Obsidian Website Privacy Policy

Last updated: 7 July 2020

Scope of Coverage

The Obsidian Website Privacy Policy describes how Obsidian Security, Inc. (“Obsidian”, “we”, “us”) collects, uses, stores, and discloses information from users (“you”, “your”) of our website at obsidiansecurity.com, job applicants to Obsidian Security, and people who interact with our social media or other public facing web content. The Obsidian Website Privacy Policy does not govern personal data of or about current or past Obsidian Security employees or contractors or current or past corporate customers or individuals covered by our cybersecurity product.

A list of all privacy policies related to Obsidian Security

Obsidian maintains three privacy policies: 

  1. This Obsidian Security Website Privacy Policy that governs use of obsidiansecurity.com, Obsidian’s social media posts, job applicants to Obsidian Security, and others interacting with Obsidian Security’s public-facing web presence.
  2. Obsidian Security Employee Privacy Policy that governs Obsidian’s relationship with its employees. The Obsidian Security Employee Privacy Policy is available to Obsidian Security employees. 
  3. Obsidian Security Product Privacy Policy that governs the use of our product and is available to active customers through the Obsidian platform and to legitimate potential customers upon request.

We also wrote a three part blog series (1, 2, 3) on the data guardianship and privacy principles we use to inform our privacy policies.


Summary of the Obsidian Website Privacy Policy

We believe users of our website and people who interact with us on social media should always know what data we collect and store about them and should have a clear line of communication with our privacy team. We believe that users of our website should be afforded reasonable privacy protections by default and should be empowered to have their personal data deleted by request, regardless of where they live. 

While we encourage everyone to read our entire website privacy policy, we summarized key takeaways here:

  • Obsidian Security does not sell users’ personal data to third parties. 
  • In some circumstances, Obsidian Security may share small amounts of data about you. 
    • With our partners:
      If you register to attend an event, webinar, or other activity through our website or links posted to our social media accounts which is run jointly with one or more of our partners, we may share your name, email address, and job title with the partner or partners co-hosting or co-sponsoring that event or activity.
    • With third party platforms:
      Obsidian uses third party platforms like Hubspot and Google Analytics for marketing and LinkedIn and Lever.com for recruiting and hiring. Personal data about you may reside on third party platforms that we use to help us with marketing and recruiting as a result of your interactions with Obsidian Security on obsidiansecurity.com, linkedin.com, twitter.com, and/or lever.com.
  • When you use obsidiansecurity.com, even if you’re just reading our content, we receive some personal information from you like the type of device you’re using, your IP address, and which pages you click on while you’re at obsidiansecurity.com. We also gather information about the link that landed you at obsidiansecurity.com. We use this information to improve the content on obsidiansecurity.com and our overall communication strategy.
  • You may download our whitepapers and reports without manually submitting any additional personal information.
  • You can choose to share additional information with us like your name, email address, employer, job title, and phone number by entering your information into web forms for requesting a demo, attending a webinar, registering for an in-person event, receiving our newsletter, or filling out new web forms we may add in the future. Sharing your name, email address, and other information we request on our web forms is optional, but some aspects of our web presence may not work without these details (e.g. attending a webinar).
  • If you choose to follow Obsidian Security accounts on Twitter or LinkedIn or otherwise interact with us on social media, we may retain your social media account information, such as your name, your account handle, your publicly available bio, your stated location, and the dates and content of any interactions, including follows.
  • All of our emails have opt-out links to make it easy for you to unsubscribe.
  • You can also request to opt-out or to delete data you have previously submitted through our web forms by emailing [email protected]. We will validate your identity before fulfilling deletion requests.
  • If you have questions about privacy and data guardianship at Obsidian Security, please email us at [email protected]

The full Obsidian Website Privacy Policy

If you share information with us, including through our web forms, by visiting our website, by applying to work at Obsidian Security, or by interacting with our social media content, you agree to allow us to use the information we have gathered about you in accordance with this Obsidian Website Privacy Policy.

Information you share with us

Through web forms you voluntarily submit to Obsidian Security

The information you share with us on obsidiansecurity.com through web forms may include your full name, employer’s name, job title, phone number, and email address. We request your voluntary consent to collect this information at the time of collection. You may decline to provide this information by refusing to enter it into any web forms. If you decline to provide your information using Obsidian’s web forms, you may be unable to access some Obsidian features available through our web presence and our in-person events.

