Effective Date: September 29, 2016
This Privacy Notice describes the manner in which CrowdStrike, Inc. and its affiliates (collectively “CrowdStrike”) collect, use, maintain, and disclose information from users of our websites (e.g., https://www.crowdstrike.com and services.crowdstrike.com) (collectively, “Websites”) and from the use of our products and the performance of our services (our “Offerings”). For purposes of this Notice, the terms “user,” “customer”, “you” and “your” are meant to refer to the individuals about whom we may collect data, and at times may be used within the Notice interchangeably.
CrowdStrike’s third party certification applies to CrowdStrike Falcon Sensor, ShellShock Scanner, HeartBleed Scanner, Crowd Response, Tortilla, CrowdDetox and CrowdInspect. If you have questions or complaints regarding a certified application, please contact us by emailing us at email@example.com or by contacting us by postal mail at the contact information listed below.
EU-U.S. Privacy Shield
CrowdStrike, Inc. and its affiliates participate in and have certified their compliance with the EU-U.S. Privacy Shield Framework. CrowdStrike is committed to subjecting personal data received from European Union (EU) member countries, when transferred in reliance on the Privacy Shield Framework, to the Framework’s applicable Principles. To learn more about the Privacy Shield Framework, visit the U.S. Department of Commerce’s Privacy Shield List at https://www.privacyshield.gov/list.
CrowdStrike is responsible for the processing of personal data it receives from the EU, under the Privacy Shield Framework, and subsequently transfers to a third party acting as an agent on its behalf. CrowdStrike complies with the Privacy Shield Principles for all onward transfers of personal data from the EU, including the onward transfer liability provisions.
With respect to personal data received or transferred from the EU pursuant to the Privacy Shield Framework, CrowdStrike is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission. In certain situations, CrowdStrike may be required to disclose personal data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
Under certain conditions, more fully described on the Privacy Shield website here https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.
Swiss Safe Harbor
CrowdStrike abides by consent provided by its customers and continues to comply with the U.S. – Swiss Safe Harbor framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data from Switzerland. CrowdStrike has certified that it adheres to the Safe Harbor Privacy Principles of notice, choice, onward transfer, security, data integrity, access, and enforcement.
DATA COLLECTION AND USE
CrowdStrike Websites and Web Portals
CrowdStrike Websites provide Internet based access for users to learn about CrowdStrike and its Offerings and to communicate with CrowdStrike and with others. CrowdStrike web portals that may exist within our Offerings (“Web Portals”) provide customers with Internet based access to our Offerings. When an individual uses our Websites and Web Portals, CrowdStrike gathers information, some of which is personal information. Information collected and used by CrowdStrike may include, among other things, the Internet Protocol (IP) address, browser information, device ID, the type of computer and technical information about a user’s means of connection to our Websites or Web Portals, such as the operating system and the Internet service providers utilized and other similar information. From users who are required to login to gain access to a particular Website feature or Web Portal, we collect usernames, passwords, and other login credentials that are used for the purpose of verifying user authorization to access the feature or Offering.
We and our third party partners use Local Storage (HTML5) to provide certain features on our Websites and Web Portals, to display advertising based on your web browsing activities, and to store content information and preferences. Various web browsers may offer their own management tools for removing HTML5.
We partner with a third party to display advertising on our Websites or to manage our advertising on other sites. Our third party partner may use technologies such as cookies to gather information about your activities on this site and other sites to provide you advertising based on your browsing activities and interests. If you wish to not have this information used for the purpose of serving you interest-based ads, you may opt out by clicking here. If you are located in the European Union, click here. Please note this does not opt you out of being served ads; you will continue to receive generic ads.
We may use the information, including personal information, that we collect from users of our Websites and Web Portals for a number of reasons, including but not limited to the following purposes:
- Operate, secure, support, personalize, and improve our Websites
- Provide you requested information and Offerings
- Provide blogs and discussion groups
- Run promotions, contests, surveys, or other website features
- Send periodic emails
- Recruit new employees when you respond to career postings
- Analyze trends
- Digital marketing, which may include online advertisements appearing on cookie-based advertising networks
- Direct marketing, which may include postal mail or telemarketing from CrowdStrike or a service vendor
- Provide you our Offerings, including product updates, documentation, and related information
- Operate, secure, support, and improve our Web Portals and Offerings
- Develop new features, products, and services
- Send periodic emails
- Analyze trends
We may transfer or provide access to personal information obtained through our Websites or Web Portals to individuals or companies that help us provide, operate, support, maintain, secure, and improve our Websites and Offerings.
