← About

Privacy Policy

How we handle your data -- we collect very little and respect your privacy.

Last updated: February 2026

We take security of OSA systems and data exceptionally seriously. We do not maintain long-term storage of access information beyond operational logging needs, and website usage does not require registration.

Who We Are

Open Security Architecture (OSA) operates the website at opensecurityarchitecture.org. OSA is maintained by its founding team in London and Zurich.

What Data We Collect

Browsing (no account required)

No registration is needed to browse patterns, controls, or framework mappings. We use Cloudflare Web Analytics for aggregate traffic metrics (page views, visitor counts by country). Cloudflare Web Analytics is privacy-first: it does not use cookies, does not track individual users, and does not collect personal data. We do not use Google Analytics or any other third-party tracking.

Authentication

If you choose to log in (required for assessments and comments), we support GitHub OAuth and LinkedIn OIDC. When you authenticate, we receive your display name, email address, and profile picture URL from the provider. We store these in our database (Cloudflare D1) to identify your account. We do not access your repositories, connections, or any other data from these providers.

Session Cookies

Authenticated sessions use a session cookie to maintain your login. This cookie expires after 2 days, or several weeks if you select "Remember Me". No tracking cookies are set.

Comments

Comments are stored in our database with your display name and the date posted. Comments are publicly visible. You may request removal of your comments at any time.

Email

We use Resend (resend.com) to send transactional emails (email verification codes). We do not send marketing emails. Resend processes your email address solely to deliver the message.

Assessment Data Encryption

All security maturity assessment data is encrypted client-side using AES-256-GCM before it reaches our servers. Your encryption key is generated and stored in your browser -- it is never transmitted to us. This means:

  • We cannot read your assessment scores or notes. Our database stores only encrypted ciphertext that we cannot decrypt.
  • Only you can access your data. The encryption key exists solely in your browser's local storage.
  • Clearing your browser data deletes your key. Encrypted assessments become unrecoverable unless you have exported a backup. You can export and import your key from the assessment dashboard.
  • Benchmark contributions are separate. If you choose to share scores to the anonymous benchmark pool, only numeric scores (no notes or identity) are sent as plaintext. This is the only assessment data visible to us.
  • Analysis runs on your data transiently. Threat analysis, gap analysis, and reports are computed from scores your browser provides temporarily -- they are never stored in plaintext on our servers.

Where Data Is Stored

All data is stored on Cloudflare's global network using Cloudflare D1 (SQLite). Cloudflare operates data centres worldwide; data may be processed in any Cloudflare location. We do not store data outside of Cloudflare infrastructure.

Data Retention

  • Account data (name, email, profile URL): retained while your account is active. Deleted on request.
  • Assessment ciphertext: retained while your account is active. You can delete individual assessments from the dashboard. Deleted on account deletion.
  • Benchmark contributions: anonymised and aggregated. Cannot be attributed to you after submission.
  • Comments: retained until you request removal or we moderate them.
  • Server logs: Cloudflare operational logs, retained per Cloudflare's standard retention policy.

Your Rights

You may at any time:

  • Access your data by viewing your profile and assessments in the dashboard
  • Export your assessment data from the dashboard
  • Delete your account and all associated data by contacting us
  • Remove individual comments or assessments

To exercise these rights, contact us via GitHub or at the email address on our website.

Security Practices

We follow NIST cyber security guidelines and conduct regular system security testing. Assessment data is protected with AES-256-GCM client-side encryption. All server communication uses TLS. Authentication tokens and API keys are stored securely in Cloudflare's secret management.

Changes to This Policy

We will update this page when our practices change. Material changes will be noted with an updated date at the top of this policy.