If you voluntarily provide your personal data using our web forms you agree to allow us to use your information for the following purposes: 

  • to send updates and reminders about events, webinars, and demos users have requested to attend; 
  • to provide users with additional content and directions for events, webinars, and demos that users have requested; 
  • to send our newsletter to users who have signed up to receive it; 
  • to verify that form sign-ups are from legitimate, interested parties over age 16, as determined by our sole discretion;
  • to tell you about Obsidian services and features we believe may be of interest to you;
  • to provide updates to our website privacy policy to those legitimate parties who have submitted their email addresses to our web forms.

When an event or webinar is co-hosted or co-sponsored by a partner or partners, Obsidian may share your contact information with the partners of the co-hosted or co-sponsored event, webinar, or activity.

Through interactions on social media

When users follow Obsidian Security’s social media accounts or have interacted with content posted to Obsidian Security’s social media accounts, that activity will be recorded and processed along with the account information associated with the users’ social media account. This may include the users’ name, account handle, account bio, follower count, and location.

As of the effective date of this privacy policy, Obsidian maintains Twitter and LinkedIn accounts and processes information from users who interact with Obsidian’s accounts on Twitter and LinkedIn. Obsidian will update this privacy policy to reflect any new social media data we may process.

Through the Obsidian product

The Obsidian product can only obtain data with the explicit technical authorization of the end users who control the data. The end users can select which third party services Obsidian is authorized to obtain data from and they may independently revoke Obsidian’s authorization to obtain new data at any time, for any reason.

Payment information

Obsidian Security does not collect credit card or other payment information through obsidiansecurity.com or our social media sites.

From recruited candidates and job applicants

Obsidian Security uses online platforms like LinkedIn.com, Lever.com, glassdoor.com, and other public web-based job distribution platforms to advertise job openings broadly, share information about Obsidian, and learn about and communicate with potential job applicants. During the recruitment process, Obsidian Security will store and process comprehensive data about job applicants that the job applicants have made available publicly on sites such as LinkedIn and Twitter, and privately, by receiving resumés, CVs, cover letters and other materials through web-based submission portals, or by communications made by candidates and recruits directly to Obsidian hiring managers and recruiting personnel. Because the data submitted by candidates may vary from job to job and candidate to candidate, it is not possible to provide an exhaustive list of all data categories Obsidian may obtain from any particular candidate.

The following list is provided to suggest the categories of data Obsidian routinely processes from job candidates:

– Candidates’ name
– Candidates’ email address
– Candidates’ phone number
– Candidates’ current city, including street address
– Names of candidates’ past and current employers
– Candidates’ tenure and job title in past and current positions
– Candidates’ educational attainment including degrees completed, institutions attended, fellowships, awards, and grants (if any)
– Information posted by candidate on candidates’ LinkedIn page, if available
– Publicly available evidence of candidates’ past relevant work (e.g. publications in scholarly journals, publicly available professional blogs, publicly available news coverage, publicly available video recordings of relevant professional presentations)
– Publicly available evidence of candidates’ service to their professional community
– Candidates’ stated interest in applying for particular positions at Obsidian Security
– If a candidate makes a site visit to Obsidian Security, their photo will be captured and stored as part of our on-site security protocol

For certain jobs, there may be additional personal information gathered. Additionally, candidates may voluntarily provide additional information about themselves, not listed above. 

At Obsidian, we value diversity and freethinkers and are proud to be an equal opportunity employer.

Additional information we receive about you

When you use obsidiansecurity.com, even if you’re just reading our content, we receive some personal information from you like the type of device you’re using, your IP address, the browser you’re using, and which pages you click on while you’re at obsidiansecurity.com. We also gather information about the link that landed you at obsidiansecurity.com. 

We use this information to troubleshoot errors, to investigate security issues, to improve the content on obsidiansecurity.com and improve our overall communication strategy.

Circumstances in which we share or disclose information

With our partners

When Obsidian Security co-hosts, co-sponsors, or co-authors an event, webinar, or publication, we may share information about those who have attended the event or webinar or downloaded the publication with our partners for that publication or event.

