FIRST Privacy Policy

Also available as PDF (117kb)

Version 2 (Effective at April 2020)

The Forum of Incident Response and Security Teams (FIRST or we subsequently) processes personal information in its capacity as a data controller. We collect and process this information according to the policy described herewith.

FIRST respects the privacy of your personal information and does not rent, trade, or share it with third-parties for their marketing purposes.

This policy does not apply to web sites linked from the FIRST site. FIRST recommends reviewing the privacy policy of those respective third-party web sites in addition to ours.

Collection and Usage of Personal Information

FIRST only collects personal information that is relevant to its activities and seeks to ensure the personal information is accurate and up-to-date. FIRST will use your personal information for staying in touch with you and generally for the purposes for which you provided it (as described in more detail below), including in order to:

The personal information that FIRST collects about your use of our services and that you provide to us may occasionally be used to improve our Web Site and wider offerings (on a confidential basis) or to enable us to comply with our legal obligations.

Personal information collected by FIRST may include: your name, address, employment details, and contact details, including your IP address, email address and telephone number. You may choose to inform us in confidence about what gender you identify as, whether you identify as a member of an underrepresented group, and if you have a disability.

Team/Member Database

FIRST maintains member databases that contain mailing, billing, and member profile information (such as your name, address and contact details). The information in these databases is used by authorized FIRST staff members to process orders; mail invoices, purchases, renewal notices, and announcements; respond to Member inquiries; and help us improve our offerings. Member records are maintained as long as an individual (or their team) is a FIRST member and for two years following a membership lapse. Purchases and credit card transactions are retained for as long as required to meet contractual, tax, or auditing needs.

All personally identifiable information contained in FIRST membership and registration databases is treated as confidential and will be used only for the purposes stated in this Policy, except where required by law.

FIRST Emails

FIRST maintains various mailing lists and may send out emails to members or previous attendees of events, such as:

FIRST does not sell, rent, or exchange email addresses of its members and customers, with the exception of sign-ups to events which are organized by a third party. In those cases, contact information will be provided to the organizer. If at any time you decide that you no longer wish to receive any of the emails described above, you may do so by using the "unsubscribe" instructions set out at the bottom of each email.

FIRST Identity

Various FIRST services are access-controlled by the FIRST identity solution. The account is created either by a successful membership application, or if you are joining FIRST activities as a non-member (e.g., attending an event, participation in a Special Interest Group, or sponsoring a FIRST event). A user profile is stored in our membership and account databases. It will consist of the following information: (1) email address, (2) full name, (3) securely stored authentication information (e.g., password or multi-factor authentication secrets), and (4) if provided, additional contact information, such as your public PGP key or other secure communication channels (e.g., Wire, Threema, Signal, Keybase).

Collaboration Platforms

In order to fulfill our mission to bring security teams together, FIRST is using various platforms where members can discuss security-related topics. FIRST is using self-hosted as well as third-party service providers. FIRST leverages its identity management solution to connect to third-party providers in order to provide controlled access by authorized users. FIRST aims to limit the exposure of any sensitive user information.However, it may be necessary to share details with service providers such as full name, user ID, and email address to run the service. Use of third-party collaboration services is opt-in.

Event Registration

When you register for an event, you will provide information, such as full name, address, email, phone number, and payment information. You may also choose, at your discretion, to be listed on the attendee list, state your gender, social media accounts information, and request special meals. We collect this information to register you for conferences, print your badge, and provide other event services. We also share anonymized statistics about job function and industry with businesses that sponsor our events.

Event Attendee List

If you choose to be included on the attendee list for an event, it will include your name, affiliation, and state/country. This list is available for download from our website by the other registered attendees of that conference. You can choose not to be listed on the public list, by choosing the appropriate option during event sign-up.

If a registered attendee contacts us to request another attendee's email address, we request permission before sharing this information.

