Offensive Security Terms and Conditions
1. About our Products
Offensive Security offers cybersecurity training and certification products and associated services. These products include pdf books, videos and hands-on labs. These products and related materials may be downloaded, accessed online or delivered in the form of live training.
Certain of our products are available on a subscription basis and require login credentials to access. Subscriptions are purchased on a per individual user basis. Login credentials may not be shared among individuals, groups, or teams or with third parties. A breach of the foregoing is a material breach of the Terms.
Product users may have access to an online account management page to manage their relationship with us depending on the product that they use.
Certification is granted if the standards required to pass an exam offered by Offensive Security are met. Exams may be proctored via webcam and screen capture. All product users and customers must comply with the Terms. All those who take our exams must comply with the Terms, our Academic Policy, Exam Guides and Proctoring Guidelines.
2. Definitions
The following capitalized terms are used in the Terms and have the meanings defined below.
Affiliate means a legal entity that directly or indirectly (a) controls (b) is controlled by or (c) is under common control of another legal entity
Confidential Information means (a) our know how (b) the content or configuration of Products, Materials and exams (c) any other information that may help a person pass one of our exams (d) the terms of your Order (e) any other business, financial or technical information in any form which the Recipient should reasonably know is confidential
Customer means a person or entity buying Product
Customer User means a person using Product under a Customer’s account (a) as Customer’s employee (b) as Customer’s contractor (c) in another capacity identified in Customer’s Order
Discloser means the party disclosing Confidential Information
Damage(s) means loss(es), damage(s) or cost(s) arising in any way
Data Privacy Laws means all data protection legislation in force from time to time applicable to the processing of Product User Personal Data including the General Data Protection Regulation ((EU) 2016/679) (GDPR)
Exam Guides means Offensive Security’s requirements and instructions for each of our exams found at https://support.offensive-security.com
Exam Related Materials means (a) exam reports (b) lab reports (c) walkthroughs for any of our course or exam labs (d) video recordings of our labs, (e) other materials created by a Product user as a result of access to our Products, Materials or exams that may help a person pass one of our exams
FAQs means frequently asked questions found at FAQs
Increase Notice means a notice we give you regarding any increase in the Price you will pay if you buy Products on a subscription basis
Intellectual Property Rights means database rights, design rights, moral rights, patents, trademarks, service marks, trade and service names, copyrights, know-how, trade secrets and similar rights existing anywhere in the world at any time
Materials means video recordings, lab contents, pdf books, data, documents, graphics, tools, dashboards, software, code, scripts, other materials and associated media provided by us with Product
Order means our online or other registration or order form that describes the Products we provide you
Payment Method means a valid credit or debit card(s) or other means of payment we accept
Personal Data means the same as it does in GDPR
Price means the amount payable for Products set out in your Order, and as adjusted by any Increase Notice
Processing means the same as it does in GDPR
Product(s) means our free or paid services, products or features (a) as described in your Order or (b) which we otherwise authorise you to use
Product User Personal Data means Personal Data provided to us by or about a Product user
Recipient means the party receiving Confidential Information
Site means www.offensive-security.com, other websites and community sites owned by us on which these terms and conditions appear, and subdomains of those sites and content provided through them
Student means an individual registered with us to use a paid Product
Terms means these terms and conditions and any further terms set out in your Order as applicable to you. If there is a conflict between your Order and these terms and conditions, your Order will take precedence
We/our/us means OffSec Services Limited or one of its Affiliates
You/your means Customer, Product user and/or Site visitor depending on the context
If we use the word “including” or similar words before describing any items, such items are examples only and should not be regarded as an exhaustive list.
3. Accepting the Terms
The Terms create a legally binding agreement between you and us and apply every time you buy or use Products, Materials or Site. If you click online to indicate your acceptance of the Terms, make payment based on an Order that references the Terms, or continue to use Products or Site, you have agreed to the Terms.
We do not accept any other terms or conditions that you attempt to impose on us including those associated with any purchase order you issue. Such other terms and conditions will not apply to your Order.
You must ensure that any of your Affiliates or Customer Users that access Products you have bought from us comply with the Terms.
4. Registering with us
When you register with us to use Products you:
- Must be 18 years old or over
- Are subject to our standard Product user registration requirements
- May not be accepted as a Product user in our sole discretion
- Must provide accurate and complete information and then keep it up to date.
5. Taking Our Exams
Our exams may be remotely proctored to ensure their integrity. Students must comply with our Academic Policy, Proctoring Guidelines, and applicable Exam Guide when taking our exams. If you breach our Academic Policy we may, in our sole discretion:
- Revoke all existing certification(s) you have obtained from us
- Disqualify you for life from all of our courses and exam(s)
- Disqualify you for life from buying our Products
6. Paying for Products
You must pay the Price on the billing date and at the billing frequency mentioned in your Order.
We will charge you the Price on (a) each renewal of your subscription period or (b) at the billing frequency stated in your Order (if different) when you buy Products on a subscription basis.
You must tell us of any dispute over the Price within 15 days of the date of our invoice or your last billing date. Overdue amounts will incur interest at a rate of 1.5% per month or the maximum rate permitted by law (whichever is less) except for amounts disputed in good faith.
The Price excludes applicable taxes. If you must deduct withholding tax from the Price, you must pay us an amount that ensures our net receipt is the same as it would have been were the payment not subject to such withholding.
7. Paying for Subscriptions
You must provide us with a Payment Method if you buy Products on a subscription basis unless we state otherwise in your Order. We can charge the Price to any Payment Method associated with your account.
We may suspend your access to Product until we have been able to charge your Payment Method for all amounts due. You are responsible for any (a) uncollected amounts (b) all fees or charges made by the Payment Method issuer.
