Rules of Procedure

Privacy Policy (Draft WIP)

This is a DRAFT or SUBSTANTIALLY MODIFIED existing policy currently in an open review period.


Members are invited to provide feedback on this draft policy until February 13, 2021. The Policy Review Team will respond to comments mailed from your owasp.org email address to this address.


[ Reviewers - Please review the draft © notice below detailing the provenance of this privacy policy. Please point out any issues with our fork, including any issues relating to programs OWASP does not have (such as certification) or software OWASP does not use. ]

OWASP’s core purpose is to advance the state of application security, through fostering an ecosystem that supports the collaborative and public development of free and open-source software projects (each, a “Project”). This privacy policy (“Privacy Policy”) describes our policies and procedures about the collection, use, disclosure and sharing, or other processing of your personal information when you use our websites (e.g., owasp.org), our events platforms (e.g., Meetup, Eventbrite, Whova, StreamYards, etc.), or participate in or use our GitHub Project sites (collectively, the “Sites”), as well as when you interact with or participate in our events, programs, training, and our other services and offerings, including services accessible through OWASP (collectively, the “Services”). This Privacy Policy applies to activities by OWASP and its affiliates, subsidiaries, and related entities (collectively “OWASP,” “we” or “us”), including activities that we perform for other entities through management services agreements. The Privacy Policy does not apply to information collected about OWASP employees or other OWASP personnel.

For purposes of the GDPR, OWASP is the controller of your personal information. Where the processing of personal information is undertaken by our affiliates, subsidiaries, and related entities, they are a joint controller with OWASP for your personal information.

Capitalized terms that are not defined in this Privacy Policy have the meaning given them in our General Disclaimer or, if you engage with OWASP, then those defined in various OWASP platforms (as applicable, the “Terms”). In this Privacy Policy, “personal information” includes references to “personal data” as defined under applicable laws. Your use of our Sites and Services, and any dispute over privacy, is subject to this Policy and the relevant Terms, including the applicable limitations on damages and the resolution of disputes. The Terms are incorporated by reference into this Policy.

Personal Information That OWASP Collects

We collect personal information directly from individuals, from third parties, and automatically through the Sites and Services. Members must provide essential personal information to permit us to provide Member services. Participants do not have to provide us with your personal information. However, if you choose not to disclose certain information, we will not be able to provide you with access to certain services or features, including account registration, event registration, and training programs, or participation in certain aspects of our open-source projects.

  • Registration Information We collect personal information when you register for an account, a conference or other events or programs:
  • OWASP ID, Account and Profile Information Members may sign up for, request, or order our Services and may register to receive materials from our Sites. Members are given an “OWASP ID” (also called an “OWASP Login”), which is a single sign-on account that is used for common access to many of our Services, including OWASP membership benefits. Personal information collected on the Sites includes community Google groups content, profiles, photographs, names, forwarding information for “owasp.org” email forwarding, unique identifiers (e.g., social media handles or usernames), information about your current and past employment affiliations, contact and billing information (e.g., email address, preferred personal pronoun, postal address, telephone, fax), and transaction information. To access certain personalized services on the Sites, you may be asked to also create and store a username and password for an account from OWASP, and/or to link your OWASP ID account with other providers’ social accounts (such as Facebook, Google, LinkedIn, or GitHub). Also, to tailor OWASP’s subsequent communications to users and continuously improve the Sites’ operations and services, OWASP may also ask users to provide additional optional information regarding their interests, demographics, experience, and detailed contact preferences.
  • OWASP To register for and participate in the OWASP platform and related Services, such as member benefits, users must have an active OWASP ID and account (see above for information collected related to account registration).
  • Events Registration When you register for one of our events (e.g., conferences and summits) to participate as an attendee, a speaker, or a sponsor, we collect personal information that includes name, company, contact information, and other information. We may also collect other optional personal information such as likes, interests, preferred personal pronoun, dietary restrictions, size preferences for conference attire gifts, and other background information. In addition, if you provide it, we may collect (1) personal information about disabilities, medical conditions, and allergies to provide appropriate accommodations for attendees, and (2) personal information about your citizenship, date of birth, and passport details if you request assistance from us with obtaining a visa letter to travel to one of our events. For in-person events requiring attendees to be vaccinated against COVID-19, to provide a safer environment for attendees and staff, we may collect information to verify your identity and COVID-19 vaccination status. We may collect this information via direct verification of identity and vaccination status documents by OWASP staff or third-party contractors, and/or using third-party vaccination status apps and service providers.
  • Training Registration When you participate in one of our training programs, we collect registration-related personal information that includes name, company, certifications, contact information, and other information depending on the circumstances.
  • Registration for Project Resources and OWASP Resources You can register to receive access to various resources provided by OWASP and its Projects regarding the open-source ecosystem, open-source project development, collaboration, and best practices. This includes providing us with personal information such as your email address and name to receive newsletters, mailing list postings, and social media postings, to view webinars, and to access other resources made available by OWASP and its Projects.