For legal purposes

Obsidian may disclose your Personal Data if required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights or property of Obsidian, (iii) act in urgent circumstances to protect the personal safety of users of obsidiansecurity.com or the public, or (iv) protect against legal liability.

With third party services

Obsidian Security holds contracts with third party vendors to carry out sales, marketing, recruiting, and other business functions. The following third parties may store data from visitors to our public facing website, social media accounts, and recruiting accounts:

Hubspot – for marketing and sales purposes
Salesforce – for marketing and sales purposes
Glassdoor – for marketing, recruiting and HR purposes
Twitter – for marketing purposes
LinkedIn (owned by Microsoft) – for marketing and recruiting purposes
Lever – for recruiting and hiring purposes
Google – for marketing purposes
Mailchimp – for marketing, sales, recruiting, and media relations purposes
Qualtrics (owned by SAP) – survey tool for obtaining anonymous employee and customer feedback

The Obsidian Security cookie policy includes additional information on the kind of personal data stored and the purposes for which the data are stored by third parties.

In the event of a merger, acquisition, or change of ownership

In the event that Obsidian Security is involved in a bankruptcy, merger, acquisition, reorganization, or sale of assets, your personal data may be sold or transferred as part of that transaction. This Obsidian Website Privacy Policy will apply to your personal data as transferred to the new entity. 

Data Retention

How long will Obsidian hold your data?

This data retention policy applies to the personally identifiable data held by Obsidian. Obsidian will only retain your data for as long as is necessary to make our goods and services available to you through obsidiansecurity.com, at in-person events, through our Obsidian product, and/or via third-party partnerships, including third-party app stores.

Data obtained with your consent

Obsidian retains personally identifiable information gathered with your consent until you revoke your consent. For customers on our platform, as a courtesy, Obsidian will retain data for a short grace period of no more than 90 days upon contract termination unless otherwise directed.

Data Obsidian processes via the Obsidian product

When you authorize the Obsidian platform to process your data, the contract we hold with you will establish the terms of our data retention. In the absence of a contract superseding this policy, Obsidian’s standard data retention policy for data obtained with the Obsidian product is 90 days maximum.

Exceptions to Standard Data Retention policies

  • Data processed or controlled by Obsidian may be retained for longer than the standard retention period to fulfill legal obligations, including to respond to subpoenas or otherwise cooperate with active legal cases.
  • Data controlled by Obsidian may be retained for shorter periods of time if the individuals identified in the data make legitimate requests to Obsidian to delete the data.
  • Customers may request non-standard data retention periods for the data Obsidian processes during contract negotiation.
  • Data collected about Obsidian contractors and employees is covered in the Obsidian Employee Privacy Policy. The Employee Privacy Policy establishes data retention policies for employment-related data.

Obsidian Cookie policy

Obsidian Security uses cookies. We feel it is important that you understand how and why we use cookies, and want to explain some basics about what cookies are and how they work so that you can be more informed.

What are cookies?

Web cookies are small digital files, usually no bigger than 4kb, placed on your computer at the direction of websites you visit or emails you open that help identify your computer and behavior. They can last just for a single browsing session – a session cookie – or persist for longer than a session to help identify return visitors to the same site – a persistent cookie.

Several additional types of cookies

Like edible cookies, web cookies come in different types. In addition to web cookies, Obsidian Security also uses third party sites that create the following types of cookies.

  • Web Beacons: Web beacons (also known as “clear gifs”) are itty bitty graphics with a unique identifier, similar in function to cookies. They are the size of the period at the end of this sentence. Instead of being stored on your device like cookies, web beacons are embedded invisibly on web pages. We use web beacons to help us better understand which pieces of content are resonating with our readers, similar to the way we use other types of cookies.
  • Pixels: A “pixel” or “tag” can be placed on a website or within an email for the purposes of tracking your interactions with our Services or when emails Obsidian sends are opened or accessed by email recipients. Pixels are often used in combination with cookies.
  • Flash cookies: A flash cookie, also known as a local shared object (LSO), is a small data file stored on a user’s computer as a result of the user visiting a website that runs a Flash application. Flash cookies can be up to 100kb.

How does Obsidian use cookies?