You can update your Payment Method by going to your online account management page. We may also update your Payment Method using information provided by your payment service providers. We can continue to charge the applicable Payment Method(s) following any such update.
We use third parties to process payments. Your payment information, Payment Method and other Personal Data will be passed to such third parties.
8. Adjusting Subscription Prices
We may increase the Price by providing you with an Increase Notice at any time if you buy Products on a subscription basis. Any increase will apply from the next renewal of your subscription period occurring 30 days or more after the date of the Increase Notice.
9. Using Products
We authorize you to use Site, Products and Materials for your own personal use in accordance with the Terms.
You must make sure (a) you have the knowledge, expertise, equipment and facilities needed to use Products (as posted on Site from time to time) (b) Products are suitable for your purpose.
You must start using a Product within any specific time period we specify and we are under no obligation to extend that period.
In relation to Products, Materials and Site, you must not (a) remove or hide proprietary notices (b) remove or hide Personal Data we use to identify you as Product user including watermarks on the pdf books and videos you download (c) perform any attack, scan, test, probe or penetration other than as specifically permitted by us in our course or exam materials (e) perform other actions that may cause damage (f) use data mining, robots or similar data gathering methods (g) harm or interfere with other Product users.
To ensure you comply with the Terms, we will routinely monitor your activity while you are using our Products or taking an exam.
10. Using Interactive Product Features
Some Products may allow interactivity among Product users including instant messaging, chatrooms, blogs, forums, polls or bulletin boards. We do not routinely check interactions among Product users and accept no liability for material posted via these interactive features. We have no obligation to remove these materials but we may do so at our sole discretion.
You must not (a) use abusive, defamatory, illegal or objectionable language (b) send advertising or marketing material (c) infringe others’ privacy, confidentiality or intellectual property rights when using interactive Product features.
11. Responsibility for Customer Users
If you are a Customer purchasing Products for your Customer Users:
- As Customer, you are permitted to use Products and associated Materials for your own internal business purposes in accordance with the Terms
- As Customer, you may only allow your Customer Users to use Products and Materials
- As Customer, you must ensure Products and Materials are not shared between your Customer Users
- We can communicate directly with your Customer Users in relation to our products and services.
12. IP Ownership
All Intellectual Property Rights in Site, Products and Materials are owned by us. You have no rights in Site, Products or Materials except as stated in the Terms. We own and will continue to own the media by which Products and Materials are provided to you. You cannot use our name, logos, trademarks or any derivatives. You must not copy, share, sub-license, change, create derivative works from, or in any other way misuse any part of Site, Products or Materials.
This includes not (a) sharing all or part of our course materials with any third party including by posting on any platform, repository or on social media (b) video recording your screen while it interacts with any of our labs (c) using our course materials to assist any person to pass one of our exams including sharing lab walk throughs, exam walk throughs (d) accessing Site, Products or Materials for competitive purposes.
If you share or publish Exam Related Materials in breach of the Terms, on the date of such breach, you automatically assign to us all Intellectual Property Rights in such Exam Related Materials together with all rights in respect of any infringement.
We collect and use (a) information related to your use of Products (b) your feedback on Products. We may use that feedback freely and without compensation to you and we will own all Intellectual Property Rights in derivative works we create based on that feedback.
13. Keeping Products Secure
Access to Products and Materials is subject to password and other security credentials we provide. We can change such passwords and other security credentials on notice. They must not be shared. You must (a) put in place appropriate security measures to prevent unauthorized access to or disclosure of Products or Materials. Those measures must be consistent with standards reasonably expected of an information security professional (b) promptly cure and tell us about any unauthorized access or disclosure of Products or Materials when you become aware.
14. Making Changes to Products
We constantly improve our Products to deliver a better experience or better value to our Customers. We reserve the right to change a Product at any time (including changing specifications, delivery media or platform or removing third party owned content). We will not change a Product’s fundamental nature without letting you know.
15. Supporting our Customers
We may provide self-help via various tools and will provide email and/or online access to our support team to help resolve Customer technical and other issues. The FAQs provide more information on the support we provide.
16. Confidential Information
Recipient and its Affiliates must (a) hold Discloser’s Confidential Information in confidence and disclose it to no third party (b) use that Confidential Information solely for Recipient’s provision or use of Products. Recipient must ensure its Affiliates comply with the Terms relating to Confidential Information.
If you are Recipient, you will be in breach of your duties of confidentiality if you disclose:
- Information in your exam report
- Information in your lab report
- Any walk through for any of our course or exam labs
- Vulnerabilities and exploits in the context of any of our course or exam labs
- Any other information that may help a student pass our exams
Sharing or publishing such Exam Related Materials is also a breach of our Academic Policy.
Confidential Information will not include information which (a) is or becomes generally available to the public through no act or omission of Recipient or its Affiliates (b) becomes known to Recipient or its Affiliates through a third party (c) was lawfully in the possession of Recipient or its Affiliates before disclosure by the Discloser (d) is limited to the name and logo of Customer disclosed on Site or in our other promotional material.
If the law compels Recipient to disclose Discloser’s Confidential Information, Recipient must (a) provide prompt notice to Discloser (if legally permissible) (b) limit that disclosure to the extent of the legal requirement. Any disclosed information will remain Confidential Information despite that disclosure.
You and your Affiliates must promptly return, delete or destroy (at our discretion) our Confidential Information if your right to use Product terminates or when asked by us at any time. You can keep copies to the extent required by law and those copies will remain our Confidential Information.
Our Confidential Information is made up of trade secrets that (a) we own (b) are secret (c) have commercial value because they are secret (d) we have taken steps to keep secret.
17. Your Data Privacy
We are the Data Controller (as defined in GDPR) of Product User Personal Data. We will process Product User Personal Data in accordance with the duties imposed on us under the Data Privacy Laws and our Privacy Notice from time to time.
