Cloud 101CircleEventsBlog
The CCSK v5 and Security Guidance v5 are now available!

Privacy Notice

Effective December 23, 2019

We are the Cloud Security Alliance, with registered offices at 709 Dupont St, Bellingham, WA 98225, USA (herein after “CSA”, “we”, “us”) and we are committed to protecting your privacy as a user of this website, as well as when you use any related CSA portals, view our blogs, participate in our webinars and when you make use of any of our online services (“Website”). This Privacy PolicyOur Privacy Policy is an informative statement which explains important parts of how we use the personal data of the persons visiting our website. has been written in order to allow you to understand our policy regarding your privacy, as well as how your personal information will be handled when you use the Website.

In general, we may collect information and data that you provide to us over the Website, but we may also gather information and data on you through the Website when you make use of our services, when you send us e-mails, when you register for or attend any events which we host/promote, or when you interact with CSA representatives. This is described in Section 3 below.

Any personal dataThis means generally any information about you or other persons, as an individual. which we collect will be processedThis essentially means “used” – “processing personal data” means carrying out any activities involving personal data, from collecting personal data, to storing, transferring and even anonymizing or deleting personal data. in a lawful, fair and transparent manner. To this end, and as further described below, CSA takes into consideration internationally recognized principles governing the processing of personal data, such as the principles of purpose limitationThe principle of purpose limitation requires us to only use personal data for specific and clear purposes, and to not use personal data for any other purposes., storage limitationThe principle of storage limitation calls for us to keep personal data only for as long as we need it and to be able to justify such retention policies., data minimizationThe principle of data minimization requires us to collect only the personal data which we actually need in order to meet our purposes. We need to make sure that we do not collect excessive or unnecessary amounts of personal data., data qualityThe principle of data quality requires us to be reasonably certain that all personal data we handle is accurate and complete. and confidentialityThe principle of confidentiality requires us to ensure that all personal data we store are kept secure, and that only specifically authorised persons and organisations have access to those data..


1. Data controller and Office of Data Protection

The CSA, as identified at the top of this Privacy Policy, is the data controller regarding all personal data processing carried out through the Website.

To get in touch with CSA’s Office of Data ProtectionCSA’s Office of Data Protection is a dedicated internal team at CSA responsible for managing all matters related to the use of personal data., please contact [email protected].

2. Personal Data processed

When you use the Website or the Services, CSA will collect and process information regarding you (as an individual) which allows you to be identified either by itself, or together with other information that has been collected. CSA may also be able to collect and process information regarding other persons in this same manner, if you choose to provide such information to CSA.

This information may be classified as “Personal DataPersonal data means any information which is about an individual, so long as that individual can be identified. This includes information such as your name and contact details, but also information such as your IP address and the actions you take on our website.” and can be collected by CSA both when you choose to provide it (e.g., when you fill out a form to download a research working paper, or request other Services provided by CSA over the Website or otherwise) or simply by analyzing your behavior on the Website or the Services that you request.

Personal Data that can be processed by CSA through the Website or in connection with the Services are as follows:

a. Name, contact details and other Personal Data

In various sections of the Website, you will be asked to submit information about yourself, such as your name, e-mail address, phone number, billing address and the name of your affiliate organization. This is the case, for example, when you request to join one of CSA’s research working groups, when you download certain research reports or when you create an account on the Website (where available).

When requesting Services for which payment is required (such as when you purchase tokens for the CCSK exam or a license to use the STARWatch application), you will be asked to provide information on the payment card and bank account used. This information will be collected and processed by an external payment processor and will not be accessed or stored by CSA.

In addition, whenever you communicate with CSA via forms available on the Website (such as the “Contact Us” form provided for Membership inquiries), or by means of the contact details displayed in the “Contact” section of the Website, or when you visit us at events, CSA may collect additional information on you if you choose to provide such data.

b. Special categories of Personal Data

Certain areas of the Website include free text fields, where you can write messages to CSA, or otherwise allow you to post various types of content on the Website, which may contain Personal Data.

Where these fields are completely free, they may be used to (inadvertently or not) disclose more sensitive categories of Personal Data, such as data revealing your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. The content you upload in these fields may also (inadvertently or not) include other types of sensitive information relating to you, such as your genetic data, biometric data or data concerning your health, sex life or sexual orientation.

