Updated: August 2021
Escal Institute of Advanced Technologies, Inc., which does business as SANS Institute, is sensitive to privacy issues on the Internet. We believe it is important that you understand how we treat the information you may provide to us. This privacy statement applies to information collected by the websites we manage and control, including sans.org, sans.edu, giac.org, and other domains owned and operated by The Escal Institute of Advanced Technologies, Inc. / dba SANS Institute, GIAC, and SANS Technology Institute hereafter referred to collectively as SANS.
In the normal course of business, we will collect both personal information about you and non-personal information associated with you. We will always endeavor to protect this information, hold it in confidence, and protect it from theft. In general, we utilize both non-personal and personally identifiable information that you provide to us or that we collect in the normal course of business to communicate with you about our service and product offerings and deliver those offerings in an efficient manner. For these purposes, SANS employees, instructors or authorized contractors and third-party agents will have access to some or all of this non-personal and personally identifiable information.
Unless specifically stated otherwise, the information you provide or that is associated with you is never shared with anyone other than SANS employees, instructors, or authorized contractors and agents. SANS never trades or sells its student's personal information except as provided in this policy.
How We Gather Information
SANS and its affiliates gather and store information in many ways, including but not limited to the following:
Your SANS Dashboard Account: To save you time and make our web services even easier to use, you may create a SANS dashboard account using your personal information. You may do this by visiting https://www.sans.org/account/. The SANS account dashboard system saves your information and references it to your email address and password. The next time you visit the SANS website, you can simply enter your email address and password. If you purchase a product or service from us, we request certain personally identifiable information from you on our order form. You must provide contact information (such as name, email, and shipping address) and financial information (such as credit card number, expiration date) though SANS does not retain credit card information after your transaction is completed. We use this information for billing purposes and to fill your orders. If we have trouble processing an order, we will use this information to contact you. We also use the mailing address to send you conference brochures and other items of interest.
Event or course registration: When you register online for a conference, we collect the information you provide us, including your name, contact information, affiliation, the name and location of the course, and attendance information. We use this information to ensure that you are properly registered for the course you have selected, and to notify you about other courses that may be of interest to you. We also use this information in the course of fulfilling our obligations to provide the course to you, including providing you course materials and contacting you with respect to the course itself. In addition, student evaluation forms, together with the identity of the student completing the evaluation, may be made available to SANS employees responsible for evaluating the quality of the course, including the instructors themselves.
Your employer: Many organizations purchase vouchers that may be used by their employees to pay for SANS training. By using a voucher, the student understands and agrees that their student data, including contact information and course-related data may be shared with the organization's designated contact. If your employer has purchased SANS Security Awareness training, your company email address may have also been provided to us by your organization. This information is used solely for the purposes of deploying purchased training across your organization.
Vendor-sponsored events/webcasts: When you register for a free vendor-sponsored webcast, your contact information may be shared with the sponsoring vendor. The information SANS provides to the vendor is for their organization only and the sponsoring vendor agrees not to share or resell the provided information. The data given to the sponsoring vendor includes email address, first name, last name, title, work phone, company name, address, city, state, postal code and country.
Contest or surveys: SANS may occasionally provide you the opportunity to participate in contests or surveys on our site. If you participate, we may request certain personally identifiable information from you. Participation in these surveys or contests is completely voluntary and you therefore have a choice whether or not to disclose this information. The requested information typically includes contact and demographic information such as name and address. We may share aggregated demographic information about our user base with our partners and advertisers. This information does not identify individual users.
Normal course of business: When you contact SANS, we may keep a record of your communication to help solve any issues you might be facing. We may use your email address to inform you about our services, such as letting you know about upcoming changes or improvements.
Marketing and communications channels: SANS may use Twitter, Facebook or other social media outlets to market and promote its offerings and services. Any communications you make with SANS using these media may be used by SANS in accordance with this policy.
Vendors, Suppliers, or Other Access to Your Information
SANS may be liable, in the event of damages, if we choose a third party to process your personal data when or while we know that the third party processes your data in a manner that is inconsistent with the Privacy Shield Principles and we are responsible for the event.
Legal Access to Your Information
We may share personal information with companies, organizations or individuals outside of SANS if we have a good-faith belief that access, use, preservation or disclosure of the information is reasonably necessary to:
- meet any applicable law, regulation, legal process or enforceable governmental request.
- detect, prevent, investigate or otherwise address fraud, security or technical issues.
- protect against harm to the rights, property or safety of SANS, our users or the public as required or permitted by law.
GIAC Certification Information
GIAC Certified Professionals are listed on the GIAC website and their identities and certifications are considered public information. Published data includes Analyst Number, Certification Holder's Name and Certification Expiration Date. No personal contact information is published.
