homepage
Open menu

SANS Privacy Policy

Updated: December 2022

SANS INSTITUTE PRIVACY POLICY

The Escal Institute of Advanced Technologies, Inc. d/b/the SANS Institute (referred throughout as “SANS”) is a US based company specializing in information security and cybersecurity training. SANS also operates its Global Information Assurance Certification (“GIAC”) programs and academic programs offered through the SANS Technical Institute (“STI”).

This Policy addresses how SANS, as a data controller, collects, uses, and otherwise processes personal information relating to individuals who visit our Websites and use our services, as well as personal information that is collected from business partners and via survey responses or competition entries.

When we refer to “Websites” we mean www.sans.org as well as the other websites that we operate and that link to this Policy. Note that GIAC has its own privacy policy at www.giac/privacy, and SANS Technical Institute has its own Privacy Policy at www.sans.edu/privacy. This Policy does not apply to personal information collected and processed by GIAC or the SANS Technical Institute.

We need to process personal information to provide services to you. Sometimes, we provide your personal information to third parties to help us provide our services. If you are not willing to provide your personal information and have it disclosed to third parties in accordance with this Privacy Policy, you may not be able to use our services.

Basis of Processing

On most occasions we process your data based on your consent or because the processing is necessary for us to fulfill our contractual obligations to you. You do not have to provide consent when we request it, however you may be unable to use some of our services if you do not allow us to process your personal data.

Our Websites may contain links to other websites which are not owned by SANS. You should review the privacy statements of all third-party websites you visit to understand how your data will be processed.

Personal Information We Collect

You will be asked to provide personal data when you create a SANS account, make a purchase, or contact us for support. We also collect data recording how you interact with our services. We may also obtain information about you from our business partners or other third parties.

We may receive and collect certain data automatically for example from website analytics, information from your internet browser when you visit our Websites, and information collected by cookies. We may collect Personal Information that can identify you, such as your name and email address, and other information that does not identify you.

Information Provided by You

When You Set Up a SANS Account

We collect your name, email address, phone number(s), address, company, department, job function, industry, organizational memberships, and geographic region to create a SANS account. We also process and store data associated with training assignments, including scores on assessments you undertake, data associated with your registration for content such as webcasts and Summits, and data associated with your use of content provided by our Websites.

When You Use Our Websites

We use various technologies to collect information from your computer or device and about your activities on our Websites. These are detailed below:

  1. Information automatically collected such as your IP address, your browser type and language, access times, the content of any undeleted cookies that your browser previously accepted from us, referring or exit website address, internet service provider, date/time stamp, operating system, locale and language preferences, and system configuration information.
  2. Cookies. When you visit our Websites we may assign your computer or device one or more cookies to facilitate access to our site and to personalize your online experience. These cookies may relate to tools such as Google Analytics and similar technologies. Through cookies we also may automatically collect information about your online activity on our site, such as the web pages you visit, the links you click, and the searches you conduct on our site. Please see our Cookie Policy for more detail.
  3. Other technologies. We may use standard internet technology, such as web beacons, session replay scripts, and other similar technologies, to track your use of our Websites. We also may include web beacons in promotional email messages or newsletters. Web beacons are tiny graphics with a unique identifier, similar in function to cookies. In contrast to cookies, which are stored on your computer’s hard drive, pixel tags are embedded invisibly on web pages. We may use these, in connection with our Websites to, among other things, track the activities users of our services, improve ads, personalize and manage content, and gather usage information about our Websites. We may also use these in HTML emails to, to help us track email response rates, identify when our emails are viewed, and track whether our emails are forwarded. Session replay software scripts capture information concerning a user’s interaction with the Websites, including keystrokes, mouse movements and clicks, movements within a webpage and through the Websites, interactions with menus, banners, and forms, and form field entries. We may use third-party software embedded in the script of the Websites to monitor your interaction with the Websites and/or for our compliance verification purposes, which may mean that the third-party software provider also collects this information. By using our Websites, you consent to this collection and disclosure of information.

Information Collected from Other Sources

We may also obtain information about you from advertising companies, ad networks business partners, contractors, and other third parties and add it to our account information or other information we have collected. We only do this where there is a lawful basis of processing your information such as your consent.

