legal requirements, or where we have a legitimate interest in doing so. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We may retain aggregated or de-identified data indefinitely or to the extent allowed by applicable law. We may retain personal information preserved in automatically generated computer backup or archival copies generated in the ordinary course of our information technology systems procedures.
9. Your Data Protection Rights
9.1 European Economic Area, United Kingdom, and Switzerland
If you are a resident of the European Economic Area, United Kingdom, or Switzerland, your data protection rights are as follows:
- If you wish to access, correct, update or request deletion of your personal information, you can do so at any time by contacting CrowdStrike using the contact details provided below or by email at firstname.lastname@example.org.
- You can object to processing of your personal information, ask us to restrict processing of your personal data or request portability of your personal information. You can exercise these rights by contacting CrowdStrike using the contact details provided below or by email at email@example.com.
- You have the right to opt-out of marketing communications we send to you at any time. You can exercise this right by clicking on the “unsubscribe” or “opt-out” link in the marketing e-mails we send you. To opt-out of other forms of marketing, such as telemarketing, please contact CrowdStrike using the contact details provided below or by email at firstname.lastname@example.org.
- If CrowdStrike has collected and currently processes your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect the processing of your personal information conducted in reliance on lawful processing grounds other than consent.
- You have the right to complain to a data protection authority about CrowdStrike’s collection and use of your personal information.
9.2 California Consumer Protection Act
The California Consumer Protection Act (CCPA) provides consumers (California residents) with specific rights regarding the processing of their personal information. Section 2 of this Notice includes the categories of consumer personal information CrowdStrike has processed during the past 12 months. Subject to exceptions, you may request disclosure or request deletion of your personal information at any time by contacting CrowdStrike using the contact details provided below or by email at email@example.com.
CrowdStrike responds to verifiable requests received from individuals who wish to exercise their data protection rights in accordance with applicable data protection laws. When contacting us, please provide us with detailed information about the personal information you are requesting we correct, update, amend, or remove, and the timeframe and manner in which you believe we came to collect your personal information. If we obtained your personal information from a customer or third party acting on your behalf, you should contact the company or person you provided your information to. If you would no longer like to be contacted by one of our customers or would like to have your personal information corrected, updated, amended, or removed, please contact the customer (“data controller”) that you interact with directly.
10. Changes to this Privacy Notice
CrowdStrike may update this Privacy Notice at any time to reflect changes to our information practices. If we make significant changes in how we use your personal information, we will notify you by email if feasible or by means of a notice on this Website. We encourage you to periodically review this page for the latest information on our privacy practices.
11. Contacting Us
If you have any questions about this Privacy Notice or our privacy practices, please contact us at:
Vice President, Privacy
150 Mathilda Place
Sunnyvale, CA 94068
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third-party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.