Last Updated: September 25, 2023
At Veracode, Inc. and our global subsidiaries (“Veracode,” “our,” “us,” or “we”), we care about your privacy, and we are committed to protecting Personal Information about you.
This Privacy Statement governs personal information Veracode collects from customers, event attendees, and online visitors (“you” or “your”) in connection with your use of Veracode’s websites, and Veracode’s products, applications and services (including support and education), and corporate meetings and other events (collectively, the “Services”) where we post or link to this Privacy Statement, as well as information we automatically collect from your online visits (e.g. data collected via cookies).
For the purposes of this Privacy Statement, “Personal Information” means any information that, by itself, can identify you or can be combined with other information to identify you and for the purposes of the EU General Data Protection Regulation includes “personal data”.
In General
What Personal Information does Veracode collect about you?
We collect Personal Information when you:
- Purchase products or services;
- Register for webcasts, seminars, conferences, or other events sponsored by us or one of our business partners;
- Request quotes, services, product support, trials, whitepapers, and related downloads, or additional information;
- Join Veracode Communities;
- Register for courses or education;
- Subscribe to newsletters, promotional emails, or other Veracode materials;
- Participate in surveys, sweepstakes, or contests;
- Apply for a job or submit your resume/CV; or
- Contact us.
Personal information we may collect includes:
- Job Applicant: Full name, email address, personal phone number, personal address, title, prior employer(s), education.
- Employee: Full name, email address, personal phone number, personal address, title, prior employer(s), education, bank account number, tax ID, criminal history, photo.
- Customer / Prospective Customer / Partner employee: Full name, business email address, company, title, business phone number, business address, photo.
- Office Visitor: Full name, email address, company, photo.
When we ask you to provide Personal Information, we will advise you at the time of collection whether providing Personal Information is necessary for your access to, or use of, Veracode’s sites, products, programs, applications, and/or services. When we ask for Personal Information through one of our registration pages on our website, you will have the option of not providing the information, in which case you may still be able to access other portions of the website, although you may not be able to access certain programs, products, applications or services.
Personal Information from Other Sources
We may also receive Personal Information about you from other sources such as other websites containing cookies or from third parties including business partners, sub-contractors in technical, payment, and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies, data brokers, or aggregators and combine that with information we collect through our Services. For example, we may combine Personal Information from marketing and digital advertising service providers and data brokers with information that you make publicly available on social media or third-party websites to better market our Services to you.
Personal Information Automatically Collected
When you visit our websites, we automatically collect Personal Information about your visit, including pages you access, links you click, and actions you take in connection with Veracode’s Services. We also collect certain information from your web browser, such as your device’s operating system, application software, browser type and language, Internet Protocol (IP) address, For more information on information that we automatically collect, please see the Veracode Cookie Policy “How does Veracode use cookies and other tracking technologies” section.
How does Veracode use Personal Information?
We use Personal Information to:
- Provide and deliver the requested products and services;
- Send you transaction information, including confirmations and transaction status, product and services information, updates, security alerts, and support and administrative messages;
- Administer your account, including verifying your information;
- Respond to your comments and questions and provide customer support or other services;
- Offer Live Chat assistance to facilitate the delivery of the requested products and services;
- Operate and improve our websites, products, applications, and services;
- Process and deliver sweepstakes and contest entries and rewards;
- Ask you to take part in surveys used to measure our performance and improve our sites, products, applications, services, and customer experience;
- Communicate with you about new promotions and upcoming events; if you have agreed to receive marketing communications from us;
- Provide you with information about products and services offered by Veracode and our selected partners; if you have agreed to receive marketing communications from us.
- Invite you to corporate events, online forums, communities, and social networks;
- Link or combine with other information we get from third parties, to help understand your needs, and customize our offerings and market our Services based on your needs; and
- Perform other functions or serve other purposes, as disclosed to you at the point of collection, or as otherwise required or allowed under applicable laws including tax and financial laws and regulations such as anti-money laundering and fraud prevention; employment laws; court orders, etc.
Retention of Personal Information.
Veracode retains Personal Information as long as is necessary to fulfill the purposes for which it was collected and in accordance with Veracode’s internal retention policies and applicable law. More information about how long Veracode keeps Personal Information is available by contacting [email protected]. Veracode’s Customer Support Policy also includes additional terms related to the collection of Personal Information or confidential data provided as part of Veracode’s provision of customer support.
How does Veracode share Personal Information?
We share Personal Information with third parties for the purposes described below.
- Veracode Subsidiaries. We share Personal Information with our subsidiaries worldwide in order to improve our websites, products, applications, and services, and to manage our customer relationships.
- Third-Party Vendors/Service Providers. We rely on third-party vendors, consultants, and other service providers including marketing and digital advertising service providers and data brokers, to perform functions on our behalf and under our instructions in order to make our websites, products, applications, and services available to you. For example, we engage third parties to provide customer support relating to our products or cloud storage services or assist Veracode in protecting its systems.
- Business Partners. We share Personal Information with third parties with whom we do business, including in connection with your purchase of a Veracode product or services through a business partner or attendance at an event jointly hosted by Veracode and our business partner. Depending on Veracode’s business model and its global regional coverage, Veracode may not be able to provide the products or services directly to you. In those instances, Veracode discloses Personal Information to its business partners for reselling, marketing, and other business purposes related to your demonstrated interest in our products and services. We share Personal Information only with business partners who agree in writing to abide by applicable data protection laws and to protect Personal Information and use it solely for the purposes specified by Veracode.
