Last Updated June 3, 2019
Offsec Services Limited, a Gibraltar company along with its affiliates and individual contractors (“Offensive Security”), is a company that teaches ethical penetration testing methodologies and the use of the tools included within the Kali Linux distribution, among other tools. Our products and services (“Services”) include various course offerings and technical certifications, including but not limited to “Penetration Testing with Kali Linux – (PWK)”, “Wireless Attacks – (WiFu)”, “Cracking the Perimeter – (CTP)”, “Advanced Windows Exploitation – (AWE)”, “Advanced Web Attacks and Exploitation – (AWAE)”, and any other courses as advertised on Offensive Security’s Websites (as defined below) and offered to students who obtain our Services (“Students”).
1. Personal Data That We Collect
When you interact with our Websites or Services, we collect information that, alone or in combination with other information, could be used to identify you (“Personal Data”).
Automatically Collected Data: When you access the Websites or use the Services, the following information is created and automatically logged in our systems:
- Log data: Information (“log data”) that your browser automatically sends whenever you visit the Offensive Security Websites. Log data includes your Internet Protocol (“IP”) address, browser type and settings, the date and time of your request, and how you interacted with the Websites or Services.
- Device information: Information (“device data”) that includes the type of device you are using, operating system, settings, unique device identifiers, network information and other device-specific information. The information collected may depend on the type of device you use and its settings.
- Usage Information: Information (“usage data”) we collect about how you use our Websites and Services, such as the types of content that you view or engage with, the features you use, and the actions you take.
We may use Google Analytics or our own systems to access your log data, device data, and usage data.
Personal Data You Give Us. When you access the Websites, we may collect additional Personal Data from you through web forms such as names, phone numbers, postal addresses, email addresses, or other information that you choose to provide to us. We store and process all of this information on our servers located in the United States and in Israel, and we use this information for our internal purposes and to provide you with information, support, and Services, etc. as appropriate.
When you sign up for or use the Services, you voluntarily give us certain Personal Data, including your first name, middle name, last name, prefix, suffix, company, gender, age range, various email addresses, IT experience level, phone number, home address, and invoice address. We also may collect from you billing information (i.e., country, credit card name, credit card number, credit card expiration date, billing address, and credit card CVV). We may further collect from you a scanned government ID, scanned utility bill(s), scanned bank statement(s), and scanned income statement(s), parent name(s), IDs, and consent letters.
We also collect information you choose to provide to us when you complete any “free text” boxes in our forms or provide us with any emails (for example, support request or survey submission). In addition, we may collect Personal Data disclosed by you on our blogs and our other areas of the Services to which you can post information and materials.
We may also collect non-Personal Data, such as your time zone or language.
2. How We Use Data
We use the Personal Data we collect, described above:
- To authenticate users, provide the Services, process transactions and respond to your requests. For all Website visitors and Students, including visitors and Students located within the EU, this use is necessary to provide the Websites to you and perform the Service(s) contract with you. In the event that we are unable to verify a Student’s identity with the basic information we collect, we may request additional information such as a scanned government ID, scanned utility bill(s), or scanned bank statement(s). We process this data to confirm your identity and to ensure that we can lawfully provide you with our Services (e.g., screening against various “prohibited persons” lists and sanctioned countries). For Students under the age of 18, we collect parent name(s), IDs, and consent letters in order to lawfully obtain parental consent and to provide you with services. We do not permit any users under the age of 16.
- As necessary for certain legitimate business interests, which include the following:
  - To customize the user experience.
  - To better understand how visitors interact with our Websites and ensure that our Websites are presented in the most effective manner for you, and as part of our efforts to keep our Websites, network, and information systems secure.
  - To conduct analytics to inform our marketing strategy and enable us to enhance and personalize our communications and the experience we offer to our visitors and Students.
  - To provide communications by post which we think will be of interest to you.
  - If you ask us to delete your data or to be removed from our marketing lists and we are required to fulfill your request, we will keep basic data to identify you and prevent further unwanted processing.
