Data Retention Policy

As cybersecurity incident responders, we care a great deal about data retention. Specifically, we don’t want to retain anything unless we absolutely have to.

Information we collect about you is limited to:

  • Full name
  • Email address
  • Company/Organization name
  • Class selection
  • Browser interaction with our servers

If you register for a classified briefing, we are required to collect more information. This is detailed in Classified Briefing Registration.

We go out of our way to get rid of information as soon as we can.

Your Registration Data

We collect the following data at registration:

  • Full name: to print on your badge
  • Email address: so we can send you updates about the event, and let you know about future events
  • Company/Organization name: to report statistics to our sponsor
  • Class selection: to print on your badge, email you class-specific updates, and know when classes are full

This data is aggregated (see below) for reporting purposes.

We also add all attendees’ email addresses (not names) to an announcements email list, so we can tell you about upcoming events. We do not use your email address for anything else.

One (1) month after every event, we destroy all the event’s registration data.

Report Data

While registration is open, we generate periodic reports based on registration data, by importing a scrubbed registration feed into spreadsheets. This scrubbed registration feed provides the following:

  • Email address domain (only the part after @)
  • Company name
  • Class selection

The scrubbed feed is generated from registration data on demand, over HTTPS, and is protected by a shared secret unique to each event.

Report data disappears when event registration data is removed.

Aggregated Historical Data

We aggregate report data into long-term historical reports, to understand registration trends over time. The data in these reports consists of:

  • Total attendees by Criticial Infrastructure sector (determined from email address and company name)
  • Total attendees per class (determined by class selection)

We keep aggregated data forever, even after destroying the registration data.

Classified Briefing Registration

If you register for the classified briefings, we are required to ask for more information about you. We will pass the following to the hosting organization:

  • Email address
  • Full name
  • Employer/Organization name
  • Social Security Number (if required by hosting organization)
  • Other personal information (if required by hosting organization)

We destroy clearance-passing data one (1) week after the event that required it.

We have no control over what the hosting organization does with your data: each agency will have its own policies.

Web Servers

Cyber Fire events use multiple web servers, each with its own unique data collection.

Public Web Server (this site)

Our public web server does not use cookies. Every time you load a page, we log:

  • The time of the page load
  • Your IP address
  • The resource path (part of the URL)

These logs may be stored for up to five (5) years.

Puzzle Server

Our puzzle server uses local browser storage, which is similar to a cookie. If you disable local storage, you will still be able to use the puzzle server.

When you provide your team name and team identifier, it will record these for use in the scoreboard. It will ask your browser to store your team identifier, to make it simpler to fill in answer submissions. If you disable local storage, you will have to type your team identifier each time you submit an answer.

The puzzle server may ask you for your Participant Identifier. If you give it to us, it will be sent as part of the path of every server interaction, to help us understand how people work through our content.

The puzzle server may also pre-fetch and/or cache content, so you can work on puzzles off-line. This information is never sent back to us, it is only stored for your benefit.

Each interaction with the puzzle server logs:

  • The time of the page load
  • Your IP address
  • The resource path (part of the URL)

Puzzle server logs may be stored for up to five (5) years.

Team identifiers

Team identifiers are random strings of letters and numbers that we use to identify your team. We use team identifiers so that we don’t need to ask for any information about you, allowing your team to remain mostly anonymous.

Points log

When your team makes a point, it is added to a points log. Each log entry consists of:

  • The time of the log entry
  • Your team identifier
  • The category in which the points were scored
  • The number of points

These logs, and the mapping of team identifiers to team names, may be stored indefinitely.

Scoreboard storage

When you load the scoreboard, the scoreboard program asks your browser to store the last 20 versions of the scoreboard data. This would help us recover from a complete loss of data, should one ever occur. This information is never sent back to us, we would have to ask you for it. The scoreboard will still work if you disable local storage.

Scoreboard data consists of:

  • The points log, with anonymized team identifiers
  • A mapping from anonymized team identifiers to team names

Announcements Email List

We use an email list to let past participants know about upcoming events. This list contains email addresses only, there’s no need for it to know your name or anything else about you.

Every email from the list has an unsubscribe link that deletes your address. If you unsubscribe, we will forget all about you, including the fact that you asked for your email address to be removed. If you attend another event, you will be placed back on the mail list and will have to unsubscribe again.

Participant Identifier

To better understand how effective our events are, we will track your progress through the event, by using Participant Identifiers.

When you arrive at an event, we will ask you to select an Participant Identifier from a pre-printed list, and attach it to the back of your badge. You can choose any identifier you like: we have no interest in knowing which one you take.

This identifier is used in several places:

  • Logging in to the puzzle server (optional when playing on a team)
  • Attendance sheets
  • Surveys
  • Forms requesting CPE credits

Some surveys may ask you for your email address. We typically ask for an email address when we want to send you a follow-up survey after the event. When we do this, it will either be optional to provide your address, or the survey will be optional. We will never require you to put your email address on a survey.

If you provide your Participant Identifier and your email address in the same survey or form, we will be able to track your activities to your email address.


We care a lot about your privacy, our custodianship of the information you give us, and your understanding of why we’ve made these decisions. After all, we are a cybersecurity training program!

If you have any questions about anything, please don’t hesitate to reach out to us either by using the email address at the bottom of every page on this site, or by asking any staff member at any event.