- Legal Obligations and Rights. We disclose Personal Information: (i) in connection with the establishment, exercise, or defense of legal claims; (ii) to comply with laws or to respond to lawful requests or legal process; (iii) for fraud or security monitoring purposes (e.g., to detect and prevent cyberattacks); (iv) or as otherwise permitted by applicable law.
- Business Reorganization. We may share Personal Information in connection with a sale or business transaction (e.g., merger or acquisition).
Veracode also uses or shares anonymized aggregate data (data from which Personal Information has been removed). Except as described above, Veracode will not disclose Personal Information to third parties for their own marketing purposes without your consent.
How does Veracode protect Personal Information?
Veracode uses organizational, technical, administrative, and physical measures to protect Personal Information from loss, misuse, unauthorized access or disclosure, alteration, or destruction, including through the use of encryption when collecting or transferring Personal Information.
What choices do you have regarding Personal Information?
Email and Marketing
In most instances, Veracode gives you options with regard to the Personal Information you provide, including choices with respect to marketing materials. You may manage your receipt of marketing and non-transactional communications by: (i) clicking on the “unsubscribe” link located at the bottom of every Veracode marketing email; or (ii) checking certain boxes on our communication choices which can also be found on forms we use to collect Personal Information.
How does Veracode use cookies and other online tracking technologies?
Cookies
For information about how Veracode uses cookies, please see our Cookie Policy.
Social Media Accounts
Portions of our websites make chat rooms, forums, blogs, message boards, and/or news groups available to you. Please remember that any information that is disclosed in these areas could be made public so exercise caution when deciding to disclose any Personal Information. Also, please note that use of these portions of our website may be subject to additional terms. Additional information about community and support sites can be found at our Terms for Use on Veracode.com.
In addition, Veracode’s website(s) may include social media features, including the Facebook “Like” button. These features may collect your IP address and identify the web page you are visiting on Veracode’s website and may set a cookie to enable the feature to function properly. You may be given the option by that social media site to post information about your activities on Veracode’s website(s) to your profile page on that social media site. Your interactions with these features are governed by the privacy policy of the company that is providing them.
- Facebook’s Privacy Policy is at https://www.facebook.com/privacy/explanation.
- LinkedIn’s Privacy Policy is at https://www.linkedin.com/legal/privacy-policy.
- Twitter’s Privacy Policy is at https://twitter.com/en/privacy.
Third-Party Websites
Veracode’s websites may contain links to other third-party websites. This Privacy Statement does not apply to, and Veracode is not responsible for, the privacy practices or the content of such third-party websites, including business partner websites, and their use of Personal Information will be governed by their own privacy policies.
How will you be notified about changes to this Privacy Statement?
Veracode may modify or update this Privacy Statement at any time without prior notice. If we make any changes to this Privacy Statement, we will change the “Last Updated” date at the beginning of this Privacy Statement. If we make material changes to this Privacy Statement that may impact individual rights, Veracode will make prominent note of such change on its website and within its products, services, programs, and applications at least one month prior to the change taking place.
Who should you contact with inquiries?
If you have any questions, concerns, or comments about this Privacy Statement or our privacy practices, please contact Veracode via email at [email protected] with the words “PRIVACY STATEMENT” in the subject line.
You may also contact us by regular mail to:
Veracode, Inc.
65 Blue Sky Drive
Burlington, MA 01803
Attention: Privacy Office
U.S. privacy notices for State residents
U.S. State consumer privacy laws may provide their residents with additional rights regarding our use of Personal Information. To learn more about the privacy rights of California residents, please see Provisions applicable to residents of California below.
Colorado, Connecticut, Virginia, and Utah each provide their state residents with rights to:
- Confirm whether we process Personal Information about them.
- Access and delete certain Personal Information.
- Data portability.
- Opt-out of Personal Information processing for targeted advertising and sales.
Colorado, Connecticut, and Virginia also provide their state residents with rights to:
- Correct inaccuracies in Personal Information about them, taking into account the information’s nature, processing, and purpose.
- Opt-out of profiling in furtherance of decisions that produce legal or similarly significant effects.
Nevada provides its residents with a limited right to opt-out of certain Personal Information sales.
To exercise your rights under any U.S. State laws, please submit a request by either:
- Calling us toll free at 1-844-274-7793
- Emailing us at [email protected]
- Completing a Personal Information Request
- Visiting us at https://info.veracode.com/web-contact-us.html
- By regular mail to:
Veracode, Inc.
65 Blue Sky Drive
Burlington, MA 01803
Attn: Privacy Office
Only you, or someone legally authorized to act on your behalf, may make a request relating to your Personal Information. To designate an authorized agent please contact [email protected]. You may also make a request on behalf of your child by contacting [email protected]. The Personal Information Request link above is operated on Veracode’s behalf by LogicGate, Inc. (“LogicGate”), a third party vendor who provides services to help Veracode manage Personal Information requests. The information you provide via the Personal Information Request link will be treated by LogicGate as confidential and will only be used to fulfill your request.
