Last updated: 7 July 2020
Scope of Coverage
A list of all privacy policies related to Obsidian Security
Obsidian maintains three privacy policies:
We also wrote a three part blog series (1, 2, 3) on the data guardianship and privacy principles we use to inform our privacy policies.
We believe users of our website and people who interact with us on social media should always know what data we collect and store about them and should have a clear line of communication with our privacy team. We believe that users of our website should be afforded reasonable privacy protections by default and should be empowered to have their personal data deleted by request, regardless of where they live.
- Obsidian Security does not sell users’ personal data to third parties.
- In some circumstances, Obsidian Security may share small amounts of data about you.
  - With our partners: If you register to attend an event, webinar, or other activity through our website or links posted to our social media accounts which is run jointly with one or more of our partners, we may share your name, email address, and job title with the partner or partners co-hosting or co-sponsoring that event or activity.
  - With third party platforms: Obsidian uses third party platforms like Hubspot and Google Analytics for marketing and LinkedIn and Lever.com for recruiting and hiring. Personal data about you may reside on third party platforms that we use to help us with marketing and recruiting as a result of your interactions with Obsidian Security on obsidiansecurity.com, linkedin.com, twitter.com, and/or lever.com.
- When you use obsidiansecurity.com, even if you’re just reading our content, we receive some personal information from you like the type of device you’re using, your IP address, and which pages you click on while you’re at obsidiansecurity.com. We also gather information about the link that landed you at obsidiansecurity.com. We use this information to improve the content on obsidiansecurity.com and our overall communication strategy.
- You may download our whitepapers and reports without manually submitting any additional personal information.
- You can choose to share additional information with us like your name, email address, employer, job title, and phone number by entering your information into web forms for requesting a demo, attending a webinar, registering for an in-person event, receiving our newsletter, or filling out new web forms we may add in the future. Sharing your name, email address, and other information we request on our web forms is optional, but some aspects of our web presence may not work without these details (e.g. attending a webinar).
- If you choose to follow Obsidian Security accounts on Twitter or LinkedIn or otherwise interact with us on social media, we may retain your social media account information, such as your name, your account handle, your publicly available bio, your stated location, and the dates and content of any interactions, including follows.
- All of our emails have opt-out links to make it easy for you to unsubscribe.
- You can also request to opt-out or to delete data you have previously submitted through our web forms by emailing firstname.lastname@example.org. We will validate your identity before fulfilling deletion requests.
- If you have questions about privacy and data guardianship at Obsidian Security, please email us at email@example.com.
Information you share with us
Through web forms you voluntarily submit to Obsidian Security
The information you share with us on obsidiansecurity.com through web forms may include your full name, employer’s name, job title, phone number, and email address. We request your voluntary consent to collect this information at the time of collection. You may decline to provide this information by refusing to enter it into any web forms. If you decline to provide your information using Obsidian’s web forms, you may be unable to access some Obsidian features available through our web presence and our in-person events.
If you voluntarily provide your personal data using our web forms you agree to allow us to use your information for the following purposes:
- to send updates and reminders about events, webinars, and demos users have requested to attend;
- to provide users with additional content and directions for events, webinars, and demos that users have requested;
- to send our newsletter to users who have signed up to receive it;
- to verify that form sign-ups are from legitimate, interested parties over age 16, as determined by our sole discretion;
- to tell you about Obsidian services and features we believe may be of interest to you.
When an event or webinar is co-hosted or co-sponsored by a partner or partners, Obsidian may share your contact information with the partners of the co-hosted or co-sponsored event, webinar, or activity.
Through interactions on social media
When users follow Obsidian Security’s social media accounts or have interacted with content posted to Obsidian Security’s social media accounts, that activity will be recorded and processed along with the account information associated with the users’ social media account. This may include the users’ name, account handle, account bio, follower count, and location.
Through the Obsidian product
The Obsidian product can only obtain data with the explicit technical authorization of the end users who control the data. The end users can select which third party services Obsidian is authorized to obtain data from and they may independently revoke Obsidian’s authorization to obtain new data at any time, for any reason.
Obsidian Security does not collect credit card or other payment information through obsidiansecurity.com or our social media sites.
