Privacy PolicyEffective Date: November 29, 2023 This Privacy Policy explains the types of personal information that the CWE™ and CAPEC™ Programs (“the Programs,” “we,” “our,” “us”) collects from users of its sites at cwe.mitre.org and capec.mitre.org (the “Sites”); how we use, share, protect, store, and otherwise process that personal information; and your choices with respect to our use of your personal information. These Sites are operated by The MITRE Corporation (“MITRE”) on behalf of the U.S. Department of Homeland Security (DHS) which funds the Programs, and other partner organizations. By accessing these Sites, you acknowledge that you understand and agree to the terms outlined in this Privacy Policy. If you have any questions, you may contact us using the information provided at the end of this Privacy Policy.
This notice is provided in a layered format so you can click through to the specific areas listed below.
Personal Information We CollectPersonal Information You Give UsThe Programs may obtain your personal information when you interact with our Sites. Personal information is data that identifies you, or could reasonably be used to identify you, as an individual, such as your name, postal address, email address, and phone number. Information We Collect AutomaticallyWe also may collect other information about your visits to our Sites using automated tools; for example, cookies and other passive information collection technologies enable MITRE to compile aggregate statistics concerning use of the Sites, analyze trends, enhance the security of the Sites, deliver content, and otherwise administer and improve the Sites. This information may include your browser type, language preference, operating system, device identifier, device type, access time, Internet Protocol (IP) address, the URLs of websites you visited before and after visiting the Site, the web search that landed you on the Site, length of your visits to the Sites, and the links you click and pages you visit within our Sites. The Sites use cookies for purposes of generating analytics as described in the following paragraph. We do not use cookies for personalization or for targeted advertising. For more information, see our Cookie Notice. We use certain third-party web analytics services to help us understand and analyze how visitors use our Sites and to serve on our behalf across the Internet. We have implemented Google Analytics on our Sites. For more information on how Google Analytics uses data collected through the Sites, visit https://www.google.com/policies/privacy/partners/. To opt out of Google Analytics cookies, visit: https://www.google.com/settings/ads and https://tools.google.com/dlpage/gaoptout/.
Please note that we, and other parties we work with, may collect personal information about your online activities over time and across different devices and sites when you visit the Sites. Your web browser may have settings that allow you to transmit a “Do Not Track” signal when you visit various websites or use online services. Like many websites, these Sites are not designed to respond to “Do Not Track” signals received from browsers. To learn more about online tracking, the Federal Trade Commission (FTC) provides guidance on How To Protect Your Privacy Online. How We Use Personal InformationThe Programs may use personal information we collect through the Sites to:
How We Share Personal InformationThe Programs do not sell or share your personal information to deliver targeted advertising to you. The Program may share your personal information within our Programs and with our program partners. We also may share your personal information to:
The Programs may disclose your personal information to comply with applicable law, such as in response to requests from law enforcement agencies, regulators, other public authorities, courts, and third-party litigants in connection with legal proceedings or investigations. Linked WebsitesOur Sites may include links to other websites that are not owned or operated by the Programs. This Privacy Policy does not apply to those websites, which may have their own privacy policies that you should review to understand how they may collect, use, or disclose your personal information. The Programs are not responsible for the content or privacy practices of any linked websites that it does not control. Social FeaturesCertain features of our Sites may permit you to interact with social media networks operated by unaffiliated parties, for example, if you “like” or “follow” the Programs on those platforms (“Social Features”). If you choose to “like” or share content or post information using Social Features, that information may be publicly displayed, and the party operating the social media platform may receive information about you and your use of our Sites. Similarly, if you interact with us through Social Features, we may have access to information about you from the social media platform. Please note that if you mention the Programs, or comment about or in response to us, in your post on a social media platform, that platform may allow us to publish your post on our Sites. You should review the terms, policies, and settings of these platforms to learn more about their data practices and adjust your settings accordingly. Security of Personal InformationThe Programs maintain reasonable safeguards designed to protect personal information from loss, theft, misuse, and unauthorized access, disclosure, alteration, and destruction. The Programs employ encryption technologies and user authentication procedures that are designed to keep data secure. Nevertheless, transmission via the Internet and online digital storage are not completely secure, so we cannot guarantee the security of your personal