Provisions applicable to residents of California
Effective Date: January 1, 2022
Last Updated: January 26, 2023
This Privacy Notice for California Residents supplements the information contained in Veracode’s general Privacy Statement above and applies solely to all visitors, users, and others who reside in the State of California ("Consumers" or "you"). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and any terms defined in the CCPA have the same meaning when used in this Notice.
California Resident Personal Information We Collect
We, our websites, and our platform may collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device ("Personal Information"). Personal information does not include:
- Publicly available information from government records.
- Deidentified or aggregated consumer information.
- Information excluded from the CCPA's scope, like:
- health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA), clinical trial data, or other qualifying research data;
- Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994.
In particular, we, our websites, and our platform may have collected the following categories of Personal Information from Consumers within the last twelve (12) months:
Category |
Examples |
Collected |
A. Identifiers. |
A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers. |
YES (Social Security number, driver’s license number, and passport number only applicable to job applicants and employees) |
B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)). |
A name, signature, Social Security number, |
YES (Social security number, passport number, driver’s license or state identification card number, education, employment history, bank account number, other financial information, medical information, and health insurance information only applicable to job applicants and employees) |
C. Protected classification characteristics under California or federal law. |
Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, |
YES (Only applicable to job applicants and employees) |
D. Commercial information. |
Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. |
YES |
E. Biometric information. |
Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as, fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data. |
NO |
F. Internet or other similar network activity. |
Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement. |
YES |
G. Geolocation data. |
Physical location or movements. |
YES |
H. Sensory data. |
Audio, electronic, visual, thermal, olfactory, or similar information. |
NO |
I. Professional or employment-related information. |
Current or past job history or performance evaluations. |
YES (Only applicable to job applicants and employees) |
J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)). |
Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records. |
NO |
K. Inferences drawn from other Personal Information. |
Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes. |
YES |
We, our websites, and/or our platform obtain the categories of Personal Information listed above from the following categories of sources:
- Directly from you. For example, from forms you complete or products and services you purchase.
- Indirectly from you. For example, from observing your actions on our websites and/or platform.
- Social Media platforms; data brokers/resellers; and on-site security monitoring.
Use of California Personal Information
We may use, sell, share, or disclose the Personal Information we collect for one or more of the following purposes:
- To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to request a price quote or ask a question about our products or services, we will use that Personal Information to respond to your inquiry. If you provide Personal Information to purchase a product or service, we will use that information to process your payment and facilitate delivery. We may also save Personal Information to facilitate new product orders or process returns.
- To provide, support, personalize, and develop our website, platform, products, and services.
- To create, maintain, customize, and secure your account with us.
- To process your requests, purchases, transactions, and payments and prevent transactional fraud.
- To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
- To personalize your website experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our websites, third-party sites, and via email or text message with your consent, where required by law.
- To help maintain the safety, security, and integrity of our websites, products and services, databases and other technology assets, and business.
- For testing, research, analysis, and product development, including to develop and improve our websites, products, and services.
- To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
- As described to you when collecting Personal Information or as otherwise set forth in the CCPA.
- To administer your employment relationship with Veracode.
- To evaluate your eligibility for employment if you apply for a job at Veracode.
- To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by us about our website users/consumers is among the assets transferred.
We will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.
Sharing California Resident Personal Information
We may disclose Personal Information to a third party for a business purpose. We only make these business purpose disclosures under written contracts that describe the purposes, require the recipient to keep the Personal Information confidential, and prohibit using the disclosed information for any purpose except performing the contract. In the preceding twelve (12) months, Veracode has disclosed the following categories of Personal Information for a business purpose to the categories of third parties indicated in the chart below.
We may also disclose Personal Information about you by selling/sharing it to/with third parties, subject to your right to opt-out of those sales/shares. In the preceding twelve (12) months, Veracode has sold/shared the following categories of Personal Information to the categories of third parties in the categories indicated in the chart below. Our Personal Information sales/shares does not include information about California residents we know are under the age of 16. For more information on your California Personal Information sale/share rights, see California Personal Information Sales/Shares Opt-Out and Opt-In Rights below.
Personal Information Category |
Category of Third-Party Recipients |
|
Business Purpose Disclosures |
Sales/Shares |
|
A: Identifiers. |
Service providers, Data aggregators, Veracode subsidiaries |
Social media and other digital advertising service providers. |
B: California Customer Records personal information categories.. |
Service providers, Data aggregators, Veracode subsidiaries |
Social media and other digital advertising service providers. |
C: Protected classification characteristics under California or federal law. |
Service providers, Veracode subsidiaries |
None |
D: Commercial information. |
Service providers, Data aggregators, Veracode subsidiaries |
Social media and other digital advertising service providers |
E: Biometric information. |
None |
None |
F: Internet or other similar network activity. |
Service providers, Data aggregators, Veracode subsidiaries |
Social media and other digital advertising service providers. |
G: Geolocation data. |
Service providers, Data aggregators, Veracode subsidiaries |
Social media and other digital advertising service providers. |
H: Sensory data. |
None |
None |
I: Professional or employment-related information. |
Service providers, Data aggregators, Veracode subsidiaries |
Social media and other digital advertising service providers. |
J: Non-public education information. |
None |
None |
K: Inferences drawn from other Personal Information. |
Service providers, Data aggregators, Veracode subsidiaries |
Social media and other digital advertising service providers. |
California Personal Information Retention
By law Veracode may be required to keep basic information about our customers (including Contact, Identity, Financial and Transaction Data) for six years after they cease being customers.
