THE MITRE CORPORATION RESPECTS THE PRIVACY OF ITS WEBSITE USERS.
Effective Date: 10 June 2025
This Privacy Policy explains the types of personal information that The
MITRE Corporation ("MITRE," "we," "our," "us") collects
from visitors to the MITRE ATT&CK® website (the "Site") at
https://attack.mitre.org; how MITRE uses, shares, protects, stores, and
otherwise processes that personal information; and your choices with
respect to our use of your personal information. By using our Site, you
acknowledge that you understand and agree to the terms outlined in this
Privacy Policy. If you have any questions, you may contact us using the
information provided at the end of this Privacy Policy.
This notice is provided in a layered format so you can click through to
the specific areas listed below.
MITRE may obtain your personal information when you interact with our
Site, for example, when you request information using the "Contact
Us" link. Personal information is data that identifies you, or could
reasonably be used to identify you, as an individual, such as your name
and email address.
We also may collect other information about your visits to our Site
using automated tools; for example, cookies and other passive
information collection technologies enable MITRE to compile aggregate
statistics concerning use of the Site, analyze trends, enhance the
security of the Site, deliver content, and otherwise administer
and improve the Site. This information may include your browser type,
language preference, operating system, device identifier, device type,
access time, Internet Protocol (IP) address, the URLs of websites you
visited before and after visiting our Site, the web search that landed
you on our Site, length of your visits to our Site, and the links you
click and pages you visit within our Site.
Your web browser may have settings that allow you to transmit a "Do
Not Track" signal when you visit various websites or use online
services. Like many websites, our Site is not designed to respond to
"Do Not Track" signals received from browsers. To learn more about
online tracking, the Federal Trade Commission (FTC) provides guidance on
How To Protect Your Privacy
Online.
The ATT&CK website is hosted on GitHub®, which provides internet hosting
for software development and version control. When GitHub is visited,
the visitor's IP address is logged and stored for security purposes,
regardless of whether the visitor has signed into GitHub or not. For
more information about GitHub's privacy and security practices, see the
GitHub Privacy
Statement.
MITRE and GitHub use a free third-party software service called Google
Analytics® to help us understand and analyze how visitors use our Site.
For more information on how Google Analytics uses data collected through
the Site, visit https://www.google.com/policies/privacy/partners/. To
opt out of Google Analytics cookies, visit:
https://www.google.com/settings/ads and
https://tools.google.com/dlpage/gaoptout/.
MITRE may use personal information we collect through our Site to:
communicate with you, including to respond to your questions and
requests, send you notices about our services, or contact you for
additional information when needed;
analyze Site trends, usage, and the activities of Site visitors;
improve our Site and notify you about important updates;
perform internal business analyses or for other business purposes
consistent with our mission;
facilitate, manage, personalize, and improve our partnership
relationships;
identify, prevent, investigate, and take other actions with respect
to suspected or actual fraud or illegal activity or other activity
that violates our policies;
ensure the security and integrity of our personal information
processing;
comply with applicable laws, rules, regulations, and legal processes
as well as our company policies; and
fulfill other purposes, with your consent (as required).
MITRE may share your personal information within our organization to:
better respond to your inquiries;
perform marketing research and for sales, support, and
service-related purposes;
protect rights, property, life, health, security, and safety;
negotiate or complete any proposed or actual merger, purchase, sale,
or any other type of acquisition or other transaction, including a
transfer of all or a portion of our business to another
organization;
disclose personal information with your consent or at your
direction; and
achieve any other purpose consistent with our statements in this
Privacy Policy or otherwise allowed by applicable law.
MITRE may disclose your personal information to comply with applicable
law, such as in response to requests from law enforcement agencies,
regulators, other public authorities, courts, and third-party litigants
in connection with legal proceedings or investigations.
Our Site may include links to other websites that are not owned or
operated by MITRE. This Privacy Policy does not apply to those websites,
which may have their own privacy policies that you should review to
understand how they may collect, use, or disclose your personal
information. MITRE is not responsible for the content or privacy
practices of any linked websites that it does not control.
MITRE maintains reasonable safeguards designed to protect personal
information from loss, theft, misuse, and unauthorized access,
disclosure, alteration, and destruction. MITRE employs encryption
technologies and user authentication procedures that are designed to
keep data secure. Nevertheless, transmission via the Internet and online
digital storage are not completely secure, so we cannot guarantee the
security of your personal information.
MITRE is based in the United States. If you are visiting our Site from
outside the United States, please be aware that information we obtain
about you may be transferred to and processed in the United States or
other jurisdictions. By using the Site and providing your personal
information, you acknowledge that your personal information may be
transferred to and processed in jurisdictions outside your own. Please
be aware that the data protection laws and regulations that may apply to
your personal information transferred to the United States or other
countries may be different from the laws in your country of residence.
We are committed to handling your personal information in an open and
transparent manner in accordance with applicable laws and regulations.
For more information on your privacy rights, you can visit the website
of The Office of the Australian Information Commissioner at
www.oaic.gov.au/.
This section provides a GDPR Notice ("Notice") for residents of the
European Economic Area ("EEA") and United Kingdom ("UK")
regarding their respective rights under the European Union's General
Data Protection Regulation and the United Kingdom's General Data
Protection Regulation (collectively, the "GDPR"). MITRE is the data
controller for personal data collected through the Site.