CSA asks that you do not disclose any Sensitive Personal DataCertain categories of personal data are considered special or sensitive. These include personal data which reveal your racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership. These also include your genetic data, biometric data (in some cases) and also any personal data which concern your health, sex life or sexual orientation. on the Website, unless you consider this to be strictly necessary. CSA requires your explicit consentConsent, in order to be valid, must be a specific, informed and unambiguous expression of your wishes. Explicit consent calls for you to provide us with a clear statement that specifically refers to the processing for which the consent is being requested from you and is separate from other consents requested. to process this sort of Personal Data (which can be provided, e.g., by declaring that you “explicitly consent to the processing of special categories of personal data, as necessary to comply with my request” in messages you send to CSA).

c. Other persons’ Personal Data

As mentioned in the previous section, certain areas of the Website include free text fields where you can write messages to CSA or otherwise allow you to post various types of content on the Website. These messages and content may (inadvertently or not) include Personal Data related to other persons.

In any situation where you decide to share Personal Data related to other persons, you will be considered as an independent data controllerIn other words, you will be considered responsible for having made the decision to share this information with CSA. This means that you will need to make sure that you can lawfully share this information with CSA; otherwise, if the person whose data is shared, or a supervisory authority, makes any claim against CSA regarding those data, you may be required to indemnify CSA. regarding that Personal Data and must assume all inherent legal obligations and responsibilities. This means, among other things, that you must fully indemnify CSA against any complaints, claims or demands for compensation for damages that may arise from the processing of this Personal Data, brought by the third parties whose information you provide through the Website.

As CSA does not collect this information directly from these third parties (but rather collects them from you indirectly), you must make sure that you have these third parties’ consent before providing any information regarding them to CSA. If this is not the case, then you must make sure there are other appropriate grounds on which you can rely to lawfully provide such information to CSA.

d. Browsing data

The Website’s operation involves the use of computer systems and software procedures, which collect information about the Website’s users as part of their routine operation, also known as browsing dataBrowsing data is collected automatically whenever you access our website. This includes information about your computer (or other device) and the operating system you use, such as your IP address, location (country), the domain names of your computer, the URI (Uniform Resource Identifier), addresses of resources you request on the site, the time of the requests made, the methods used to submit requests to the server, the dimensions of the file obtained in response to a request, the numerical code indicating the status of the response sent by the server (successful, error, etc.).. While CSA does not collect this information in order to link it to specific users, it is still possible to identify those users either directly via that information, or by using other information collected – as such, this information must also be considered Personal Data.

These data are used to compile statistical information on the use of the Website, ensure its correct operation and identify any faults and/or abuse of the Website. Save for this last purpose, these data are not kept for more than 7 business days.

e. Cookies

- Definitions, characteristics, and application of standards

Cookies are small text files that may be sent to and registered on your computer by the websites you visit, to then be re-sent to those same sites when you visit them again. It is thanks to cookies that those websites can “remember” your actions and preferences (e.g., login data, language, font size, other display settings, etc.), so that you do not need to configure them again when you visit the website at a later time, or when you change pages within a website.

Cookies are used for electronic authentication, monitoring of session and storage of information regarding your activities when accessing a website. Some operations within a website may not be able to be performed without the use of cookies which, in certain cases, are technically necessary for operation of the website.

When browsing a website, you may also receive cookies from websites or web servers other than the website being visited (i.e., “third-party cookies”).

According to the law that may be applicable to you, your consent may not always be necessary for cookies to be used on a website. In particular, “technical cookiesTechnical cookies are either necessary to allow messages to be sent through a network, or otherwise they are necessary to allow us to provide you with services that you ask for. These cookies can be used without your consent, but only for these purposes.” – i.e. cookies that are only used to send messages through an electronic communications network, or that are needed to provide services you request – typically do not require this consent. This includes browsing or session cookiesBrowsing and session cookies allow you to login to a website, and stay logged in. These cookies can also be used without your consent. (used to allow users to login) and function cookiesFunction cookies are used to remember the choices you make when you access the website, such as the language and products selected for purchase. These typically do not require your consent. (used to remember choices made by a user when accessing the website, such as language or products selected for purchase).