In some circumstances you can ask us to delete Personal Information about you. See California Privacy Right to Delete below.
In some circumstances we will anonymize Personal Information (so that it can no longer be associated with you) for research or statistical purposes, in which case we may use this information indefinitely without further notice to you.
CCPA Rights and Choices
The CCPA provides consumers (California residents) with specific rights regarding Personal Information. This section describes your CCPA rights and explains how to exercise those rights.
CCPA Right to Know and Data Portability
You have the right to request that we disclose certain information to you about our collection and use of Personal Information about you over the past 12 months (the "right to know"). Once we receive your request and confirm your identity (see Exercising Your California Privacy Rights below), we will disclose to you:
- The categories of Personal Information we collected about you.
- The categories of sources for the Personal Information we collected about you.
- Our business or commercial purpose for collecting, selling or sharing that Personal Information.
- The categories of third parties with whom we disclose that Personal Information.
- If we sold, shared or disclosed Personal Information about you for a business purpose, two separate lists:
- Where Personal Information has been sold or shared, identifying the Personal Information categories that each category of recipient purchased; and
- Where Personal Information has been disclosed for a business purpose, identifying the Personal Information categories that each category of recipient obtained.
- The specific pieces of Personal Information we collected about you (also called a data portability request).
California Privacy Right to Delete
You have the right to request that we delete any Personal Information about you that we collected from you and retained, subject to certain exceptions (the "right to delete"). Once we receive your request and confirm your identity (see Exercising Your California Privacy Rights below), we will review your request to see if an exception allowing us to retain the information applies.
We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:
- Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
- Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
- Debug products to identify and repair errors that impair existing intended functionality.
- Exercise free speech, ensure the right of another Consumer to exercise their free speech rights, or exercise another right provided for by law.
- Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et. seq.).
- Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
- Enable solely internal uses that are reasonably aligned with Consumer expectations based on your relationship with us.
- Comply with a legal obligation.
- Make other internal and lawful uses of that information that are compatible with the context in which you provided it.
We will delete or deidentify Personal Information not subject to one of these exceptions from our records and will direct our service providers to take similar action.
California Privacy Right to Correct
You have the right to request that we correct any inaccurate Personal Information that we hold about you, taking into account the nature of the Personal Information and the purposes of the processing. Once we receive your request and confirm your identity (see Exercising Your California Privacy Rights below), we will review your request and correct in accordance with applicable laws.
Exercising Your California Privacy Rights
To exercise your California privacy rights, please submit a request by either:
- Emailing us at [email protected]
- Completing a Personal Information Request
- Visiting us at https://info.veracode.com/web-contact-us.html
- By regular mail to:
Veracode, Inc.
65 Blue Sky Drive
Burlington, MA 01803
Attention: Privacy Office
Only you, or someone legally authorized to act on your behalf, may make a request related to Personal Information. To designate an authorized agent please contact [email protected]. You may also make a request to know or delete on behalf of your child by contacting [email protected]. The Personal Information Request link above is operated on Veracode’s behalf by LogicGate, Inc. (“LogicGate”), a third party vendor who provides services to help Veracode manage Personal Information requests. The information you provide via the Personal Information Request link will be treated by LogicGate as confidential and will only be used to fulfill your request.
You may only submit a request to know twice within a 12-month period. Your request to know or delete must:
- Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative, which may include the applicable e-mail address, username, and account name.
- Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.
We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.
You do not need to create an account with us to submit a request to know or delete. However, we do consider requests made through your password protected account sufficiently verified when the request relates to Personal Information associated with that specific account. We will only use Personal Information provided in the request to verify the requestor's identity or authority to make it.
For instructions on exercising your sale/share opt-out or opt-in rights, see California Personal Information Sales/Shares Opt-Out and Opt-In Rights below.
Response Timing and Format
We will confirm receipt of your request within ten (10) business days. If you do not receive confirmation within the 10-day timeframe, please contact [email protected]. We endeavor to substantively respond to a verifiable Consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing.
If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide the Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance, specifically XML or Word. We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.
California Personal Information Sales/Shares Opt-Out and Opt-In Rights
If you are age 16 or older, you have the right to direct us to not sell/share Personal Information about you at any time (the "right to opt-out"). We do not sell/share Personal Information about California residents we actually know are less than 16 years old, unless we receive affirmative authorization (the "right to opt-in") from either the Consumer who is between 13 and 15 years old, or the parent or guardian of a Consumer less than 13 years old. Consumers who opt-in to Personal Information sales/shares may opt-out of future sales/shares at any time.
To exercise the right to opt-out, please click the “Do Not Sell or Share My Personal Information” link in the footer of our website, and submit a request via [email protected]. Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize personal information sales/shares. However, you may change your mind and opt back in to personal information sales/shares at any time by clicking the “Do Not Sell or Share My Personal Information” link in the footer of our website and adjusting your settings.
California Privacy California Privacy Non-Discrimination
We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:
- Deny you goods or services.
- Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
- Provide you a different level or quality of goods or services.
- Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.
However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to the value of the Personal Information about you and contain written terms that describe the program's material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time. We currently provide the following financial incentives:
- From time to time we offer modest financial incentives/thank you gifts to Consumers who sign up for our newsletters. These incentives/thank you gifts include Veracode branded merchandise such as coffee mugs and/or complimentary admission to Veracode sponsored events.
