SANS TECHNOLOGY INSTITUTE PRIVACY POLICY
The SANS Institute, LLC d/b/a SANS Technology Institute ("STI") is a subsidiary of The Escal Institute of Advanced Technologies, Inc. d/b/a SANS Institute (STI and SANS Institute are collectively referred throughout as "STI"). STI is a US based college that provides academic programs specializing in information security and cybersecurity training. SANS Institute also operates its Global Information Assurance Certification ("GIAC") programs through GIAC, LLC.
This Policy addresses how STI, as a data controller, collects, uses, and otherwise processes personal information relating to individuals who participate in the programs offered through STI and who visit the STI websites that link to this Policy (collectively, the "Websites"), as well as personal information that is collected from business partners and via survey responses or competition entries. "Personal information" is information that relates to an identified or identifiable living individual.
Note that the SANS Institute has its own privacy policy at www.sans.org/privacy and GIAC has its own privacy policy at www.giac/privacy. This Policy does not apply to personal information that is addressed by those privacy policies.
We need to process personal information to provide services to you. Sometimes, we provide your personal information to third parties, including STI affiliate organizations such as GIAC and SANS, to help us provide our services. If you are not willing to provide your personal information and have it disclosed to third parties in accordance with this Privacy Policy, you may not be able to use our services.
Basis of Processing
On most occasions we process your data based on your consent or the data is necessary for us to fulfill our contractual obligations to you. You don't have to provide consent however you may be unable to use some of our services if you do not allow us to process your personal information.
Our Websites may contain links to other websites which are not owned by STI. You should review the privacy statements of all third-party websites you visit to understand how your data will be processed.
Personal Information We Collect
You will be asked to provide personal information when you create an account, make a purchase, or contact us for support. We also collect data recording how you interact with our services. We may also obtain information about you from our business partners or other third parties.
We may receive and collect certain data automatically, for example from website analytics, information from your internet browser when you visit our Websites, and information collected by cookies. We may collect personal information that can identify you, such as your name and email address, and other information that does not identify you.
Information Provided by You
When You Set Up a STI Account
We collect your name, email address, phone number(s), address, company, department, job function, industry, organizational memberships, and geographic region to create a STI account. We also process and store data associated with training assignments, including scores on assessments you undertake, data associated with your registration for content such as webcasts and Summits, and data associated with your use of content provided by our Websites.
When You Use Our Websites
We use various technologies to collect information from your computer or device and about your activities on our Websites. These are detailed below:
- Information automatically collected. Information such as your IP address, your browser type and language, access times, the content of any undeleted cookies that your browser previously accepted from us, referring or exit website address, internet service provider, date/time stamp, operating system, locale and language preferences, and system configuration information.
- Cookies. When you visit our Websites, we may assign your computer or device one or more cookies to facilitate access to our site and to personalize your online experience. These cookies may relate to tools such as Google Analytics and similar technologies. Through cookies we also may automatically collect information about your online activity on our site, such as the web pages you visit, the links you click, and the searches you conduct on our site. Please see our Cookie Policy for more detail.
- Other technologies. We may use standard internet technology, such as web beacons, session replay scripts, and other similar technologies, to track your use of our Websites. We also may include web beacons in promotional email messages or newsletters. Web beacons are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, which are stored on your computer's hard drive, pixel tags are embedded invisibly on web pages. We may use these, in connection with our Websites to, among other things, track the activities of users of our services, improve ads, personalize and manage content, and gather usage information about our Websites. We may also use these in HTML emails to, to help us track email response rates, identify when our emails are viewed, and track whether our emails are forwarded. Session replay software scripts capture information concerning a user's interaction with the Websites, including keystrokes, mouse movements and clicks, movements within a webpage and through the Websites, interactions with menus, banners, and forms, and form field entries. We may use third-party software embedded in the script of the Websites to monitor your interaction with the Websites and/or for our compliance verification purposes, which may mean that the third-party software provider also collects this information. By using our Websites, you consent to this collection and disclosure of information.
Information Collected from Other Sources
We may also obtain information about you from advertising companies, ad networks business partners, contractors, and other third parties and add it to our account information or other information we have collected. We only do this where there is a lawful basis of processing your information such as your consent.
How We Use Personal Information
We use the personal information we collect for a variety of purposes. The legal basis for our processing of personal information will depend on the context in which we collect it.
General Uses
We may use information that we collect about you to:
- deliver the services that you have requested
- manage your account and provide you with customer support
- perform research and analysis about your use of or interest in our services, our content, or products, as well as services or content offered by others
- communicate with you by email, postal mail, telephone, our Websites, our applications, and/or mobile devices about products, services, or resources that may be of interest to you either from us or other third parties
- enforce our terms and conditions
- manage our business and perform functions as otherwise described to you at the time of collection
- for legal compliance purposes, including lawful requests by public authorities, including to meet national security or law enforcement requirements
- occasionally notify you about special sales or services to personalize your experience with STI (you can opt out if you wish)
- process payment for any purchases or sales made on our Websites, to protect against or identify possible fraudulent transactions, and otherwise as needed to manage our business
How Long We Retain Your Personal Information
We will retain your personal information for as long as is needed to offer you services or comply with our legal obligations. For personal information that we process on behalf of a business partner or your employer, we will retain such personal information in accordance with the terms of our agreement with them.
Disclosure of Personal Information
We share or disclose your personal information where it is necessary to provide the services, including sharing information with third party service providers; when required by law; to protect rights and safety, and with your consent. These third parties are detailed below.