From recruited candidates and job applicants
Obsidian Security uses online platforms like LinkedIn.com, Lever.com, glassdoor.com, and other public web-based job distribution platforms to advertise job openings broadly, share information about Obsidian, and learn about and communicate with potential job applicants. During the recruitment process, Obsidian Security will store and process comprehensive data about job applicants that the job applicants have made available publicly on sites such as LinkedIn and Twitter, and privately, by receiving resumés, CVs, cover letters and other materials through web-based submission portals, or by communications made by candidates and recruits directly to Obsidian hiring managers and recruiting personnel. Because the data submitted by candidates may vary from job to job and candidate to candidate, it is not possible to provide an exhaustive list of all data categories Obsidian may obtain from any particular candidate.
The following list is provided to suggest the categories of data Obsidian routinely processes from job candidates:
– Candidates’ Name
– Candidates’ email address
– Candidates’ phone number
– Candidates’ current city, including street address
– Names of candidates’ past and current employers
– Candidates’ tenure and job title in past and current positions
– Candidates’ educational attainment including degrees completed, institutions attended, fellowships, awards, and grants (if any)
– Information posted by candidate on candidates’ LinkedIn page, if available
– Publicly available evidence of candidates’ past relevant work (e.g. publications in scholarly journals, publicly available professional blogs, publicly available news coverage, publicly available video recordings of relevant professional presentations)
– Publicly available evidence of candidates’ service to their professional community
– Candidates’ stated interest in applying for particular positions at Obsidian Security
– If a candidate makes a site visit to Obsidian Security, their photo will be captured and stored as part of our on-site security protocol
For certain jobs, there may be additional personal information gathered. Additionally, candidates may voluntarily provide additional information about themselves, not listed above.
At Obsidian, we value diversity and freethinkers and are proud to be an equal opportunity employer.
Additional information we receive about you
When you use obsidiansecurity.com, even if you’re just reading our content, we receive some personal information from you like the type of device you’re using, your IP address, the browser you’re using, and which pages you click on while you’re at obsidiansecurity.com. We also gather information about the link that landed you at obsidiansecurity.com.
We use this information to troubleshoot errors, to investigate security issues, to improve the content on obsidiansecurity.com and improve our overall communication strategy.
Circumstances in which we share or disclose information
With our partners
When Obsidian Security co-hosts, co-sponsors, or co-authors an event, webinar, or publication, we may share information about those who have attended the event or webinar or downloaded the publication with our partners for that publication or event.
For legal purposes
Obsidian may disclose your Personal Data if required to do so by law or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights or property of Obsidian, (iii) act in urgent circumstances to protect the personal safety of users of obsidiansecurity.com or the public, or (iv) protect against legal liability.
With third party services
Obsidian Security holds contracts with third party vendors to carry out sales, marketing, recruiting, and other business functions. The following third parties may store data from visitors to our public facing website, social media accounts, and recruiting accounts:
Hubspot – for marketing and sales purposes
Salesforce – for marketing and sales purposes
Glassdoor – for marketing, recruiting and HR purposes
Twitter – for marketing purposes
LinkedIn (owned by Microsoft) – for marketing and recruiting purposes
Lever – for recruiting and hiring purposes
Google – for marketing purposes
Mailchimp – for marketing, sales, recruiting, and media relations purposes
Qualtrics (owned by SAP) – survey tool for obtaining anonymous employee and customer feedback
In the event of a merger, acquisition, or change of ownership
How long will Obsidian hold your data?
This data retention policy applies to the personally identifiable data held by Obsidian. Obsidian will only retain your data for as long as is necessary to make our goods and services available to you through obsidiansecurity.com, at in-person events, through our Obsidian product, and/or via third-party partnerships, including third-party app stores.
Data obtained with your consent
Obsidian retains personally identifiable information gathered with your consent until you revoke your consent. For customers on our platform, as a courtesy, Obsidian will retain data for a short grace period of no more than 90 days upon contract termination unless otherwise directed.
Data Obsidian processes via the Obsidian product
When you authorize the Obsidian platform to process your data, the contract we hold with you will establish the terms of our data retention. In the absence of a contract superseding this policy, Obsidian’s standard data retention policy for data obtained with the Obsidian product is 90 days maximum.
Exceptions to Standard Data Retention policies
- Data processed or controlled by Obsidian may be retained for longer than the standard retention period to fulfill legal obligations, including to respond to subpoenas or otherwise cooperate with active legal cases.
