Privacy Policy

We have recently made changes to our website and have changed our website Privacy Policy to align with those changes. The changes we have made include providing:

• the identity of the controller of your personal information, which will be responsible for your information and for complying with applicable laws including EU and UK laws;
• additional information on the personal information we collect, its purpose of use, and our legal bases for collecting it;
• information on the privacy rights of our web visitors, including those accessing our website from the EU and UK; and
• additional information on the cookies we use, the information we collect via cookies, and how we use this information. Please see our Cookie Notice for more information. 

If you have questions about these changes, please contact us. 

• What is The MITRE Corporation?
• How We Collect Your Personal Data
• The Data We Collect About You, Purpose, and Legal Basis
• Third-Party Data Collection
• Children
• Sharing Personal Data Within MITRE, With Our Service Providers, and Other Third Parties
• International Transfers
• Retention of Personal Data
• Your Legal Rights (UK and EU)
• Data Security
• Changes to Our Privacy Policy

This Privacy Policy provides information on how The MITRE Corporation (MITRE, we, us) collects and processes personal data on this website, including any data you may provide to us through the website. 

What is The MITRE Corporation?

MITRE is a not-for-profit organization that works in the public interest across federal, state, and local governments, as well as industry and academia. MITRE operates federally funded research and development centers (FFRDCs), which are unique organizations that assist the U.S. government with scientific research and analysis, development and acquisition, and systems engineering and integration. MITRE is headquartered at the following two locations:

7515 Colshire Drive
McLean, VA 22103-7539
(703) 983-6000    

202 Burlington Road
Bedford, MA 01730-1420
(781) 271-2000

MITRE is the data controller responsible for this website, as defined under Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), and the United Kingdom GDPR (UK GDPR). This Privacy Policy includes specific information for individuals residing in the European Union (EU) and the United Kingdom (UK).

We have appointed a Chief Privacy Official (CPO) who is responsible for overseeing and administering MITRE’s privacy program. If you have any questions about this Privacy Policy or wish to exercise any of the privacy rights described in this policy, please contact our CPO.

Individuals may make a complaint by contacting us at privacy@mitre.org. In addition, individuals who reside in the EU or the UK have the right to make a complaint at any time to their respective supervisory authority. However, we would appreciate it if you would please reach out to us first. 

How We Collect Your Personal Data

Information You Provide Via Email, Web Forms, and Other Means  

Users may contact MITRE by postal mail, telephone, or electronically, using information found on the Contact Us page. Users may also complete web forms to request information and enroll in subscriptions.

Information You Provide to the MITRE Career Site

MITRE utilizes Phenom^® People (Phenom), a third-party cloud-based platform, to host the MITRE Career Site. MITRE provides you with the opportunity to register at the MITRE Career Site by creating a profile and submitting personal information, including contact information, career-related information, and resume. You may edit your profile at any time by accessing the site. This information is accessed by MITRE’s Talent Acquisition Team. Phenom also executes algorithms that match candidates against MITRE job openings to provide recommendations to candidates and MITRE’s Talent Acquisition Team.

When you register, any personal data, including sensitive data, you provide will be stored and processed by Phenom and may be processed by MITRE for recruitment-related activities. For additional information, please review the Career Site Cookie Settings for information on the cookies Phenom uses and Personal Information for instructions on how to view, download, or delete your information. 

MITRE also utilizes Workday^®, a third-party application hosted by a third-party cloud service provider, for its job openings submission process via the MITRE Career Site. By applying to an open position, any personal data, including sensitive data, you provide may be stored and processed through Workday for MITRE’s use for job opening evaluation activities.

If you have any questions regarding the privacy of the information you submit to the MITRE Career Site, please send a request to privacy@mitre.org.

Information Collected from Web Traffic Reporting Tools

When users visit the MITRE website, the website server logs basic information about each visit. We process this information via an automated software tool to identify any site performance issues, popular sections and content, and other important site characteristics. This information does not identify you directly. This information is used only as a source of statistical information. We may store such information ourselves, or it may be included in databases owned and maintained by our service providers.

MITRE employs cookies for collecting portions of this information. "Cookies" are data that may be sent to your web browser and stored on your computer. 

Please see our Cookie Notice for further details.

The Data We Collect About You, Purpose, and Legal Basis 

The table below sets out a description of all the ways we plan to use your personal data, the specific data that is collected, and the legal bases we rely on to collect this information. We have also identified our legitimate interests where appropriate.

“Legitimate interest” means MITRE’s need to process personal data to carry out tasks related to its normal business activities. Legitimate interest is distinct from other justifications for data collection, such as informed consent, fulfillment of a contract, or compliance with a legal obligation. MITRE may process personal data for more than one legal basis, depending on the specific purpose for which we use the data.  

We do not collect any Special Categories of Personal Data about you—such as race, ethnicity, and sexual orientation—and we encourage you not to share this type of information with us.

Marketing

We may use your Personal Data to offer services that are of interest to you.

You may receive marketing communications from us if you have requested information from us or received services—such as a newsletter subscription—from us and, in each case, you have not opted out of receiving that marketing.

You will have the ability to change your preferences or unsubscribe any time you receive an email from us. When you opt out of receiving a specific subscription or newsletter, this will not affect any other newsletters or subscriptions that you have requested. You can also ask us to stop sending you marketing messages at any time by contacting us at privacy@mitre.org.

We also use the Salesforce^® Marketing Cloud Ad Studio to support MITRE’s marketing and advertising on different platforms such as Facebook^®, Instagram^®, Twitter^®, and LinkedIn^®.

Third-Party Data Collection

When users visit the MITRE website, users may link to third party software when they link to another party's website. MITRE does not collect any information that may be collected by that third party; however, information you supply to that third party software may be collected and/or used by that party. For information about that third party's privacy policy, please see its respective website.