Information Collected for Employer-Sponsored Training

If your employer sponsors your training and provides us with your Personal Information, SANS acts as a data controller and your employer is also a data controller. SANS will work with your employer to fulfill any data rights requests. Your information and training records will be shared with your employer and we will process that information in accordance with this Privacy Policy.

How We Use Personal Information

We use the Personal Information we collect for a variety of purposes. The legal basis for our processing of Personal Information will depend on the context in which we collect it.

General Uses

We may use information that we collect about you to:

  • deliver the services that you have requested
  • manage your account and provide you with customer support
  • perform research and analysis about your use of or interest in our services, our content, or products, as well as services or content offered by others
  • communicate with you by email, postal mail, telephone, our websites, our applications, and/or mobile devices about products, services, or resources that may be of interest to you either from us or other third parties
  • enforce our terms and conditions
  • manage our business and perform functions as otherwise described to you at the time of collection
  • for legal compliance purposes
  • occasionally notify you about special sales or services to personalize your experience with SANS (you can opt out if you wish)
  • process payment for any purchases or sales made on our Websites, to protect against or identify possible fraudulent transactions, and otherwise as needed to manage our business

How Long We Retain Your Personal Information

We will retain your Personal Information for as long as is needed to offer you services or comply with our legal obligations. For Personal Information that we process on behalf of a business partner or your employer, we will retain such Personal Information in accordance with the terms of our agreement with them.

Disclosure of Personal Information

We share or disclose your Personal Information where it is necessary to provide the Services, including sharing information with third party service providers, when required by law, to protect rights and safety, and with your consent. These third parties are detailed below.

  • Authorized service providers: These services may include fulfilling orders, processing credit card payments, delivering materials, providing customer service and marketing assistance, performing business and sales analysis, supporting our Websites’ functionality, and supporting contests, promotions, sweepstakes, surveys and other features offered through our Websites. These service providers may have access to Personal Information needed to perform their functions but are not permitted to share or use such information for any other purposes.
  • Co-Sponsoring organizations: Some SANS training events are co-sponsored by other organizations. Examples include SANS private training events, sponsored webcasts, or sponsored whitepapers. When you register for an event, the co-sponsoring organization may have access to your registration data where you agree and provide your explicit consent.
  • GIAC Certification Information: GIAC Certified Professionals are listed on the GIAC website and their identities and certifications are considered public information. Published data includes Analyst Number, Certification Holder’s Name and Certification Expiration Date. No personal contact information is published.
  • Business partners: When you make purchases or engage in promotions offered through our Websites, we may share Personal Information with your consent with the businesses with which we partner to offer you those services, promotions, contests and/or sweepstakes.
  • Business transfers: We may disclose and/or transfer personal information as part of any actual or contemplated merger, sale, transfer of assets, acquisition, financing and/or restructuring of all or part of our business, bankruptcy or similar event, including related to due diligence conducted prior to such event when permitted by law.
  • Protect our rights: We may disclose personal information where we believe it necessary to respond to claims asserted against us, to comply with legal process (e.g., subpoenas or warrants), enforce or administer our agreements and terms, for fraud prevention, risk assessment, investigation and/or to protect the rights, property or safety of our company, our customers and/or others.
  • Other situations: We also may disclose your information where required by law, in response to a court order, or to prevent or detect crime.
  • Aggregated and Non-personal Information: We may share aggregated and non-personal information we collect under any of the circumstances set forth in this Policy. When we de-identify personal information, we have implemented reasonable measures as required by law to ensure that the de-identified data cannot be associated with any individual or customer. We will only maintain and use such data in a de-identified manner and do not attempt to re-identify the data, except as permitted by law.

In general, we may disclose the following categories of personal information in support of our business purposes identified above:

  • Name, contact information, and other identifiers
  • Customer records
  • Protected classifications
  • Commercial Information
  • Usage data
  • Audio, video, and other electronic data
  • Education information
  • Profiles and inferences

We have disclosed the categories of personal information listed above to the following categories of third parties in the preceding twelve months: data analytics providers, service providers, and sponsors of SANS events, programs, and papers.

Categories of Personal Information Sold or Shared.