Other California Privacy Rights
California's "Shine the Light" law (Civil Code Section § 1798.83) permits users of our website that are California residents to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please send an email to [email protected] or write us at:
- Veracode, Inc.
65 Blue Sky Drive
Burlington, MA 01803
Attention: Privacy Office
Changes to Our California Privacy Notice
We reserve the right to amend this California Privacy Notice at our discretion and at any time. When we make changes to this Privacy Notice, we will post the updated notice on our website and update the notice's effective date. Your continued use of our website, platform, products, applications, or services following the posting of changes constitutes your acceptance of such changes.
Contact Information
If you have any questions or comments about this notice, the ways in which Veracode collects and uses Personal Information described here and in Veracode’s general Privacy Statement above, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:
- Website: https://info.veracode.com/web-contact-us.html
- Email: [email protected]
- Postal Address:
- Veracode, Inc.
65 Blue Sky Drive
Burlington, MA 01803
Attention: Privacy Office
- Veracode, Inc.
If you need to access this Notice in an alternative format due to having a disability, please contact us by email at [email protected] and/or phone toll free at 1-844-274-7793.
Provisions applicable to individuals in the EU/EEA, Switzerland, and the UK
The provisions of this Privacy Statement below are applicable between Veracode, and individuals located in the EU/EEA, Switzerland and/or UK.
EU/EEA/Swiss/UK Definitions
'Consent’ or ‘Agree’ means your freely given, specific, informed, and unambiguous expression of your wishes through a statement or other clear affirmative action such as checking a box or signing a consent form which indicates your agreement to Veracode’s Processing of Personal Data relating to you.
'Personal Data' means any information relating to you from which you can be identified, directly or indirectly, including name, identification number, location, online identifier such as your IP address or device ID, or one or more factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity. It includes any information whether it is held in paper, electronic or any other format.
‘Process or Processing’ means any use of Personal Data including collecting, recording, organizing, structuring, storing, adapting, or altering, amending, retrieving, consulting, sharing, disclosing, making available, aligning or combining, restricting, transferring outside the EU/EEA, or erasing or destroying it.
‘Special Categories of Personal Data’ means Personal Data about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, ideological views or activities, information on social security measures, trade union membership, health, sex life, sexual orientation, and biometric data, or any past administrative or criminal proceedings and sanctions.
'Third Party' includes our business partners and service providers who Veracode authorizes to process Personal Data or other information to help Veracode with the activities described in this Privacy Statement. It may include government bodies and public agencies and authorities.
Notice to Individuals Located in the EU/EEA, Switzerland, and UK
Veracode maintains a Privacy Office, comprised of individuals responsible for Veracode’s EU/EEA, Swiss, and UK data protection compliance. Veracode’s Privacy Office can be contacted by email at [email protected]. Questions about this Privacy Statement, or requests for further information, should be directed to Veracode’s Privacy Office.
If you are located in the EU/EEA, Switzerland, or UK and Veracode’s business customer (the data “controller” under applicable laws) is using the Veracode Services to Process Personal Data about you, you may contact Veracode’s business customer to object, restrict, access, correct, transfer (data portability) or delete Personal Data relating to you. If you need help finding contact information for a Veracode business customer’s privacy office, please contact Veracode at [email protected].
EU/EEA/Swiss/UK Personal Data Veracode Collects
In addition to the Personal Data listed above, if you apply for a job with Veracode, Veracode collects your current and past employment information. This includes information in paper, electronic, or any other format, and may include:
- Identification data such as name, home address, personal telephone number, personal e-mail address, date of birth, social security number, national insurance number, photograph, marital /dependent status, and emergency contact information;
- Information concerning employment such as salary, work and compensation history, planned salary, earnings, paid time off, salary grade, performance information (including performance appraisal, performance and attendance records), decisions to offer employment, CVs/Resumes, employment applications, employment references and background verification information;
- Financial information such as credit reports, bank account numbers, tax-related information, and salary-related information;
- Past administrative or criminal proceedings and sanctions if permitted under applicable law;
- If disclosed to Veracode by the individual or discoverable by Veracode in open-source media: Special Categories of Personal Data including ethnic origin; political opinions; religion or religious or philosophical beliefs; trade union membership; heath related data; sexual orientation and/or sex life.
- Other Personal Data necessary for Veracode’s business purposes which may be voluntarily disclosed by you to Veracode.
For more information about Personal Data Veracode collects when you apply for a job, please contact [email protected] or [email protected].
EU/EEA/Swiss/UK Data Protection Principles
Veracode Processes EU/EEA/ Swiss/UK Personal Data in accordance with the following data protection principles:
- Veracode Processes Personal Data lawfully, fairly and in a transparent manner consistent with applicable law;
- Veracode collects Personal Data only for specified, explicit, and legitimate purposes consistent with applicable law;
- Veracode Processes Personal Data only where it is adequate, relevant, and limited to what is necessary for the purposes of Processing consistent with applicable law;
- Veracode keeps accurate Personal Data and takes all reasonable steps to ensure that inaccurate Personal Data is rectified or deleted without delay consistent with applicable law;
- Veracode keeps Personal Data only for the period necessary for Processing consistent with applicable law;
- Veracode adopts appropriate measures to make sure that Personal Data is secure, and protected against unauthorized or unlawful processing, and accidental loss, destruction, or damage.
