The Synopsys Software Integrity Group is now Black Duck®. Learn More

Privacy Governance Statement

Last Updated: November 20, 2024

This privacy governance statement covers Black Duck Software, Inc. and its affiliated companies (“Black Duck”).

At Black Duck, privacy is a top priority. Our comprehensive privacy framework and governance model makes privacy a foundational element of our solutions and services. Our privacy governance model includes, but is not limited to, the following: 

1.                      Privacy by Design

Our ‘Privacy by Design’ philosophy emphasizes privacy as a fundamental component of our solutions and services. Privacy is not merely a function of our privacy office. Rather, privacy considerations are embedded in our operations as a fundamental element, central to the global delivery of our solutions and services. 

2.                      Privacy Principles

We believe that the appropriate incorporation of robust and recognized privacy principles are essential to any privacy program. Some principles we consider to be important include the following:  

A.      Transparency. Transparency means being open about how your personal data is collected, shared, and processed.

B.      Purpose Limitation. Purpose limitation means processing personal data for specific purposes and not processing them for unrelated purposes.

C.     Data Minimization. Data minimization means collecting and processing personal data only as is reasonably needed to fulfill the purpose for which it is processed.

D.     Education. Mandatory privacy training for all team members that is updated and refreshed regularly.  

E.     Security. Robust security measures commensurate with the risk are essential to any processing of personal data. Such principles areat the very core of our organization’s identity. See the Technical and Organizational Measures section for more information.     

3.                      Privacy Impact Assessments

In providing services across the globe in multiple industries, we often conduct privacy impact assessments tailored to the specific services, solutions, and applicable jurisdictional regulations. Some of the aspects we may assess include the following:

A.      Data Localization Requirements

B.      Legal Basis for Processing

C.     Notification Obligations

Where certain regulations require specific assessments, such as a data protection impact assessment, we meet or exceed such required analyses.  

4.                      Cross-Border Transfers

Ensuring that personal data protection and handling principles follow the personal data across borders is a top priority. We perform specific transfer impact assessments to ensure the personal data remains protected and that it is processed in compliance with all applicable localization requirements.

Some of the data transfer mechanisms we may initiate include EU Standard Contractual Clauses, the UK International Data Transfer Addendum, and more.

5.                          Rights

Subject to applicable regulations, individuals have certain rights regarding their personal data. This may include such rights as access, portability, deletion, rectification, objection, and more. We respect these applicable rights and analyze all steps of the process to ensure that we can meet them within the specified timelines.

6.                          Suppliers and Other parties

Like all businesses, we sometimes rely on other suppliers to help us deliver the most compelling products and solutions to you. In context of the relationship and the processing, we execute appropriate contractual obligations for the purposes of protecting personal data throughout its lifecycle. For instance, if a supplier is processing personal data on our behalf, we require a data processing addendum with specific handling and notification requirements.

7.                              Controller/Business and Processor/Service Provider Classifications

For the solutions we provide you, if we do collect or otherwise process personal data, it is normally limited to minimal personal business contact information and login credentials. We process the business contact information for the purposes of managing the contractual relationship, communicating with you about the contract, billing, and related administrative purposes. With regards to login credentials, passwords are often hashed and a user can use any name or email address they choose. If you choose to use a Single Sign On support, we do not store passwords.

Where we do process login credentials, we do so for the purpose of enhancing the security of our hosted systems.  Since we are determining the means and purposes of the processing of such limited personal data as described iherein, we are, in nearly all cases, an independent data controller.

8.                      Technical and Operational Measures

Our unwavering commitment to security solutions is not just a policy but is the very heart of who we are and what we do at Black Duck. We employ a wide range of robust technical and organizational measures designed to protect the confidentiality and integrity of data across all stages of the data lifecycle incorporating security at the very conception through storage and deletion. For each situation, we meticulously and expertly consider the appropriation incorporation of robust frameworks, measures, and standards including NIST, ISO, SAE, Encryption, Role Based Access Controls, SDLC methodologies, and more. Our efforts are tailored not just to meet the GDPR, CCPA, PIPL, HIPAA, NYC and other regulations that apply to data processing, but to consider evolving threats and changes in the environment.

9.       Storage limitation

We retain personal data only as long as necessary for the purposes for which it is processed, which may include compliance with legal, regulatory and contractual obligations. We review our retention policies regularly to ensure alignment with regulatory requirements, contractual obligations, and the principles of storage limitation.

10.  Data Incidents

Having an incident response plan to mitigate any security incident is an important part of any data protection plan. Black Duck has a company-wide incident response plan designed to allow us to quickly take the steps needed to minimize harm and secure customer data in the case of an incident. This plan includes notifying affected data subjects promptly after becoming aware of an incident involving a data breach.

11.  Privacy Office

Our commitment to privacy includes a dedicated privacy office to answer your questions or discuss your concerns. We aim to provide you peace of mind. Please feel free to contact us at  privacy@blackduck.com.