Obsidiansecurity.com uses cookies to help identify you when you visit our website at obsidiansecurity.com, click on links for jobs, open emails Obsidian Security sends, and otherwise interact with online content created by or affiliated with Obsidian Security.

Which third parties create cookies that users of Obsidian Security’s website, emails, social media accounts, and job posts may have stored on their devices?

The web cookies that are active when you use obsidiansecurity.com, read emails from Obsidian, register for our events, apply for jobs at Obsidian, click on or like our social media posts/accounts, and otherwise interact with Obsidian’s web presence are generated and managed by third parties.

The following table includes the names, locations, types of cookies, purpose of cookies, and the locations where users may expect to find cookies that may be shared with Obsidian Security. Please refer to the links below for additional information on the types of cookies created by each third party.

| Name and link to cookie policy | Company’s Location | Types of Cookies | Purpose of Cookies | Which Obsidian Security media use these cookies? |
|---|---|---|---|---|
| Google Analytics | Mountain View, CA | Web cookies | Gives Obsidian aggregate understanding of number of page views per page, referring sites, time spent on site, whether content is read to completion and helps us improve our content | obsidiansecurity.com |
| Hubspot | Cambridge, MA | Web cookies | Gives Obsidian granular understanding of which visitors spend time on each of our web pages and links visits from the same visitors together. Allows Obsidian to link static information about a visitor – such as name and email address – with a visitor’s viewing behavior while on obsidiansecurity.com | Obsidiansecurity.com, Obsidian’s accounts on LinkedIn and Twitter |
| Mailchimp | Atlanta, GA | Tracking pixels and/or web beacons embedded in emails | Gives Obsidian metrics regarding how many of the emails we send are being opened and how many links within the email are being clicked. Obsidian can link behavior to individual email recipients. | Emails sent by Obsidian |
| Lever | San Francisco, CA | Web cookies | Helps Obsidian recruit appropriate candidates by understanding on which websites and by whom Obsidian job posts are being viewed | Obsidian Lever page and job posts hosted by Lever.com |
| Glassdoor | Mill Valley, CA | Web cookies, web beacons, flash cookies | Helps Obsidian improve our employee recruiting and retention by understanding how much interaction from whom our Glassdoor account is receiving | Obsidian’s Glassdoor page and related posts, including job posts |
| LinkedIn (Owned by Microsoft) | Sunnyvale, CA | Web cookies | Helps Obsidian recruit and improve our web content by understanding who is interacting with our social media and job posts | Obsidian’s LinkedIn profile, posts on Obsidian’s LinkedIn profile, and any posts that mention Obsidian Security on LinkedIn |
| Twitter | San Francisco, CA | Web cookies and pixels | Helps Obsidian understand how much interaction users have with Obsidian’s Twitter account and with specific Tweets Obsidian posts | Obsidian’s Twitter profile @obsidiansec; tweets that include Obsidian’s Twitter handle |

Opting out of cookies placed as a result of visiting Obsidiansecurity.com

The first time you use Obsidiansecurity.com, you will be given a chance to accept or decline cookies placed during your visits to obsidiansecurity.com in conjunction with Hubspot. If you wish to avoid cookies placed on Obsidian Security’s behalf by Hubspot, simply check “I decline”. If you initially select “I accept” and later decide you don’t want cookies, you may review the cookies that exist on your browser, delete those you wish to discard, and select “I decline” if you arrive at obsidiansecurity.com on future visits. Selecting “I decline” will prevent the placement of new cookies for that visit. Please continue to select “I decline” if you do not want to have cookies placed on your device as a result of visiting obsidiansecurity.com.

If you wish to delete your entire record of visits on obsidiansecurity.com, please email [email protected] to initiate a deletion process. We will respond within no more than 10 business days to confirm receipt of a deletion request.

Instructions for managing cookies on five typical browsers are included here for your convenience:
– Manage cookies in Google Chrome
– Manage cookies in Firefox
– Manage cookies on Safari
– Manage Cookies on Microsoft Edge
– Manage cookies on Microsoft Internet Explorer

Browser-set Do Not Track commands 

Some browsers and browser plug-ins make digital requests to websites to avoid tracking during web sessions. Obsidian Security is not able to comply with electronic Do Not Track requests.