Veracode and/or its customer tells individuals located in the EU/EEA, Switzerland, and UK the reasons for Processing Personal Data, how it uses Personal Data, and the legal basis for Processing by providing them this Privacy Statement and related notices, disclosures, and consent forms consistent with applicable law. Veracode will not process Personal Data for other reasons.
Veracode takes appropriate steps to ensure that Personal Data in its possession is accurate, complete, and current consistent with applicable law. However, all individuals in the EU/EEA, Switzerland or UK are asked to inform Veracode’s relevant customer immediately about any changes to Personal Data relating to them.
Veracode will not Process EU/EEA/Swiss/UK Personal Data that qualifies as Special Categories of Personal Data for purposes incompatible with those described in this Privacy Statement unless the Processing is:
- permitted by applicable EU/EEA, Swiss, or UK law;
- necessary for administering justice or for exercising statutory, governmental, or other public functions;
- necessary for the establishment of legal claims or defenses;
- in the vital interests of an individual in the EU/EEA, Switzerland, or UK, or another person;
- required to provide medical care or diagnosis; or
- necessary to carry out Veracode’s legal obligations under applicable law.
Legal Basis of Processing EU/EEA/Swiss/UK Personal Data
In order to collect, use and otherwise process Personal Data, Veracode relies on the following legal bases:
- To fulfill any contractual obligations, such as where you have purchased a product or service from Veracode. For example, we may require your contact details in order to deliver your order if you have purchased a product from us.
- Veracode’s legitimate interest in providing its websites and making its sites, products, applications, and services available to you, provided our interest is not outweighed by the risk of harm to your rights and freedoms.
- Your consent, where Veracode has obtained your consent to process Personal Data relating to you for certain activities. You may withdraw your consent at any time by contacting [email protected]. However, please note that your withdrawal of consent will not affect the lawfulness of any use of Personal Data relating to you by Veracode based on your consent prior to withdrawal.
- For compliance with Veracode’s legal obligations where applicable laws require Veracode to process Personal Data.
The chart below provides more details as to the legal bases that Veracode relies on when processing Personal Data.
Data Subject |
Categories of Personal Data |
Purpose/Activity |
Legal Basis for Processing |
Job applicants. |
Full name, email address, personal phone number, personal address, title, prior employment and education history, including salary and compensation information, date of birth, social security number, national insurance number, photograph, marital /dependent status, emergency contact information, performance information, decisions to offer employment, CVs/Resumes, employment applications, employment references and background verification information, financial information, past administrative or criminal proceedings and sanctions if permitted under applicable law, certain categories of Special Categories of Personal Data (if disclosed to Veracode by the applicant or discoverable by Veracode in open-source media, other Personal Data voluntarily disclosed by the applicant. |
Processing applications, evaluating applicant’s potential employment with Veracode |
Consent Compliance with legal obligations |
Employees |
Full name, email address, personal phone number, personal address, title, prior employer(s), education, bank account number, tax ID, criminal history, photo. |
Administering employment relationship with Veracode |
Consent Performance of a contract Compliance with legal obligations |
Customers and Partners |
Full name, business email address, company, title, business phone number, business address, photo. |
Provide and deliver requested products and services |
Performance of contract |
Administration of customer relationship |
Performance of contract |
||
Operate and improve our websites, products, applications and services |
Legitimate interest |
||
Sending marketing communications |
Consent Legitimate interest |
||
Prospective Customers and Partners |
Full name, business email address, company, title business phone number, business address, photo. |
Operate and improve our websites, products, applications and services |
Legitimate interest |
Sending marketing communications |
Consent Legitimate interest |
||
Office Visitors |
Full name, email address, company, photo. |
Registering visitors prior to entry |
Legitimate interest |
If you have any questions or would like more information regarding the legal basis on which Veracode collects Personal Data, please contact us at [email protected].
EU/EEA/Swiss/UK Personal Data Transfers to Independent Third Parties
Veracode will disclose Personal Data to Third Parties other than those identified above only if:
- required by law or legal process (e.g., lawful requests by public authorities, including disclosures to law enforcement authorities in connection with their duties or to meet national security requirements);
- to investigate, prevent or take actions against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our terms of use, or as otherwise required by law.
- to protect and defend the legal rights, property/or and legitimate interests of Veracode and/or members of its workforce, customers, business partners, Sub-contractors and/or Third Parties; or
- where necessary for Veracode to perform a contractual obligation owed to a customer, member of its workforce, or for other lawful purposes.
How Long Veracode Keeps EU/EEA/Swiss/UK Personal Data
Veracode will hold Personal Data
- for the duration legally required or permitted by applicable law; and
- as long as it is necessary to comply with Veracode’s legal obligations or to resolve disputes and/or enforce our agreements.
Veracode's record retention schedule for GDPR can be obtained upon request by contacting [email protected].