In order for us to keep a public register of the status of our certificate holders, we reserve the right to publish Student information. This information includes (a) Student name (b) Student Offensive Security Identification Number (OSID) (c) course taken by Student (d) exam passed by Student (e) certificate issuance and cancellation status and information. We can also provide such information to any third party who has paid for you to access Products.
If you are a Customer User using Products via a Customer’s account (a) any account you create will be subject to control by Customer and Customer’s admins (b) your account information and other Personal Data will be shared with Customer and Customer’s admins (c) your Personal Data may also be visible to other Product users in Customer’s account.
If the domain of the email address associated with your account is owned by a Customer and Customer wishes to add that email address to its account, the Personal Data concerning your existing account may become accessible to that Customer.
18. Our Liability to Each Other
You must indemnify us against any Damages we suffer or incur if you breach any of the Terms. We may also, in our sole discretion:
- Revoke all existing certification(s) you have obtained from us
- Disqualify you for life from all of our courses and exam(s)
- Disqualify you for life from buying our Products
Our total liability to each other for Damages in connection with the Terms, Products or Materials will not exceed the amount paid by you for the Product giving rise to the claim during the 12 months immediately preceding the date the claim arose.
We have no liability to you if you are a Site visitor or user of our free Products only.
Neither of us will be liable for (a) indirect, incidental, punitive, special or consequential Damages (b) loss of profits (except regarding non payment of the Price) even if that Damage or loss could have been foreseen or prevented.
The limits on liability in the Terms do not apply to (a) fraud, fraudulent misrepresentation, gross negligence or willful misconduct (b) negligence causing death or personal injury (c) your indemnification obligations (d) a party’s infringement of the other’s Intellectual Property Rights (e) breaches relating to Confidential Information (f) your liability to pay the Price. Nothing in the Terms limits liability that cannot be limited by law.
19. What We Are Not Responsible for
Exercises contained in our labs should only be attempted inside our hosted lab environment which is segregated from the internet. Attempting these exercises in a live environment would be illegal without permission of the system owner. We do not authorize you to perform these exercises outside our lab environment. You must indemnify us against Damage we suffer or incur if you do so. If we provide you with links to other websites or services, accessing those links is at your sole discretion and risk. We do not review, endorse and are not responsible for such websites or services.
We exclude all warranties, conditions and other terms implied by law to the maximum extent allowed by law. We provide Site, Products and Materials “as is” and “as available” without warranty of any kind. We do not warrant that Site, Products or Materials (a) will be free of interruptions, delays, omissions, inaccuracies or errors or that any such thing will be corrected (b) will be available at any particular time or location (c) are free of viruses, worms, Trojan horses, email bombs, back doors or other harmful components (although we will implement reasonable measures designed to ensure Site, Products and Materials are free of such items based on the nature and intended use of Products).
20. Third Party IP Claims
We will indemnify Customer against Damages Customer incurs because of any claim that Product or Materials infringe the Intellectual Property Rights of a third party. This indemnity will not apply if Damages result from (a) the combination of Product or Materials with third party products or services (b) changes to Product or Materials other than by us (c) use of a version of Product or Materials if we have told you to use a later version (d) Customer’s breach of the Terms.
We can cure alleged or anticipated infringements of third-party Intellectual Property Rights by (a) procuring the right for Customer to continue to use Product or Materials (b) modifying affected Products or Materials so they become non-infringing without reducing performance or functionality (c) replacing affected Products or Materials with non-infringing items without reducing performance or functionality.
Our indemnification duties in this Section are subject to Customer (a) providing us with prompt notice of the claim (b) giving us control of the claim if we ask for it (c) co-operating at our expense in the defense or prosecution of the claim (d) not making any admission or trying to settle any claim without our prior written approval. Customer can participate in the defense of such claims through legal counsel of Customer’s choice and at Customer’s expense.
21. Circumstances Beyond Your or Our Control
Neither party will be liable for Damages arising from failure to perform that party’s obligations due to circumstances beyond that party’s reasonable control. If those circumstances cause material deficiencies in a Product and continue for over 30 days, either party can terminate its obligations for the affected Product on notice to the other party.
22. Complying with the Law
We provide and you must use Products in accordance with applicable laws and regulations.
You must not obtain, keep, use, or provide access to any Product to an Affiliate, Product user or any other third party in a manner that may breach the export control or economic sanctions laws and regulations for any jurisdiction including the United States of America, the United Kingdom and the European Union and its Member States. You warrant that you are not (a) specially designated or sanctioned (b) affiliated with a specially designated or sanctioned person or entity, under any of such laws. You must not involve third parties that are subject to economic sanctions, including by submitting funds to us via sanctioned financial institutions when you deal with us or our Affiliates.
You must not use knowledge or expertise gained from Products in any illegal or unethical manner or to harm any person or entity.
23. Length of Our Relationship
If you are a Site visitor, the applicable Terms will apply for as long as you use our Site.
Otherwise, your agreement with us starts with effect from the date your Order is accepted by us and will stay in force until it is terminated in accordance with the Terms.
If you are entitled to use Product for a specific term, you cannot terminate your obligations during that term.
Your Order or online account management page will state if your Order is on a subscription basis and if so, the subscription period and the billing frequency. On expiry of each subscription period, your subscription will automatically renew for additional periods equal to your original subscription period unless terminated in accordance with the Terms.
24. Suspending or Terminating Our Relationship
We can suspend your rights in relation to Product if (a) we have the right to terminate such rights or (b) to protect our systems or security. Suspension will not affect any of our rights to later terminate your use of Products.
If you buy Products on a subscription basis:
- With a monthly subscription period, you can terminate your Order at any time by using your online account management page and following the instructions for cancellation or by giving us written notice.