If you opt-in to our mailing list online or in person, you will receive emails that may include company news, updates, related product or service information, and other CrowdStrike related information. We may also associate any personal information you submit to us, including email addresses, with information collected about you through other means such as cookies, web beacons, or social media plugins. This will help us better tailor content delivered to you through a variety of ways, including online advertisements. We include unsubscribe instructions at the bottom of each email if at any time you would like to unsubscribe from receiving future emails.
Accessing our blog will load social media cookies that are necessary for displaying content and enabling user interaction. If you make posts to our blogs, your words and identity are made available to other people using the blog. We are under no obligation to publish, maintain, or retain any of your posts. If you provide us with feedback about our company, Offerings, or Websites, we consider this to be freely given and we may use your feedback without compensation or attribution to you.
If we have a referral service that you choose to use to share information with a point of contact about us, we will ask you for the contact’s name and email address. We will automatically send your contact a one-time email inviting him or her to visit our Website. CrowdStrike will store this information for the sole purpose of sending the one-time email and for tracking the success of our referral program. An individual whose name has been provided to us may contact us at firstname.lastname@example.org to request that we remove their information from our database.
The Websites use the Lucky Orange analytics system to help improve usability and the customer experience. Lucky Orange may record mouse clicks, mouse movements and scrolling activity. Lucky Orange does not track this activity on any site that does not use the Lucky Orange system. You can choose to disable the Lucky Orange Service at http://www.luckyorange.com/disable.php.
CrowdStrike has numerous Offerings, including but not limited to platform and cloud based security and intelligence subscription services, professional services, free community security tools, and more. All of our Offerings are centered on our mission to provide cutting-edge security solutions to our customers.
In order to accomplish our mission, CrowdStrike is leading the industry in Big Data Security, taking advantage of high volume, high velocity, and high variety information to reveal relationships, dependencies, and perform predictions of outcomes and behaviors in order to detect, contain, and mitigate network intrusions and identify the attackers. Most of the information CrowdStrike collects through its Offerings is metadata, for example, data about how and when a device or network is being used, login times and attempts, registry keys, types and versions of operating systems, browsers, and information about software applications. Some of the data we collect may be considered personal information depending on the laws of the location where it is collected, such as IP addresses. In some cases, we collect personal information as it may appear within usernames, filenames, file paths, and machine names. However, we only use the data that we collect through our Offerings to help our customers and improve our capabilities in the way described in our more specific product or service documentation and agreements. CrowdStrike also offers customers the ability to directly provide to CrowdStrike, or for customers to have CrowdStrike Offerings configured to collect files (including the content of those files) and other information related to the files for security analysis and response, or when submitting crash reports, to make the product more reliable. At your direction, we may also collect or retrieve files as part of our Offerings. The files and related information may contain personal information.
An important type of data we detect and collect, analyze, and use through our Offerings (or provide our customers the ability to provide to us) is information about adversaries, for example, malware and URLs where adversaries try to send your data. We often discover this type of information from analyzing samples customers provide to us or from the data we collect from customers through our Offerings. We use the information we collect about adversaries to help all of our customers and the public – DETECT, RESPOND, REVEAL. However, when we share information that we learn about adversaries, we don’t identify customers or individuals, other than, of course, the adversary, that’s the WHO, WHAT and WHY of our security mission.
To the extent CrowdStrike collects personal information through its Offerings, CrowdStrike collects that information under the authority and direction of its customers, which often are corporate entities. CrowdStrike typically has no direct relationship or contact with an individual whose personal information we may collect or receive from a corporate customer and subsequently analyze and use. Regardless, the use of information collected through our Offerings shall be limited to the purpose of providing the service for which our customers have engaged CrowdStrike. We do not use any personal information collected through our Offerings to contact or market products or services to these individuals. We also do not provide any personal information obtained through the Offerings to third parties for the purpose of contacting or marketing products or services to these individuals.
If you are a user of one of our Offerings, we will obtain the personal information you provide us during the sales and/or fulfillment process. We may use personal information collected such as name, phone number, mailing address, and email address to contact you and to provide you with Offerings, send you an invoice, perform accounting, auditing and collection activities, answer questions, provide support and tell you about other Offerings.