The California Consumer Privacy Act (“CCPA”) defines a “sale” as disclosing or making available to a third party personal information in exchange for monetary or other valuable consideration, and it defines “share” in pertinent part as disclosing personal information to a third party for cross-context behavioral advertising.

As defined by the CCPA, the categories of personal information that we may “sell” include:

  • Name, contact information and other identifiers

As defined by the CCPA, the categories of personal information that we may “share” include:

  • Name, contact information, and other identifiers

The categories of third parties to whom we sell or share the data, as defined by the CCPA, may include:

  • Data analytics providers
  • Service providers who are assisting us in fulfilling our contracts and carrying out our business
  • Sponsors of SANS events, programs and papers

The business purpose for which we sell or share the data, as defined by the CCPA, may include:

  • Lead generation, business prospecting, and similar activities
  • To gain insights into online activities through analytics
  • To provide leads to sponsors of SANS events, programs and papers

We have “sold” and “shared” the categories of personal information listed above to data analytics providers in the preceding twelve months.

Your Privacy Rights

How You Can Access Your Information

If you have an online account with us, you can review your Personal Information by logging into your account. You can also update your Personal Information by contacting us.

You can ask us to delete, rectify, or port your data by submitting a request through your account or by contacting privacy@sans.org.

We will handle your request as soon as possible; however, we may still need to retain certain information, for example information required for legal purposes.

Opt-Out

We will not share personal data without your permission unless it is necessary for us to provide services to you.

You can opt out of non-essential use of your data at any time by selecting the “Opt-Out” link found in the footer of the communication or on our Websites and following the instructions or contacting us.

If you opt out of receiving promotional communications, you may continue to receive emails and notifications relating to business-related communications.

Additional Information for Residents of Certain Jurisdictions

For Residents of the European Union and the United Kingdom

If you are a resident of the European Union or United Kingdom, the E.U. or U.K. General Data Protection Regulation (collectively, the “GDPR”) is applicable to our use of your data. The lawful basis for processing your personal information will depend on the personal information concerned and the specific context in which we collect it as detailed above. Under the GDPR you have a number of rights. For example, you can request to see a copy of the data we process about you, to delete or rectify your data, or to transfer your data elsewhere. You also have the right to make a complaint to your local supervisory authority and in the first instance to our Data Privacy Department.

If you wish to exert any of your rights, please contact us at via email at privacy@sans.org.

You should be aware that your Personal Information may be transferred to, stored, and processed within the United States and other jurisdictions outside of the U.S.A., the E.U. or the U.K. We will take all appropriate measures to safeguard your information including applying standard contractual clauses.

For Residents of California

  • Right to Know: You have the right to request that a business that collects personal information about you disclose the following: (1) the categories of personal information it has collected about you; (2) the categories of sources from which the personal information is collected; (3) the business or commercial purpose for collecting, selling, or sharing personal information; (4) the categories of third parties to whom the business discloses personal information; and (5) the specific pieces of personal information it has collected about you.
  • Right to Correct: You have the right to request a business that maintains inaccurate personal information about you to correct that information, taking into account the nature of the personal information and the purposes of the processing of the personal information.
  • Right to Delete: You have the right to request that a business delete any personal information about you which the business has collected from you.
  • Right to Opt Out of Selling and Sharing: You have the right to request that a business not sell your personal information to a third party or share your personal information with a third party for purposes of cross-context behavioral advertising. Opt-out rights can be exercised by contacting privacy@sans.org.
  • Right to Non-Discrimination: You have the right to not be discriminated against because you exercised any of your CCPA rights.

California residents may make a Request to Know up to twice every 12 months.

If you are a California resident, you may specifically instruct us not sell your Personal Information. SANS does not sell personal data of its customers. If you are a California resident and would like to make a request to exercise your rights under the CCPA, please contact privacy@sans.org. We will respond to verifiable requests received from California residents as required by law. For more information about our privacy practices, you may contact us as set forth in the Section below entitled “Contact Us.”

