🔐 CSOH Privacy Policy

👥 Who we are

Cloud Security Office Hours (CSOH) is a free, volunteer-run, vendor-neutral cloud-security community. We are not a company. We have no products and we do not sell anything. The website at csoh.org is community-maintained on GitHub.

🍪 Cookies and tracking

We do not set any cookies on csoh.org. The site is static HTML, CSS, and JavaScript served from our host. There is no analytics provider (no Google Analytics, no Plausible, no anything). There are no pixel trackers, fingerprinting scripts, or session-replay tools.

Your browser stores one thing in local storage if you use it: your dark-mode preference, so the site remembers it next visit. That value lives only in your browser and is never sent to us.

📨 What we collect, and why

1. Mailing list (the only personal data we collect)

When you sign up at sendfox.com/CSOH, you give us your email address — and optionally a first name. We use that exclusively to send you:

• The Zoom link for the weekly Friday session
• Calendar / meeting info for upcoming sessions
• Occasional community announcements (rare — typically <1 per month)

That is the entire purpose. We do not run promotional campaigns, sponsored emails, partner mailings, or anything else against the list. If you stop wanting our emails, the unsubscribe link in every message removes you immediately.

The list itself is hosted by SendFox (an email-service provider). SendFox processes the mail on our behalf and is bound by their own privacy policy. We do not export the list to any other service.

2. Email correspondence

If you email admin@csoh.org or another organizer, we keep that thread for as long as is reasonable to follow up. We don't add you to anything else based on that email.

3. GitHub contributions

If you open an issue or pull request on our GitHub repository, your GitHub username and any data you choose to include become part of a public open-source project's history. That's GitHub, not CSOH — see GitHub's privacy statement.

4. Zoom sessions

Joining the Friday session means Zoom processes your name, audio, video (if you turn it on), and chat messages. Zoom is the data controller for that session — see Zoom's privacy statement. We do not record sessions by default. The presentation portion of a session is recorded only when the speaker has agreed; participant Q&A is not recorded. Anything we publish from a session (e.g., a meeting recap on meetings.html) summarizes topics, not individuals' personal details.

5. Server logs

Our web host keeps standard access logs (IP address, requested URL, user-agent, timestamp) for short-term operational purposes — debugging, abuse handling, capacity planning. Logs are not used to profile visitors and are not joined with the mailing list or anything else. We do not analyze them for marketing or "engagement."

🔗 External links and tracking parameters

csoh.org links to thousands of external resources. Two things to know:

• Outbound links are scrubbed of tracking parameters (e.g. utm_*, fbclid, gclid, msclkid) before publication. A monthly automated job and a per-PR check enforce this — see tools/normalize_urls.py.
• Once you click an external link, the destination site's privacy policy applies. CSOH has no control over what those sites do.

The same scrubbing is applied to URLs that community members share in Zoom chat before they appear on chat-resources.html.

📰 News aggregator

Our news page and RSS feed are populated by a script that pulls from public RSS feeds every three hours. The aggregator runs on GitHub Actions; it has no idea who is reading the page. Read counts and click-throughs are not tracked.

👶 Children

CSOH is aimed at working cloud-security professionals. The site is not directed at children under 16, and we do not knowingly collect data from anyone in that age range.

🌍 Where data lives

The website is hosted in the United States. The mailing list (SendFox) and code repository (GitHub) are also US-based. By emailing us or signing up for the list, you consent to your data being processed in the US.

🔒 Security

We follow standard practices to protect what little data we hold: HTTPS everywhere, narrow access to mailing-list and email accounts, MFA on organizer accounts, strict Content Security Policy on the site, automated URL-safety scanning before merge. To report a vulnerability, see our Security Policy.

📜 Your rights

You have the right to:

• Know what we hold about you (mailing-list address, prior email correspondence with organizers).
• Correct inaccurate information.
• Delete it — unsubscribe from the list at any time, and email admin@csoh.org to delete a prior thread.
• Object to any specific use of your data.
• Get a copy of your data in a portable format on request.

To exercise any of these, email admin@csoh.org. We aim to respond within 14 days.

🔄 Changes to this policy

If we make material changes, we'll post them here with a new "Last updated" date and call them out in the next mailing-list email. We'd consider any change that broadens what we collect, who we share with, or what we use data for to be material.

📞 Contact

• Email: admin@csoh.org
• Mail-list opt-out: Use the unsubscribe link in any CSOH email, or email us
• Security issues: See our Security Policy