- With any other subscription period, either of us can terminate your Order in the way specified in your online account management page or by giving to the other at least 30 days prior written notice to expire with effect from the end of the then current subscription period.
You will continue to have access to Products through to the end of your current subscription period. No refunds of the Price are given if you terminate part way through a subscription period.
Either party can terminate its obligations in relation to Product immediately on notice if the other party materially breaches the Terms and the breach (a) cannot be cured or (b) continues 30 days after the date the breaching party receives notice describing the breach and requiring it to be cured.
We can suspend or terminate your access to free Products, interactive Product features or Site at any time.
If you use Product under a Customer’s account that terminates, your right to use Product will also terminate automatically and without notice.
25. Miscellaneous Terms
Notices
Notices of breach of the Terms by us must be given by email to legal@offensive-security.com attn General Counsel. Other notices to us must be given by email to orders@offensive-security.com. Notices to you will be given by email to any email address you provided to us in your Order or in your online account management page. Increase Notices may also be given through your online account management page.
Notices given by email to the correct email address will be deemed delivered when sent. Notices given through your online account management page will be deemed delivered when posted.
Survival of Terms
Terminating your rights to use Products will not affect your or our respective accrued rights and duties. The following sections of the Terms will survive termination: 2 (Definitions), 3 (Accepting the Terms), 12 (IP Ownership), 13 (Keeping our Products secure), 16 (Confidential Information), 17 (Your Data Privacy), 18 (Our liability to each other), 19 (What we are not responsible for), 22 (Complying with the law), and 25 (Miscellaneous terms).
Dispute Resolution
The Terms and disputes or claims about the Terms will be governed by the laws of the State of New York. Each of us consents to the non-exclusive jurisdiction of the federal and state courts located in New York City to settle disputes or claims about the Terms.
Nothing in the Terms prevents either of us from seeking an immediate injunction or similar remedy from any court of competent jurisdiction to prevent or restrain breaches of the Terms.
Changes
These terms and conditions can be changed by us from time to time and such changes will take effect when posted on Site. Your continued use of Product, Materials or Site constitutes your agreement to such changes.
Assignment
Without the other party’s prior written consent, neither of us can assign or transfer in any other way any right or duty under the Terms. We can assign the Terms (a) to an Affiliate (b) in connection with our or an Affiliate’s sale of a division, product or service (c) in connection with a reorganization, merger, acquisition or divestiture of us or an Affiliate or any similar business transaction.
Unenforceable Terms
If any non-fundamental Terms are illegal or unenforceable, those Terms will be deemed changed to the minimum extent necessary to make them legal and enforceable. Those Terms will be considered deleted if that change is impossible. Any change or deletion will not affect the validity and enforceability of the rest of the Terms.
Delays
If either of us delays or fails to exercise any right or remedy under the Terms, such delay or failure shall not constitute a waiver of that right or remedy.
Entire Agreement
The Terms contain the entire understanding between you and us about Site, Product and Materials and supersede all prior agreements or understandings, verbal or written. Each of us agrees that it has not relied on, and neither of us has any liability for, any representations not expressed in the Terms.
Offensive Security’s Academic Policy – Try Harder
At Offensive Security we train our students by developing their mindset. We believe the “Try Harder” mindset is essential to be a successful security professional. We develop this mindset through hands-on labs and exams. We believe that working independently through the exercises and training materials is part of the journey necessary to gain this mindset. To achieve our training goals, we do not provide our students with hints or answers. Instead we expect them to ask targeted and researched questions and work independently through repeated trial and error to find solutions to the various challenges in our training and exams. With these goals and spirit in mind, our Academic Policy describes the actions and behaviors expected of our students.
In this Academic Policy the phrase “Course Materials” means Offensive Security’s (a) course books and videos (b) course and exam lab machines and associated content (c) exam and lab report templates (d) any other non-public material Offensive Security supplies to its students.
While in our labs, preparing for or taking our exams and at all times after:
- You must:
  - Put in place appropriate physical and technical security measures to prevent unauthorized access to or disclosure of our Course Materials consistent with standards reasonably expected of an information security professional.
  - Promptly cure and tell us about any unauthorized access or disclosure as soon as you become aware.
- Course Materials are for your personal use only. You must not sell or make available Course Materials to anyone else.
- You must only use Course Materials that are provided to you by Offensive Security.
- You must not have someone else take an exam for you and you must not take an exam for someone else.
- You must not ask for assistance from anyone during an exam. You also must not provide assistance to anyone who is taking an exam.
- You must not (a) use cell or mobile phones or other electronic devices (b) interact with any third party in each case while seated at your exam workstation. If you need to do so, you must request a break and step away from your workstation.
- You must not video record your screen while it is interacting with any of our Course Materials. However, you may take screenshots and copy data to the extent needed for your exam or lab report.
- Any information related to our course or exam machines is considered strictly confidential. This includes:
  - Your exam report.
  - Your lab report.
  - Any walk through for any course or exam machine.
  - Vulnerabilities and exploits in the context of any course or exam machine.
  - Any other information that may help a student pass the exam.

  If such information has been shared by somebody else in breach of this Academic Policy, you must not use it to help you pass your exam.
- You are strictly prohibited from downloading any applications, files or source code from the exam environment to your local machine.
- You must not misrepresent your identity or provide false statements to gain accommodations during the course or exam.
- You must not participate in any other conduct that might compromise the integrity or confidentiality of our exams.
- You must not use any knowledge or skills gained from any of Offensive Security’s courses in an illegal, unethical manner, or to harm any person or entity.
Academic Policy Violations:
To ensure the confidentiality and integrity of our exams and training materials, we have a very strict posture regarding any breach of our Academic Policy. In our sole discretion, we will take the following actions against violators of our Academic Policy:
- We will revoke all existing Offensive Security certification(s) you have obtained.