- Data controlled by Obsidian may be retained for shorter periods of time if the individuals identified in the data make legitimate requests to Obsidian to delete the data.
- Customers may request non-standard data retention periods for the data Obsidian processes during contract negotiation.
What are cookies?
Web cookies are small digital files, usually no bigger than 4kb, placed on your computer at the direction of websites you visit or emails you open that help identify your computer and behavior. They can last just for a single browsing session – a session cookie – or persist for longer than a session to help identify return visitors to the same site – a persistent cookie.
Several additional types of cookies
Like edible cookies, web cookies come in different types. In addition to web cookies, Obsidian Security also uses third party sites that create the following types of cookies.
- Web Beacons: Web beacons (also known as “clear gifs”) are itty bitty graphics with a unique identifier, similar in function to cookies. They are the size of the period at the end of this sentence. Instead of being stored on your device like cookies, web beacons are embedded invisibly on web pages. We use web beacons to help us better understand which pieces of content are resonating with our readers, similar to the way we use other types of cookies.
- Pixels: A “pixel” or “tag” can be placed on a website or within an email for the purposes of tracking your interactions with our Services or when emails Obsidian sends are opened or accessed by email recipients. Pixels are often used in combination with cookies.
- Flash cookies: A flash cookie, also known as a local shared object (LSO), is a small data file stored on a user’s computer as a result of the user visiting a website that runs a Flash application. Flash cookies can be up to 100kb.
Which third parties create cookies that users of Obsidian Security’s website, emails, social media accounts, and job posts may have stored on their devices?
The web cookies that are active when you use obsidiansecurity.com, read emails from Obsidian, register for our events, apply for jobs at Obsidian, click on or like our social media posts/accounts, and otherwise interact with Obsidian’s web presence are generated and managed by third parties.
The following table includes the names, locations, types of cookies, purpose of cookies, and the locations where users may expect to find cookies that may be shared with Obsidian Security. Please refer to the links below for additional information on the types of cookies created by each third party.
| Third party | Location | Types of cookies | Purpose of Cookies | Which Obsidian Security media use these cookies? |
|---|---|---|---|---|
| Google Analytics | Mountain View, CA | Web cookies | Gives Obsidian aggregate understanding of number of page views per page, referring sites, time spent on site, whether content is read to completion and helps us improve our | |
| Hubspot | Cambridge, MA | Web cookies | Gives Obsidian granular understanding of which visitors spend time on each of our web pages and links visits from the same visitors together. Allows Obsidian to link static information about a visitor – such as name and email address – with a visitor’s viewing behavior while | Obsidian’s accounts on LinkedIn and Twitter |
| Mailchimp | Atlanta, GA | Tracking pixels and/or web beacons embedded in emails | Gives Obsidian metrics regarding how many of the emails we send are being opened and how many links within the email are being clicked. Obsidian can link behavior to individual | Emails sent by Obsidian |
| Lever | San Francisco, CA | Web cookies | Helps Obsidian recruit appropriate candidates by understanding on which websites and by whom Obsidian job posts are | Obsidian Lever page and job posts hosted by Lever.com |
| Glassdoor | Mill Valley, CA | Web cookies, web beacons, flash cookies | Helps Obsidian improve our employee recruiting and retention by understanding how much interaction from whom our Glassdoor account is | Obsidian’s Glassdoor page and related posts, including job posts |
| LinkedIn (Owned by Microsoft) | Sunnyvale, CA | Web cookies | Helps Obsidian recruit and improve our web content by understanding who is interacting with our social media and job | Obsidian’s LinkedIn profile, posts on profile, and any posts that mention Obsidian Security on LinkedIn |
| Twitter | San Francisco, CA | Web cookies and pixels | Helps Obsidian understand how much interaction users have with Obsidian’s Twitter account and with specific Tweets Obsidian posts | Obsidian’s Twitter profile @obsidiansec; tweets that include Obsidian’s Twitter handle |
Opting out of cookies placed as a result of visiting Obsidiansecurity.com
The first time you use Obsidiansecurity.com, you will be given a chance to accept or decline cookies placed during your visits to obsidiansecurity.com in conjunction with Hubspot. If you wish to avoid cookies placed on Obsidian Security’s behalf by Hubspot, simply check “I decline”. If you initially select “I accept” and later decide you don’t want cookies, you may review the cookies that exist on your browser, delete those you wish to discard, and select “I decline” if you arrive at obsidiansecurity.com on future visits. Selecting “I decline” will prevent the placement of new cookies for that visit. Please continue to select “I decline” if you do not want to have cookies placed on your device as a result of visiting obsidiansecurity.com.