Your Contributions to Open-Source Projects

Attribution, Provenance, and Integrity When you contribute source code, documentation, or other content to one of our Projects (whether on your own behalf or through contributions made as part of your employment services to your employer), we collect and store the information and content that you contribute. This includes the contents of those contributions, as well as information required to confirm the provenance of intellectual property contained in those contributions, and personal information that you make publicly available in the record of the contribution pursuant to sign-offs under the Developer Certificate of Origin (https://developercertificate.org/). Some Projects require additional agreements or information pursuant to their intellectual property policies; in such cases, we collect and store information related to your acceptance of those agreements. We may also collect information relating to your participation in technical, governance, or other Project-related meetings.

Other Project-related Content The content you provide in relation to Projects also includes materials that you make publicly available in connection with Project development, collaboration, and communication, such as on mailing lists, blogs, Project wiki pages and issue trackers, and related services.

Applicants for OWASP Foundation Employment and Contractors We collect and store personal information relating to individuals who apply to participate in one or more of our Project-related grant contractor programs, or for employment with OWASP. The personal information collected and stored for OWASP Project-related contracting, or for employment with OWASP, may include your name, address, or other contact information. In addition, if you choose to provide it, we may collect personal information regarding your membership in a diverse or underrepresented group.

Your Content We collect and store the information and content that you post to the Sites, including your questions, answers, comments, forum postings, and responses to surveys. Please see the section on Publicly Available Information for how the information you post will be viewed on our Sites.

Communications When you communicate with us (via email, phone, through the Sites or otherwise), we may maintain a record of your communication.

Payment Information To purchase Services (including membership dues, registering for events or training), users may be asked to be directed to a third-party site, such as Stripe, to pay for their purchases. If applicable, the third-party site may collect payment information directly to facilitate a transaction. OWASP generally only records the result of the transaction and any references to the transaction record provided by the third-party site.

Automatically Collected Information In addition, OWASP may automatically collect the following information about users’ use of the Sites or Services through cookies, web beacons, and other technologies: your domain name; your browser type and operating system; web pages you view; when you open certain emails we send; links you click; your IP address; your country of location; the length of time you visit our Sites and/or use our Services; and the referring URL, or the webpage that led you to our Sites. We may combine this information with other information that we have collected about you, including, where applicable, your username, name, and other personal information. Our use of cookies uses both CloudFlare’s and Google’s analytics, which honor “Do not track” headers if set.

De-identified Information We may de-identify and aggregate certain personal information we collect such that the information no longer identifies or can be linked to a particular user or an individual data subject (“De-identified Information”), subject to the terms of any applicable user agreements. We may use this information to improve our Services, analyze trends, publish market research, and for other marketing, research, or statistical purposes, and may disclose such information to third parties for these specific purposes.