EU/EEA/Swiss/UK Personal Data Rights including under the GDPR
Individuals in the EU/EEA, Switzerland, and UK have a number of rights in relation to Personal Data. Veracode will maintain a program to ensure compliance with this Privacy Statement. All Veracode workforce members whose responsibilities include the Processing of EU/EEA/Swiss/UK Personal Data are required to adhere to this Privacy Statement and any implementing policies. Failure to do so is deemed a serious offence, for which disciplinary action may be taken, potentially resulting in termination of employment. Equally, the misuse of Personal Data by an individual or organization acting as a Sub-contractor, or service provider to Veracode is deemed a serious issue for which action may be taken, potentially resulting in the termination of any agreement. Veracode will assist individuals in the EU/EEA, Switzerland, and UK in protecting their privacy and will provide them opportunities to raise concerns about the Processing of Personal Data that relates to them.
EU/EEA/Swiss/UK Personal Data Access
Individuals in the EU/EEA, Switzerland, and UK have the right to make Personal Data access requests. If an individual makes such a request, Veracode will provide the information requested which may contain some or all of the following information, along with other information as required by applicable law:
- Whether or not his/her Personal Data about them is Processed and if so why, the categories of Personal Data Processed and the source of the data if it is not collected from the individual consistent with applicable law, Veracode’s obligations to its customer’s and;
- To whom the Personal Data is or may be disclosed consistent with applicable law, Veracode’s obligations to its customers, including to recipients located outside the EU/EEA, Switzerland, or UK and the safeguards that apply to such data transfers; and
- For how long the Personal Data is stored (or how that period is decided).
Disclosures by Veracode will normally be in electronic form if the requester has made a request electronically unless he/she agrees otherwise.
If the requestor wants additional copies, Veracode charges a reasonable fee, which will be based on the administrative cost to Veracode of providing the additional copies.
Exercising your EU/EEA/Swiss/UK Personal Data Access Rights
To make a Personal Data access request, individuals in the EU/EEA, Switzerland, or UK should send their request to Veracode’s Privacy Office by email at [email protected] with the words “Data Subject Access Request” in the subject line.
You may also contact Veracode by regular mail to:
- Veracode, Inc.
65 Blue Sky Drive
Burlington, MA 01803
Attention: Privacy Office
You may also submit a Personal Data Request.
The Personal Data Request link above is operated on Veracode’s behalf by LogicGate, Inc. (“LogicGate”), a third party vendor who provides services to help Veracode manage Personal Data requests. The information you provide via the Personal Data Request link will be treated by LogicGate as confidential and will only be used to fulfill your request.
Veracode may need to ask for proof of identification before a request can be processed. Veracode will inform the requestor if it needs to verify his/her identity and the documents it requires. Veracode will normally respond to a request within a period of 30 days from the date a request is received. In some cases, such as where Veracode processes large amounts of Personal Data, it may respond within 90 days of the date the request is received. Veracode will write to the requestor within 30 days of receiving the original request to tell him/her if more time is needed to complete the response to their request.
If an EU/EEA/Swiss/UK individual submits a request which is manifestly unfounded or excessive, Veracode is not required to comply with it. Alternatively, Veracode can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request.
Other EU/EEA/Swiss/UK Personal Data Rights
Individuals in the EU/EEA, Switzerland, and UK also have a number of other rights in relation to Personal Data that relates to them. They can request Veracode to:
- Correct inaccurate Personal Data to the extent consistent with applicable law and Veracode’s obligations to its customers;
- Stop Processing or erase Personal Data that is no longer necessary for Veracode’s purposes of Processing to the extent consistent with applicable law and Veracode’s obligations to its customers;
- Stop Processing or erase Personal Data if the individual's interests override Veracode’s legitimate grounds for processing the Personal Data including to the extent consistent with applicable law and Veracode’s obligations to its customers;
- Stop processing or erase Personal Data if the processing is unlawful; and/or
- Stop processing Personal Data for a period if the requestor asserts the Personal Data is inaccurate or if there is a dispute about whether or not the requestor's interests override Veracode's legitimate grounds for processing the Personal Data.
Where Veracode determines that the Personal Data relating to the requestor is accurate to the extent consistent with applicable law, Veracode will include in Veracode’s Personal Data file the alternative text that the requestor believes to be appropriate alongside Veracode’s original information. If it is determined that the Personal Data needs to be updated or corrected by Veracode, Veracode will use reasonable efforts to inform the relevant Veracode customer and third-parties which were provided with the information previously.
To ask Veracode to take any of these steps, individuals in the EU/EEA, Switzerland, or UK should contact Veracode by email at [email protected] with the words “DATA SUBJECT REQUEST” in the subject line.
You may also contact Veracode by regular mail to:
- Veracode, Inc.
65 Blue Sky Drive
Burlington, MA 01803
Attention: Privacy Office
Individuals in the EU/EEA, Switzerland, and UK may also make data privacy and/or data use complaints about Veracode to the UK Information Commissioner’s Office (ICO) Here; or by calling the UK ICO helpline at 0303-123-1113. Individuals in Switzerland can also make a complaint to the Swiss Federal Data Protection and Information Commissioner Here. Individuals in the EU/EEA can also make a complaint to the Data Protection Authority in the EU/EEA Member State where they live or work or where an alleged infringement of applicable data protection law occurred listed here: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.
OTHER EU/EEA/SWISS/UK PROVISIONS
International Transfers of Personal Data
Veracode’s website is provided from within the United States and is subject to the state and federal laws of the United States. If you are located outside of the United States, Personal Data that relates to you is being transferred to, stored, used, and shared in the United States.
