← About

Terms of Use

Terms governing your use of Open Security Architecture materials and tools.

Last updated: February 2026

By accessing opensecurityarchitecture.org you agree to these terms. If you do not agree, please do not use the site.

Security Guidance Disclaimer

OSA materials are informational resources, not professional security advice. Our patterns, control mappings, framework coverage data, threat models, and assessment tools represent the professional experience of the OSA community, but they are not a substitute for qualified professional judgement applied to your specific circumstances.

  • No pattern is a complete solution. Each pattern addresses a specific architectural concern. Your environment will require multiple patterns, additional controls, and context-specific design decisions.
  • Control mappings are not compliance guarantees. Our framework mappings represent OSA's professional assessment of control-objective alignment. They are not legal advice, regulatory guidance, or certification. An auditor assessing your compliance will apply the authoritative framework requirements directly.
  • Assessment scores are self-reported. Maturity scores reflect your own assessment of your control implementation. They have not been independently verified by OSA or any third party.
  • Threat models evolve. Our threat mappings reflect the ATT&CK and ATLAS knowledge bases at the time of publication. New techniques, tactics, and threat actors emerge continuously.

You are solely responsible for evaluating the suitability of any OSA material for your purposes and for the security decisions you make based on it. We strongly recommend engaging qualified security professionals for any security architecture, compliance, or risk management programme.

Use of the Assessment Tool

The self-assessment tool is provided for your own internal evaluation. You use it at your own risk. Your assessment data is encrypted client-side and we cannot access it (see our Privacy Policy). You are responsible for maintaining your encryption key and exporting backups.

Intellectual Property

OSA content (patterns, diagrams, icons, framework mappings) is licensed under Creative Commons Attribution-ShareAlike 4.0 International (CC BY-SA 4.0). See our License Terms for full details.

NIST 800-53 control data is a US government work in the public domain. Our enrichments are CC BY-SA 4.0.

The OSA name, logo, and brand identity are the property of the Open Security Architecture project. See our Brand page for usage guidelines.

Acceptable Use

You agree not to:

  • Misrepresent OSA materials as your own original work
  • Use the site to transmit malicious content
  • Attempt to access other users' data or circumvent authentication
  • Use automated tools to scrape the site at a rate that degrades service for others

Limitation of Liability

To the maximum extent permitted by law, OSA and its contributors shall not be liable for any direct, indirect, incidental, consequential, or special damages arising from your use of the site, its materials, or its tools. This includes, without limitation, damages arising from reliance on assessment results, control mappings, or threat models.

Availability

We aim to keep the site available but do not guarantee uninterrupted access. We may modify, suspend, or discontinue any part of the site at any time.

Governing Law

These terms are governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Changes to These Terms

We may update these terms from time to time. Continued use of the site after changes constitutes acceptance of the revised terms.