SANS Privacy Policy

Updated: June 2025

SANS INSTITUTE PRIVACY POLICY

The Escal Institute of Advanced Technologies, Inc. d/b/a the SANS Institute is a United States–based company specializing in information security and cybersecurity training. The SANS Institute has wholly owned subsidiaries operating globally, including but not limited to: SANS Training - UK Limited ("SANS UK"), SANS Training Australia Pty Limited ("SANS Australia"), SANS Training Singapore PTE LTD ("SANS Singapore"), SANS Training Japan GK ("SANS Japan"), SANS Training Europe, B.V (“SANS Netherlands”) and SANS Training Limited ("SANS Ireland"). The SANS Institute, together with these entities, is referred to as “SANS.”

SANS also operates the Global Information Assurance Certification (“GIAC”) program and academic programs through the SANS Technology Institute (“STI”).

SANS participates in the EU-U.S. Data Privacy Framework (“DPF”) and the UK Extension to the EU-U.S. DPF, as administered by the U.S. Department of Commerce. We apply the DPF Principles to all personal data received from the European Union (EU) and the United Kingdom (UK) in reliance on these frameworks. For more information visit https://www.dataprivacyframework.gov.

This Policy explains how SANS, as a data controller, collects, uses, and processes personal data from users of our websites, business contacts, competition participants, and others interacting with our services. This policy excludes HR-related data, which is covered under a separate policy.

When we refer to “Websites” we mean www.sans.org as well as the other websites that we operate and that link to this Policy. Note that GIAC has its own privacy policy at www.giac/privacy, and STI has its own privacy policy at www.sans.edu/privacy. This Policy does not apply to personal information collected and processed by GIAC or STI.

We need to process personal information to provide services to you. Sometimes, we provide your personal information to third parties, including SANS affiliate organizations such as GIAC and STI, to help us provide our services. If you are not willing to provide your personal information and have it disclosed to third parties in accordance with this Policy, you may not be able to use our services.

Basis of Processing

We process your personal data based on your consent, to fulfill contractual obligations, or where we have a legitimate interest or legal requirement. Refusal to provide data may limit your access to services.

Our Websites may contain links to other websites which are not owned by SANS. You should review the privacy statements of all third-party websites you visit to understand how your data will be processed.

Personal Information We Collect

We collect personal data when you:

  • Create a SANS account
  • Make purchases
  • Interact with our websites
  • Participate in employer-sponsored training
  • Engage in events, surveys, or promotions

We also collect technical data from cookies, analytics tools, session replay software, and similar technologies. Full details are found in our Cookie Policy.

Use of Personal Information

We use personal data to:

  • Deliver requested services
  • Provide customer support
  • Communicate marketing offers (with opt-out option)
  • Perform analytics and market research
  • Process payments and prevent fraud
  • Enforce our terms and comply with legal obligations

Data Sharing and Disclosures

We share data with:

  • Authorized service providers (e.g. payment processors, analytics firms)
  • Event co-sponsors (with your consent)
  • GIAC (for certification listings)
  • Business partners (e.g. promotional partners)
  • Affiliates (e.g. GIAC, STI) for support purposes
  • Public authorities as required by law
  • In case of mergers, transfers, or restructuring
  • For fraud prevention, dispute resolution, and legal claims

In general, we may disclose the following categories of personal information in support of our business purposes identified above:

  • Name, contact information, and other identifiers
  • Customer records
  • Protected classifications
  • Commercial Information
  • Usage data
  • Audio, video, and other electronic data
  • Education information
  • Profiles and inferences

We have disclosed the categories of personal information listed above to the following categories of third parties in the preceding twelve months: data analytics providers, service providers, and sponsors of SANS events, programs, and papers.

In compliance with the DPF Principles, SANS is responsible for the processing of personal data we receive under the DPF and subsequently transfer to a third party acting as an agent on our behalf. We require that all third-party agents with whom we share personal data agree to safeguard it in accordance with the DPF Principles and other applicable data protection laws.

SANS remains responsible under the DPF if a third-party agent processes such personal data in a manner inconsistent with the DPF Principles, unless we can demonstrate that we are not responsible for the event giving rise to the damage.

We ensure that all third-party agents agree to:

  • Process the personal data only for the limited and specified purposes consistent with the consent provided by the data subject.
  • Provide at least the same level of protection as the DPF Principles require.
  • Notify us if they can no longer meet these obligations, at which point we will take reasonable and appropriate steps to stop or remediate unauthorized processing.

We may also share de-identified and aggregated data that cannot be traced back to you.

