PRIVACY STATEMENT

Last Updated: February 18, 2022

 

At Veracode, Inc. and our global subsidiaries (“Veracode,” “our,” “us,” or “we”), we care about your privacy, and we are committed to protecting Personal Information about you.

This Privacy Statement governs personal information Veracode collects from customers, event attendees, and online visitors (“you” or “your”) in connection with your use of Veracode’s websites, and Veracode’s products, applications and services (including support and education), and corporate meetings and other events (collectively, the “Services”) where we post or link to this Privacy Statement, as well as information we automatically collect from your online visits (e.g. data collected via cookies).

For the purposes of this Privacy Statement, “Personal Information” means any information that, by itself, can identify you or can be combined with other information to identify you and, for the purposes of the EU General Data Protection Regulation, includes “personal data”.

In General

What Personal Information does Veracode collect?

We collect Personal Information when you:

  • Purchase products or services;
  • Register for webcasts, seminars, conferences, or other events sponsored by us or one of our business partners;
  • Request quotes, services, product support, trials, whitepapers, and related downloads, or additional information;
  • Join Veracode Communities;
  • Register for courses or education;
  • Subscribe to newsletters, promotional emails, or other Veracode materials;
  • Participate in surveys, sweepstakes, or contests;
  • Apply for a job or submit your resume/CV; or
  • Contact us.

Personal information we may collect includes:

  • Job Applicant: Full name, email address, personal phone number, personal address, title, prior employer(s), education.
  • Employee: Full name, email address, personal phone number, personal address, title, prior employer(s), education, bank account number, tax ID, criminal history, photo.
  • Customer / Prospective Customer / Partner employee: Full name, business email address, company, title, business phone number, business address, photo.
  • Office Visitor: Full name, email address, company, photo.

When we ask you to provide Personal Information, we will advise you at the time of collection whether providing Personal Information is necessary for your access to, or use of, Veracode’s sites, products, programs, applications, and/or services. When we ask for Personal Information through one of our registration pages on our website, you will have the option of not providing the information, in which case you may still be able to access other portions of the website, although you may not be able to access certain programs, products, applications or services.

Personal Information from Other Sources

We may also receive Personal Information about you from other sources such as other websites containing cookies or from third parties including business partners, sub-contractors in technical, payment, and delivery services, advertising networks, analytics providers, search information providers, credit reference agencies, data brokers, or aggregators and combine that with information we collect through our Services.  For example, we may combine Personal Information from marketing and digital advertising service providers and data brokers with information that you make publicly available on social media or third-party websites to better market our Services to you.

Personal Information Automatically Collected

When you visit our websites, we automatically collect Personal Information about your visit, including pages you access, links you click, and actions you take in connection with Veracode’s Services. We also collect certain information from your web browser, such as your device’s operating system, application software, browser type and language, and Internet Protocol (IP) address. For more information on what we automatically collect, please see the Veracode Cookie Policy and the “How does Veracode use cookies and other tracking technologies” section.

How does Veracode use Personal Information?

We use Personal Information to:

  • Provide and deliver the requested products and services;
  • Send you transaction information, including confirmations and transaction status, product and services information, updates, security alerts, and support and administrative messages;
  • Administer your account, including verifying your information;
  • Respond to your comments and questions and provide customer support or other services;
  • Offer Live Chat assistance to facilitate the delivery of the requested products and services;
  • Operate and improve our websites, products, applications, and services;
  • Process and deliver sweepstakes and contest entries and rewards;
  • Ask you to take part in surveys used to measure our performance and improve our sites, products, applications, services, and customer experience;
  • Communicate with you about new promotions and upcoming events, if you have agreed to receive marketing communications from us;
  • Provide you with information about products and services offered by Veracode and our selected partners, if you have agreed to receive marketing communications from us;
  • Invite you to corporate events, online forums, communities, and social networks;
  • Link or combine with other information we get from third parties, to help understand your needs, and customize our offerings and market our Services based on your needs; and
  • Perform other functions or serve other purposes, as disclosed to you at the point of collection, or as otherwise required or allowed under applicable laws including tax and financial laws and regulations such as anti-money laundering and fraud prevention; employment laws; court orders, etc.

Retention of Personal Information

Veracode retains Personal Information as long as is necessary to fulfill the purposes for which it was collected and in accordance with Veracode’s internal retention policies and applicable law. More information about how long Veracode keeps Personal Information is available by contacting [email protected]. Veracode’s Customer Support Policy also includes additional terms related to the collection of Personal Information or confidential data provided as part of Veracode’s provision of customer support.

How does Veracode share Personal Information?

We share Personal Information with third parties for the purposes described below.

  • Veracode Subsidiaries. We share Personal Information with our subsidiaries worldwide in order to improve our websites, products, applications, and services, and to manage our customer relationships.
  • Third-Party Vendors/Service Providers. We rely on third-party vendors, consultants, and other service providers, including marketing and digital advertising service providers and data brokers, to perform functions on our behalf and under our instructions in order to make our websites, products, applications, and services available to you. For example, we engage third parties to provide customer support relating to our products or cloud storage services or assist Veracode in protecting its systems.
  • Business Partners. We share Personal Information with third parties with whom we do business, including in connection with your purchase of a Veracode product or services through a business partner or attendance at an event jointly hosted by Veracode and our business partner. Depending on Veracode’s business model and its global regional coverage, Veracode may not be able to provide the products or services directly to you. In those instances, Veracode discloses Personal Information to its business partners for reselling, marketing, and other business purposes related to your demonstrated interest in our products and services. We share Personal Information only with business partners who agree in writing to abide by applicable data protection laws and to protect Personal Information and use it solely for the purposes specified by Veracode.
  • Legal Obligations and Rights. We disclose Personal Information: (i) in connection with the establishment, exercise, or defense of legal claims; (ii) to comply with laws or to respond to lawful requests or legal process; (iii) for fraud or security monitoring purposes (e.g., to detect and prevent cyberattacks); or (iv) as otherwise permitted by applicable law.
  • Business Reorganization. We may share Personal Information in connection with a sale or business transaction (e.g., merger or acquisition).

Veracode also uses or shares anonymized aggregate data (data from which Personal Information has been removed). Except as described above, Veracode will not disclose Personal Information to third parties for their own marketing purposes without your consent.

How does Veracode protect Personal Information?

Veracode uses organizational, technical, administrative, and physical measures to protect Personal Information from loss, misuse, unauthorized access or disclosure, alteration, or destruction, including through the use of encryption when collecting or transferring Personal Information.

What choices do you have regarding Personal Information?

Email and Marketing

In most instances, Veracode gives you options with regard to the Personal Information you provide, including choices with respect to marketing materials. You may manage your receipt of marketing and non-transactional communications by: (i) clicking on the “unsubscribe” link located at the bottom of every Veracode marketing email; or (ii) checking certain boxes on our communication choices which can also be found on forms we use to collect Personal Information.

How does Veracode use cookies and other online tracking technologies?

Cookies

For information about how Veracode uses cookies, please see our Cookie Policy.

Social Media Accounts

Portions of our websites make chat rooms, forums, blogs, message boards, and/or news groups available to you. Please remember that any information that is disclosed in these areas could be made public so exercise caution when deciding to disclose any Personal Information. Also, please note that use of these portions of our website may be subject to additional terms. Additional information about community and support sites can be found at our Terms for Use on Veracode.com.

In addition, Veracode’s website(s) may include social media features, including the Facebook “Like” button. These features may collect your IP address and identify the web page you are visiting on Veracode’s website and may set a cookie to enable the feature to function properly. You may be given the option by that social media site to post information about your activities on Veracode’s website(s) to your profile page on that social media site. Your interactions with these features are governed by the privacy policy of the company that is providing them.

Third-Party Websites

Veracode’s websites may contain links to other third-party websites. This Privacy Statement does not apply to, and Veracode is not responsible for, the privacy practices or the content of such third-party websites, including business partner websites, and their use of Personal Information will be governed by their own privacy policies.

How will you be notified about changes to this Privacy Statement?

Veracode may modify or update this Privacy Statement at any time without prior notice. If we make any changes to this Privacy Statement, we will change the “Last Updated” date at the beginning of this Privacy Statement. If we make material changes to this Privacy Statement that may impact individual rights, Veracode will make prominent note of such change on its website and within its products, services, programs, and applications at least one month prior to the change taking place.

Who should you contact with inquiries?

If you have any questions, concerns, or comments about this Privacy Statement or our privacy practices, please contact Veracode via email at [email protected] with the words “PRIVACY STATEMENT” in the subject line.

You may also contact us by regular mail to:

Veracode, Inc.
65 Network Drive
Burlington, MA 01803
Attention: Privacy Office

Provisions applicable to residents of California

Effective Date: January 1, 2022

Last Updated: February 18, 2022

This Privacy Notice for California Residents supplements the information contained in Veracode’s general Privacy Statement above and applies solely to all visitors, users, and others who reside in the State of California ("Consumers" or "you"). We adopt this notice to comply with the California Consumer Privacy Act of 2018 (“CCPA”) and any terms defined in the CCPA have the same meaning when used in this Notice.

Where noted in this Privacy Statement, the CCPA temporarily exempts Personal Information reflecting a written or verbal business-to-business communication ("B2B personal information") from some of its requirements.

California Resident Personal Information We Collect

We, our websites, and our platform may collect information that identifies, relates to, describes, references, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer, household, or device ("Personal Information"). Personal information does not include:

  • Publicly available information from government records.
  • Deidentified or aggregated consumer information.
  • Information excluded from the CCPA's scope, like:
    • health or medical information covered by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the California Confidentiality of Medical Information Act (CMIA), clinical trial data, or other qualifying research data;
    • Personal Information covered by certain sector-specific privacy laws, including the Fair Credit Reporting Act (FCRA), the Gramm-Leach-Bliley Act (GLBA) or California Financial Information Privacy Act (FIPA), and the Driver's Privacy Protection Act of 1994.

In particular, we, our websites, and our platform may have collected the following categories of Personal Information from Consumers within the last twelve (12) months:

Each category below is listed with examples and whether it was collected:

  • A. Identifiers.
    • Examples: A real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver's license number, passport number, or other similar identifiers.
    • Collected: YES
  • B. Personal information categories listed in the California Customer Records statute (Cal. Civ. Code § 1798.80(e)).
    • Examples: A name, signature, Social Security number, physical characteristics or description, address, telephone number, passport number, driver's license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information. Some Personal Information included in this category may overlap with other categories.
    • Collected: YES
  • C. Protected classification characteristics under California or federal law.
    • Examples: Age (40 years or older), race, color, ancestry, national origin, citizenship, religion or creed, marital status, medical condition, physical or mental disability, sex (including gender, gender identity, gender expression, pregnancy or childbirth and related medical conditions), sexual orientation, veteran or military status, genetic information (including familial genetic information).
    • Collected: YES
  • D. Commercial information.
    • Examples: Records of personal property, products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies.
    • Collected: YES
  • E. Biometric information.
    • Examples: Genetic, physiological, behavioral, and biological characteristics, or activity patterns used to extract a template or other identifier or identifying information, such as fingerprints, faceprints, and voiceprints, iris or retina scans, keystroke, gait, or other physical patterns, and sleep, health, or exercise data.
    • Collected: NO
  • F. Internet or other similar network activity.
    • Examples: Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement.
    • Collected: YES
  • G. Geolocation data.
    • Examples: Physical location or movements.
    • Collected: YES
  • H. Sensory data.
    • Examples: Audio, electronic, visual, thermal, olfactory, or similar information.
    • Collected: NO
  • I. Professional or employment-related information.
    • Examples: Current or past job history or performance evaluations.
    • Collected: YES
  • J. Non-public education information (per the Family Educational Rights and Privacy Act (20 U.S.C. Section 1232g, 34 C.F.R. Part 99)).
    • Examples: Education records directly related to a student maintained by an educational institution or party acting on its behalf, such as grades, transcripts, class lists, student schedules, student identification codes, student financial information, or student disciplinary records.
    • Collected: NO
  • K. Inferences drawn from other Personal Information.
    • Examples: Profile reflecting a person's preferences, characteristics, psychological trends, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.
    • Collected: YES

We, our websites, and/or our platform obtain the categories of Personal Information listed above from the following categories of sources:

Use of California Personal Information

We may use, sell, or disclose the Personal Information we collect for one or more of the following purposes:

  • To fulfill or meet the reason you provided the information. For example, if you share your name and contact information to request a price quote or ask a question about our products or services, we will use that Personal Information to respond to your inquiry. If you provide Personal Information to purchase a product or service, we will use that information to process your payment and facilitate delivery. We may also save Personal Information to facilitate new product orders or process returns.
  • To provide, support, personalize, and develop our website, platform, products, and services.
  • To create, maintain, customize, and secure your account with us.
  • To process your requests, purchases, transactions, and payments and prevent transactional fraud.
  • To provide you with support and to respond to your inquiries, including to investigate and address your concerns and monitor and improve our responses.
  • To personalize your website experience and to deliver content and product and service offerings relevant to your interests, including targeted offers and ads through our websites, third-party sites, and via email or text message with your consent, where required by law.
  • To help maintain the safety, security, and integrity of our websites, products and services, databases and other technology assets, and business.
  • For testing, research, analysis, and product development, including to develop and improve our websites, products, and services.
  • To respond to law enforcement requests and as required by applicable law, court order, or governmental regulations.
  • As described to you when collecting Personal Information or as otherwise set forth in the CCPA.
  • To evaluate or conduct a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of our assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which Personal Information held by us about our website users/consumers is among the assets transferred.

We will not collect additional categories of Personal Information or use the Personal Information we collected for materially different, unrelated, or incompatible purposes without providing you notice.

Sharing California Resident Personal Information

We may share Personal Information by disclosing it to a third party for a business purpose. We only make these business purpose disclosures under written contracts that describe the purposes, require the recipient to keep the Personal Information confidential, and prohibit using the disclosed information for any purpose except performing the contract. In the preceding twelve (12) months, Veracode has disclosed the following categories of Personal Information for a business purpose to the categories of third parties indicated in the chart below.

We do not sell Personal Information, but we do use third-party social media and digital advertising service providers and share Personal Information with them which may constitute sales under the CCPA. In the preceding twelve (12) months, Veracode has shared Personal Information in the categories indicated in the chart below with social media and digital advertising service providers which may constitute sales under the CCPA, subject to your right to opt-out. Our Personal Information sharing with social media and/or digital advertising service providers does not include information about California residents we know are under the age of 16. For more on your Personal Information rights, see Personal Information Sales Opt-Out and Opt-In Rights.

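Category of Third-Party Recipients, by Personal Information Category:

  • A: Identifiers.
    • Business Purpose Disclosures: Service providers, Data aggregators, Veracode subsidiaries
    • Sales, Social Media, and Digital Advertising Sharing: Social media and other digital advertising service providers.
  • B: California Customer Records personal information categories.
    • Business Purpose Disclosures: Service providers, Data aggregators, Veracode subsidiaries
    • Sales, Social Media, and Digital Advertising Sharing: Social media and other digital advertising service providers.
  • C: Protected classification characteristics under California or federal law.
    • Business Purpose Disclosures: Service providers, Veracode subsidiaries
    • Sales, Social Media, and Digital Advertising Sharing: None
  • D: Commercial information.
    • Business Purpose Disclosures: Service providers, Data aggregators, Veracode subsidiaries
    • Sales, Social Media, and Digital Advertising Sharing: Social media and other digital advertising service providers.
  • E: Biometric information.
    • Business Purpose Disclosures: None
    • Sales, Social Media, and Digital Advertising Sharing: None
  • F: Internet or other similar network activity.
    • Business Purpose Disclosures: Service providers, Data aggregators, Veracode subsidiaries
    • Sales, Social Media, and Digital Advertising Sharing: Social media and other digital advertising service providers.
  • G: Geolocation data.
    • Business Purpose Disclosures: Service providers, Data aggregators, Veracode subsidiaries
    • Sales, Social Media, and Digital Advertising Sharing: Social media and other digital advertising service providers.
  • H: Sensory data.
    • Business Purpose Disclosures: None
    • Sales, Social Media, and Digital Advertising Sharing: None
  • I: Professional or employment-related information.
    • Business Purpose Disclosures: Service providers, Data aggregators, Veracode subsidiaries
    • Sales, Social Media, and Digital Advertising Sharing: Social media and other digital advertising service providers.
  • J: Non-public education information.
    • Business Purpose Disclosures: None
    • Sales, Social Media, and Digital Advertising Sharing: None
  • K: Inferences drawn from other Personal Information.
    • Business Purpose Disclosures: Service providers, Data aggregators, Veracode subsidiaries
    • Sales, Social Media, and Digital Advertising Sharing: Social media and other digital advertising service providers.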

Reselling California Personal Information

The CCPA prohibits a third party from reselling Personal Information unless you have received explicit notice and an opportunity to opt-out of further sales.

CCPA Rights and Choices

The CCPA provides consumers (California residents) with specific rights regarding Personal Information. This section describes your CCPA rights and explains how to exercise those rights.

CCPA Right to Know and Data Portability

You have the right to request that we disclose certain information to you about our collection and use of Personal Information about you over the past 12 months (the "right to know"). Once we receive your request and confirm your identity (see Exercising Your Rights to Know or Delete below), we will disclose to you:

  • The categories of Personal Information we collected about you.
  • The categories of sources for the Personal Information we collected about you.
  • Our business or commercial purpose for collecting or selling that Personal Information.
  • The categories of third parties with whom we share that Personal Information.
  • If we sold or disclosed Personal Information about you for a business purpose, two separate lists disclosing:
    • sales, identifying the Personal Information categories that each category of recipient purchased; and
    • disclosures for a business purpose, identifying the Personal Information categories that each category of recipient obtained.
  • The specific pieces of Personal Information we collected about you (also called a data portability request).

We do not provide a right to know or data portability disclosure for B2B Personal Information.

CCPA Right to Delete

You have the right to request that we delete any Personal Information about you that we collected from you and retained, subject to certain exceptions (the "right to delete"). Once we receive your request and confirm your identity (see Exercising Your Rights to Know or Delete), we will review your request to see if an exception allowing us to retain the information applies.

We may deny your deletion request if retaining the information is necessary for us or our service provider(s) to:

  • Complete the transaction for which we collected the Personal Information, provide a good or service that you requested, take actions reasonably anticipated within the context of our ongoing business relationship with you, fulfill the terms of a written warranty or product recall conducted in accordance with federal law, or otherwise perform our contract with you.
  • Detect security incidents, protect against malicious, deceptive, fraudulent, or illegal activity, or prosecute those responsible for such activities.
  • Debug products to identify and repair errors that impair existing intended functionality.
  • Exercise free speech, ensure the right of another Consumer to exercise their free speech rights, or exercise another right provided for by law.
  • Comply with the California Electronic Communications Privacy Act (Cal. Penal Code § 1546 et seq.).
  • Engage in public or peer-reviewed scientific, historical, or statistical research in the public interest that adheres to all other applicable ethics and privacy laws, when the information's deletion may likely render impossible or seriously impair the research's achievement, if you previously provided informed consent.
  • Enable solely internal uses that are reasonably aligned with Consumer expectations based on your relationship with us.
  • Comply with a legal obligation.
  • Make other internal and lawful uses of that information that are compatible with the context in which you provided it.

We will delete or deidentify Personal Information not subject to one of these exceptions from our records and will direct our service providers to take similar action.

We do not provide these deletion rights for B2B personal information.

Exercising CCPA Rights to Know or Delete

To exercise CCPA rights to know or delete described above, please submit a request by either:

Veracode, Inc.
65 Network Drive
Burlington, MA 01803
Attention: Privacy Office

Only you, or someone legally authorized to act on your behalf, may make a request to know or delete related to Personal Information. To designate an authorized agent please contact [email protected]. You may also make a request to know or delete on behalf of your child by contacting [email protected].

You may only submit a request to know twice within a 12-month period. Your request to know or delete must:

  • Provide sufficient information that allows us to reasonably verify you are the person about whom we collected Personal Information or an authorized representative, which may include the applicable e-mail address, username, and account name.
  • Describe your request with sufficient detail that allows us to properly understand, evaluate, and respond to it.

We cannot respond to your request or provide you with Personal Information if we cannot verify your identity or authority to make the request and confirm the Personal Information relates to you.

You do not need to create an account with us to submit a request to know or delete. However, we do consider requests made through your password protected account sufficiently verified when the request relates to Personal Information associated with that specific account. We will only use Personal Information provided in the request to verify the requestor's identity or authority to make it.

For instructions on exercising your sale opt-out or opt-in rights, see Personal Information Sales Opt-Out and Opt-In Rights below.

CCPA Response Timing and Format

We will confirm receipt of your request within ten (10) business days. If you do not receive confirmation within the 10-day timeframe, please contact [email protected]. We endeavor to substantively respond to a verifiable Consumer request within forty-five (45) days of its receipt. If we require more time (up to another 45 days), we will inform you of the reason and extension period in writing.

If you have an account with us, we will deliver our written response to that account. If you do not have an account with us, we will deliver our written response by mail or electronically, at your option. Any disclosures we provide will only cover the 12-month period preceding our receipt of your request. The response we provide will also explain the reasons we cannot comply with a request, if applicable. For data portability requests, we will select a format to provide the Personal Information that is readily useable and should allow you to transmit the information from one entity to another entity without hindrance (XML or Word).

We do not charge a fee to process or respond to your verifiable consumer request unless it is excessive, repetitive, or manifestly unfounded. If we determine that the request warrants a fee, we will tell you why we made that decision and provide you with a cost estimate before completing your request.

CCPA Personal Information Sales Opt-Out and Opt-In Rights

If you are age 16 or older, you have the right to direct us to not sell Personal Information about you at any time (the "right to opt-out"). We do not sell Personal Information about California residents we actually know are less than 16 years old, unless we receive affirmative authorization (the "right to opt-in") from either the Consumer who is between 13 and 15 years old, or the parent or guardian of a Consumer less than 13 years old. Consumers who opt-in to Personal Information sales may opt-out of future sales at any time.

To exercise the right to opt-out, you (or your authorized representative) may submit a request to us:

Veracode, Inc.
65 Network Drive
Burlington, MA 01803
Attention: Privacy Office

If exercising your right to opt-out via regular mail or email, please note in the communication “Right to Opt-out of Personal Information Sales – California Consumer”.

Once you make an opt-out request, we will wait at least twelve (12) months before asking you to reauthorize Personal Information sales. However, you may change your mind and opt back in to Personal Information sales at any time by emailing [email protected].

You do not need to create an account with us to exercise your opt-out rights. We will only use Personal Information provided in an opt-out request to review and comply with the request.

CCPA Non-Discrimination

We will not discriminate against you for exercising any of your CCPA rights. Unless permitted by the CCPA, we will not:

  • Deny you goods or services.
  • Charge you different prices or rates for goods or services, including through granting discounts or other benefits, or imposing penalties.
  • Provide you a different level or quality of goods or services.
  • Suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services.

However, we may offer you certain financial incentives permitted by the CCPA that can result in different prices, rates, or quality levels. Any CCPA-permitted financial incentive we offer will reasonably relate to the value of the Personal Information about you and contain written terms that describe the program's material aspects. Participation in a financial incentive program requires your prior opt-in consent, which you may revoke at any time. We currently provide the following financial incentives:

From time to time we offer modest financial incentives/thank you gifts to Consumers who sign up for our newsletters. These incentives/thank you gifts include Veracode branded merchandise such as coffee mugs and/or complimentary admission to Veracode sponsored events.

Other California Privacy Rights

California's "Shine the Light" law (Civil Code § 1798.83) permits users of our website that are California residents to request certain information regarding our disclosure of Personal Information to third parties for their direct marketing purposes. To make such a request, please send an email to [email protected] or write us at:

Veracode, Inc.

65 Network Drive

Burlington, MA 01803

Attention: Privacy Office

Changes to Our California Privacy Notice

We reserve the right to amend this California Privacy Notice at our discretion and at any time. When we make changes to this Privacy Notice, we will post the updated notice on our website and update the notice's effective date. Your continued use of our website, platform, products, applications, or services following the posting of changes constitutes your acceptance of such changes.

Contact Information

If you have any questions or comments about this notice, the ways in which Veracode collects and uses Personal Information described here and in Veracode’s general Privacy Statement above, your choices and rights regarding such use, or wish to exercise your rights under California law, please do not hesitate to contact us at:

Toll Free Phone: 1-844-274-7793

Website: https://info.veracode.com/web-contact-us.html

Email: [email protected]

Postal Address: Veracode, Inc.

65 Network Drive

Burlington, MA 01803

Attention: Privacy Office

If you need to access this Notice in an alternative format due to having a disability, please contact us by email at [email protected] and/or phone toll free at 1-844-274-7793.

Provisions applicable to individuals in the EU/EEA, Switzerland, and the UK

The provisions of this Privacy Statement below are applicable between Veracode, and individuals located in the EU/EEA, Switzerland and/or UK.

EU/EEA/Swiss/UK Definitions

‘Consent’ or ‘Agree’ means your freely given, specific, informed, and unambiguous expression of your wishes through a statement or other clear affirmative action such as checking a box or signing a consent form which indicates your agreement to Veracode’s Processing of Personal Data relating to you.

'Personal Data' means any information relating to you from which you can be identified, directly or indirectly, including name, identification number, location, online identifier such as your IP address or device ID, or one or more factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity. It includes any information whether it is held in paper, electronic or any other format.

‘Process’ or ‘Processing’ means any use of Personal Data including collecting, recording, organizing, structuring, storing, adapting, or altering, amending, retrieving, consulting, sharing, disclosing, making available, aligning or combining, restricting, transferring outside the EU/EEA, or erasing or destroying it.

‘Special Categories of Personal Data’ means Personal Data about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, ideological views or activities, information on social security measures, trade union membership, health, sex life, sexual orientation, and biometric data, or any past administrative or criminal proceedings and sanctions.

'Third Party' includes our business partners and service providers who Veracode authorizes to process Personal Data or other information to help Veracode with the activities described in this Privacy Statement. It may include government bodies and public agencies and authorities.

Notice to Individuals Located in the EU/EEA, Switzerland, and UK

Veracode maintains a Privacy Office, comprised of individuals responsible for Veracode’s EU/EEA, Swiss, and UK data protection compliance. Veracode’s Privacy Office can be contacted by email at [email protected]. Questions about this Privacy Statement, or requests for further information, should be directed to Veracode’s Privacy Office.

If you are located in the EU/EEA, Switzerland, or UK and Veracode’s business customer (the data “controller” under applicable laws) is using the Veracode Services to Process Personal Data about you, you may contact Veracode’s business customer to object, restrict, access, correct, transfer (data portability) or delete Personal Data relating to you. If you need help finding contact information for a Veracode business customer’s privacy office, please contact Veracode at [email protected].

EU/EEA/Swiss/UK Personal Data Veracode Collects

In addition to the Personal Data listed above, if you apply for a job with Veracode, Veracode collects your current and past employment information. This includes information in paper, electronic, or any other format, and may include:

  • Identification data such as name, home address, personal telephone number, personal e-mail address, date of birth, social security number, national insurance number, photograph, marital/dependent status, and emergency contact information;
  • Information concerning employment such as salary, work and compensation history, planned salary, earnings, paid time off, salary grade, performance information (including performance appraisal, performance and attendance records), decisions to offer employment, CVs/Resumes, employment applications, employment references and background verification information;
  • Financial information such as credit reports, bank account numbers, tax-related information, and salary-related information;
  • Past administrative or criminal proceedings and sanctions if permitted under applicable law;
  • If disclosed to Veracode by the individual or discoverable by Veracode in open-source media: Special Categories of Personal Data including ethnic origin; political opinions; religion or religious or philosophical beliefs; trade union membership; health-related data; sexual orientation and/or sex life;
  • Other Personal Data necessary for Veracode’s business purposes which may be voluntarily disclosed by you to Veracode.

For more information about Personal Data Veracode collects when you apply for a job, please contact [email protected] or [email protected].

EU/EEA/Swiss/UK Data Protection Principles

Veracode Processes EU/EEA/Swiss/UK Personal Data in accordance with the following data protection principles:

  • Veracode Processes Personal Data lawfully, fairly and in a transparent manner consistent with applicable law;
  • Veracode collects Personal Data only for specified, explicit, and legitimate purposes consistent with applicable law;
  • Veracode Processes Personal Data only where it is adequate, relevant, and limited to what is necessary for the purposes of Processing consistent with applicable law;
  • Veracode keeps accurate Personal Data and takes all reasonable steps to ensure that inaccurate Personal Data is rectified or deleted without delay consistent with applicable law;
  • Veracode keeps Personal Data only for the period necessary for Processing consistent with applicable law;
  • Veracode adopts appropriate measures to make sure that Personal Data is secure, and protected against unauthorized or unlawful processing, and accidental loss, destruction, or damage.

Veracode and/or its customer tells individuals located in the EU/EEA, Switzerland, and UK the reasons for Processing Personal Data, how it uses Personal Data, and the legal basis for Processing by providing them this Privacy Statement and related notices, disclosures, and consent forms consistent with applicable law. Veracode will not process Personal Data for other reasons.

Veracode takes appropriate steps to ensure that Personal Data in its possession is accurate, complete, and current consistent with applicable law. However, all individuals in the EU/EEA, Switzerland or UK are asked to inform Veracode’s relevant customer immediately about any changes to Personal Data relating to them.

Veracode will not Process EU/EEA/Swiss/UK Personal Data that qualifies as Special Categories of Personal Data for purposes incompatible with those described in this Privacy Statement unless the Processing is:

  • permitted by applicable EU/EEA, Swiss, or UK law;
  • necessary for administering justice or for exercising statutory, governmental, or other public functions;
  • necessary for the establishment of legal claims or defenses;
  • in the vital interests of an individual in the EU/EEA, Switzerland, or UK, or another person;
  • required to provide medical care or diagnosis; or
  • necessary to carry out Veracode’s legal obligations under applicable law.

Legal Basis of Processing EU/EEA/Swiss/UK Personal Data

In order to collect, use and otherwise process Personal Data, Veracode relies on the following legal bases:

  • To fulfill any contractual obligations, such as where you have purchased a product or service from Veracode. For example, we may require your contact details in order to deliver your order if you have purchased a product from us.
  • Veracode’s legitimate interest in providing its websites and making its sites, products, applications, and services available to you, provided our interest is not outweighed by the risk of harm to your rights and freedoms.
  • Your consent, where Veracode has obtained your consent to process Personal Data relating to you for certain activities. You may withdraw your consent at any time by contacting [email protected]. However, please note that your withdrawal of consent will not affect the lawfulness of any use of Personal Data relating to you by Veracode based on your consent prior to withdrawal.
  • For compliance with Veracode’s legal obligations where applicable laws require Veracode to process Personal Data.

If you have any questions or would like more information regarding the legal basis on which Veracode collects Personal Data, please contact us at [email protected].

EU/EEA/Swiss/UK Personal Data Transfers to Independent Third Parties

Veracode will disclose Personal Data to Third Parties other than those identified above only if:

  • required by law or legal process (e.g., lawful requests by public authorities, including disclosures to law enforcement authorities in connection with their duties or to meet national security requirements);
  • to investigate, prevent or take actions against illegal activities, suspected fraud, situations involving potential threats to the physical safety of any person, violations of our terms of use, or as otherwise required by law;
  • to protect and defend the legal rights, property, and/or legitimate interests of Veracode and/or members of its workforce, customers, business partners, Sub-contractors and/or Third Parties; or
  • where necessary for Veracode to perform a contractual obligation owed to a customer, member of its workforce, or for other lawful purposes.

How Long Veracode Keeps EU/EEA/Swiss/UK Personal Data

Veracode will hold Personal Data:

  • for the duration legally required or permitted by applicable law; and
  • as long as it is necessary to comply with Veracode’s legal obligations or to resolve disputes and/or enforce our agreements.

Veracode's record retention schedule for GDPR can be obtained upon request by contacting [email protected].

EU/EEA/Swiss/UK Personal Data Rights including under the GDPR

Individuals in the EU/EEA, Switzerland, and UK have a number of rights in relation to Personal Data. Veracode will maintain a program to ensure compliance with this Privacy Statement. All Veracode workforce members whose responsibilities include the Processing of EU/EEA/Swiss/UK Personal Data are required to adhere to this Privacy Statement and any implementing policies. Failure to do so is deemed a serious offence, for which disciplinary action may be taken, potentially resulting in termination of employment. Equally, the misuse of Personal Data by an individual or organization acting as a Sub-contractor, or service provider to Veracode is deemed a serious issue for which action may be taken, potentially resulting in the termination of any agreement. Veracode will assist individuals in the EU/EEA, Switzerland, and UK in protecting their privacy and will provide them opportunities to raise concerns about the Processing of Personal Data that relates to them.

EU/EEA/Swiss/UK Personal Data Access

Individuals in the EU/EEA, Switzerland, and UK have the right to make Personal Data access requests. If an individual makes such a request, Veracode will provide the information requested which may contain some or all of the following information, along with other information as required by applicable law:

  • Whether or not Personal Data about them is Processed and, if so, why, the categories of Personal Data Processed, and the source of the data if it is not collected from the individual, consistent with applicable law and Veracode’s obligations to its customers;
  • To whom the Personal Data is or may be disclosed consistent with applicable law, Veracode’s obligations to its customers, including to recipients located outside the EU/EEA, Switzerland, or UK and the safeguards that apply to such data transfers; and
  • For how long the Personal Data is stored (or how that period is decided).

Disclosures by Veracode will normally be in electronic form if the requester has made a request electronically unless he/she agrees otherwise.

If the requestor wants additional copies, Veracode charges a reasonable fee, which will be based on the administrative cost to Veracode of providing the additional copies.

Exercising your EU/EEA/Swiss/UK Personal Data Access Rights

To make a Personal Data access request, individuals in the EU/EEA, Switzerland, or UK should send their request to Veracode’s Privacy Office by email at [email protected] with the words “Data Subject Access Request” in the subject line.

You may also contact Veracode by regular mail to:

Veracode, Inc.

65 Network Drive

Burlington, MA 01803

Attention: Privacy Office

Veracode may need to ask for proof of identification before a request can be processed. Veracode will inform the requestor if it needs to verify his/her identity and the documents it requires. Veracode will normally respond to a request within a period of 30 days from the date a request is received. In some cases, such as where Veracode processes large amounts of Personal Data, it may respond within 90 days of the date the request is received. Veracode will write to the requestor within 30 days of receiving the original request to tell him/her if more time is needed to complete the response to their request.

If an EU/EEA/Swiss/UK individual submits a request which is manifestly unfounded or excessive, Veracode is not required to comply with it. Alternatively, Veracode can agree to respond but will charge a fee, which will be based on the administrative cost of responding to the request.

Other EU/EEA/Swiss/UK Personal Data Rights

Individuals in the EU/EEA, Switzerland, and UK also have a number of other rights in relation to Personal Data that relates to them. They can request Veracode to:

  • Correct inaccurate Personal Data to the extent consistent with applicable law and Veracode’s obligations to its customers;
  • Stop Processing or erase Personal Data that is no longer necessary for Veracode’s purposes of Processing to the extent consistent with applicable law and Veracode’s obligations to its customers;
  • Stop Processing or erase Personal Data if the individual's interests override Veracode’s legitimate grounds for processing the Personal Data including to the extent consistent with applicable law and Veracode’s obligations to its customers;
  • Stop processing or erase Personal Data if the processing is unlawful; and/or
  • Stop processing Personal Data for a period if the requestor asserts the Personal Data is inaccurate or if there is a dispute about whether or not the requestor's interests override Veracode's legitimate grounds for processing the Personal Data.

Where Veracode determines that the Personal Data relating to the requestor is accurate to the extent consistent with applicable law, Veracode will include in Veracode’s Personal Data file the alternative text that the requestor believes to be appropriate alongside Veracode’s original information. If it is determined that the Personal Data needs to be updated or corrected by Veracode, Veracode will use reasonable efforts to inform the relevant Veracode customer and third-parties which were provided with the information previously.

To ask Veracode to take any of these steps, individuals in the EU/EEA, Switzerland, or UK should contact Veracode by email at [email protected] with the words “DATA SUBJECT REQUEST” in the subject line.

You may also contact Veracode by regular mail to:

Veracode, Inc.

65 Network Drive

Burlington, MA 01803

Attention: Privacy Office

Individuals in the EU/EEA, Switzerland, and UK may also make data privacy and/or data use complaints about Veracode to the UK Information Commissioner’s Office (ICO), or by calling the UK ICO helpline at 0303-123-1113. Individuals in Switzerland can also make a complaint to the Swiss Federal Data Protection and Information Commissioner. Individuals in the EU/EEA can also make a complaint to the Data Protection Authority in the EU/EEA Member State where they live or work or where an alleged infringement of applicable data protection law occurred, listed here: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.

OTHER EU/EEA/SWISS/UK PROVISIONS

International Transfers of Personal Data

Veracode’s website is provided from within the United States and is subject to the state and federal laws of the United States. If you are located outside of the United States, Personal Data that relates to you is being transferred to, stored, used, and shared in the United States. 

If you are located in the EU, EEA, Switzerland, or UK, Veracode transfers Personal Data relating to you to other Veracode entities located in many different countries around the world if required for the purposes described in this Privacy Statement. This may include the transfer of Personal Data to countries outside your home country, including outside the European Economic Area (EEA), which may not have the same level of protection as your home country. For example, since Veracode is headquartered in the United States (US), Veracode entities in the EEA or UK may need to send Personal Data to our servers located in the US for legitimate business purposes. In order to provide adequate protection for the transfer of Personal Data, we rely on various legal mechanisms, including our Privacy Shield certifications, EU Standard Contractual Clauses, and/or a legally justified need to process Personal Data in order to provide the requested products or services.

Personal Data is also transferred by Veracode to countries outside the EU/EEA/Switzerland/UK for Veracode’s legitimate interests in processing Personal Data where necessary to perform its obligations to its customers and to exercise its rights and fulfill its duties under law.

EU-US and Swiss-US Privacy Shield Frameworks

The Personal Data and other information that Veracode collects relating to you will be transferred to and stored in the United States. It also may be processed by staff operating outside the EU/EEA who work for Veracode or other entities acting as data processors processing data on our behalf. This includes staff and providers engaged in, among other things, the fulfillment of your request or order and the provision of support services. More information on to whom your data is disclosed can be found above in this Privacy Statement.

Your Consent to International Transfer of Personal Data

If you are located in the EU/EEA or Switzerland, we may also process, store, and/or transfer Personal Data we collect about you, in and to a country outside the EU/EEA or Switzerland, including the United States. Those other countries may have different privacy laws that may or may not be as comprehensive as your own.

By submitting Personal Data or engaging with our sites, applications, products, and/or services, you consent to this transfer, storing, and/or processing.

Notice Regarding EU-U.S. and Swiss-U.S. Privacy Shield Status and CJEU Schrems II Ruling

On July 16, 2020, the European Court of Justice determined that the EU-U.S. Privacy Shield framework is no longer valid for the transfer of Personal Data from the European Economic Area (EEA) to the U.S. (known as the Schrems II decision). The Schrems II decision also placed additional compliance requirements on the use of EU Standard Contract Clauses (SCC) for transfer of EU/EEA Personal Data to the U.S. by companies subject to Section 702 of the U.S. Foreign Intelligence Surveillance Act (FISA) and/or Executive Order 12333 (E.O. 12333).

At Veracode, we know our customers, users, event attendees, workforce members, website visitors, and business partners care about privacy and data security; and we optimize our work to get these issues right. We’d like to confirm that you can continue to use our sites, products, applications, and services regarding EU/EEA and Swiss Personal Data in compliance with EU and Swiss law.

First, please know that it is our good faith belief that the types of EU/EEA/Swiss/UK Personal Data we receive, collect, process, use and/or share in the U.S. are not of the types of Personal Data that would generally be subject to requests from U.S. government authorities pursuant to FISA Section 702 and/or E.O. 12333. In fact, Veracode has never received a request for EU/EEA Personal Data from the U.S. Government pursuant to FISA Section 702 and/or E.O. 12333.

Second, please note that, as part of our good faith efforts to comply with applicable data security laws, we strive to store and process EU, EEA, Swiss, and UK Personal Data on servers located in the EU. In compliance with the GDPR and other applicable laws, we also implement data encryption in transit and at rest, data minimization, data pseudonymization, and need-to-know access to Personal Data.

Third, while EU and U.S. officials are working to resolve the issues which were the basis for the Schrems II decision invalidating the EU-U.S. Privacy Shield framework, Veracode is continuing to comply with the EU Privacy Shield Principles required by Veracode’s Privacy Shield Certification(s) regarding Personal Data processed by us under those Certifications. More information about Veracode’s collection, use, and/or sharing of EU/EEA Personal Data and our compliance with applicable laws is located in this Privacy Statement above.

Fourth, when applicable we require our service providers and business partners to enter into EU Standard Contractual Clauses (SCC), for compliance with EU/EEA/Swiss/UK data protection laws. If an international transfer of Personal Data cannot be based on SCC, our transfer to a third country may also be necessary in order to perform a contract with you or in individual cases for the purposes of our compelling legitimate business interests and in order to comply with our internal policy, contractual and legal obligations. If you represent one of our service providers or business partners and your business entity or organization is a party to an EU data processing/protection agreement with Veracode that includes EU Standard Contract Clauses (SCC) for compliance with EU/EEA data protection laws, please contact us at [email protected] or through your Veracode account registered in our online portal to discuss whether any updates to our agreement are needed resulting from the Schrems II decision.

At Veracode, trust is a top priority, and we will continue to work vigilantly to ensure that our customers, users, event attendees, workforce members, website visitors, and business partners are able to continue to enjoy the benefits of Veracode’s sites, products, applications, and services securely, compliantly, and without disruption.

As always, if you have questions or concerns about Veracode’s collection and/or use of Personal Data, please contact us at [email protected] or through your Veracode account registered in our online portal.

Here is more information about how Veracode continues to comply with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from EU and EEA member countries and Switzerland transferred to the United States pursuant to Privacy Shield. Veracode has certified that it adheres to the Privacy Shield Principles with respect to such Personal Data. If there is any conflict between the policies in this Privacy Statement and data subject rights under the Privacy Shield Principles, the Privacy Shield Principles shall govern. To learn more about the Privacy Shield program, and to view Veracode’s certification page, please visit https://www.privacyshield.gov.

With respect to Personal Data received or transferred pursuant to the Privacy Shield Frameworks, Veracode is subject to the regulatory enforcement powers of the U.S. Federal Trade Commission.

Pursuant to the Privacy Shield Frameworks, EU and Swiss individuals have the right to obtain Veracode’s confirmation of whether we maintain Personal Data relating to you in the United States. Upon your request, we will provide you with access to the Personal Data that we hold about you. You may also correct, amend, or delete the Personal Data we hold about you. An individual who seeks access, or who seeks to correct, amend, or delete inaccurate data transferred to the United States under Privacy Shield, should direct their query to [email protected]. If requested to remove data, we will respond within a reasonable timeframe.

We will provide an individual opt-out or opt-in choice before we share Personal Data relating to you with third parties other than our agents, or before we use it for a purpose other than which it was originally collected or subsequently authorized. To request to limit the use and disclosure of Personal Data relating to you, please submit a written request to [email protected].

Veracode’s accountability for Personal Data that it receives in the United States under the Privacy Shield frameworks and subsequently transfers to a third party is described in the Privacy Shield Principles. In particular, Veracode remains responsible and liable under the Privacy Shield Principles if third-party agents that it engages to process the Personal Data on its behalf do so in a manner inconsistent with the principles, unless Veracode proves that it is not responsible for the event giving rise to the damage.

Veracode may be required, in certain circumstances, to disclose Personal Data in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

In compliance with the Privacy Shield Principles, Veracode commits to resolve complaints about your privacy and our collection or use of Personal Data transferred to the United States pursuant to Privacy Shield. European Union and Swiss individuals with Privacy Shield inquiries or complaints should first contact Veracode by email at [email protected] with the words “PRIVACY STATEMENT” in the subject line.

You may also contact Veracode by regular mail to:

Veracode, Inc.

65 Network Drive

Burlington, MA 01803

Attention: Privacy Office

Veracode has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism. If you have an unresolved privacy or data use concern that we have not addressed satisfactorily, please contact our U.S.-based third party dispute resolution provider (free of charge) at ICDR/AAA operated by the International Centre for Dispute Resolution, the international division of the American Arbitration Association (ICDR/AAA). If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit http://go.adr.org/privacyshield.html for more information and to file a complaint. This service is provided free of charge to you.

If your complaint involves employment or human resources personal data transferred to the United States from the EU, EEA, and/or Switzerland in the context of your employment relationship with Veracode, and Veracode does not address it satisfactorily, Veracode commits to cooperate with the panel established by the EU data protection authorities (DPA Panel) and/or the Swiss Federal Data Protection and Information Commissioner, as applicable, and to comply with the advice given by the DPA Panel and/or Commissioner, as applicable, with regard to such employment or human resources Personal Data. To pursue an unresolved employment or human resources Personal Data complaint, you should contact the state or national data protection or labor authority where you live or work. Complaints related to employment or human resources Personal Data should not be addressed to the ICDR/AAA operated by the International Centre for Dispute Resolution.

Contact details for the EU data protection authorities can be found at http://ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

If your Privacy Shield complaint cannot be resolved through the above channels, under certain conditions, you may invoke binding arbitration for some residual claims not resolved by other redress mechanisms. See Privacy Shield Annex 1 at https://www.privacyshield.gov/article?id=ANNEX-I-introduction.