Managing your personal information at Obsidian

As described in our Cookie Policy, users may opt-out of cookies set by Hubspot by declining to have their information stored when they make their first visit to obsidiansecurity.com. People who do not wish to enter their personal data in web forms can simply avoid filling out web forms, though this may make it impossible for them to register for webinars or in-person events, receive our newsletter, or otherwise access our full content. Users may download our white papers without submitting form data.

People who believe Obsidian Security controls data about them for marketing or recruiting purposes who no longer wish to have their data accessible by Obsidian Security can request deletion of the personal information about them by emailing [email protected]. Obsidian reserves the right to require validation of a user’s identity commensurate with the sensitivity of the data and subject to all applicable laws.

California residents and European Union residents have additional rights listed below.

California and EU Residents

Starting 1 January 2020, companies that do business in California, including Obsidian Security, are subject to the California Consumer Privacy Act (CCPA) which offers certain privacy rights that are substantially similar to the EU GDPR. Obsidian is committed to complying with CCPA and the GDPR by offering the following rights to residents of California and to residents of the European Union.

Requests to opt-out of data sales: Obsidian does not sell data

Obsidian Security believes that capable, protective data guardianship is key to our relationship with customers, potential customers, employees, job candidates, and visitors to our website. Obsidian does not and will not sell your personal data individually or in aggregate.

Right to Know Requests

California and EU residents have a right to request information about our collection, use, and disclosure of their personal information (California residents are restricted to information gathered over the prior 12 months), and ask that we provide them with the following information:

  • Categories of and specific pieces of personal information we have collected about you.
  • Categories of sources from which we collect personal information (e.g. social media sites, forms you submit to obsidiansecurity.com, etc).
  • Purposes for collecting, using, or selling personal information.
  • Categories of third parties with which we share personal information.
  • Categories of personal information disclosed about you for a business purpose.
  • If applicable, categories of personal information sold about you and the categories of third parties to which the personal information was sold, by category or categories of personal information for each third party to which the personal information was sold.

To make a verifiable request for information about the personal information we have collected about you, please email us at [email protected]. We may require further identity verification before completing your request.

Right to Delete Requests

California and EU residents also have a right to request that we delete personal information, subject to certain exceptions. You may exercise your right to delete by emailing us at [email protected]

Requests, Generally

California and EU residents may make a verifiable consumer request related to their personal information twice per 12-month period. We will not discriminate against people for exercising their rights under the CCPA, the GDPR, or other applicable state laws.

Requests Made Through Agents

California residents may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us to prevent fraudulent requests.

Age Limitations 

Obsidiansecurity.com is designed to be used by people who are at least 16 years old. If you are not 16 years old, please do not use obsidiansecurity.com. Do not submit your name, email address, or other personal information using our web forms.

If, during routine review, Obsidian Security believes people under the age of 16 have submitted their personal information into our web forms, we will, in our sole discretion, delete the information believed to belong to those under 16 years old.

Privacy policy limitations – Links to third parties

Our website at obsidiansecurity.com contains links to other websites, including links to our partners and to media web sites. Please be aware that our privacy policy does not apply to websites controlled by third parties, including cookies placed by third parties.

Changes to the Obsidian Website Privacy Policy

We may revise the Obsidian website privacy policy from time to time. The most current version of the policy will always be at obsidiansecurity.com/privacy-policy.

If we make a change to our website privacy policy that, in our sole discretion, is material, we will notify those users of our website who have voluntarily provided their email addresses to us. We are unable to provide notification of our updated privacy policy to those users who have not provided email addresses. By continuing to access or use obsidiansecurity.com or interact with social media content posted by Obsidian Security after changes to the Obsidian website privacy policy become effective, you agree to be bound by the revised Obsidian Website Privacy Policy.

Feedback and Contact Information

Obsidian is on a continual quest for improvement. We invite most kinds of feedback from customers, interested third parties, and visitors to obsidiansecurity.com and will confirm receipt within 10 business days. 

Constructive, humorous, scathing, brilliant, crushing, typographical, grammatical, award-winning, nit-picky, and/or limerick-style feedback can be delivered anonymously, via email, or via snail mail.

Anonymous feedback —  Submit here.

Email — [email protected]

Physical mail –
Obsidian Security
c/o Privacy Team
680 Newport Center Drive #200
Newport Beach, CA 92660