- Types of cookies used by the Website

The Website uses the following types of cookies:

  • Browsing or session cookiesWe use browsing or session cookies as they are strictly necessary for the operation of our site, and/or to allow you to use the website’s content and services., which are strictly necessary for the Website’s operation, and/or to allow you to use the Website’s content and Services.
  • Function cookiesWe use function cookies to activate specific functions of the site and to configure the site according to your choices (e.g., language), in order to improve your experience., which are used to activate specific Website functions and to configure the Website according to your choices (e.g., language), in order to improve your experience.
  • Analytics cookiesWe use analytics cookies to understand how users make use of our site and track traffic to and from the site., which allow CSA to understand how users make use of the Website, and to track traffic to and from the Website.

CSA also uses third-party cookies – i.e. cookies from websites / web servers other than the Website, owned by third parties. These third parties will either act as independent data controllers from CSA regarding their own cookies (using the data they collect for their own purposes and under terms defined by them) or as data processors for CSA (processing personal data on our behalf). For further information on how these third parties may use your information, please refer to their privacy policies:

CSA uses Google Analytics on the Website. This is a tool developed by Google and used to collect information that permits evaluation of the use of the Website, analysis of your behavior and improvement of your experience with the Website. You can obtain more information about how to opt out of Google Analytics at:

- Cookies present on the Website

In detail, the first-party cookies present on the Website are as follows:

Technical NameCookie Type, Function and PurposeDuration
CSA and
Function cookies: Identifying information saved from form fields when user:
  • requests inclusion to Working Group
  • requests to participate in draft / peer review process
  • downloads a whitepaper and other resources
The data stored in the cookie is used to pre-fill forms with previously provided information, saving the user from typing it again.
30 days
csa_cn_hideFunction cookie: Used to hide the cookie consent notification once the user has accepted cookies, avoiding to ask the use again for 30 days.30 days
_csa and
Function cookies: Temporary session identifier.
Equal to the duration of the session.
Function cookies: Temporary session identifier.
Equal to the duration of the session.

Cookie settings

You can change the cookie settings for our website though our cookie banner.

You can also block or delete cookies used on the Website via your browser options. Your cookie preferences will be reset if different browsers are used to access the Website. For more information on how to set the preferences for cookies via your browser, please refer to the following instructions:

You may also provide set your preferences on third-party cookies by using online platforms such as AdChoice and Network Advertising Imitative

CAUTION: If you block or delete technical and/or function cookies used by the Website, the Website may become impossible to browse, certain services or functions of the Website may become unavailable or other malfunctions may occur. In this case, you may have to modify or manually enter some information or preferences each time you visit the Website.

3. Purposes of processing

CSA intends to use your Personal Data, collected through the Website, for the following purposes:

  • To allow you to create and maintain a registered user account, to verify your identity and to assist you in case you lose or forget your login/password details, to respond to your inquiries, to submit entries to the STAR Registry, to acquire a STARWatch license (or request a trial), to allow you to adhere to CSA research working groups and to download CSA research artifacts, to finalize purchase orders and to deliver any other Services that you may request (“Service Provision”);
  • For future marketing, promotional and publicity purposes, including over e-mail or over the phone, regarding CSA’s products and services, as well as those of selected third parties (sponsors and CSA corporate members) (“Marketing”);
  • For compliance with laws that require us to collect and/or further process certain kinds of Personal Data (“Compliance”);
  • For development and administration of the Website or our Services, in particular by use of data analytics regarding how you and other users make use of the Website, as well as the information and feedback you provide, in order to improve CSA’s offerings and to troubleshoot any technical issues which may arise in connection with the use of the Website or Services (“Analytics”);
  • To prevent and detect any misuse of the Website or Services, or any fraudulent activities carried out through the Website or Services (“Misuse/Fraud”).
  • To keep track of payments when you purchase a service from us. However, we do not collect or store specific payment information such as credit card numbers; this information is collected by our payment processing service provider and is subject to its privacy policy (“Recipients of Personal Data”).