- We will disqualify you for life from any Offensive Security courses and exams.
- We will disqualify you for life from making future Offensive Security purchases.
Your certification status may be disclosed to enquiring parties.
When taking our exams, we encourage all our students to read our Exam Guides and our Proctoring FAQs.
- OSCP Exam Guide
- OSWP Exam Guide
- OSEE Exam Guide
- OSWE Exam Guide
- OSED Exam Guide
- KLCP Exam Guide
- OSEP Exam Guide
- OSDA Exam Guide
- OSMR Exam Guide
- OSWA Exam Guide
Offensive Security Privacy Notice
Last Updated: February 1, 2023
This is our Privacy Notice.
In Summary
When you interact with us, our websites or products and services, we collect and you provide information about you that alone or when combined with other information, could be used to identify you (Personal Data).
(a) We only process your Personal Data if we have a legal basis to do so – this may be consent but more likely another legal basis (b) we collect only the Personal Data necessary to manage your relationship with us (c) we don’t sell your Personal Data to third parties (d) we only use your Personal Data in the way this Privacy Notice describes.
For the full version please continue reading.
Background to this Privacy Notice
This Privacy Notice explains what Personal Data we collect (a) because you interact with our websites and community sites (Sites) (b) because you use our free or paid for products and services promoted on the Sites (Products) (c) as the result of the provision of products and services to us by third parties (Suppliers).
Offensive Security is the brand name of a group of companies that includes OffSec Services Limited (Offensive Security, we, us, our).
OffSec Services Limited of 5 Secretary’s Lane, Gibraltar is the data controller of your Personal Data. OffSec Services Limited provides Products to both individual Product users and customers who are organizations (Customers).
This Privacy Notice explains how we use and share Personal Data, and your choices about our data practices. Please read this Privacy Notice before using the Sites or Products.
Other related terms and conditions
This Privacy Notice should be read in conjunction with our terms and conditions for the purchase and use of our Products (Product T&Cs). It should also be read in conjunction with our Academic Policy and our Cookie Policy.
What this Privacy Notice does not apply to
This Privacy Notice does not apply to:
- Personal Data we hold about our employees or consultants
- Personal Data gathered by other companies or organizations that promote our Services and who use cookies, tags and other technology to collect and use your Personal Data
- How other organizations use your Personal Data if you link to their sites, apps, products, services or social media from our Sites, apps or social media. By providing these links we do not imply that we endorse or have reviewed these third party sites. Please contact those sites directly for information on their privacy practices and policies.
Accessing your Personal Data
We want to make sure the Personal Data we hold about you is up to date and relevant. You are also legally entitled to know what Personal Data we store. If you’d like a copy of some or all of your Personal Data or you think your Personal Data is inaccurate, please contact us at privacy@offensive-security.com.
Please be aware that if you do not want to provide your Personal Data to us or ask us to delete it, we may not be able to provide Products to you and you may not be able to use the Sites.
Personal Data we collect
Automatically Collected Data
When you access the Sites or use Products, the following Personal Data is created and automatically logged in our systems:
- Log data: Information that your browser automatically sends whenever you visit the Sites. Log data includes your Internet Protocol address, browser type and settings, the date and time of your request, and how you interacted with the Sites or Products.
- Device information: Information that includes the device you are using, operating system, settings, unique device identifiers, network information and other device-specific information. The information collected may depend on the device you use and its settings.
- Usage Information: Information we collect about how you use our Sites and Products, such as the content you view or engage with, the features you use, and the actions you take.
We use various technologies to collect and store information, including cookies, pixel tags, local storage such as browser web storage or application data caches, databases and server logs.
Personal Data You Give Us
You provide us with Personal Data when:
- You enquire about Products: we will collect Personal Data from you through web forms such as name and contact details
- You sign up to use Products: you may be required to give us Personal Data, including your name and contact details, employer, gender, age range and billing information (e.g. credit card details)
- We need to verify your ID: we may collect copies of government IDs, utility bills, bank statements and/or parental consent letters
- You email us or online chat with us: for example when you request customer support
- You use our community Sites, blogs and forums: you may post comments and materials.
Personal Data we create or collect
We may create or collect Personal Data about you in the following ways:
- When you register to use Products, our systems will generate unique identifiers including your main Offensive Security ID (OSID), Purchase ID, Lab ID, Certificate ID, Video ID, system username and password. These identifiers are known as “pseudonymized” personal data. They cannot alone identify you but can identify you when combined with other Personal Data we hold.
- We may gather nicknames or handles you operate under in public blogs, forums, chat rooms or other channels. We keep a record of your purchase history and exam history.
- We may keep administrative notes on your file.
- When we proctor our exams, we create videos of those taking our exams and their computer screens. These videos may include third party Personal Data if it is within range of the Product User’s webcam or viewable on the Product User’s computer screen.
- When we look into potential breaches of our (a) Academic Policy (b) Product T&Cs (c) intellectual property rights, we may carry out public domain research. That research may provide us with Personal Data about you and those you appear to be associated with. Sources of this Personal Data include social media sites, chat rooms, forums and community sites.
Personal Data We Get From Third Parties
We may receive Personal Data from a number of third parties including:
- Our Customers if they are paying for you to use Products
- Our Suppliers and business partners if you are working with us on their behalf
- Data brokers providing non-public lists
- Publicly available sources like LinkedIn, other social media sites and other directories
- ID verification service providers including those who check you are not subject to regulatory sanctions
- Credit reference agencies
- Third parties who report you to us because they believe you have breached our Product T&Cs, Academic Policy or intellectual property rights.