This Notice supplements the information in this Privacy Policy and other
MITRE privacy policies and notices. If there is a conflict between any
other MITRE privacy policy, statement, or notice and this Notice, this
Notice will prevail.
Personal data collected through this Site may include:
Contact Data. You may provide your contact details, such as your
name, phone number, postal address, email address, and company
affiliation; for example, when you contact us for further
information or subscribe to receive our news and information
offerings.
Device Data. We may obtain information about devices that access
our Site, including the type of device, operating system, device
settings, unique device identifiers, and error data.
Other Data You Provide. This includes personal data you include
in communications you send to us, such as inquiries about our
services.
Your personal data is required for us to provide some of our services.
In some instances, if you fail to provide your personal data, you may
not be able to access or use our services. We may process the personal
data you provide for any of the purposes identified in the "How We Use
Personal Information" and "How We Share Personal Information"
Sections of this Privacy Policy.
Your personal data is processed pursuant to the following legal
bases:
The processing is necessary for us to provide you with the
services you request or to respond to your questions.
We have a legal obligation to process your personal data, such
as compliance with applicable tax laws or other government
regulations or compliance with a court order or binding law
enforcement request.
We have a legitimate interest in processing your personal data
and our reasons for using the personal data outweigh the potential
prejudice to your data protection rights. In particular, we have a
legitimate interest in the following instances:
To analyze and improve the safety and security of our Site and
services, including by implementing and enhancing security
measures and safeguards and protecting against fraud, spam, and
other abuses;
To maintain and improve our Site and services; and
To operate and promote MITRE's services and provide you with
information and communications about our services that are
tailored to, and in accordance with, your preferences.
You have consented to our processing of your personal data. When
you consent, you may change your mind and withdraw your consent at
any time by emailing us at
privacy@mitre.org.
The GDPR provides individuals with certain rights regarding their
personal data. You may ask us to take the following actions:
provide you with information about our processing of your personal
data and access to your personal data;
update or correct inaccuracies in your personal data;
delete your personal data;
transfer a copy of your personal data to you or a third party of
your choice;
restrict the processing of your personal data;
object to our use of your personal data for marketing purposes; and
object to our reliance on legitimate interests as the basis for
processing your personal data.
You may submit these requests by email to
privacy@mitre.org. We may
require specific information from you to help us verify your identity
prior to processing your request. Applicable law may require or permit
us to decline your request. If we decline your request, we will tell you
why, subject to any legal restrictions on disclosing this information.
If you would like to submit a complaint about our use of your personal
data or our response to your request regarding your personal data, you
may contact us at
privacy@mitre.org or submit a
complaint directly to the data protection authority in your
jurisdiction. If you reside in the EEA, you can find information about
your data protection authority
here.
If you reside in the UK, you may file complaints with the Information
Commissioner's Office
here.
MITRE retains your personal data for no longer than is necessary to
achieve the purposes for which the personal data was collected, or as
may otherwise be permitted or required under applicable law. To
determine the appropriate retention period, we will consider the scope
and sensitivity of the personal data; the potential risk of harm from
unauthorized access to, use, or disclosure of the data; the purposes for
which we process the data; whether we can achieve our purposes through
other means; our business needs; and applicable legal requirements.
Unless otherwise required by applicable law, at the end of the retention
period, we will anonymize or securely destroy your personal data.
By using this Site, you acknowledge that your personal data may be
collected, transferred to, and processed in jurisdictions outside your
own. When you directly provide your personal data through our Site, you
acknowledge that your personal data is being provided by you to a
company based in the United States. The laws that apply to personal data
protection in the United States differ from those applicable in the EEA
and the UK.
If it is necessary for us to transfer personal data out of the EEA and
the UK, we do so by using suitable data transfer mechanisms, such as the
standard contractual clauses approved by the European Commission, which
impose data protection obligations on parties to the transfer.
Residents of U.S. states with consumer privacy laws in effect and
enforceable may contact us at
privacy@mitre.org for further
information about our privacy practices.
This Site is not intended for children, and we do not knowingly collect
personal information from children. If we become aware that we have
collected personal information from a child, we will delete it in
accordance with applicable law.
MITRE may update or modify this Privacy Policy from time to time at our
discretion. We will indicate changes to this Privacy Policy by updating
the "Effective Date" at the beginning of the Privacy Policy. Please
review this Privacy Policy periodically and especially before you
provide any personal information to us. Your continued use of this Site
after any update to this Privacy Policy will constitute your acceptance
of our changes.
If you have questions about this Privacy Policy or MITRE's privacy
practices, you may email
privacy@mitre.org.
MITRE's Data Protection Officer for Singapore may be contacted as
follows:
In the United States
Dena Kozanas -- Data Protection Officer
Associate General Counsel & Chief Privacy Official
7515 Colshire Drive
McLean, VA 22102
Phone: +1 (703) 269-8515
Email: privacy@mitre.org
In Singapore
MITRE Asia Pacific Singapore
Thomas (Tass) Bruce Hudak -- Privacy Coordinator
1 Changi Business Park Avenue 1
Suite #02-03/04
Singapore 486058
Phone: +65 8876 4609
Email: privacy@mitre.org