Updated Privacy Policy


Andrew van der Stock

Jan 14, 2022, 6:07:40 PM
to Leaders, Global-board, OWASP Staff
Hi everyone,

Please review the draft OWASP Privacy Policy via the Community Review Process.

During the process of reviewing our GDPR status for the Board, the first step was to review our privacy policy to determine what controls we should be enforcing. It immediately came to light that our privacy policy had never been formally approved by the Board. Upon reading it, it also didn't cope with GDPR. So I reached out to the Linux Foundation to re-use theirs for various reasons - primarily because it deals with GDPR thoroughly, and also copes with what we actually do with your data in OWASP's cloud-based infrastructure. As an application security non-profit, we work hard to adhere to the highest privacy regulations and standards.

I hope to bring it to the Board for approval in February, along with a comprehensive report on GDPR status for the Board. Fixing the privacy policy is obviously a key missing gap.

All of OWASP's services are hosted in the cloud and protected by strong authentication. I don't think any of our cloud services are hosted outside the US, so please take this into consideration during your review. You may need to go to the various platforms to identify their privacy policies and controls in relation to GDPR. Generally, our selection of platforms complies with GDPR, but I don't know for sure yet (which is why the Board asked for a report on GDPR compliance!).

We may transmit, store, or process your information in the following cloud services:
  • Google GSuite for owasp.org and owasp.com (staff) authentication, email, documents, and other services
  • Copper CRM - this is our main repository for your personal information
  • Jira - contains ticket information that may include personal information if you've submitted it
  • Stripe - stores payment information, but we can't see much due to Stripe's design
  • Meetup to conduct chapter meetings
  • EventBrite and Whova to conduct events and training
  • Wufoo forms for various purposes, including speaker and trainer agreements
  • DocHub for signing contracts (generally B2B, but sometimes speaker and trainer agreements with personal information)
  • MailChimp to send bulk messages (primarily email addresses and mail analytics)
  • Simply Voting to conduct our elections, primarily email addresses and election results
  • GitHub - including 700+ repos that you've disclosed to the public
  • Slack - information that everyone types in
  • Zoom and StreamYard (in trial) for meetings, events, conferencing, training, and webinars
  • Microsoft Azure to run custom glue code via Azure Functions or automation to tie our various systems together. (No information stored here by design)
  • CloudFlare for DDoS and load balancing. (No information stored here by design)
The architecture of our data protection and storage is to concentrate your data into Google services and Copper CRM. We enforce MFA for staff, and we strongly encourage MFA for everyone else.

We are currently selecting a new association management software that could replace Copper CRM, Meetup, and possibly EventBrite, Stripe, and MailChimp, which will reduce the attack surface area from a privacy perspective, and improve customer experience. More as it happens.

Some chapters use other meeting systems such as ConnPass, but these are not official OWASP data stores. Some projects use alternative repos, such as GitLab, which are not official OWASP repos.

thanks,
Andrew van der Stock
Executive Director, OWASP

OWASP Top 10 and OWASP Application Security Verification Standard co-lead