Where we process your Personal Data
We store and process your Personal Data on servers both within and outside the European Economic Area (the “EEA” which includes countries within the EU plus Iceland, Liechtenstein and Norway). For example, outside the EEA we process Personal Data on servers in the USA, Israel and the Philippines.
How we use personal data
Below is a description of how we use your Personal Data and our legal basis for doing so.
Usage | To provide Products to you |
Basis | For our legitimate interests and/or to perform a contract |
Description | We process your Personal Data to register you, authenticate your identity, provide Products to you, process financial transactions and manage your relationship with us.
If we cannot verify your identity with the basic information we collect, we may request additional Personal Data such as government ID, utility bill(s), or bank statement(s). For Product users under the age of 18, we collect the name(s) and IDs of the person who has parental responsibility for you, and that person’s consent to our providing you with Products. |
Usage | To undertake Product related activities |
Basis | For our legitimate interests |
Description | We use your Personal Data:
|
Usage | To manage Customer relationships |
Basis | For our legitimate interests and/or to perform a contract |
Description | If one of our Customers pays for you to use Products, we will use your Personal Data to manage our relationship with that Customer. This may include disclosing (a) your usage of Products (b) your performance in our exams (c) any sanctions we impose on you as a result of a breach of our Academic Policy or Product T&Cs.
If you use Products under a Customer’s account (a) any account you create will be subject to control by Customer and Customer’s admins (b) your account information and other Personal Data will be shared with Customer and Customer’s admins (c) your Personal Data may also be visible to other Product users in Customer’s account. If the domain of the email address associated with your account with us is owned by a Customer and Customer wishes to add that email address to its account, the Personal Data concerning your existing account may become accessible to that Customer. |
Usage | To undertake marketing |
Basis | For our legitimate interests and, where required by law, with your consent |
Description | We use your Personal Data to send you updates and information about Products, upcoming events or other promotions or news by telephone, email or push notification.
You may opt out of receiving further marketing emails by following the instructions contained in each promotional email we send you or by contacting us at privacy@offensive-security.com. If you opt out of marketing, we will continue to contact you regarding Products you use. |
Usage | To bill and collect payment from you |
Basis | For our legitimate interests and/or to perform a contract |
Description | If you buy Products from us, we collect your billing information to process payments. We use third party payment providers to process payments for us.
If you don’t pay our bills, we will use your Personal Data to help us collect payment. We might ask a third party to collect the amount you owe. We’ll give them Personal Data about you (such as your contact details) and your account (the amount of the debt) and may sell the debt to another organization to allow us to receive the amount due. |
Usage | To enforce our Product T&Cs and Academic Policy and/or prevent abuse of our intellectual property rights |
Basis | For our legitimate interests and/or to perform a contract and/or to prevent or detect a crime |
Description | We may use your Personal Data to mark course materials we provide to you so we can monitor and protect our intellectual property and confidential information.
We will use your Personal Data to record and look into situations where we believe you or those you appear associated with may have breached (a) our Product T&Cs (b) our Academic Policy (c) our intellectual property rights (d) the law by committing an offense of dishonesty. We may analyze your Personal Data in conjunction with the Personal Data of third parties if we think you may have been involved in the same incident. For example, we will compare your exam and lab reports with the reports of others to look for possible collaboration in breach of our Academic Policy. We may use the results of public domain research to further investigate you and/or those you appear to be associated with. Our findings may be used to (a) revoke any of our certificates you hold (b) terminate or suspend your access to Products (c) prevent you from doing business with us in the future (d) keep a record of our findings and sanctions imposed to ensure they can be enforced. |
Usage | To proctor our exams |
Basis | For our legitimate interests and/or to perform a contract and/or to prevent or detect a crime |
Description | Our exams may be subject to online proctoring to ensure their integrity is maintained.
A student’s webcam and computer screen will be monitored, viewed, recorded, stored, and/or audited. This will include images of the student, the student’s immediate surroundings, anything within range of the student’s webcam and anything viewable on the student’s computer screen. Any communications you have with a student that are visible on that student’s computer screen will also be monitored, viewed, recorded, stored, and/or audited by us. |
Usage | To keep a public register |
Basis | For our legitimate interests |
Description | If you have passed one of our exams, we may use your Personal Data to keep a public register of the status of all our certificate holders. This Personal Data may include (a) your name (b) your Offensive Security Identification Number (OSID) (c) the course you took (d) the exam you passed (e) the status of the certificate that was issued to you. |
Usage | To undertake background checking |
Basis | For our legitimate interests and/or to comply with the law |
Description | We may use your Personal Data to carry out credit reference checks and checks to ensure the law does not prohibit us from doing business with you e.g. because you are subject to regulatory sanctions or in a country that is sanctioned.
We will use the results of these checks to decide whether to do business with you. We will keep a record of the results of these checks and this record may be used to prevent you from doing business with us. When credit reference agencies get a search request from us, a ‘footprint’ goes on your file which other organizations might see. |
Usage | To prevent or detect crime |
Basis | For our legitimate interests and/or to comply with the law |
Description | We’ll use and share your Personal Data to help prevent and detect crime.
For example, we will use your Personal Data to investigate, detect and prevent attempts to obtain our certifications fraudulently or in any other dishonest manner. We might share your Personal Data with government and law-enforcement agencies. We’ll also use your Personal Data to prevent and detect criminal attacks on our computer network. |
Usage | To comply with our legal obligations |
Basis | For our legitimate interests and/or to comply with the law |
Description | We will use and share Personal Data where we are obliged legally. That might be when the law says we have to or because of a court order. |
Usage | To manage Supplier relationships |
Basis | For our legitimate interests and/or to perform a contract |
Description | If you are a Supplier or an employee or contractor of one of our Suppliers, we use your Personal Data to manage our relationship with you/that Supplier, for payment and to communicate with you/that Supplier about Products and services you/they are supplying to us. |
Our legitimate interest in using your Personal Data
We will use your Personal Data for our legitimate interests if we believe we have a legitimate business interest in doing so to operate our business.
