small align text-align-left refresh
Carbon Black

Privacy Policy

text_image_eight full_width

Date Last Revised: May 24, 2018

 

INTRODUCTION

This Privacy Policy describes the manner in which Carbon Black, Inc. and its affiliates (collectively “Carbon Black”) collect, use, maintain, and disclose information from users of our websites and from customers who use our products and services (“Products and Services”) including related Web portals. This Privacy Policy does not pertain to personal information of Carbon Black employees.

DATA COLLECTION VIA PRODUCTS AND SERVICES

Carbon Black delivers security solutions to help protect organizations from advanced cyberattacks. Carbon Black will collect data on behalf of and under the instructions of our customers (“Customers”) in connection with the Product and Services. In that context, our Customers are the data controllers and Carbon Black is the data processor.

In order to protect our Customers from attackers, Carbon Black collects information from our Customers. Most of the information we collect through our Products and Services is metadata, for example, data about how a device is being used, information about software applications, login times, and what operating systems are being utilized. Depending on local laws, some of the data we collect may be considered personal information. For example, IP addresses and device ID names may be considered personal information in some jurisdictions. Also, we may collect personal information if it appears within usernames, filenames, file paths, and machine names. However, we only use the data that we collect through our Products and Services in accordance with the terms of the agreement between Carbon Black and the Customer, to support the Product and Services, and to improve our capabilities generally.

For example, Carbon Black may use the information, including personal data, collected in connection with our Products and Services in the following manner:

  • To provide, operate, secure, support, personalize, and improve our Products and Services;
  • To adapt Products and Services to respond to new threats and develop new feature, products or services;
  • To participate in threat intelligence networks and conduct research and analysis;
  • To send Customers and other users information regarding our Products and Services or those of our vendors;
  • To provide customer support, manage Customer accounts, respond to requests, questions, and comments, and to work with our vendors;
  • To meet our contractual requirements, to comply with legal or regulatory requirements and our internal policies, to protect against criminal activity, fraud, claims and other liabilities;
  • To perform other activities consistent with this Privacy Policy or as otherwise requested or consented to by our Customers;
  • To take actions necessary to protect and/or to defend Carbon Black’s rights and property (including intellectual property);
  • To protect against misuse or unauthorized use of our Products and Services;
  • For other legitimate purposes.

RETENTION PERIOD

When providing the Products and Services, Carbon Black retains personal data for at least 30 days as long as our Customer’s account is active, as necessary to provide the Products and Services, as permitted in our agreement with Customers, to resolve any billing disputes, as needed for compliance audits and assessments, or as required or permitted under applicable law. We may retain aggregated anonymized or de-identified data for longer periods of time, in accordance with applicable law and any applicable Customer agreement.

RIGHTS REGARDING PERSONAL DATA

Data collected via Products and Services. Carbon Black only processes and discloses the personal data related to our Products and Services as specified in the agreements with our Customers. Customers control how personal data is disclosed to us and processed, and how it can be modified. Accordingly, if you, as an individual, want to request access, or to limit use or disclosure of your personal data, please contact the company to which you submitted your personal data and that uses the Carbon Black Products and Services. If you contact Carbon Black and provide the name of the Customer to which you provided your personal data, we will refer your request to that Customer and support them in responding to your request.

Data collected via Websites/Web portals. We encourage visitors to our websites and web portal to register with Carbon Black. Registration is not required, except for access to our premium content areas. The registration form may require users to give us the following information:

  • The user’s first and last name
  • The user’s company or organization
  • A valid telephone number for the user
  • A valid e-mail address for the user
  • The state or province in which the user is located
  • The country in which the user is located

In the event that you decide to participate in any of our user forums, such as our “Customer eXchange” or our Partner Portal, any personal, private and/or confidential information that you elect to disclose to other users on the forum shall be disclosed at your own risk and we are not responsible for maintaining the security of any information so disclosed. Please see the Terms and Conditions for Customer eXchange and Partner Portal posted on that forum.

DISCLOSURES / ONWARD TRANSFERS OF PERSONAL DATA

Carbon Black may provide personal data to third parties that act as agents, consultants, and service providers to perform tasks on behalf of and under our instructions (“Third Parties”) under appropriate safeguards. For example, Carbon Black may store such personal data in the facilities operated by Third Parties. Such Third Parties may process personal data both inside and outside the United States and must agree use personal data only for the purposes for which they have been engaged by Carbon Black and they must either: (i) comply with the Privacy Shield principles or another mechanism permitted by the applicable EU & Swiss data protection law(s) for transfers and processing of personal data; or (ii) agree to provide adequate protections for the personal data that are no less protective than those set out in this Privacy Policy.