Payment Information

When you become a member or register for a FIRST event, we collect payment information in order to facilitate the processing of payments. Payment information you submit online will be collected directly by third-party payment processors according to their privacy policies and is not shared with FIRST. If you submit payment information directly to FIRST by another means, we will provide that information to the payment processor.


FIRST is using a third-party financial service provider to provide accounting, tax preparation, and general financial support. Information is shared only as required to fulfill FIRST’s legal requirements to provide proper accounting. In addition, a third-party accounting service is leveraged that stores invoice, bookkeeping, and accounting data.

Event Paper Submissions and Talk/Training Proposals

We use third-party processors to collect paper submissions and conference presentation proposals. This information is accessible to FIRST staff as well as event volunteer organizers (e.g., program committees). Successful submissions are posted on our website, in conference proceedings, in conference directories, and other publicly available locations. Comments made by reviewers in these systems are accessible only to FIRST and conference organizers and are not distributed. Other Voluntarily Shared Data During your interaction with FIRST, you may choose to provide us with personal information when you emailus, chat with us by phone, complete a survey, sign up for event-specific news or a registration waiting list, comment on our blog, communicate with us through social media services such as Twitter, Facebook, or LinkedIn, use the FIRST conference mobile application, collaboration platforms, or through other communication methods. We will use this information only for the purposes it was submitted.


In order to comply with our legal obligations, FIRST needs to validate various information for FIRST teams, their members, and event attendees. This includes the name of the individual, their employer or organization name, address and other contact information. This purpose of this validation is to determine if an organization or individual is listed on a sanctions list or otherwise restricted from participating as a member or attending events. FIRST uses an external service provider for performing this validation. This external provider performs a “fuzzy match” of the information provided by a registrant, member, member-applicant, or any other individual or organization participating with FIRST, against government-provided sanctions lists. Results of these checks are returned to FIRST.

We will ask for your consent before using information for a purpose other than those that are set out in this Privacy Policy.

Technical Personal Information

Other than in the access controlled services that require a FIRST Account, FIRST does not log the identity of visitors. However, we may keep access logs, for example containing a visitor's IP address and search queries. We may analyze log files periodically to help maintain and improve our public services and enforce our online service policies. Raw log files are treated as confidential.

FIRST does not use any user-specific tracking cookies. A cookie is a small file of letters and numbers that is placed on your device. Cookies are only set by FIRST when you visit restricted portions of our Web Site and help us to provide you with an enhanced user experience.

Third Parties

We may share and disclose your personally identifiable information in these limited circumstances:

We may disclose aggregate, non-identifying information about our members and constituents based on anonymized data.

We collect personal information from you where the processing is in our legitimate interests. As described above, the data is collected to provide services to our members, event attendees, and other interested parties.

We send communications announcing upcoming events, submission deadlines, and other issues of interest to our membership and constituents. You may opt out of these communications at any time.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us at


The security of personal information is very important to FIRST. FIRST maintains all personal information with technical, administrative, and physical safeguards to protect against loss, unauthorized access, destruction, misuse, modification, and improper disclosure. No computer system or information can ever be fully protected against every possible attack. FIRST provides reasonable and appropriate security controls to protect personal information against foreseeable attack. If nevertheless a successful attack was identified, FIRST will inform the affected persons via email.

Data Retention

FIRST retains your personal information and a record of membership, event attendance, volunteer service, and related data. As described in the next section, you have the right to request that your personal information be deleted. For additional details see the Document Record Retention and Destruction Policy.

Your Data Protection Rights

You have the following rights:

Changes to This Policy

FIRST reserves the right to modify this Privacy Policy at any time. However, we will take appropriate measures to inform you about material changes to this policy in a timely manner.

Policy History

Version Date Author(s) Changes
1 March 2019 Thomas Schreck Initial release
2 April 2020 Thomas Schreck,
Dave Schwartzburg
Updated to address:
  • New Identity and Collaboration Platforms
  • Accounting reform
  • Compliance

Contact Us

If you have any questions or concerns regarding the use or disclosure of your personal information, you can contact us through email