- For billing purposes. For all Website visitors or Students requesting paid Services, we collect your billing information identified above to process payments using our third-party Vendors and Service Providers referenced below. This is applicable to all Website visitors and Students, including those located within the EU, and this use is necessary for us to perform the Services contract with you. We store and process this information in addition to providing this information to our third-party Vendors and Service Providers (described below).
- For mailing your certificate. We collect your physical address information so that we can mail you a certificate upon completing and passing any certification.
- To protect our intellectual property. We may use your Personal Data to mark course materials we provide to you so that we can monitor and protect our confidential intellectual property. Any marking of materials may include the Student’s full name, home address, personal email address, and OSID, in a visible form.
- To terminate or suspend your access to our products or prevent you from placing future orders. We will use your Personal Data to record situations where we believe you have cheated in relation to our examinations, have abused our intellectual property rights or otherwise breached the contractual terms and conditions you agree to when you register with us. We may use this record to terminate or suspend your access to our course materials and associated products and services and prevent you from being able to place orders with us in the future.
- For online proctoring of examinations. When an examination is subject to online proctoring, the Student’s webcam and computer screen will be monitored, viewed, recorded, stored, and/or audited to ensure the integrity of the examination, including by Offensive Security’s employees, contractors, proctors, and/or agents. This means that Student and any of Student’s immediate surroundings, and anything else within range of Student’s webcam or viewable on Student’s computer screen, may be monitored, viewed, recorded, stored, and/or audited during and following the examination. The Student’s video feed and screen feed are monitored by Offensive Security proctoring personnel located in the Philippines and stored on Offensive Security’s servers located in the Philippines.
- Marketing. We may send you updates and information about our new products and services, upcoming events or other promotions or news by email or push notification. Where required by law, we will only send you marketing information if you consent to us doing so at the time you provide us with your Personal Data. When registering for Services, you may opt out of receiving such marketing information. Additionally, you may opt out of receiving such emails by following the instructions contained in each promotional email we send you. In addition, if at any time you do not wish to receive future marketing communications, please contact us at email@example.com. We will continue to contact you via email regarding the provision of our Services and to respond to your requests. We do not, however, share your Personal Data with any third parties for marketing purposes.
For information on your rights under the applicable European Union (“EU”) law, please see the “Rights under EU Law” section below. At Offensive Security we believe that privacy is a critically important issue, and accordingly we make these EU rights available to all users of our Services.
3. Sharing And Disclosure
We may share your Personal Data and other information with certain third parties in the following circumstances:
- Publication of Personal Data in connection with Certifications: When a Student passes an examination and obtains a certification, we may publish certain Personal Data of the Student on a publicly available website so that anyone from the public can confirm the Student obtained the certification(s). We allow the public to search by a name (using modified fuzzy logic) or by an Offensive Security ID (OSID), but we display only the Student’s name, OSID, and course information and certificate information, including course(s) taken, course(s) and examination(s) status, certificates received, and associated dates. We do not publish the fact that a Student failed an exam, although that Student’s name would not be published if a member of the public were to search for that Student and the Student had failed an examination.
- Service Providers: To assist us in providing products and services and to operate our business, your Personal Data may be shared with our third-party service providers. These include organizations who provide services in relation to the training we provide, marketing, infrastructure and information-technology, payment processing, logistics and shipping and professional advice.
- Business Transfers: If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of a service to another provider, your Personal Data and other information may be transferred to a successor or affiliate as part of that transaction.
- Legal Requirements: If required to do so by law, applicable regulation or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights or property of Offensive Security, (iii) act in urgent circumstances to protect the personal safety of users of the Websites or the Services, or the public, or (iv) protect Offensive Security against legal liability.
4. Data Retention
We do have additional specific data retention policies for certain categories of data.
- Authentication and Parental Consent: For the additional Personal Data collected as part of the authentication process (i.e., scanned government ID, scanned utility bill(s), or scanned bank statement(s)), we delete this data after 30 days. We also delete limited Personal Data collected as part of the parental consent process (i.e., parental IDs) after 30 days.