information. Your ChoicesIf you are currently on our communications list and do not wish to receive further promotional email messages, you may email a request to “[email protected]” with the subject “signoff cve-announce-list.” Opting out of marketing emails will not affect our administrative emails to you (for example, emails about your use of our services). Information for Visitors from Outside the United StatesIf you are a visitor from outside the United States, please be aware that information we obtain about you may be transferred to and processed in the United States or other jurisdictions. By using our Sites and providing your personal information, you acknowledge that your personal information may be transferred to and processed in jurisdictions outside your own. Please be aware that the data protection laws and regulations that may apply to your personal information transferred to the United States or other countries may be different from the laws in your country of residence. Information for Visitors from the European Economic Area and the United KingdomThis section provides a GDPR Notice (“Notice”) for residents of the European Economic Area (“EEA” ) and United Kingdom (“UK” ) regarding their respective rights under the European Union’s General Data Protection Regulation and the United Kingdom’s General Data Protection Regulation (collectively, the “GDPR” ). MITRE is the data controller for personal data collected through our Site. This Notice supplements the information in this Privacy Policy and other MITRE and Program privacy policies and notices. If there is a conflict between any other privacy policy, statement, or notice and this Notice, this Notice will prevail. Our Collection and Use of Personal DataPersonal data collected through the Sites may include:
Our Processing of Your Personal DataYour personal data may be required for us to provide some of our services. In some instances, if you fail to provide your personal data, you may not be able to access or use our services. We may process the personal data you provide for any of the purposes identified in the “How We Use Personal Information” and “How We Share Personal Information” Sections of our Online Privacy Policy. Your personal data is processed pursuant to the following legal bases:
Your Rights Under the GDPRThe GDPR provides individuals with certain rights regarding their personal data. You may ask us to take the following actions:
You may submit these requests by email to [email protected]. We may require specific information from you to help us verify your identity prior to processing your request. Applicable law may require or permit us to decline your request. If we decline your request, we will tell you why, subject to any legal restrictions on disclosing this information. If you would like to submit a complaint about our use of your personal data or our response to your request regarding your personal data, you may contact us at [email protected] or submit a complaint directly to the data protection authority in your jurisdiction. If you reside in the EEA, you can find information about your data protection authority here. If you reside in the UK, you may file complaints with the Information Commissioner’s Office here. Our Retention of Your Personal DataThe Programs retain your personal data for no longer than is necessary to achieve the purposes for which the personal data was collected, or as may otherwise be permitted or required under applicable law. To determine the appropriate retention period, we will consider the scope and sensitivity of the personal data; the potential risk of harm from unauthorized access to, use, or disclosure of the data; the purposes for which we process the data; whether we can achieve our purposes through other means; our business needs; and applicable legal requirements. Unless otherwise required by applicable law, at the end of the retention period, we will anonymize or securely destroy your personal data.
Personal Data TransfersBy using the Sites, you acknowledge that your personal data may be collected, transferred to, and processed in jurisdictions outside your own. When you directly provide your personal data through our Sites, you acknowledge that your personal data is being provided by you to entities based in the United States. The laws that apply to personal data protection in the United States differ from those applicable in the EEA and the UK. If it is necessary for us to transfer personal data out of the EEA and the UK, we do so by using suitable data transfer mechanisms, such as the standard contractual clauses approved by the European Commission, which impose data protection obligations on parties to the transfer. Information for Specific IndividualsResidents of U.S. states with consumer privacy laws in effect and enforceable may contact us at [email protected] for further information about our privacy practices. Privacy of ChildrenOur Sites are not intended for children, and we do not knowingly collect personal information from children under the age of 16. If we become aware that we have collected personal information from a child, we will delete it in accordance with applicable law. Changes to Our Privacy PolicyThe Programs may update or modify this Privacy Policy from time to time at our discretion. We will indicate changes to this Privacy Policy by updating the “Effective Date” at the beginning of the Privacy Policy. Please review this Privacy Policy periodically and especially before you provide any personal information to us. Your continued use of these Sites after any update to this Privacy Policy will constitute your acceptance of our changes. QuestionsIf you have questions about this Privacy Policy or the Programs’ privacy practices, you may email [email protected]. |