If you wish to delete your entire record of visits on obsidiansecurity.com, please email firstname.lastname@example.org to initiate a deletion process. We will respond within no more than 10 business days to confirm receipt of a deletion request.
Instructions for managing cookies on five typical browsers are included here for your convenience:
– Manage cookies in Google Chrome
– Manage cookies in Firefox
– Manage cookies on Safari
– Manage Cookies on Microsoft Edge
– Manage cookies on Microsoft Internet Explorer
Browser-set Do Not Track commands
Some browsers and browser plug-ins make digital requests to websites to avoid tracking during web sessions. Obsidian Security is not able to comply with electronic Do Not Track requests.
Managing your personal information at Obsidian
People who believe Obsidian Security controls data about them for marketing or recruiting purposes who no longer wish to have their data accessible by Obsidian Security can request deletion of the personal information about them by emailing email@example.com. Obsidian reserves the right to require validation of a user’s identity commensurate with the sensitivity of the data and subject to all applicable laws.
California residents and European Union residents have additional rights listed below.
California and EU Residents
Starting 1 January 2020, companies that do business in California, including Obsidian Security, are subject to the California Consumer Privacy Act (CCPA) which offers certain privacy rights that are substantially similar to the EU GDPR. Obsidian is committed to complying with CCPA and the GDPR by offering the following rights to residents of California and to residents of the European Union.
Requests to opt-out of data sales: Obsidian does not sell data
Obsidian Security believes that capable, protective data guardianship is key to our relationship with customers, potential customers, employees, job candidates, and visitors to our website. Obsidian does not and will not sell your personal data individually or in aggregate.
Right to Know Requests
California and EU residents have a right to request information about our collection, use, and disclosure of their personal information (California residents are restricted to information gathered over the prior 12 months), and ask that we provide them with the following information:
- Categories of and specific pieces of personal information we have collected about you.
- Categories of sources from which we collect personal information (e.g. social media sites, forms you submit to obsidiansecurity.com, etc).
- Purposes for collecting, using, or selling personal information.
- Categories of third parties with which we share personal information.
- Categories of personal information disclosed about you for a business purpose.
- If applicable, categories of personal information sold about you and the categories of third parties to which the personal information was sold, by category or categories of personal information for each third party to which the personal information was sold.
To make a verifiable request for information about the personal information we have collected about you, please email us at firstname.lastname@example.org. We may require further identity verification before completing your request.
Right to Delete Requests
California and EU residents also have a right to request that we delete personal information, subject to certain exceptions. You may exercise your right to delete by emailing us at email@example.com.
California and EU residents may make a verifiable consumer request related to their personal information twice per 12-month period. We will not discriminate against people for exercising their rights under the CCPA, the GDPR, or other applicable state laws.
Requests Made Through Agents
California residents may designate, in writing or through a power of attorney, an authorized agent to make requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require the agent to provide proof you have authorized it to act on your behalf, and we may need you to verify your identity directly with us to prevent fraudulent requests.
Obsidiansecurity.com is designed to be used by people who are at least 16 years old. If you are not 16 years old, please do not use obsidiansecurity.com. Do not submit your name, email address, or other personal information using our web forms.
If, during routine review, Obsidian Security believes people under the age of 16 have submitted their personal information into our web forms, we will, in our sole discretion, delete the information believed to belong to those under 16 years old.
Feedback and Contact Information
Obsidian is on a continual quest for improvement. We invite most kinds of feedback from customers, interested third parties, and visitors to obsidiansecurity.com and will confirm receipt within 10 business days.
Constructive, humorous, scathing, brilliant, crushing, typographical, grammatical, award-winning, nit-picky, and/or limerick-style feedback can be delivered anonymously, via email, or via snail mail.
Anonymous feedback — Submit here.
Email — firstname.lastname@example.org
Physical mail –
c/o Privacy Team
680 Newport Center Drive #200
Newport Beach, CA 92660