Information that We Collect from You on Our Websites
We also may use various technologies to collect information from your computer or device and about your activities on our Websites.
1. Information collected automatically. We may automatically collect information from you when you visit our Websites. This information may include your IP address, your browser type and language, access times, the content of any undeleted cookies that your browser previously accepted from us, referring or exit website address, internet service provider, date/time stamp, operating system, locale and language preferences, and system configuration information.
2. Cookies. When you visit our Websites, we may assign your computer or device one or more cookies to facilitate access to our site and to personalize your online experience. Some of these cookies are necessary for the website to function, and others provide enhanced functionality and personalization. Other cookies help us measure and improve the performance of our Websites, and some of the cookies are used to build a profile of your interests and show you relevant content and advertisements on other websites. Through the use of a cookie, we also may automatically collect information about your online activity on our site, such as the web pages you visit, the links you click, and the searches you conduct on our site. Most browsers automatically accept cookies, but you can usually modify your browser setting to decline cookies. If you choose to decline cookies please note that you may not be able to sign in or use some of the interactive features offered on our Websites. A cookie is a small text file that is stored on a user’s computer or device for record keeping purposes. Cookies can be either session cookies or persistent cookies. A session cookie expires when you close your browser and is used to make it easier for you to navigate our website. A persistent cookie remains on your computer or device for an extended period of time. For example, when you sign in to our Websites, we will record your user or member ID, which is your email address, and the name on your user or member account in the cookie file on your computer or device. We store your unique member ID in a cookie for automatic sign-in. This cookie is removed when you sign-out. For security purposes, we will encrypt the unique member ID and any other user or member account-related data that we store in such cookies. In the case of sites and services that do not use a user or member ID, the cookie will contain a unique identifier. We may allow our authorized service providers to serve cookies from Websites to allow them to assist us in various activities, such as doing analysis and research on the effectiveness of our site, content and advertising.
For more about the cookies used on our Websites, please see our Cookie Notice .
You may delete or decline cookies by changing your browser settings (click “Help” in the toolbar of most browsers for instructions). If you do so, some of the features and services of our Websites may not function properly. You also may manage your cookie preferences on our Websites by visiting our Cookie Notice and choosing “Cookie Settings.”
3. Other technologies. We may use standard Internet technology, such as web beacons and other similar technologies, to track your use of our Websites. We also may include web beacons in promotional e-mail messages or newsletters to determine whether messages have been opened and acted upon. The information we obtain in this manner enables us to customize the Services we offer to users of our Websites to deliver targeted advertisements and to measure the overall effectiveness of our online advertising, content, programming or other activities. Web beacons (also known as clear gifs, pixel tags or web bugs) are tiny graphics with a unique identifier, similar in function to cookies, and are used to track the online movements of web users or to access cookies. Unlike cookies, which are stored on the user’s computer hard drive, web beacons are embedded invisibly on the web pages (or in email) and are about the size of the period at the end of this sentence. Web beacons may be used to deliver or communicate with cookies, to count users who have visited certain pages and to understand usage patterns. We also may receive an anonymous identification number if you come to our site from an online advertisement displayed on a third-party website.
Information Collected From Other Sources
We may also obtain both Personal Information and other information about you from third party companies such data aggregation firms that sell public information and append this data to other information we have collected. Examples of such information that we may receive include: updated postal and email addresses, as well as corporate and additional demographic information. We may combine this information with information we collect through our Websites or from other sources.
Marketing & Advertising, Including on Other Websites
We engage third-party companies, including but not limited to Google, to place and track advertisements on third-party websites. Like most advertisers, we place advertisements where we think they will be most relevant to customers. We place advertisements by developing and using our own marketing segments that may combine online and offline information about our current and prospective customers. In addition, we may use marketing segments provided by online publishers and network advertising companies. You may choose to opt-out of such internet-advertising campaigns by visiting the Network Advertising Initiative's Consumer Opt-Out page at https://www.networkadvertising.org/choices/.
Network advertising companies that provide these services have their own privacy policies and are not subject to our online privacy statement. Many of these companies provide ways to avoid targeted advertising provided by, or thru, them. We may base these campaigns on non-personal information collected about you (e.g. we may track site activity and then deliver ads via third-party sites related to cookies associated with these activities), or on personally identifiable information (e.g. we may select a subset of cookies associated with certain courses taken, and customize an informational campaign more relevant to, say, penetration testers than incident responders).
