Data Guardianship



At Obsidian, we believe that a cybersecurity platform is most successful when it is designed to protect corporate and individual privacy. At Obsidian, we collect only the data we need to protect our customers by integrating a privacy first approach throughout our engineering and data science teams. We curate and design data flows to maximize detection and privacy protection before collection.

Obsidian provides an identity-centric cybersecurity approach by gathering and analyzing information about the accounts people have and what they do with those accounts. We only gather information with fully transparent authorization from our customers. That authorization can be revoked at any time. As long as the authorization is active, Obsidian collects information about individuals, including first and last names, email addresses, IP addresses, and phone numbers. Obsidian also collects information about the types of accounts companies and individuals have, such as the names of the platforms on which they have accounts, the permissions that accompany each account, and the actions taken on those accounts including logins, creations or deletions of work groups, folders, and additional actions specific to the type of account.

It is of utmost importance that we are able to trust the provenance of our data. Obsidian only uses the Obsidian platform, our website,, and a small number of third party providers to collect data to help us serve and secure our customers. Obsidian does not systematically collect data about individuals from social media nor does Obsidian buy data about individuals from data brokers or any other data reseller.

Obsidian does not systematically collect nor do we make any attempt to impute information about religious, ethnic, racial or gender backgrounds of individual users. We also don’t systematically collect or try to algorithmically impute information about political party affiliation, union membership, sexual activity, or sexual orientation of individuals.

Obsidian does not collect the content of email or Slack messages.

In the Obsidian product:

Obsidian is an enterprise software that helps businesses protect their employees. Employment laws prohibit those under the age of 14 from holding paid positions. We trust our customers to abide by child labor laws. Obsidian does not gather data from children under 13 years of age.

On the Obsidian Security website: is designed to be used by people age 14 or older.  Obsidian’s website at only collects data voluntarily entered into our forms (names, email addresses, company names) from guests who are employed. Our forms technically prohibit collection from those who are not employed, including those who are 13 years old or younger.

Data retention is negotiated with our customers to suit their specific needs.

Obsidian Security utilizes analytical modeling and algorithms to generate insights. We test our models and algorithms for accuracy and objectionable bias before implementing them in our live environment.


Obsidian Security employees with a legitimate need to access and analyze customer data are allowed to view and analyze customer data. Personnel within each of our customer’s enterprises are able to see, and with the Obsidian API, import data drawn from their organization.

Obsidian Security does not share identifiable customer data with other companies, with individuals who are unaffiliated with Obsidian, or with Obsidian employees who do not have a legitimate need to access customer data.

Obsidian may occasionally utilize insights generated by working with one customer to assist a different customer. For instance, if a particular IP address or email address is found to be malicious during an engagement with one customer, that IP address or email address may be blacklisted across all customer environments to protect all of Obsidian’s customers.

Yes. The list of Obsidian’s third party vendors is available to potential customers who have signed a non-disclosure agreement. Please email for more information.

At times, Obsidian conducts research in conjunction with universities, government agencies, or think tanks. Where ethically and legally permissible, Obsidian may share research data with the scientific community. To date, Obsidian’s research does not involve Obsidian customers or data generated by Obsidian customers.

Obsidian follows standard processes for research with human subjects, including submitting proposals to institutional review boards and preparing data management plans. Depending on the sensitivity of the research data, there may be ethical limitations on Obsidian’s ability to share research data.

Obsidian Security operates a security-first, continuous improvement corporate culture. We follow best practices such as forcing multi-factor authentication and intelligent password hygiene for all accounts, we cycle credentials, and we engage penetration testers to help discover and remediate vulnerabilities. To make sure we never slide into security malaise, we have a full-time security team dedicated to raising the bar for cybersecurity protection, detection, and response at Obsidian.

Obsidian Security has obtained the AICPA SOC 2 Type 1 certification.

Obsidian has implemented rigorous physical protections at our corporate headquarters in Newport Beach. Additionally, we ensure that any third party vendors, including cloud security providers, have implemented rigorous physical security protocols.

We know that employees are our first line of defense on the ground and in the cloud. All Obsidian employees are subject to background checks and must complete ongoing monthly security training. Developers are required to complete additional one-time and ongoing security training. Regular penetration testing, including phishing attempts, keeps us on our toes.

Our onboarding process forces full disk encryption and endpoint monitoring on all employee laptops.

We run a security-first, privacy respectful culture with tangible rewards available to employees who exceed our expectations for protecting customers’ data, including protecting customers’ data from ourselves! If we don’t need to see it to protect you, we don’t want to see it.

More information about our security protocols is available to customers and potential customers who have signed a non-disclosure agreement. Please email to get in touch with us.

We are serious about communicating clearly and quickly with our customers as soon as we have detected malignant data breaches and risky but benign data exposures.

Within our platform, Obsidian provides ongoing alerts to let our customers know that Obsidian has detected threats in the customer’s environments. Obsidian also provides security information to help customers improve their security posture and tidy their security hygiene to help prevent problems before they occur.

If Obsidian is directly responsible for a data breach, we will follow our incident response plan to diagnose, triage, and remediate the problem. We will inform our customers about the breach within 72 hours of discovering any data breaches.

At Obsidian, our goal is to fiercely protect customer data. If there is an instance in which Obsidian is asked to share data with a law enforcement agency in possession of a warrant, we will comply with the warrant.

At Obsidian, our business model is built on protecting customer data and customer environments.  We never sell, lend, or swap customer or employee data.

Obsidian does not allow third party advertisements on our website or in our product.

With customer consent, Obsidian collects, stores, and uses data from people who visit our website and sign up for our newsletter or a demo. We ask for names, email addresses, company names, and use them for marketing purposes. Customers can remove their contact information for any reason by requesting to be removed from our records by emailing

At Obsidian, we recognize that protecting our customers’ and employees’ privacy is everyone’s responsibility. Employees receive training in how to spot personally identifying data and are rewarded for collecting, modeling, and designing with privacy in mind. If you’re a broad-minded critical thinker who enjoys stretching your ethical imagination, you’ll find a stimulating environment here.

Employees are expected to undergo a background check prior to employment. Our onboarding process forces full disk encryption and endpoint monitoring on all employee laptops to help secure our environment. This means employees do not have full privacy while they use their work laptops.

Employees are expected to prioritize the protection of customer environments and customer data, will be trained to do so, and will be rewarded for continuing to advance our security and privacy practices.

Providing excellent security requires vigilance around the clock. Engineering and data science employees will be assigned periodic on-call shifts during which they must be available during and after hours to triage issues as they arise.

Our privacy respecting culture starts with the way we treat our employees. We believe it is important to arrive at decisions that impact our employees carefully and openly. We have practices in place that formally support a culture of transparency and open discourse. In general, we use appropriate techniques to protect our environment from cyber crime and to detect accidents waiting to happen with a least-invasive privacy posture.

Rest assured: Obsidian never sells employee data.

More information on the way Obsidian’s operations impact employees is available during the interview process.