If you are located in the EU, EEA, Switzerland, or UK, Veracode transfers Personal Data relating to you to other Veracode entities located in many different countries around the world if required for the purposes described in this Privacy Statement. This may include the transfer of Personal Data to countries outside your home country, including outside the European Economic Area (EEA), which may not have the same level of protection as your home country. For example, since Veracode is headquartered in the United States (US), Veracode entities in the EEA or UK may need to send Personal Data to our servers located in the US for legitimate business purposes. In order to provide adequate protection for the transfer of Personal Data, we rely on various legal mechanisms, including our Data Privacy Framework certifications, EU Standard Contractual Clauses, and/or a legally justified need to process Personal Data in order to provide the requested products or services.
Personal Data is also transferred by Veracode to countries outside the EU/EEA/Switzerland/UK for Veracode’s legitimate interests in processing Personal Data where necessary to perform its obligations to its customers and to exercise its rights and fulfill its duties under law.
The Personal Data and other information that Veracode collects relating to you will be transferred to and stored in the United States. It also may be processed by staff operating outside the EU/EEA/Switzerland/UK who work for Veracode or other entities acting as data processors processing data on our behalf. This includes staff and providers engaged in, among other things, the fulfillment of your request or order and the provision of support services. More information on to whom your data is disclosed can be found above in this Privacy Statement.
Your Consent to International Transfer of Personal Data
If you are located in the EU/EEA, Switzerland or UK we may also process, store, and/or transfer Personal Data we collect about you, in and to a country outside the EU/EEA, Switzerland or UK including the United States. Those other countries may have different privacy laws that may or may not be as comprehensive as your own.
By submitting Personal Data or engaging with our sites, applications, products, and/or services, you consent to this transfer, storing, and/or processing.
Notice Regarding the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework
Veracode, Inc. complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Veracode, Inc. has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Veracode, Inc. has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this Privacy Statement and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, please visit https://www.dataprivacyframework.gov/. To view Veracode’s certification, please visit the Data Privacy Framework List available at https://www.dataprivacyframework.gov/s/participant-search.
With respect to Personal Data received or transferred pursuant to the Data Privacy Framework, Veracode is subject to the investigatory and regulatory enforcement powers of the U.S. Federal Trade Commission, the U.S. Department of Transportation or any other U.S. authorized statutory body.
Pursuant to the Data Privacy Frameworks, EU/EEA, Swiss and UK individuals have the right to obtain Veracode’s confirmation of whether we maintain Personal Data relating to you in the United States. Upon your request, we will provide you with access to the Personal Data that we hold about you. You may also correct, amend, or delete the Personal Data we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Data Privacy Framework, should direct their query to [email protected]. If requested to remove data, we will respond within a reasonable timeframe.
We will provide an individual opt-out or opt-in choice before we share Personal Data relating to you with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of Personal Data relating to you, please submit a written request to [email protected].
Veracode’s accountability for Personal Data that it receives in the United States under the Data Privacy Framework and subsequently transfers to a third party is described in the Data Privacy Framework Principles. In particular, Veracode remains responsible and liable under the Data Privacy Framework Principles if third-party agents that it engages to process the Personal Data on its behalf do so in a manner inconsistent with the principles, unless Veracode proves that it is not responsible for the event giving rise to the damage.
Veracode may be required, in certain circumstances, to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.
In compliance with the Data Privacy Framework Principles, Veracode commits to resolve complaints about your privacy and our collection or use of Personal Data transferred to the United States pursuant to Data Privacy Framework. EU/EEA, Swiss and UK individuals with Data Privacy Framework inquiries or complaints should first contact Veracode by email at [email protected] with the words “PRIVACY STATEMENT” in the subject line.
You may also contact Veracode by regular mail to:
- Veracode, Inc.
65 Blue Sky Drive
Burlington, MA 01803
Attention: Privacy Office
Veracode has further committed to refer unresolved privacy complaints under the Data Privacy Framework Principles to an independent dispute resolution mechanism. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at ICDR/AAA operated by the International Centre for Dispute Resolution, the international division of the American Arbitration Association (ICDR/AAA). If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://www.icdr.org/dpf for more information and to file a complaint. This service is provided free of charge to you.
If your complaint involves employment or human resources personal data transferred to the United States from the EU, EEA, UK and/or, Switzerland in the context of your employment relationship with Veracode, and Veracode does not address it satisfactorily, Veracode commits to cooperate with the panel established by the EU data protection authorities (DPA Panel), UK Information Commissioner’s Office and/or the Swiss Federal Data Protection and Information Commissioner, as applicable and to comply with the advice given by the DPA panel and/or Commissioner, as applicable with regard to such employment or human resources Personal Data. To pursue an unresolved employment or human resources Personal Data complaint, you should contact the state or national data protection or labor authority where you live or work. Complaints related to employment or human resources Personal Data should not be addressed to the ICDR/AAA operated by the International Centre for Dispute Resolution.
Contact details for the EU data protection authorities can be found at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.
Contact details for the UK Information Commissioner’s Office can be found at https://ico.org.uk/global/contact-us/.
Contact details for the Swiss Federal Data Protection and Information Commissioner can be found at https://www.edoeb.admin.ch/edoeb/en/home/deredoeb/kontakt.html
If your Data Privacy Framework complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Data Privacy Framework Annex 1 at https://www.dataprivacyframework.gov/s/article/ANNEX-I-introduction-dpf?tabset-35584=2