Purposes and Legitimate Interests

OWASP uses the personal information we collect for our legitimate business interests, which include the following purposes:

  • Providing our Sites and Services To provide the Services and our Sites (including OWASP and its service offerings, and Project Sites), to communicate with you about your use of our Sites and Services, to respond to your inquiries, provide troubleshooting of the Sites and for other purposes to support users and the community.
  • Operating our Open-Source Projects To enable communication between and among open source developers in the community; to facilitate and document Project governance and technical decision-making; to maintain, and make publicly available on a perpetual basis, records regarding intellectual property provenance and license compliance for Project contributions; and for related activities to further OWASP’s core purpose of fostering an ecosystem that supports the collaborative and public development of free and open source software projects. See the “Attribution, Provenance and Integrity” section above for more information.
  • Maintain our Training Programs To maintain records about who has attended or registered to attend training programs, and received completion or participation certificates.
  • Event Administration To plan, organize, and facilitate access to events and related services and activities, and to conduct informative and safe events for participants, including attendees, speakers, and sponsors. If you provide us information about disabilities, medical conditions, and allergies, we will use this information to provide appropriate accommodations for attendees and to ensure their health and safety; we will not use this information for other purposes, unless required by law or as necessary to defend our legal rights. If you request assistance from us for obtaining a visa letter to travel to one of our events and provide us with information required for such assistance (such as your citizenship, date of birth, and passport details), we will use this information in order to assist with providing you a visa letter; we will not use this information for other purposes, unless required by law or as necessary to defend our legal rights. For in-person events requiring attendees to be vaccinated against COVID-19, we use information regarding your COVID-19 vaccination status to provide a safer environment for attendees and staff, to confirm vaccination status before permitting access to the event venue space.
  • Contractor and Employment Applications To select participants for our Project-related grant contractor programs or for employment, including the evaluation and selection of contractors or employees from among applicants. If you choose to provide information regarding your membership in a diverse or underrepresented group, we will use this information in connection with diversity programs we may operate; we will not use this information for other purposes, unless required by law or as necessary to defend our legal rights.
  • Personalization. To tailor the content and information that we may send or display to you on our Sites and in our Services, to offer location customization and personalized help and instructions and to otherwise personalize your experiences.
  • Marketing and Promotions For marketing and promotional purposes, such as to send you news and newsletters, special offers, and promotions, or to otherwise contact you about Projects, Services, events, trainings, or other information we think may interest you related to OWASP, and, subject to applicable law, our affiliates, subsidiaries, and managed services entities.
  • Advertising For targeting advertising to you on our Sites and third-party sites and measuring the effectiveness and reach of ads and services (through third-party ad networks and services).
  • Analytics To gather metrics to better understand how users access and use our Sites and Services and participate in our Projects; to evaluate and improve the Sites, including personalization, to develop new services; and to understand metrics regarding the community health of our Projects. If a user voluntarily provides and explicitly consents to our processing of personal information regarding their demographics and socioeconomics, we process such personal information for the specific purposes for which you have consented, which may include for the purpose of compiling, analyzing and disclosing aggregate statistics regarding diversity of participation in open source projects and communities (including in OWASP projects and OWASP Mentorship opportunities), to help track progress towards meeting OWASP’s commitment to diversity initiatives and subject to your consent.
  • Compliance To comply with legal obligations and requests. For example, to comply with laws that compel us to disclose information to public authorities, courts, law enforcement or regulators, maintain records for a certain period, or maintain records demonstrating enforcement and sublicensing of our trademarks and those of our Projects.
  • Business and Legal Operations As part of our general business and legal operations (e.g., accounting, record keeping, and for other business administration purposes), and as necessary to establish, exercise and defend (actual and potential) legal claims.
  • Prevent Misuse Where we believe necessary to investigate, prevent or act regarding illegal activities, suspected fraud, situations involving potential threats to the safety of any person or violations of the relevant Terms or this Privacy Policy.

