SANS Privacy Policy

Updated: December 2021

SANS INSTITUTE PRIVACY POLICY

The Escal Institute of Advanced Technologies (SANS) is a US Company specializing in information security and cybersecurity training. SANS also operates its Global Information Assurance Certification (“GIAC”) programs and academic programs offered through the SANS Technical Institute (“STI”).

SANS is the data controller of your personal information. We respect the privacy of our customers and users. This Policy explains what we do to protect your privacy and comply with data protection laws.

This Policy relates to our websites and our services, as well as data that is collected from business partners and survey responses or competition entries.

When we refer to “Websites” we mean www.sans.org as well as the other websites that we operate and that link to this Policy, including www.giac.org and www.sans.edu.

We need to collect Personal Information to provide services to you. Sometimes, we provide your Personal Information to third parties to help us provide our services. If you are not willing to provide your Personal Information and have it disclosed to third parties in accordance with this Policy, you will not be able to use our services.

Basis of Processing

On most occasions we process your data based on your consent or because the data is necessary for us to fulfill our contractual obligations to you. You don’t have to provide consent; however, you may be unable to use some of our services if you do not allow us to process your personal data.

Our Websites may contain links to other websites which are not owned by SANS. You should review the privacy statements of all third-party websites you visit to understand how your data will be processed.

Personal Information We Collect

You will be asked to provide personal data when you create an account, make a purchase, or contact us for support. We also collect data recording how you interact with our services. We may also obtain information about you from our business partners or other third parties.

We may receive and collect certain data automatically, for example from website analytics, information from your internet browser when you visit our Websites, and information collected by cookies. We may collect Personal Information that can identify you, such as your name and email address, and other information that does not identify you.

Information Provided by You

When You Set Up a SANS Account

We collect your name, email address, phone number(s), address, company, department, job function, industry, organizational memberships, and geographic region to create a SANS account. We also process and store data associated with training assignments, including scores on assessments you undertake, data associated with your registration for content such as webcasts and Summits, and data associated with your use of content provided by our Websites.

When You Use Our Websites

We use various technologies to collect information from your computer or device and about your activities on our Websites. These are detailed below:

  1. Information automatically collected such as your IP address, your browser type and language, access times, the content of any undeleted cookies that your browser previously accepted from us, referring or exit website address, internet service provider, date/time stamp, operating system, locale and language preferences, and system configuration information.
  2. Cookies. When you visit our Websites we may assign your computer or device one or more cookies to facilitate access to our site and to personalize your online experience. These cookies may relate to tools such as Google Analytics and similar technologies. Through cookies we also may automatically collect information about your online activity on our site, such as the web pages you visit, the links you click, and the searches you conduct on our site. Please see our Cookie Policy for more detail.
  3. Other technologies. We may use standard internet technology, such as web beacons and other similar technologies, to track your use of our Websites. We also may include web beacons in promotional email messages or newsletters.

Information Collected from Other Sources

We may also obtain information about you from advertising companies, ad networks, business partners, contractors, and other third parties and add it to our account information or other information we have collected. We only do this where there is a lawful basis for processing your information, such as your consent.

Employer-Sponsored Training

If your employer sponsors your training and provides us with your Personal Information, SANS acts as a data controller and your employer is also a data controller. SANS will work with your employer to fulfill any data rights requests. Your information and training records will only be shared with you, your employer, and our authorized service providers, as detailed below.

How We Use Personal Information

We use the Personal Information we collect for a variety of purposes. The legal basis for our processing of Personal Information will depend on the context in which we collect it.

General Uses

We may use information that we collect about you to:

  • deliver the services that you have requested
  • manage your account and provide you with customer support
  • perform research and analysis about your use of or interest in our services, our content, or products, as well as services or content offered by others
  • communicate with you by email, postal mail, telephone, our websites, our applications, and/or mobile devices about products, services, or resources that may be of interest to you either from us or other third parties
  • enforce our terms and conditions
  • manage our business and perform functions as otherwise described to you at the time of collection
  • for legal compliance purposes
  • occasionally notify you about special sales or services to personalize your experience with SANS (you can opt out if you wish)
  • process payment for any purchases or sales made on our Websites, to protect against or identify possible fraudulent transactions, and otherwise as needed to manage our business

How Long We Retain Your Personal Information

We will retain your Personal Information for as long as is needed to offer you services or comply with our legal obligations. For Personal Information that we process on behalf of a business partner or your employer, we will retain such Personal Information in accordance with the terms of our agreement with them.

Sharing your Personal Information

We share your Personal Information where it is necessary to provide the Services, including sharing information with third-party service providers; when required by law; to protect rights and safety; and with your consent. These third parties are detailed below.