4. Grounds for processing and mandatory / discretionary nature of processing

The grounds on which the CSA relies on to process your Personal Data, according to the purposes identified in Section 3, are as follows:

  • Service Provision: processing for these purposes is necessary to provide the Services and, therefore, is necessary to address a request made by you, to perform a contract entered into with you or to take steps prior to entering into a contract with you. It is not mandatory for you to give CSA your Personal Data for these purposes. However, if you do not, CSA will not be able to provide certain Services to you over the Website or otherwise.
  • Marketing: processing for these purposes is based on your consent. It is not mandatory for you to give consent to CSA for use of your Personal Data for these purposes, and you will suffer no consequence if you choose not to give it (aside from not being able to receive further marketing communications from CSA). Any consent given may also be withdrawn at a later stage (please see Section 8 for more information).
  • Compliance: processing for this purpose is necessary for CSA to comply with its legal obligations. When you provide any Personal Data to CSA, CSA must process it in accordance with the laws applicable to it, which may include retaining and reporting your Personal Data to official authorities for compliance with tax, customs or other legal obligations.
  • Analytics: processing for this purpose is based on CSA’s interest in understanding the performance of Services provided over the Website and improving the Website accordingly, with the aim to provide a better user experience, as well as to troubleshoot any technical issues which users may encounter on the Website.
  • Misuse/Fraud: processing for this purpose is based on CSA’s interest in preventing and detecting fraudulent activities or misuse of the Website (for example, for criminal purposes).

5. Recipients of Personal Data

Your Personal Data may be shared with the following list of persons / entities (“RecipientsA recipient of personal data is anyone that may receive data from us. This includes, for example, persons authorized to carry out technical maintenance on our networks, hosting providers, our administration, etc.”):

  • Sponsors and selected CSA Corporate Members, where you provide consent for your Personal Data to be used for third-party marketing purposes;
  • Persons, companies or professional firms providing CSA with advice and consultancy regarding accounting, administrative, legal, tax, financial and debt collection matters related to the provision of the Services;
  • Entities engaged in order to provide the Services (e.g., hosting providers or e-mail platform providers, event organizers);
  • Persons authorized to perform technical maintenance (including maintenance of network equipment and electronic communications networks);
  • Persons authorized by CSA to process Personal Data needed to carry out activities strictly related to the provision of the Services, who have undertaken an obligation of confidentiality or who are subject to an appropriate legal obligation of confidentiality (e.g., employees or contractors working for CSA);
  • Other entities within CSA for internal administrative purposes, including the processing of Personal Data on users making inquiries, customers and Working Group volunteers; and
  • Public entities, bodies or authorities to whom your Personal Data may be disclosed in accordance with applicable law or binding orders of such entities, bodies or authorities;
  • Our payment processing service provider (“BrainTree Payments,” a PayPal service). All credit card information and other customer details that are required to process credit card payments are collected directly by our payment processing service provider, in accordance with its data handling practices (see

6. Transfers of Personal Data

Considering our worldwide presence and global business operations, your Personal Data may be transferred to Recipients located in several different countries. CSA implements appropriate safeguards to ensure the lawfulness and security of these Personal Data transfers, such as by relying on adequacy decisions from the European CommissionThe European Commission has the power to decide whether a country or territory outside of the EU/EEA offers a sufficient level of protection to personal data. If the Commission decides so, personal data can be freely transferred from the EU/EEA to that country. You can find a list of adequacy decisions here: = link_to nil, "" span . , Standard Contractual Clauses adopted by the European Commission“Standard contractual clauses” are pre-defined agreements which can be entered into between an organization within the EU/EEA and an organization outside the EU/EEA, in order to lawfully regulate an export of EU-originating personal data to outside of the EU/EEA. For more information, see: = link_to nil, "" span . , and/or other safeguards or conditions considered adequate to the relevant transfer.

More information on these transfers is available upon written request to CSA at the following address: [email protected].

7. Retention of Personal Data

Personal Data processed for Service Provision will be kept by CSA for the period deemed strictly necessary to fulfill such purposes – in any case, as this Personal Data is processed for the provision of the Services, CSA may continue to store this Personal Data for a longer period, as may be necessary to protect our interests with respect to potential liabilityFor example, certain types of documents, e-mails or data (which may all include personal data) may need to be further retained by CSA to prove that CSA has correctly performed all of its obligations regarding its services. related to the provision of the Services.

