FIRST Privacy Policy

Also available as PDF

FIRST processes personal information in its capacity as a controller. We collect and process this information according to the policy described herewith.

The Forum of Incident Response and Security Teams (FIRST) respects the privacy of your personal information and does not rent, trade, or share it with third-parties for their marketing purposes.

This policy does not apply to web sites linked from the FIRST site. We recommend reviewing the privacy policy of those respective third-party web sites in addition to ours.

Collection and Usage of Personal Information

FIRST only collects personal information that is relevant to its activities and seeks to ensure the personal information is accurate and up-to-date. We will use your personal information for staying in touch with you and generally for the purposes for which you provided it (as described in more detail below), including in order to:

The personal information that FIRST collects about your use of our services and that you provide to us may occasionally be used to improve our Web Site and wider offerings (on a confidential basis) or to enable us to comply with our legal obligations.

Personal information collected by FIRST may include: your name, address, employment details, and contact details, including your IP address, email address and telephone number. You may choose to inform us in confidence about what gender you identify as, whether you identify as a member of an underrepresented group, and if you have a disability.

Team/Member Database

FIRST maintains member databases that contain mailing, billing, and member profile information (such as your name, address and contact details). The information in these databases is used by authorized FIRST staff members to process orders; mail invoices, purchases, renewal notices, and announcements; respond to Member inquiries; and help us improve our offerings. Member records are maintained as long as an individual (or their team) is a FIRST member and for two years following a membership lapse. Purchases and credit card transactions are retained for as long as required to meet contractual, tax, or auditing needs.

All personally identifiable information contained in FIRST membership and registration databases is treated as confidential and will be used only for the purposes stated in this Policy, except where required by law.

FIRST Emails

FIRST maintains various mailing lists and may send out emails to members or previous attendees of events, such as:

FIRST does not sell, rent, or exchange email addresses of its members and customers, with the exception of sign-ups to events which are organized by a third party.In those cases, contact information will be provided to the organizer. If at any time you decide that you no longer wish to receive any of the emails described above, you may do so by using the "unsubscribe" instructions set out at the bottom of each email.

FIRST Identity

Various FIRST services are access-controlled by the FIRST identity solution. The account is created either by a successful membership application, or if you are joining FIRST activities as a non-member (e.g., attending an event, participation in a Special Interest Group, or sponsoring a FIRST event). This account is stored in our membership and account databases. It will consist of the following information: (1) email address, (2) full name, (3) securely stored password, and (4) if provided, your public PGP key.

Event Registration

When you register for an event, you will provide information, such as full name, address, email, phone number, and payment information. You may also choose, at your discretion, to be listed on the attendee list, state your gender, social media accounts information, and request special meals. We collect this information to register you for conferences, print your badge, and provide other event services. We also share anonymized statistics about job function and industry with businesses that sponsor our events.

Event Attendee List

If you choose to be included on the attendee list for an event, it will include your name, affiliation, and state/country. This list is available for download from our website by the other registered attendees of that conference. You can choose not to be listed on the public list, by choosing the appropriate option during event sign-up.

If a registered attendee contacts us to request another attendee's email address, we request permission before sharing this information.

Payment Information

When you become a member or register for a FIRST event, we collect payment information in order to facilitate the processing of payments. Payment information you submit online will be collected directly by third-party payment processors according to their privacy policies and is not shared with FIRST. If you submit payment information directly to FIRST by another means, we will provide that information to the payment processor.

Event Paper Submissions and Talk/Training Proposals

We use third-party processors to collect paper submissions and conference presentation proposals. This information is accessible to FIRST staff as well as event volunteer organizers (e.g., program committees). Successful submissions are posted on our website, in conference proceedings, in conference directories, and other publicly available locations. Comments made by reviewers in these systems are accessible only to FIRST and conference organizers and are not distributed. Other Voluntarily Shared Data During your interaction with FIRST, you may choose to provide us with personal information when you emailus, chat with us by phone, complete a survey, sign up for event-specific news or a registration waiting list, comment on our blog, communicate with us through social media services such as Twitter, Facebook, or LinkedIn, use the FIRST conference mobile application, collaboration platforms, or through other communication methods. We will use this information only for the purposes it was submitted.

We will ask for your consent before using information for a purpose other than those that are set out in this Privacy Policy.

Technical Personal Information

Other than in the access controlled services that require a FIRST Account, FIRST does not log the identity of visitors. However, we may keep access logs, for example containing a visitor's IP address and search queries. We may analyze log files periodically to help maintain and improve our public services and enforce our online service policies. Raw log files are treated as confidential.

FIRST does not use any user-specific tracking cookies. A cookie is a small file of letter and numbers that is placed on your device. Cookies are only set by FIRST when you visit restricted portions of our Web Site and help us to provide you with an enhanced user experience.

Third Parties

We may share and disclose your personally identifiable information in these limited circumstances:

We may disclose aggregate, non-identifying information about our members and constituents based on anonymized data.

We collect personal information from you where the processing is in our legitimate interests. As described above, the data is collected to provide services to our members, event attendees, and other interested parties.

We send communications announcing upcoming events, submission deadlines, and other issues of interest to our membership and constituents. You may opt out of these communications at any time.

If you have questions about or need further information concerning the legal basis on which we collect and use your personal information, please contact us at privacy@first.org.

Security

The security of personal information is very important to FIRST. FIRST maintains all personal informationwith technical, administrative, and physical safeguards to protect against loss, unauthorized access, destruction, misuse, modification, and improper disclosure. No computer system or information can ever be fully protected against every possible attack. FIRST provides reasonable and appropriate security controls to protect personal information against foreseeable attack. If nevertheless a successful attack was identified, FIRST will inform the affected persons via email.

Data Retention

We retain your personal information and a record of membership, event attendance, volunteer service, and related data. As described in the next section, you have the right to request that your personal informationbe deleted. For additional details see the Document Record Retention and Destruction Policy.

Your Data Protection Rights

You have the following rights:

Changes to This Policy

FIRST reserves the right to modify this Privacy Policy at any time. However,we will take appropriate measures to inform you about material changesto this policy in a timely manner.

Contact Us

If you have any questions or concerns regarding the use or disclosure of your personal information, you can contact us through by email privacy@first.org.