AUTOMATED DECISIONS

To the extent permitted by applicable law, we may collect data in an automated manner and make automated decisions, including using machine learning algorithms, in order to provide or optimize the Products and Services, for security or analytics purposes, to prevent fraud, to ensure network and information security, to prevent unauthorized access to electronic communications networks and to stop damage to computer and electronic communication systems, or to report possible criminal acts or threats to public security to a competent authority (if requested by our customers), and to display advertisements and offers based on the preferences of our customers or potential customers.

COOKIES, OTHER TRACKING TECHNOLOGIES AND CONTACT INFORMATION

As you interact with our websites, we may use automatic data collection technologies to collect certain information about your equipment, browsing actions and patterns, including: Cookies, user data for sales tools, tracking codes in coordination with offers made on social media sites, and visitor IP addresses and domain names for reporting and website usage analysis.

For more information regarding our use of cookies and other tacking technologies please visit www.carbonblack.com/cookie-policy.

User information provided to or gathered through the websites will not be sold or provided to third-parties for the purposes of solicitation or direct marketing.

We may, however, disclose aggregated, anonymized information about our users, and information that does not identify any individual, without restriction. We may disclose user information that we collect or you provide as described in this Privacy Policy to contractors, service providers and other third party service providers that we use to manage customer information and support our business and who are bound by contractual obligations to keep personal information confidential and use it only for the purposes for which we disclose it to them.

User information will only be shared with a third party with assurances from such third party that it (1) will not use or disclose User Information for purposes of solicitation or direct marketing, and (2) will keep the information secure using methods comparable to, or more secure than, the security methods used by Carbon Black. To the extent that you provide user information to us concerning third parties, including information regarding your company, that information will be subject to the same conditions as set forth above.

Our website may contains links to other websites, including our partners and media web sites. Please be aware that our privacy policy does not apply to these other third party sites.

User Information may be compiled into user profiles that are maintained by Carbon Black (or by third party services used by Carbon Black to manage customer information), and may be used for the following purposes:

  • To send you information about Carbon Black, product updates, special offers, and newsletters
  • To provide customer support for Carbon Black Products and Services
  • To initiate or to respond to a subpoena, investigative demand, or other discovery request that is properly served pursuant to state or federal law
  • To take actions necessary to protect and/or to defend Carbon Black’s rights and property (including intellectual property)
  • To protect against misuse or unauthorized use of our websites

EU-U.S. AND SWISS-U.S. PRIVACY SHIELD

Carbon Black complies with the US-EU and US-Swiss Privacy Shield Framework regarding the collection, use, and retention of personal information from users in the European Union member countries and Switzerland. Carbon Black has certified that it adheres to the Privacy Shield Privacy Principles of notice, choice, accountability for onward transfer, security, data integrity and purpose limitation, access, recourse, enforcement and liability. If there is any conflict between this Policy and the Privacy Shield Privacy Principles, the Privacy Shield Privacy Principles shall govern. To learn more about the Privacy Shield program, and to view our certification page, please visit https://www.privacyshield.gov.

With respect to personal data received or transferred from the EU and Switzerland pursuant to each of the Privacy Shield Frameworks, Carbon Black is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

Under certain conditions, more fully described on the Privacy Shield website here https://www.privacyshield.gov/article?id=How-to-Submit-a-Complaint, you may be entitled to invoke binding arbitration when other dispute resolution procedures have been exhausted.

Carbon Black will renew its Privacy Shield certifications annually, unless it subsequently determines that it no longer needs such certification or if it employs a different adequacy mechanism.

Prior to the re-certification, Carbon Black will conduct an in-house verification to ensure that its attestations and assertions with regard to its treatment of personal data is accurate and that the company has appropriately implemented these practices.

CALIFORNIA NOTICE

California Civil Code Section 1798.83 permits California residents to request a notice from us describing which categories of personal information we have shared with third parties or corporate affiliates for those third parties or corporate affiliates’ direct marketing purposes within the last calendar year, and the name and address of such parties. If you are a California resident and would like a copy of this notice, please send an email to contact@carbonblack.com with “California Privacy Rights Request” in the subject line.

