Digital Security Exchange

Privacy and Data Retention

Digital Security Exchange (DSX) is committed to protecting the privacy of visitors to our website, to organizations and providers who submit data through our forms, and to users of the CiviCDR issue tracking platform. This privacy policy explains what data we collect through our website, how it is used, and how it is protected.

Data about Visitors

As detailed in our security practices document, standard web logs are utilized on the DSX website, but minimized to reduce or remove identifiable information about visitors.

We only collect the following data about website visitors (based on the Tor Project’s web tracking practices):

The date the site was accessed (but not the time or time zone) Country, by looking up visitors’ IP addresses in a GeoIP database

Data that is not stored includes:

In addition, the DSX website does not utilize third-party analytics software (like Google Analytics) and does not include beacons or other tracking code. To enable supporters to donate to the project, we do include third-party donate “buttons” on our Support the DSX page. We use session cookies on certain portions of the website. Session cookies expire when you close your browser.

Information Gathered Through Intake Forms

Our website is built in Jekyll, the static site generator. There is no database; all pages exist as static HTML pages. The intake forms at Request Assistance and Become a Provider are built on the fly using PHP. When user data is submitted through the forms, it is placed in a remote directory and encrypted. Only DSX staff have the private key necessary to decrypt these forms.

The DSX endeavors to provide the highest level of protection for user data. We will only disclose personally identifiable information about you to third parties in limited circumstances, including: (1) with your consent; or (2) when subject to a subpoena or other judicial or administrative order.

If we are required by law to disclose the data users have submitted, we will attempt to provide them with prior notice (unless we are prohibited from doing so) to give users an opportunity to object to the disclosure.

Donation Information

When you make a donation through the DSX website, you tell us how much money you want to donate and information required by your choice of payment processor including your name, email address, and billing address. As noted on our donation page, your donation will go to the Internet Systems Consortium, DSX’s fiscal sponsor and a registered 501(c)(3).

When you donate, we will store the amount of your donation, the distribution of organizations you wish to send money to, and your payment processor’s transaction ID. We won’t associate this donation with your identity in our database; however it could possibly be tracked back to you through your payment processor.

You also send information to your payment processor, which might include credit card or bank account numbers. DSX cannot control what the payment processor does with that information, so you should consult their privacy policies.

CiviCDR

We utilize the CiviCDR ticketing and issue tracking platform to manage organizational requests and connect them to the appropriate provider. The CiviCDR project is a partner of DSX, and shares duties related to web and platform development, provider and organization outreach, and fundraising.

While technologies vary across platforms, usage of CiviCDR is subject to the same privacy policy as the DSX website and intake forms. That said, DSX usage of CiviCDR expands beyond the usage of the website and intake forms and requires an additional set of policies.

Information Handling Policy

DSX will request only the information required to assess a partner’s problem and how to assist them. This may include description of problem, measures taken, or relevant files. We will not be privy to incident details between the organization and digital security provider unless we are specifically given access to such details. As a general rule, information requested by DSX and any disclosure of information to providers is done on a need-to-know basis. Incident information (other than number and type of incidents) will be deleted once a ticket is closed.

Private incident information will never be shared with donors or other stakeholders. Donors will only be privy to threat notifications and quantitative project monitoring data such as number of incidents dealt with. Non-sensitive information related to community threats will be extracted from incidents and shared as a community alert, in order to help prevent other partners avoid similar incidents. Sensitive incident information may be shared privately with specific partners if they are at risk from the incident. All sharing of information will be conducted in coordination and with the approval of the partners concerned. However, where a vulnerability may seriously affect the security of DSX partners, and the relevant partner is non responsive, we reserve the right to notify the affected stakeholders. (See Vulnerability Disclosure Policy below)

DSX and the providers we work with will handle all information responsibly and protect it against inadvertent disclosure to unauthorized parties. Sensitive information will be kept and sent only in encrypted formats or over secure channels – this explicitly includes back-ups of sensitive information.

Vulnerability Disclosure Policy

DSX adheres to a do no harm approach. Vulnerabilities reported to DSX through CiviCDR which may seriously affect the security of our partners will be disclosed to stakeholders within three weeks after the initial report. Extenuating circumstances, such as active exploitation, threats of an especially serious (or trivial) nature, or situations that require changes to an established standard may result in earlier or later disclosure. It is the goal of this policy to balance the need of the public to be informed of security vulnerabilities with organizations’ need for time to respond effectively.