Your Choices and How to Limit Use and Disclosure

Under the Data Privacy Framework, individuals have the right to limit the use and disclosure of their personal data. Where we intend to use personal data for a purpose materially different from that for which it was originally collected, or where we disclose it to a third party not acting as our agent, we will provide individuals with an opportunity to opt out. Individuals who wish to limit the use or disclosure of their personal data can contact us at privacy@sans.org or follow the opt-out instructions provided in our communications.

Onward Transfers under DPF

In accordance with the DPF Principles, SANS:

  • Is responsible for third-party processors’ handling of personal data
  • Requires third parties to provide equivalent data protection and notify us if they can no longer comply
  • Will take steps to remediate unauthorized use

Data Sold or Shared (California)

The California Consumer Privacy Act (“CCPA”) defines a “sale” as disclosing or making available to a third party personal information in exchange for monetary or other valuable consideration, and it defines “share” in pertinent part as disclosing personal information to a third party for cross-context behavioral advertising.

As defined by the CCPA, the categories of personal information that we may “sell” include:

  • Name, contact information, and other identifiers

As defined by the CCPA, the categories of personal information that we may “share” include:

  • Name, contact information, and other identifiers

The categories of third parties to whom we sell or share the data, as defined by the CCPA, may include:

  • Data analytics providers
  • Service providers who are assisting us in fulfilling our contracts and carrying out our business
  • Sponsors of SANS events, programs and papers

The business purpose for which we sell or share the data, as defined by the CCPA, may include:

  • Lead generation, business prospecting, and similar activities
  • To gain insights into online activities through analytics
  • To provide leads to sponsors of SANS events, programs and papers

We have “sold” and “shared” the categories of personal information listed above to data analytics providers in the preceding twelve months.

Opt-Out

You can opt out at any time here.

Data Retention

We retain personal data for as long as necessary to provide services and meet legal obligations. If your data is provided by an employer or partner, their agreement may govern retention.

Your Rights

You can:

  • Access or correct your data
  • Request deletion or data portability
  • Submit requests via your account or email privacy@sans.org

We may retain necessary information as required by law.

Independent Dispute Resolution

If you have a complaint or concern regarding our compliance with the DPF, please contact us first at privacy@sans.org or by phone at +1 301-654-7267 and request to speak with the Data Privacy Department. We will respond to complaints within a reasonable timeframe.

For individuals in the European Union and the United Kingdom: In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, SANS commits to cooperate and comply respectively with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner’s Office (ICO) with regard to unresolved complaints concerning our handling of data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF.

SANS is subject to the investigatory and enforcement powers of the United States Federal Trade Commission (FTC).

Under certain conditions, individuals may invoke binding arbitration for complaints regarding DPF compliance not resolved by other mechanisms. For more information, see Annex I of the DPF Principles available here.

Additional Information for Residents of Certain Jurisdictions

You may have additional data protection rights afforded to you by the state or country where you reside, including but not limited to the United States, European Union member states, the United Kingdom, or other jurisdictions. Please click here for additional information regarding data protection rights that may be afforded to you by your state or country of residence.

Federal Education Rights and Privacy Act (FERPA)

Where applicable, SANS adheres to a U.S. federal law called the Family Educational Rights and Privacy Act (FERPA) that protects student educational records. The Act serves two primary purposes: It gives eligible students more control over their educational records, and it prohibits educational institutions from disclosing “personally identifiable information” in education records without the written consent of an eligible student or in certain other circumstances. To review our full FERPA policy, please visit the Federal Education Rights Privacy Act Policy.

Children’s Personal Information

SANS does not knowingly collect or retain personal information about persons under the age of 16. Any person who provides their personal information to SANS represents they are 16 or older. When a person is under the age of 16 and desires to provide personal information to SANS, SANS strives to seek appropriate parental consent to process their information. If SANS learns that it has collected personal information from an individual under the age of 16 without parental consent, SANS will take reasonable measures to delete such information (except where required to protect the individual or others or as required or allowed by law). If you believe SANS has personal information from individuals under the age of 16, please contact SANS at privacy@sans.org.

Other Important Information

Security

The security of your personal information is important to us. Be aware that the internet is a global communications vehicle open to threats, viruses, and intrusions from others, so we cannot promise - and you should not expect - that we will be able to protect your personal information in all circumstances.

Contact Us

To make a request or exercise your data privacy rights, if you have a complaint, or if you have any questions or suggestions regarding this Policy or our processing of your personal information, please contact us at privacy@sans.org or at +1 301-654-7267 and request to speak to the Data Privacy Department.