How We Protect Your Personal Information
SANS safeguards the security of the data you send us with physical, electronic, administrative and managerial procedures. Likewise, we urge you to take every precaution to protect your personal data when you are on the Internet. These precautions include storing passwords in a reputable password manager, using unique passwords for every website or application, changing your password often, using a combination of letters, numbers and symbols, and using a secure browser over a secured network.
The SANS website currently uses at least TLS v1 encryption on all web pages where personal information is submitted. This is designed to protect the confidentiality of your personal and credit card information as it is transmitted to us over the Internet.
SANS has designed its system to not store credit card numbers on our servers. Credit card numbers are submitted to a credit card authorization service. This service provides SANS with credit card validation information only. We do not have access to your personal financial data.
SANS may employ independent contractors to help manage data services, and such contractors may have access to data, similar to the access we give our employees. For example, we may choose to use a third-party application service to manage our customer relationship management activities, and SANS may store sales account data, including personally identifiable information, with such a service provider. We endeavor to ensure that these third-party providers are protecting your information, but we are not ultimately responsible for their practices.
Access and Use of Your Personal Information
To review and update your personal contact information, simply visit https://www.sans.org/account/ and log in with your email address and password, then select "Personal Information" under your name. We encourage you to review your preferences regularly to keep the information current.
You may choose to unsubscribe from our marketing communications by following the instructions or unsubscribe mechanism in the message you received.
If at any time after registering for information, your personal data changes, you change your mind about receiving information from us, wish to cancel your account or request that SANS no longer use your information to provide you services, contact us at firstname.lastname@example.org to have the information changed or removed, subject to our need to comply with our legal obligations or contractual agreements.
Newsletters and Promotional Emails
If you no longer wish to receive our newsletters and promotional communications from SANS, you may opt-out of receiving them by following the instructions included in each newsletter or communication or by accessing your preferences by logging into https://www.sans.org/account/ as described in the previous paragraph.
Links To Other Sites
The SANS web site contains links to other sites that are not owned or controlled by SANS. Please be aware that SANS is not responsible for the privacy or security practices of such other sites. We encourage you to be aware when you leave our site and to read the privacy statements of each and every web site that collects personally identifiable information.
Information Obtained From Third Parties
SANS does not sell or trade your personal information. We may at times receive contact lists from other organizations. We may send mailings such as brochures to these addresses. Typically, these are one-time mailings, and the data is not entered into our database. If you want to remove yourself from the third party's database, you must contact them directly. These mailings have a brochure code printed on the mailing label. By providing this code, we will be able to tell you from what provider we received your contact info.
Statement Regarding Privacy Shield
SANS complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework (Privacy Shield) as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and the United Kingdom and Switzerland to the United States.
You may be aware that a recent court decision has called into question the validity of Privacy Shield. While SANS is waiting for detailed guidance from the relevant Regulators, SANS has taken steps to ensure our processing remains lawful and transparent.
SANS data is processed within the EU, the United Kingdom and other relevant jurisdictions. Data is also securely stored on servers within the United States of America. SANS remains confident that its processing activity is secure and complies with the protections provided within the General Data Protection Regulation 2016. We have taken steps to ensure that all sub processors that we engage have provided us with appropriate assurances in the form of ‘standard contractual clauses’. SANS itself also abides by all the principle requirements of these legal protections. We would however bring to your attention the current issues in relation to Privacy Shield.
By using SANS services and products you are consenting to the processing of your data in the United States of America. You can find further information on Privacy Shield via this link.
SANS has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to the EU Data Protection Authorities (DPAs), or where applicable instead, to the Swiss Federal Data Protection and Information Commissioner. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit the following web site for more information and to file a complaint with the EU DPAs: http://ec.europa.eu/justice/data-protection/article-29/structure/data-protection-authorities/index_en.htm.
If you have exhausted all other means to resolve your complaint, you may be able to engage in binding arbitration.
SANS' commitments under the Privacy Shield are subject to the investigatory and enforcement powers of the United States Federal Trade Commission.
California Privacy Rights
California Civil Code Section 1798.83, also known as the “Shine The Light” law, permits our users who are residents of the State of California in the United States to annually request and obtain, at no charge, information about the personal information (if any) we have disclosed to third parties for direct marketing purposes in the preceding calendar year. This information would include a list of the categories of personal information that was shared and the names and addresses of all third parties with which we shared information in the immediately preceding calendar year. If you are a California resident and would like to make such a request, please submit your request to the email@example.com
Our services are not directed to children under the age of 13. We do not knowingly collect personal information from children under the age of 13, nor do we knowingly distribute such information to third parties. If we become aware that we received personal information from someone under the age of 13, we will take steps to delete such information from our records. If you believe we have personal information from someone under 13, please contact us firstname.lastname@example.org.
Changes To This Privacy Statement