MITRE also uses Facebook, LinkedIn, Twitter, Instagram, and YouTube® as third-party media sites. MITRE does not collect any information that may be collected by that third party; however, information you supply to that third party software may be collected by that party. For information about that third party's Privacy Policy, please see its respective website.

Children

MITRE websites do not knowingly collect or use data from children (natural persons under thirteen (13), sixteen (16), or eighteen (18) years of age, depending on the jurisdiction). If such data is collected, or if MITRE is notified of such data (privacy@mitre.org), we will delete it.

Sharing Personal Data Within MITRE, With Our Service Providers, and Other Third Parties

We share your information in the manner and for the purposes described below:

1. We share with our affiliates.
2. We may share with third parties who help manage our business and deliver services. These third parties have agreed to confidentiality restrictions and use any personal data we share with them or which they collect on our behalf solely for the purpose of providing the contracted service to us. These include IT service providers who help manage our IT and back-office systems. 
3. We may share with our regulators to comply with all applicable laws, regulations and rules, and requests of law enforcement, regulatory and other governmental agencies. Where we receive requests for information from law enforcement or regulators, we will carefully validate these requests before personal data is shared.
4. We may share in aggregate, statistical form, non-personal data regarding the visitors to our website, traffic patterns, and website usage with our affiliates or advertisers. 
5. If, in the future, we sell or transfer some or all of our business or assets to a third party, we may disclose information to a potential or actual third-party purchaser of our business or assets.

For EU or UK users, you have a right to contact privacy@mitre.org for more information about the safeguards we have put in place (including a copy of relevant contractual commitments) to ensure the adequate protection of your personal data when this is transferred as mentioned above.

International Transfers

Your personal data may be transferred to and stored outside your place of residence in locations that may be subject to different standards of data protection. We will take appropriate steps to ensure that transfers of personal data are in accordance with applicable law and carefully managed to protect your privacy rights and interests and that transfers are limited to countries that are recognized as providing an adequate level of legal protection or where we are satisfied that alternative arrangements are in place to protect your privacy rights.

Retention of Personal Data

MITRE retains your personal data only as long as is necessary and only for the purpose for which MITRE obtained the personal data. MITRE’s retention periods are based on business needs and once your personal data is no longer needed, it is either irreversibly anonymized or securely destroyed.

You can request details of retention periods for your personal data by contacting us at privacy@mitre.org.

Your Legal Rights (UK and EU)

We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your personal data.

Under certain circumstances, you have rights under data protection laws in relation to your personal data. You have the right to:

1. request that we provide you with a copy of your personal data that we hold and to be informed of: (a) the source of your personal data; (b) the purposes, legal basis and methods of processing; (c) the data controller's identity; and (d) the entities or categories of entity to whom your personal data may be transferred.
2. access, update or to delete the information we have about you. Note, however, that we may not always be able to comply with your deletion request for specific legal reasons, which will be provided to you, if applicable, at the time of your request.
3. have your information rectified if that information is inaccurate or incomplete.
4. object to our processing of your personal data that we have justified on the basis of a legitimate interest.
5. restrict our use of your personal data where: (a) the accuracy of the personal data is contested; (b) the processing is lawful but you object to the processing of the personal data; (c) we no longer require the personal data for the purposes for which it was collected, but it is required for the establishment, exercise or defense of a legal claim;.
6. data portability and to be provided with a copy of your personal data in a structured, machine-readable and commonly used format. Note that this right only applies to automated information that you initially provided consent for us to use or where we used the information to perform a contract with you.
7. withdraw your consent at any time where we rely on your consent to process your personal data.
8. request that we not transfer your personal data to unaffiliated third parties for the purposes of direct marketing or any other purposes.
9. request that we change the manner in which we contact you for marketing purposes.
10. obtain a copy of the safeguards under which your personal data is transferred outside the EU.

Before responding to such requests, we may ask you to verify your identity. Please note that we may not be able to act on your request without this additional data. This is a security measure to ensure that personal data is not disclosed to any person who is not authorized to receive it. We may also contact you to ask you for further information to facilitate our response to your request. We reserve the right to charge a fee where permitted by law.

We try to respond to all legitimate requests as required by applicable laws. Occasionally it may take us longer than 30 days if your request is particularly complex or you have made a number of requests. In this case, we will notify you and keep you updated. 

Data Security

The security of your data is important to us, but remember that no method of transmission over the Internet or method of electronic storage is 100 percent secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee its absolute security.

To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect. Steps we take include placing confidentiality requirements on our staff and service providers, and destroying or permanently anonymizing personal data if it is no longer needed for the purposes for which it was collected. MITRE will comply with applicable laws in the event of any breach of the security, confidentiality or integrity of your personal data and, where we consider appropriate or where required by applicable law, notify you in the most expedient time possible and without unreasonable delay, in so far as it is consistent with (i) the legitimate needs of law enforcement, or (ii) any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

However, the security of your personal data depends in part on the security of the device used to communicate with us, the security you use to protect your account information, and the security provided by your internet access service provider. We make commercially reasonable efforts to make the collection and security of information consistent with this Privacy Policy and all applicable laws and regulations. Where you have a MITRE username or password, you are responsible for keeping this information confidential. We ask that you not share your username or password with anyone. Please immediately notify MITRE at the Contact Us link, of any unauthorized use of your username and/or password.

Changes to Our Privacy Policy

The MITRE website may change from time to time. As a result, it may be necessary for us to make changes to this Privacy Policy. Accordingly, MITRE reserves the right to update or modify this Privacy Policy at any time without prior notice. Please review this policy periodically, especially before you provide any information. Your continued use of the MITRE website after any changes or revisions to this Privacy Policy shall indicate your agreement with the terms of the revised Privacy Policy.