| Purposes of Processing (see above) | Legal Bases of Processing (EU Users) |
| --- | --- |
| Providing our Sites and Services, including through OWASP | Our Legitimate Business Interests. Where necessary to enter into or perform a contract with you (upon your request, or as necessary to make the Services available). Compliance with Law. Where permitted, with Your Consent (where we process any sensitive personal information you voluntarily provide, e.g., for diversity-related purposes) |
| Operating our Open-Source Projects | Our Legitimate Business Interests. Where Necessary to Enter into or Perform a Contract with You (upon your request, or as necessary to enable your participation in the Projects or to make the Services available). Compliance with Law. As necessary to establish, exercise and defend legal claims |
| OWASP Contractor and Employment Applications | Our Legitimate Business Interests. Where Necessary to Enter into or Perform a Contract with You (upon your request, or as necessary relating to Your application for an OWASP internship or employment position). Compliance with Law. Where permitted, with Your Consent (where we process any sensitive personal information you voluntarily provide – e.g., for diversity-related purposes) |
| Event Administration | Our Legitimate Business Interests. Where Necessary to Enter into or Perform a Contract with You (upon your request, or as necessary to make the Services available). Compliance with Law. With Your Consent (regarding your sensitive personal information – e.g., disability and medical conditions, COVID-19 vaccination status, and information related to a visa letter request). Where Necessary in Order to Protect the Vital Interests of You or of Another Natural Person, and for Reasons of Public Interest in the Area of Public Health (regarding COVID-19 vaccination status) |
| Offer Training Programs | Our Legitimate Business Interests. Where Necessary to Enter into or Perform a Contract with You (upon your request, or as necessary to make the Services available). |
| Personalization | Our Legitimate Business Interests. |
| Marketing and Promotions | Our Legitimate Business Interests. With Your Consent |
| Advertising | Our Legitimate Business Interests. With Your Consent |
| Analytics | Our Legitimate Business Interests. Where permitted, with Your Consent (where we process any sensitive personal information you voluntarily provide – e.g., for diversity-related purposes) |
| Compliance | Our Legitimate Business Interests. Compliance with Law. As Necessary to Establish, Exercise and Defend Legal Claims |
| Business and Legal Operations | Our Legitimate Business Interests. Compliance with Law. As Necessary to Establish, Exercise and Defend Legal Claims |
| Prevent Misuse | Our Legitimate Business Interests. Compliance with Law. As Necessary to Establish, Exercise and Defend Legal Claims |

Sharing of Personal Information

We disclose personal information as set forth below, and where individuals have otherwise consented:

  • Publicly Available Information, including Your Contributions to Open-Source Projects Usernames, other user ids, email addresses, and other attribution information related to the information and contributions that a member posts in conjunction with or subject to an Open-Source license are publicly available in the relevant Project source code repositories. Your contributions to Open-Source Projects, and certain of your other Content such as comments and messages posted to public forums, are available to other participants and users of our Projects and of our Services and may be viewed publicly. In some cases, you may be able to provide Project or contribution-related information directly to third-party sites and services; these third parties are independent data controllers, and their use of your personal information is subject to their own policies.
  • OWASP Within OWASP, in addition to the other specific disclosures set forth in this Privacy Policy, we disclose certain of your information to enable you to receive, participate in and make use of OWASP Services, including engagement with open-source projects and communities through Mail Chimp, which is used to communicate with our members and participants.
  • Service Providers We may share your information with third-party service providers who use this information to perform services for us, such as payment processors, hosting providers, auditors, advisors, contractors, and consultants.
  • Organizational Events We may disclose or transfer information, including personal information, as part of any merger, sale, and transfer of our assets, or restructuring of all or part of our business operations, bankruptcy, or similar event, including in negotiations, due diligence, and integrations related to such transactions.
  • Event Participants If you register for an event, we may ask for your consent to share your personal information with third-party sponsors and other participants; for example, to facilitate your ability to swipe your badge or visit and interact with a virtual booth to easily sign up for or participate in activities, events, and gifts offered by third parties participating in the event, or to give you the option to be listed on the attendee list that is available to other attendees, sponsors, and participants. We will not share your event information with third parties without your consent, and you have the choice whether to permit your badge to be swiped by any third party participating in the event, or to visit and interact with a third party’s virtual booth. For in-person events requiring attendees to be vaccinated against COVID-19, we may use third-party service providers to validate your identity and COVID-19 vaccination status.
  • Training and Program Sponsors If you participate in one of our training programs that a third party has sponsored or engaged us to provide to you and others (e.g., your employers), we may receive attendee list information from them and may share information about your completion of the program, including confirmation of your participation as applicable; these third parties are independent data controllers and their use of your personal information is subject to their own policies. You may also elect to provide third parties (e.g., your employers or your prospective employers) with information that will enable them to look up your participation status; if you do so, we may share your participation status with such third parties.
  • Legally Required We may disclose your information if we are required to do so by law (including to law enforcement in the U.S. and other jurisdictions).
  • Protection of Rights We may disclose information where we believe it necessary to respond to claims asserted against us, to comply with legal process (e.g., subpoenas or warrants), to enforce or administer our agreements and terms, for fraud prevention, risk assessment, and investigation, and to protect the rights, property or safety of OWASP, its Members, participants in its events or Projects, or others.
  • Anonymized and Aggregated Information We may share aggregate or de-identified information with third parties for research, marketing, analytics, and other purposes, provided such information does not identify a particular individual.