  • Authorized service providers: These services may include fulfilling orders, processing credit card payments, delivering materials, providing customer service and marketing assistance, performing business and sales analysis, supporting our Website functionality, and supporting contests, promotions, sweepstakes, surveys and other features offered through our Websites. These service providers may have access to Personal Information needed to perform their functions but are not permitted to share or use such information for any other purposes.
  • Co-Sponsoring organizations: Some SANS training events are co-sponsored by other organizations. Examples include SANS Private Training events, sponsored webcasts, or sponsored whitepapers. When you register for an event, the co-sponsoring organization may have access to your registration data where you agree and provide your explicit consent.
  • GIAC Certification Information: GIAC Certified Professionals are listed on the GIAC website and their identities and certifications are considered public information. Published data includes Analyst Number, Certification Holder’s Name and Certification Expiration Date. No personal contact information is published.
  • Business partners: When you make purchases or engage in promotions offered through our Websites, we may share Personal Information with your consent with the businesses with which we partner to offer you those Services, promotions, contests and/or sweepstakes.
  • Other situations: We also may disclose your information where required by law, in response to a court order, or to prevent or detect crime.
  • Aggregated and Non-personal Information: We may share aggregated and non-personal information we collect under any of the circumstances set forth in this Policy.

Your Privacy Rights

How You Can Access Your Information

If you have an online account with us, you can review your Personal Information by logging into your account. You can also update your Personal Information by contacting us.

You can ask us to delete, rectify, or port your data by submitting a request through your account or by contacting privacy@sans.org.

We will handle your request as soon as possible; however, we may still need to retain certain information, for example for legal purposes.

Opt-Out

We will not share personal data without your permission, unless it is necessary for us to provide services to you.

You can opt out of non-essential use of your data at any time by selecting the “Opt-Out” link found in the footer of the communication or on our Websites and following the instructions, or by contacting us.

If you opt out of receiving promotional communications, you may continue to receive emails and notifications relating to business-related communications.

The General Data Protection Regulation (GDPR)

If you are a European citizen, the General Data Protection Regulation (GDPR) is applicable to our use of your data. The lawful basis for processing your Personal Information will depend on the Personal Information concerned and the specific context in which we collect it as detailed above. Under the GDPR you have a number of rights. For example, you can request to see a copy of the data we process about you, to delete or rectify your data, or to transfer your data elsewhere. You also have the right to make a complaint to your local supervisory authority and in the first instance to our Data Privacy department.

If you wish to exercise any of your rights, please contact us via email at privacy@sans.org.

You should be aware that your Personal Information may be transferred to, stored, and processed within the United States and other jurisdictions outside of the USA and EU. We will always work with suitable and safe partners who process data on our behalf and will take all appropriate measures to safeguard your information including applying standard contractual clauses to ensure data security.

California Privacy Rights (CCPA)

If you are a California resident, the California Consumer Privacy Act (CCPA) grants you certain rights and imposes restrictions on particular business practices. SANS always complies with the requirements of the CCPA as outlined within this privacy notice. California residents may make a Request to Know up to twice every 12 months. The CCPA prohibits discrimination against California residents for exercising their rights under the CCPA. SANS acts in accordance with its duties under the law and will never discriminate against a student for exercising their legal rights. If you are offered the opportunity to sign up for a webcast, we will seek your consent. Registration data for Webcasts is provided to the Sponsor for the purposes of advertising their services. Where SANS is required to assign a value to the data provided, we will always use a reasonable method to determine this.

If you are a California resident, you may specifically instruct us not to sell your Personal Information. SANS does not sell personal data of its students. If you are a California resident and would like to make a request to exercise your rights under the CCPA, please contact privacy@sans.org. We will respond to verifiable requests received from California residents as required by law. For more information about our privacy practices, you may contact us as set forth in the Section below entitled “Contact Us.”

Federal Education Rights and Privacy Act (FERPA)

SANS values the student’s right to privacy. SANS Technology Institute (STI) adheres to a federal law called the Family Educational Rights and Privacy Act (FERPA) that sets privacy standards for student educational records. The Act serves two primary purposes: It gives eligible students more control over their educational records, and it prohibits educational institutions from disclosing “personally identifiable information” in education records without the written consent of an eligible student. To review our full FERPA policy, please visit the Federal Education Rights Privacy Act Policy.

Children’s Personal Information

When SANS works with children under the age of 17, we always seek appropriate parental consent to process data.

Other Important Information

Security

The security of your Personal Information is important to us. We follow generally accepted standards to protect the Personal Information provided to us by taking all measures necessary, including physical, electronic, and procedural measures. You should also be aware that the internet is a global communications vehicle open to threats, viruses, and intrusions from others, so we cannot promise - and you should not expect - that we will be able to protect your Personal Information at all times and in all circumstances.

Contact Us

To make a request or exercise your data privacy rights, if you have a complaint, or if you have any questions or suggestions regarding this Policy or our processing of your Personal Information, please contact us at privacy@sans.org.