Personal Data processed for Marketing will be kept by CSA from the moment you give consent (if any) until it is withdrawnFor more on how you can withdraw this consent, please see Section 8 “Data subjects’ rights”, below.. When you withdraw your consent, your Personal Data will no longer be used for these purposes, although it may still be kept by CSA, as it may be necessary to protect our interests related to potential liabilityFor example, we may still keep a limited amount of your information as needed to prove that you once gave valid consent for use of your data for marketing purposes (in the form of consent records). related to this processing.

Personal Data processed for Compliance will be kept by CSA for the period required by the specific legal obligation or by the applicable lawThis could include obligations to store certain types of documents or data for a given time, obligations to report certain types of documents or data to authorities, and others..

Personal Data processed for preventing Misuse/Fraud, as well as for Analytics will be kept by CSA for as long as deemed strictly necessary to fulfil the purposes for which it was collected, unless you validly object to the processing of your Personal Data for these purposes (please see Section 8 for further information).

8. Data subjects’ rights

As a data subject, you are entitled at any time to exercise the rights listed below before CSA. Your rights include the possibility to:

  • Access your Personal Data being processed by CSA (and/or a copy of that Personal Data), as well as information on the processing of your Personal Data;
  • Correct or update your Personal Data processed by CSA, where it may be inaccurate or incomplete;
  • Request erasure of your Personal Data being processed by CSA, where you feel that the processing is unnecessary or otherwise unlawful;
  • Request the restriction of the processing of your Personal Data, where you feel that the Personal Data processed is inaccurate, unnecessary or unlawfully processed, or where you have objected to the processing;
  • Exercise your right to portability, the right to obtain a copy of your Personal Data provided to CSA, in a structured, commonly used and machine-readable format, as well as the transmission of that Personal Data to another data controller;
  • Object to the processing of your Personal Data, based on relevant grounds related to your particular situation, which you believe must prevent CSA from processing your Personal Data (for Misuse/Fraud or Analytics); and
  • Withdraw your consent to processing (for Marketing).

Please note that most of the Personal Data you provide to us can be changed at any time, including your e-mail preferences, by accessing, where applicable, your user profile created on the Website.

You can also withdraw consent for Marketing (for communications received via e-mail) by selecting the appropriate link included at the bottom of every marketing e-mail message you receive. The same applies to communications you may receive from us by subscribing to the CSA Announcements Mailing List.

Aside from the above-mentioned means, you can always exercise your data subject rights described above by sending a written request to us at the following address: [email protected].

In any case, please note that, as a data subject, you are entitled to file a complaint with the competent supervisory authorities for the protection of Personal Data if you believe that the processing of your Personal Data carried out through the Website is unlawful.

9. Rights of California Residents

California requires operators of websites or similar services to make certain disclosures to users who reside in California regarding their rights, specifically:

Shine the Light

Under California law, a business that has an established business relationship with an individual, and has, within the immediately preceding calendar year, disclosed personal data that is primarily used for personal, family or household purposes to a third party for the third party’s direct marketing purposes, upon request disclose to its California users the identity of any such third party, along with the type of personal data that has been/is disclosed.

You can contact us and our Office of Data Protection at [email protected]. Please note that, under California law, businesses are only required to respond to a user’s request once during any calendar year.


Some browsers give individuals the ability to communicate that they wish not to be tracked while browsing the Internet. California law requires that we disclose to users how we treat do-not-track requests. The Internet industry has not yet agreed on a definition of what “Do Not Track” means, how compliance with “Do Not Track” would be measured or evaluated, or a common approach to responding to a “Do Not Track” signal. Due to the lack of guidance, we have not yet developed features that would recognize or respond to browser-initiated Do Not Track signals in response to California law.

In the meantime, there are technical means to prevent some of the tracking, if any. See the Section on “Cookie Settings” for more information.


This Privacy Policy entered into force on 25 May 2018, and was last updated on December 23, 2019.

CSA reserves the right to partly or fully amend this Privacy Policy, or simply to update its content, e.g., as a result of changes in applicable law. CSA will inform you of such changes as soon as they are introduced (e.g., by e-mail), and they will be binding as soon as they have been brought to your attention and published on the Website.


This website uses third-party profiling cookies to provide services in line with the preferences you reveal while browsing the Website. By continuing to browse this Website, you consent to the use of these cookies. If you wish to object such processing, please read the instructions described in our Privacy Policy.