- Authorized service providers: These services may include fulfilling orders, processing credit card payments, delivering materials, providing customer service and marketing assistance, performing business and sales analysis, supporting our Websites' functionality, and supporting contests, promotions, sweepstakes, surveys and other features offered through our Websites. These service providers may have access to personal information needed to perform their functions but are not permitted to share or use such information for any other purposes.
- GIAC Certification Information: GIAC Certified Professionals are listed on the GIAC website and their identities and certifications are considered public information. Published data includes Analyst Number, Certification Holder's Name and Certification Expiration Date. No personal contact information is published.
- Business partners: When you make purchases or engage in promotions offered through our Websites, we may share personal information with your consent with the businesses with which we partner to offer you our services, promotions, contests and/or sweepstakes.
- Business transfers: We may disclose and/or transfer personal information as part of any actual or contemplated merger, sale, transfer of assets, acquisition, financing and/or restructuring of all or part of our business, bankruptcy or similar event, including related to due diligence conducted prior to such event when permitted by law.
- Protect our rights: We may disclose personal information where we believe it necessary to respond to claims asserted against us, to comply with legal process (e.g., subpoenas or warrants), enforce or administer our agreements and terms, for fraud prevention, risk assessment, investigation and/or to protect the rights, property or safety of our company, our customers and/or others.
- Other situations: We also may disclose your information where required by law or in response to a court order or to prevent or detect crime
- Aggregated and Non-personal Information: We may share aggregated and non-personal information we collect under any of the circumstances set forth in this Policy. When we de-identify personal information, we have implemented reasonable measures as required by law to ensure that the de-identified data cannot be associated with any individual or customer. We will only maintain and use such data in a de-identified manner and do not attempt to re-identify the data, except as permitted by law.
In general, we may disclose the following categories of personal information in support of our business purposes identified above:
- Name, contact information, and other identifiers
- Customer records
- Protected classifications
- Commercial Information
- Usage data
- Audio, video, and other electronic data
- Education information
- Profiles and inferences
We have disclosed the categories of personal information listed above to the following categories of third parties in the preceding twelve months: data analytics providers, and service providers.
Categories of Personal Information Sold or Shared.
The California Consumer Privacy Act ("CCPA") defines a "sale" as disclosing or making available to a third party personal information in exchange for monetary or other valuable consideration, and it defines "share" in pertinent part as disclosing personal information to a third party for cross-context behavioral advertising.
As defined by the CCPA, the categories of personal information that we may "sell" include:
- Name, contact information, and other identifiers
As defined by the CCPA, the categories of personal information that we may "share" include:
- Name, contact information, and other identifiers
The categories of third parties to whom we sell or share the data, as defined by the CCPA, may include:
- Data analytics providers
- Service providers who are assisting us in fulfilling our contracts and carrying out our business
The business purpose for which we sell or share the data, as defined by the CCPA, may include:
- Lead generation, business prospecting, and similar activities
- To gain insights into online activities through analytics
We have "sold" and "shared" the categories of personal information listed above to data analytics providers in the preceding twelve months.
Your Privacy Rights
How You Can Access Your Information
If you have an online account with us, you can review your personal information by logging into your account. You can also update your personal information by contacting us.
You can ask us to delete, rectify, or port your data by submitting a request through your account or by contacting privacy@sans.org.
We will handle your request as soon as possible; however, we may still need to retain certain information for example for legal purposes.
Opt-Out
We will not share personal information without your permission, unless it is necessary for us to provide services to you.
You can opt out of non-essential use of your data at any time by selecting the "Opt-Out" link found here, or in the footer of the communication or on our Websites and following the instructions or contacting us. You may also choose to enable in your Internet browser, where available, a universal signal from your browser that will automatically send an opt-out signal to participating websites, like ours, which will honor your preference.
If you opt out of receiving promotional communications, you may continue to receive emails and notifications relating to business-related communications.
Additional Information for Residents of Certain Jurisdictions
You may have additional data protection rights afforded to you by the state or country where you reside, including but not limited to, in the United States, European Union member state, the United Kingdom or other jurisdictions. Please click here for additional information regarding data protection rights that may be afforded to you by your state or country of residence.
Federal Education Rights and Privacy Act (FERPA)
Where applicable, STI adheres to a federal law called the Family Educational Rights and Privacy Act (FERPA) that sets privacy standards for student educational records. The Act serves two primary purposes: It gives eligible students more control over their educational records, and it prohibits educational institutions from disclosing "personally identifiable information" in education records without the written consent of an eligible student. To review our full FERPA policy, please visit the Federal Education Rights Privacy Act Policy.
Children's Personal Information
STI does not knowingly collect or retain personal information about persons under the age of 16. Any person who provides their personal information to STI represents they are 16 or older. When a person is under the age of 16 and desires to provide personal information to STI, STI strives to seek appropriate parental consent to process their information. If STI learns that it has collected personal information from an individual under the age of 16 without parental consent, STI will take reasonable measures to delete such information (except where required to protect the individual or others or as required or allowed by law). If you believe STI has personal information from individuals under the age of 16, please contact STI at privacy@sans.org.
Other Important Information
Security
The security of your personal information is important to us. Be aware that the internet is a global communications vehicle open to threats, viruses, and intrusions from others, so we cannot promise - and you should not expect - that we will be able to protect your personal information at all times and in all circumstances.
Contact Us
To make a request or exercise your data privacy rights, if you have a complaint, or if you have any questions or suggestions regarding this Policy or our processing of your personal information, please contact us at privacy@sans.org or at +1 301-654-7267 and request to speak to the Data Privacy Department.