When do we believe we have a legitimate business interest?
We’ll have formed the view:
- The usage is necessary and there’s no less intrusive way to achieve the same result
- Your interests don’t override our interests
- You would reasonably expect us to use your Personal Data in this way
- You would not find the usage intrusive and it would not cause you harm
- That we have taken extra care to protect the interests of children
- That we have considered safeguards to reduce the impact where possible
- That we have offered you an opt out where appropriate.
Sharing And Disclosure
We may share your Personal Data and other information with certain third parties in these circumstances:
- Affiliates within the Offensive Security group: for security, business, operational and administrative support purposes.
- Your Employer and others: If your employer or another third party has paid us for you to use Products.
- Service providers: your Personal Data may be shared with our third-party service providers to assist us in providing Products and to operate our business. These include organizations who provide services in relation to marketing, infrastructure and information-technology, payment processing, logistics and shipping and professional advice.
- Third party accreditation: Sometimes, our certifications will be accredited by third parties as equivalent to their own. If you wish to take advantage of such accreditation, we will transfer your Personal Data to such third parties.
- Business transfers: If we are involved in a merger, acquisition, financing due diligence, reorganization, bankruptcy, receivership, sale of all or a portion of our assets, or transition of service to another provider, your Personal Data and other information may be transferred to a successor or affiliate as part of that transaction.
- Legal requirements: If required to do so by law, applicable regulation or in the good faith belief that such action is necessary to (i) comply with a legal obligation, (ii) protect and defend the rights or property of Offensive Security, (iii) act in urgent circumstances to protect the personal safety of users of the Sites or Products, or the public, or (iv) protect Offensive Security against legal liability.
Where we use another organization to provide services or products to us, we still control and are responsible for your Personal Data and for ensuring there are controls in place to make sure it’s adequately protected.
If we need to transfer your Personal Data to another organization for processing in countries outside the EEA and not listed as ‘adequate’ by the European Commission, we’ll only do so if we have model clauses or other appropriate safeguards (protection) in place. For transfers between our Affiliates, we rely on model clauses. In relation to our US cloud platform providers, we rely on a combination of model clauses and the US Privacy Shield. We have a further data center in Israel which is a country listed as adequate by the European Commission.
Data Retention
We will keep your Personal Data while we have a legitimate business need to do so for the reasons described in this Privacy Notice or as required by law (whichever is the longer).
Set out below are some specific data retention policies for certain categories of data.
- Authentication and parental consent: additional Personal Data collected as part of the ID authentication process (e.g. government ID, utility bill(s), or bank statement(s)) will be deleted after 120 days. We also delete the Personal Data collected as part of the parental consent process (i.e., parental IDs) after 120 days.
- Billing information: For the Personal Data we collect for billing (, country, credit card name, credit card number, credit card expiration date, billing address, and credit card CVV), we store this data in encrypted form and do not store the complete credit card number. We delete this data after 1 year from the most recent transaction (payment or refund). This retention policy applies only to the billing information stored by Offensive Security and not to the billing information we provide to our third-party vendors and service providers.
- Proctoring video and screen feeds: video and screen feeds obtained during exam proctoring will be retained for up to 6 months. This will include images of your ID that you have shown to the proctor.
We may keep any Personal Data for longer than usual if we suspect you may have breached our (a) Product T&Cs (b) Academic Policy or (c) intellectual property rights.
Cookies
Cookies are a standard feature of Sites that allow us to store small amounts of data on your computer about your visit to the Site. They are widely used to help make Sites work or work in a better, more efficient way, such as by recognizing you and remembering information that will make your use of the Site more convenient (such as by remembering your preference settings). Cookies also help us to learn which areas of the Site are useful and which areas need improvement, and to track your usage of the Site to provide you with targeted advertisements.
To learn more about how we use cookies please visit our Cookie Policy.
Rights Under European Law
This section provides information on your rights where applicable as a data subject under European data protection law.
Subject to applicable European law, you have the following rights in relation to your Personal Data:
- Right of access: If you ask us, we will provide you with a copy of the Personal Data we hold on you along with certain other details.
- Right to rectification: If your Personal Data is inaccurate or incomplete, you may ask that we correct or complete it. If we shared your Personal Data with others, we will tell them about the correction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Data so you can contact them directly.
- Right to erasure: You may ask us to erase your Personal Data in some circumstances, such as where we no longer need it or you withdraw your consent (where applicable). If we share your data with others, we will alert them to the need for erasure where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Data so you can contact them directly.
- Right to restrict processing: You may ask us to restrict or ‘block’ the processing of your Personal Data in certain circumstances, such as where you contest the accuracy of the data or object to us processing it (please read below for information on your right to object). We will tell you before we lift any restrictions on processing. If we shared your Personal Data with others, we will tell them about the restriction where possible. If you ask us, and where possible and lawful to do so, we will also tell you with whom we shared your Personal Data so you can contact them directly.
- Right to data portability: You have the right to obtain your Personal Data from us that you consented to give us or that was provided to us in connection with our contract with you. We will give you your Personal Data in a structured, commonly used and machine-readable format. You may reuse it elsewhere.
- Right to object: You may ask us to stop processing your Personal Data, and we will do so:
  - If we are relying on a legitimate interest (described under the How We Use Data section above) to process your Personal Data — unless we demonstrate compelling legitimate grounds for the processing; or
  - If we are processing your Personal Data for direct marketing.