We will use the following process to verify Requests to Know, Requests to Delete, and Requests to Correct: We will acknowledge receipt of your Consumer Request, verify it using processes required by law, then process and respond to your request as required by law. To verify such requests, we may ask you to provide the following information:

  • For a Request to Know categories of personal information which we collect, we will verify your identity to a reasonable degree of certainty by matching at least two data points provided by you against information in our systems which are considered reasonably reliable for the purposes of verifying a consumer’s identity.
  • For a Request to Know specific pieces of personal information, Requests to Delete, Requests to Correct, we will verify your identity to a high degree of certainty by matching at least three pieces of personal information provided by you to personal information maintained in our systems and also by obtaining a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request.

An authorized agent can make a request on a California resident’s behalf by providing a power of attorney valid under California law, or providing: (1) proof that the consumer authorized the agent to do so; (2) verification of their own identity with respect to a right to know categories, right to know specific pieces of personal information, or requests to delete which are outlined above; and (3) direct confirmation that the consumer provided the authorized agent permission to submit the request.

For Residents of Virginia

If you are a Virginia resident, the Virginia Consumer Data Protection Act (VCDPA) may grant you the following rights:

  • Right to Access: You have the right to request whether a business is processing your personal information and to access such personal information.
  • Right to Correction: You have the right to request that a business correct inaccuracy in your personal information, taking into account the nature of the personal information and our purpose for processing the personal information.
  • Right to Delete: You have the right to request that a business delete your personal information that was collected about you.
  • Right to Opt Out of Certain Types of Processing. You have the right to opt out of the processing of the personal data for purposes of (i) targeted advertising, (ii) the sale of personal data, or (iii) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer.
  • Right to Data Portability: You have the right to obtain a copy of your personal information previously provided to a business in a portable and, if feasible, readily usable format.
  • Right to Non-Discrimination: You have the right not to be discriminated against by a business for exercising your rights listed above.

Submitting Requests:Right to Access Requests, Right to Correction Requests, Right to Delete Requests, Right to Opt Out of Processing, and Right to Data Portability Requests may be submitted by contacting us at privacy@sans.org.

We will use the following process to verify Right to Access Requests, Right to Correction Requests, Right to Delete Requests, Right to Opt Out of Processing, and Right to Data Portability Requests:We will acknowledge receipt of your request, authenticate it using processes required by law, then process and respond to your request as required by law.To authenticate such requests, we may ask you to provide additional information as reasonably necessary.

For Residents of Nevada

If you are a Nevada resident, the Nevada Privacy of Information Collected on the Internet from Consumers Act (NPICICA) may grant you the right to request that a business not sell certain kinds of personal information that the business has collected or will collect about you.A “sale” under the NPICICA is the exchange of personal information for monetary consideration by the business to a third party to license or sell the personal information to third parties, with certain exceptions.If you are a Nevada resident and wish to obtain information about SANS’ compliance with Nevada law, please contact us at privacy@sans.org.

Federal Education Rights and Privacy Act (FERPA)

Where applicable, SANS adheres to a U.S. federal law called the Family Educational Rights and Privacy Act (FERPA) that protects student educational records. The Act serves two primary purposes: It gives eligible students more control over their educational records, and it prohibits educational institutions from disclosing “personally identifiable information” in education records without the written consent of an eligible student or in certain other circumstances. To review our full FERPA policy, please visit the Federal Education Rights Privacy Act Policy.

Children’s Personal Information

When SANS collects personal information from or about children under the age of 17, we seek appropriate parental consent to process their information.

SANS products and services are not directed to children under the age of 13.SANS does not knowingly collect any personal information from children under the age of 13, nor does SANS knowingly distribute such information to third parties.If SANS becomes aware that it has received personal information from someone under the age of 13, SANS will take steps to delete such information from its records.If you believe SANS has personal information from individuals under the age of 13, please contact SANS at privacy@sans.org.

Other Important Information

Security

The security of your Personal Information is important to us. Be aware that the internet is a global communications vehicle open to threats, viruses, and intrusions from others, so we cannot promise - and you should not expect - that we will be able to protect your personal information at all times and in all circumstances.

Contact Us

To make a request or exercise your data privacy rights, if you have a complaint, or if you have any questions or suggestions regarding this Policy or our processing of your personal information, please contact us at privacy@sans.orgor at +1 301-654-7267 and request to speak to the Data Privacy Department.