- Billing Information: For the Personal Data we collect for billing purposes (i.e., country, credit card name, credit card number, credit card expiration date, billing address, and credit card CVV), we store this data in encrypted form and do not store the complete credit card number. We delete this data after 1 year from the most recent transaction (payment or refund). This retention policy applies only to the billing information stored by Offensive Security and not to the billing information we provide to our third-party Vendors and Service providers.
- Proctoring Video and Screen Feeds: For any video and screen feeds obtained by Offensive Security during the proctoring of an examination, we delete this data after 15 days.
All of the Personal Data that we collect from all Website visitors and Students is stored and processed on servers located in the United States and in Israel. We take various security steps to ensure that your Personal Data is protected from unauthorized disclosure.
5. Update Your Information
If you need to change or correct your Personal Data, or wish to have it deleted from our systems, you may contact us at firstname.lastname@example.org.
6. Rights Under EU Law
Scope. This section provides information on your rights under EU law (for these purposes, reference to the EU also includes the European Economic Area countries of Iceland, Liechtenstein and Norway). Offensive Security strongly believes in respecting the privacy concerns of its Students, and therefore extends these rights to all Students.
Data Controller. Offensive Security is the data controller for your Personal Data.
Your Rights. Subject to EU law, you have the following rights in relation to your Personal Data:
- Right of access: If you ask us, we will confirm whether we are processing your Personal Data and, if so, provide you with a copy of that Personal Data along with certain other details. If you require additional copies, we may need to charge a reasonable fee.
- Right to rectification: If your Personal Data is inaccurate or incomplete, you are entitled to ask that we correct or complete it. If we shared your Personal Data with others, we will tell them about the correction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Data so you can contact them directly.
- Right to erasure: You may ask us to erase your Personal Data in some circumstances, such as where we no longer need it or you withdraw your consent (where applicable). If we shared your data with others, we will alert them to the need for erasure where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Data so you can contact them directly.
- Right to restrict processing: You may ask us to restrict or ‘block’ the processing of your Personal Data in certain circumstances, such as where you contest the accuracy of the data or object to us processing it (please read below for information on your right to object). We will tell you before we lift any restrictions on processing. If we shared your Personal Data with others, we will tell them about the restriction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Data so you can contact them directly.
- Right to data portability: You have the right to obtain your Personal Data from us that you consented to give us or that was provided to us as necessary in connection with our contract with you. We will give you your Personal Data in a structured, commonly used and machine-readable format. You may reuse it elsewhere.
- Right to object: You may ask us at any time to stop processing your Personal Data, and we will do so:
  - If we are relying on a legitimate interest (described under the “How We Use Data” section above) to process your Personal Data — unless we demonstrate compelling legitimate grounds for the processing; or
  - If we are processing your Personal Data for direct marketing.
- Rights in relation to automated decision-making and profiling: You have the right to be free from decisions based solely on automated processing of your Personal Data, including profiling, unless this is necessary in relation to a contract between you and us or you provide your explicit consent to this use.
- Right to withdraw consent: If we rely on your consent to process your Personal Data, you have the right to withdraw that consent at any time, but this will not affect any processing of your data that has already taken place.
- Right to lodge a complaint with the data protection authority: If you have a concern about our privacy practices, including the way we handled your Personal Data, you can report it to the data protection authority that is authorized to hear those concerns.
You may contact us at email@example.com to exercise your rights.
7. Publicly Posted Information
Offensive Security does not knowingly collect Personal Data from children under the age of 16. If you have reason to believe that a child under the age of 16 has provided Personal Data to Offensive Security through the Websites or Services please contact us at firstname.lastname@example.org and we will endeavor to delete that information from our databases.
9. Links To Other Websites
We take reasonable administrative and technical steps to protect the Personal Data from loss, misuse and unauthorized access, disclosure, alteration, or destruction. However, no method of transmission over the internet is 100% secure. Therefore, while we strive to protect your data, we cannot guarantee its absolute security.
12. Contact Us