- Rights in relation to automated decision-making and profiling: You have the right to be free from decisions based solely on automated processing of your Personal Data, including profiling, unless this is necessary in relation to a contract between you and us or you provide your explicit consent to this use.
- Right to withdraw consent: If we rely on your consent to process your Personal Data, you have the right to withdraw that consent at any time, but this will not affect any processing of your data that has taken place.
- Right to lodge a complaint with a data protection authority: If you have a concern about our privacy practices, including the way we handled your Personal Data, you can report it to the data protection authority authorized to hear those concerns.
You may contact us at privacy@offensive-security.com to exercise your rights.
Changes to processing
We will notify you of changes to the data processing activities described in this Privacy Notice by updating the Privacy Notice or as otherwise required by law.
Children
The Sites and Products are not directed to, nor intended to be used by, individuals under the age of 16, or the equivalent minimum age in the relevant jurisdiction. We do not knowingly collect Personal Data from individuals under the age of 16, or the equivalent minimum age in the relevant jurisdiction.
For Product users under the age of 18, we collect the name(s) and IDs of the person who has parental responsibility for you, together with that person’s consent for us to process your Personal Data and provide you with Products.
If you believe we are processing the Personal Data of a student under the age of 18 without consent from the person who has parental responsibility for them, please contact us at privacy@offensive-security.com and we will endeavor to delete that Personal Data from our databases.
Security
We try to protect the Personal Data from loss, misuse and unauthorized access, disclosure, alteration, or destruction. However, no method of transmission over the internet is 100% secure.
Changes to our privacy notice
We may change this Privacy Notice at any time and when we do we will post an updated version on this page.
Complaints
If you want to make a complaint about how we have handled your Personal Data, please contact us at privacy@offensive-security.com and we will investigate and report back to you. If you are still not satisfied after our response or believe we are not using your Personal Data in line with the law, you also have the right to complain to a data-protection regulator. In Gibraltar this is the Gibraltar Regulatory Authority (www.gra.gi); for details of your local regulator, see https://edpb.europa.eu/about-edpb/board/members_en
Questions
If you have questions about our Privacy Notice or our data practices, please contact us at privacy@offensive-security.com.
California Consumer Privacy Act
Supplemental Notice for California Consumers
For individuals who are California residents, the California Consumer Privacy Act (“CCPA”) requires certain disclosures about your personal information. This notice (“CCPA Notice”) explains how we collect, process, and share personal information of California residents covered by the CCPA. The terms “personal information” and “selling” used below will have the meaning under the CCPA.
Personal Information We Collect, Process, and Share
We collect and process personal information about California residents, and have for the preceding 12 months, including the following:
- If you request product information or support, or if you register to receive newsletters or other promotional material, we may collect your personal information including name, email, employer name, job title, phone number, location, and IP address in response to a request. We may also collect personal information if someone refers you to us or if you refer someone to us to receive information about our products and services.
- If you submit information to us, such as filling out a survey about your user experience.
- If you use social media features or interact with our Site (e.g., “like” or “share” buttons), we collect your personal information. The other site may also collect your personal information. Your interactions with the other site’s features are subject to the terms of the company providing the site.
Our sources of personal information may include: you, such as through your use of our Site, products or services; our affiliate companies or third parties; or referring individuals who think you may be interested in our products or services.
We disclose your personal information to third parties as required for business purposes or under applicable law, including: our affiliates; contractors, vendors or third parties who process personal information on our behalf; channel partners such as distributors and resellers; and any parties to whom we are legally required to disclose your personal information.
Categories of Data and Business Purpose
We collect and process, and have for the preceding 12 months, the following categories of personal information about California residents.
Category of Personal Information | Examples |
Identifiers, including any categories of Personal Information listed in Section 1798.80 of the California Consumer Records statute | Name, address, email address, telephone number, employer information, IP address, or other similar identifiers, or transactions information |
Commercial information | Records of products or services requested or considered |
Financial Information | Billing information |
Internet or other electronic network activity information | Browsing history and information regarding interaction with the web site |
Location data | Location information you provide as part of your request or registration or approximate location based on your IP address |
Professional or employment-related information | Employer name or job title that you provide as part of your request or registration |
Legally protected classifications | Gender; marital status |
Other information that identifies or can reasonably be associated with you | Preferences |
We may use your personal information, including for the following purposes: To respond to requests or product inquiries, and to provide services or support; to provide security and safety of the site, our IT and users of the site, and also to prevent and detect fraud; to provide a customized web experience, including tracking your activities to understand site usage and improve the content and offerings of the website; to operate our business, which includes analysis of our site performance, research, and improvement and development of our products and services; and to comply with and enforce legal and contractual obligations.
Sale of Personal Information
California residents may opt out of the “sale” of their personal information. We do not sell California residents’ personal information as defined under the CCPA and thus, we do not offer an opt-out.
Your Consumer Rights Under The CCPA
If you are a California resident, you have certain rights related to your personal information:
- Request disclosure, free of charge, of the following information (if applicable) covering the preceding 12 months:
  a) Categories of personal information we collect and our purposes for collecting the personal information;
  b) Categories of the sources of personal information we collect;
  c) Categories of third parties to whom we disclosed your personal information, along with categories of personal information disclosed and the purpose for disclosing; and
  d) The specific pieces of personal information we collect about you, unless subject to certain conditions and limitations under the law;
- Request deletion of personal information we collected from you, subject to certain conditions and limitations under the law; and
- Be free from unlawful discrimination for exercising your rights under the CCPA.
How To Exercise Your Rights
If you are a California resident, you may submit a request by contacting us at privacy@offensive-security.com. For security purposes, we may request additional information to verify your identity before further action is taken on your request.
Contact Us
If you have any questions regarding this CCPA Notice, you may write to us at privacy@offensive-security.com or call us at (704) 899 4093.