If you are an individual who would no longer like to be contacted by one of our customers, please contact the customer that you interact with directly. An individual who seeks access, or who seeks to correct or delete personal information, should direct his/her query to the CrowdStrike’s customer, the data controller. If our customers request CrowdStrike to correct or delete the personal information, we will respond within a reasonable timeframe.
We will retain the personal information we process on behalf of our customers for as long as needed to provide services to our customers, to comply with our legal obligations, resolve disputes, and enforce our agreements.
We may transfer personal information to companies that help us provide our service. Transfers to subsequent third parties are covered by the service agreements with our customers.
How We Protect Your Information
The security of customer data and your personal information is not only important to us, it is our mission. We adopt data collection, storage and processing practices and security measures to protect against unauthorized access, alteration, disclosure or destruction of customer data and your personal information. We follow generally accepted practices to protect customer data and the personal information collected and submitted to us, both during transmission and once we receive it. If you have questions about the security of your personal information collected through our Offerings or Websites, you can contact us at email@example.com.
Retention of Personal Information
We will retain your personal information for as long as needed to fulfill the purpose for which we collected it and for a reasonable period thereafter in order to comply with audit, contractual, or legal requirements. We will retain and use your information as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. We may retain aggregated or de-identified data indefinitely or to the extent allowed by applicable law. We may retain personal information preserved in automatically generated computer back up or archival copies generated in the ordinary course of our information technology systems procedures.
User Access and Choice
You may request CrowdStrike provide you with information about whether we hold any of your personal information received or transferred from the EU in reliance on the Privacy Shield. You may also request us to correct, update, amend, or remove your personal information that you know or have reason to believe is in our possession by emailing us at firstname.lastname@example.org or by contacting us by postal mail at the contact information listed below. When contacting us, please provide us with detailed information about the personal information you are requesting we correct, update, amend, or remove, and the timeframe and manner in which you believe we came to collect it. We will respond to your request within a reasonable timeframe. If we obtained your personal information from a customer or third party acting on your behalf, you should contact the company or person you provided your information to. In certain circumstances, we may be required by law, our auditors, or other legitimate business purposes to keep information about you.
Sharing Your Personal Information
We do not sell, trade, or rent the personal information we collect from our Websites to others. We may share aggregated demographic information regarding visitors and users of our Websites with our affiliates, business partners, and advertisers for the purposes outlined above. When we collect personal information through our Offerings, it is made available to the CrowdStrike customer who was the source of the information and we use it as described in the Privacy Notice. We may use third party service providers to help us operate our business; provide, support, maintain, or secure our Offerings and our Websites; or administer activities on our behalf, such as marketing campaigns. It may be necessary to provide or allow access to your personal information to these third party service providers for those purposes. In addition, we provide information regarding our business to our auditors and legal counsel and, in some cases, that information may contain personal information, but they may only use it for the purpose of providing their professional services.
We may also disclose your personal information as required by law, such as to comply with a subpoena or similar legal process; or when we believe that disclosure is necessary or appropriate to protect our rights, protect your safety or the safety of others, investigate fraud, or respond to a government request. We may transfer any information we have about you in the event we sell or transfer all or a portion of our business or assets.
Our Websites include links to other websites whose privacy practices may differ from those of CrowdStrike. If you submit personal information to any of those sites or services, your information is governed by their privacy notices. We encourage you to carefully read the privacy notice of any website service you visit.
CrowdStrike’s mission is worldwide, and therefore, we may store information in the United States and other locations worldwide where we, or our service providers, have facilities.
This Privacy Notice does not pertain to personal information of CrowdStrike employees.
Changes to this Privacy Notice
CrowdStrike may update this Privacy Notice at any time to reflect changes to our information practices. If we make significant changes in how we use your personal information, we will notify you by email if feasible or by means of a notice on this Website. We encourage you to periodically review this page for the latest information on our privacy practices.
Your Agreement to this Privacy Notice
By using our Offerings and Websites, you are agreeing to our practices described in this Notice, which includes the collection and use of your personal information worldwide.
Your continued use of our Offerings and Websites following the posting of changes to this Privacy Notice will be deemed your acceptance of those changes.
If you have any questions about this Privacy Notice or our privacy practices, please contact us at:
15440 Laguna Canyon Road, Suite 250, Irvine, CA 92618
If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at https://feedback-form.truste.com/watchdog/request.