NOTICE REGARDING CHILDREN’S DATA

Our website and our Products and Services are not intended for children under 13 years of age. No one under age 13 may provide any information to or on our websites or our Products and Services. We do not knowingly collect personal information from children under 13. If you are under 13, do not use or provide any information on our websites, or our Products and Services, or on or through any of the features, including registration features, use any of the interactive or public comment features of the website or provide any information about yourself to us, including your name, address, telephone number, e-mail address or any screen name or user name you may use. If we learn we have collected or received personal information from a child under 13 without verification of parental consent, we will delete that information. If you believe we might have any information from or about a child under 13, please contact us at privacy@carbonblack.com.

RESPONSIBILITIES AND MANAGEMENT

Carbon Black has designated Laura Ratautaite-Zulkarnain, Chief Privacy Counsel (“Chief Privacy Counsel”) to oversee its information security program, including its compliance with the US-EU and US-Swiss Privacy Shield Framework. The Chief Privacy Counsel shall review and approve any material changes to this program as necessary. Any questions, concerns, or comments regarding this Privacy Policy also may be directed to privacy@carbonblack.com.

Carbon Black will maintain, monitor, test, and upgrade information security policies, practices, and systems to assist in protecting the personal data that it collects. Carbon Black personnel will receive training, as applicable, to effectively implement this Policy.

DATA INTEGRITY AND SECURITY

Carbon Black uses reasonable efforts to maintain the accuracy and integrity of personal data and to update it as appropriate. Carbon Black has implemented physical and technical safeguards to protect personal data from loss, misuse, and unauthorized access, disclosure, alternation, or destruction. Carbon Black also employs access restrictions, limiting the scope of employees and service providers who have access to personal data. Further, Carbon Black uses secure encryption technology to protect certain categories of personal data. Despite these precautions, no data security safeguards guarantee 100% security all of the time.

LEGAL BASES OF PROCESSING

Carbon Black generally does not have a direct relationship with our Customer’s employees or contractors. Therefore, Customer’s must comply with all applicable legal requirements when providing personal data to Carbon Black or in allowing the collection of personal data through the Customer’s use of the Products and Services, including, without limitation, if applicable, the obligation to obtain consent from their employees, contractors and other data subjects prior to using the Carbon Black Products and Services, or, if applicable, rely on another legitimate basis, such as ensuring network and information security, including preventing unauthorized access to electronic communications networks and stopping damage to computer and electronic communication systems.

DATA SUBJECT RIGHTS

Individuals may have one or more of the following additional rights regarding their personal data, depending on their country of residence and, if their data is collected by or on behalf of a Carbon Black customer, depending on such customer’s policies and agreements with Carbon Black: Access, Rectification and Erasure, Objection.

Carbon Black will endeavor to respond in a timely manner to all reasonable written requests to exercise any of the rights listed above. Such requests must be made by contacting us as set forth below, and including sufficient details so that we are able to understand the request and respond. If the request relates to data collected by or on behalf of a Customer, we will first refer the individual to such Customer and our ability to take any action requested is subject to our underlying agreement with such Customer and applicable laws.

CHANGES TO THIS POLICY

This Policy may be amended from time to time, consistent with the Privacy Shield Principles and applicable data protection and privacy laws and principles. If we make material changes in how we use personal information, we will provide notification by email if feasible or by means of a notice on this website. We encourage Customers and users to periodically review this page for the latest information on our privacy practices.

ENFORCEMENT AND DISPUTE RESOLUTION

In compliance with the Privacy Shield Principles, Carbon Black commits to endeavor to promptly resolve complaints about privacy and our collection or use of personal information. Individuals with questions or concerns about the use of their personal data should contact us at: privacy@CarbonBlack.com and identify the Company or other organization with whom they are affiliated or for whom their data was collected, if collection was for a Customer.

If a Customer’s question or concern cannot be satisfied through this process Carbon Black has further committed to refer unresolved privacy complaints under Privacy Shield to an independent dispute resolution mechanism operated by TRUSTe.

If you do not receive timely acknowledgement of your complaint, or if your complaint is not satisfactorily addressed by Carbon Black, individuals may bring a complaint before the TRUSTe Online Privacy Shield dispute mechanism. Information about how to file a complaint before TRUSTe Privacy Shield program can be found at: https://feedback-form.truste.com/watchdog/request. Finally, as a last resort and in limited situations, individuals who are residents of the European Union or Switzerland may seek redress from the Privacy Shield Panel, a binding arbitration mechanism.

Contacting Us

If you have any questions about this Privacy Policy or our privacy practices, please contact us at:

Laura Ratautaite-Zulkarnain
Chief Privacy Counsel
Carbon Black
1100 Winter Street, Waltham MA, 02451
privacy@carbonblack.com