Cookies, Tracking, and Interest-Based Ads

We and our third-party providers use cookies, clear GIFs/pixel tags, JavaScript, local storage, log files, and other mechanisms to automatically collect and record information about your usage and browsing activities on our Site and across third party sites or online services. We may combine this information with other information we collect about users. Below, we provide a summary of these activities.

  • Cookies These are small files with a unique identifier that are transferred to your browser through our websites. They allow us to remember users who are logged in, to understand how users navigate through and use the Sites, and to display personalized content and targeted ads (including on third party sites and applications).
  • Pixels, web beacons, clear GIFs These are tiny graphics with a unique identifier, similar in function to cookies, which we use to track browsing activities. We use these as part of our Training Affiliate Program. We also use these in our emails to let us know when they have been opened or forwarded, so we can gauge the effectiveness of our communications.
  • Analytics Tools We may use internal and third-party analytics tools, including Google Analytics. The third-party analytics companies we work with may combine the information collected with other information they have independently collected from other websites and/or other online products and services. Their collection and use of information is subject to their own privacy policies.
  • Targeted Ads We may work with third party advertisers to display more relevant ads on our website and on third party sites; these third parties may display ads to you based on your visit to our Sites and other third-party sites. For more information about this and how you can opt out of such ads, please see our Cookie Policy.

Please note that OWASP has no control over how CloudFlare or Google Analytics respond to browser “do not track” signals or other similar mechanisms.

Data Security

We have implemented commercially reasonable precautions designed to protect the information we collect from loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Please be aware that despite our best efforts, no data security measures can guarantee 100% security.

You should take steps to protect against unauthorized access to your passwords, phone, and computer by, among other things, signing off after using a shared computer, choosing robust passwords that nobody else knows or can easily guess, not using a password for more than one site or service, and keeping your logins and passwords private. We are not responsible for any lost, stolen, or compromised passwords or for any activity on your account via unauthorized password activity. We ask you to promptly notify us if you become aware that any information provided by or submitted to our Sites or through our Services is lost, stolen, or used without permission at [email protected].

Marketing Choices

You may opt out of or withdraw your consent to receive direct marketing emails from us by using the unsubscribe or opt out mechanisms included in our marketing emails or by emailing [email protected]. You may also unsubscribe from mailing lists via the applicable mailing list’s subscription website or, in some cases, by using the unsubscribe mechanisms included in such emails.

Retention of Your Personal Information

We generally keep personal information only for as long as required to fulfill the purposes for which it was collected. However, in some circumstances, we may retain personal information for other periods of time, for instance where we are required to do so in accordance with legal, tax and accounting requirements, or if required to do so by a legal process, legal authority, or other governmental entity that has authority to make the request, for so long as required. In specific circumstances, we may also retain your personal information for longer periods of time corresponding to a statute of limitation, so that we have an accurate record of your dealings with us in the event of any complaints or challenges.

International Transfers

If you are located within the European Economic Area, the United Kingdom or Switzerland, you should note that your personal information will be transferred to countries outside these jurisdictions, including the United States where OWASP is located. The U.S. is deemed by the European Union to provide inadequate data protection. However, we have put in place European Commission approved Standard Contractual Clauses to provide for adequate safeguards to protect personal information transferred outside these jurisdictions, including between OWASP entities. In addition, if personal information is transferred to third party service providers located outside these jurisdictions, we will take steps to ensure that your personal information receives the same level of protection as if it remained within these jurisdictions, including by entering into data transfer agreements, using the European Commission approved Standard Contractual Clauses or other safeguards as approved by the European Commission. You have a right to obtain details of the mechanism under which your personal information is transferred outside of the EU by emailing [email protected].

Children’s Privacy

Except as specifically indicated within a Site, we do not knowingly collect or solicit personal information from anyone under the age of eighteen (18), or knowingly allow such persons to register. If we become aware that we have collected personal information from a child under the relevant age without parental consent, we take steps to delete that information. Where we specifically indicate that we collect personal information from minors under eighteen, we will obtain the parent or guardian’s consent and provide adequate notice.

The Sites may contain links to third party sites or online services. Please refer to the privacy policies of the relevant third-party websites or services to find out more about how they process and manage personal information.

Your Rights

Access and Amendment If you have registered with us and created an OWASP ID profile or an OWASP Account and wish to access or update certain personal information contained therein, you may do so online by visiting the OWASP Member portal at https://members.owasp.org/. You may also contact our privacy coordinator, as set forth below, to access or amend your personal information.

Additional Rights for EEA individuals

Individuals in the European Economic Area (and other jurisdictions where applicable) have additional rights under applicable law:

  • to obtain a copy of your personal information together with information about how and on what legal basis that personal information is processed.
  • to rectify inaccurate personal information (including to have incomplete personal information completed).
  • to erase your personal information (in limited circumstances, such as where it is no longer necessary in relation to the purposes for which it was collected or processed).
  • to restrict processing of your personal information under certain circumstances.
  • to export certain personal information in machine-readable format to a third party (or to you) when we justify our processing based on your consent or the performance of a contract with you and the processing is carried out by automated means.
  • to withdraw your consent to our processing of your personal information (where that processing is based on your consent, without affecting the lawfulness of processing based on consent before its withdrawal).
  • to obtain, or see a copy of the appropriate safeguards under which your personal information is transferred to a third country or international organization; and
  • to object to our use and processing of your personal information that is conducted based on our legitimate interest. You also have the right to object at any time to any processing of your personal information for direct marketing purposes, including profiling for marketing purposes.

Lodging a Complaint You also have the right to lodge a complaint with your local supervisory authority for data protection, or privacy regulator.

Submitting a Request To exercise the above rights or contact us with questions or complaints regarding our treatment of your personal information, contact us at [email protected]. Please note that we may request proof of identity, and we reserve the right to charge a fee where permitted by law, especially if your request is manifestly unfounded or excessive. We will respond to your request within the applicable timeframes set out by law.

California Privacy Rights

California law permits users who are California residents to request and obtain from us once a year, free of charge, a list of the third parties to whom we have disclosed their personal information (if any) for their direct marketing purposes in the prior calendar year, as well as the types of personal information disclosed to those parties. If you are a California resident and would like to request this information, please submit your request in an email to [email protected]. We may ask you to verify your California residency.

Contact Us

If you have questions or suggestions about this Privacy Policy, or the information collected under this Privacy Policy, please email us at [email protected] or contact us directly. If you have any questions about our practices or this Privacy Policy, please contact us at [email protected], or write to us at: OWASP, Attn: Legal Department, 300 Delaware Ave. Ste. 210 #384, Wilmington DE 19801. You can also reach our EU entity, OWASP Europe vzw, whose registered address is Leinstraat 104A, 9660 Opbrakel, Belgium, situated in the court district of Oudenaarde/Brakel, but any correspondence with that entity will take some considerable time.

Depending on your jurisdiction, you also may have the right to lodge a complaint with a supervisory authority competent for your country or region.

Portions (C) 2022 Linux Foundation. This privacy policy is forked from the Linux Foundation’s Privacy Policy with their written permission, and updated by the OWASP Executive Director. As a condition of re-use, the Linux Foundation requested OWASP obtain qualified legal review of the forked policy, to which we agreed. As of the time of writing this draft has not been reviewed by qualified legal counsel; review will occur after the OWASP Community Review Process. Any errors or omissions are solely the responsibility of the OWASP Foundation.