ISACA Global Privacy Notice

Last Updated: 22 June 2026

TABLE OF CONTENTS

1. Overview and Scope
2. Personal Data We Collect
3. How We Use Your Personal Data
4. How We Disclose Your Personal Data
5. International Data Transfers
6. Data Subject Privacy Rights
7. How We Protect Your Data
8. Third Party Links
9. Data Retention
10. Marketing Choices
11. Contact Information and DPO
12. Updates to This Notice
13. Additional Notice for Specific Jurisdictions
14. No Use by Minors
Annex: Data Processing Activities

1. Overview and Scope

This ISACA® Global Privacy Notice (“Notice”) explains what personal data we collect, why we collect it, how we use it, and the rights you may have.

This Notice applies to all Information System Audit and Control Association, Inc., a California nonprofit mutual benefit corporation, and its respective subsidiaries and affiliated companies (“ISACA”) websites, platforms, mobile applications, and services that link to it (collectively, the “Services”). ISACA is the data controller of the personal data collected through our Services.

Residents in the European Economic Area ("EEA"), United Kingdom ("UK"), Switzerland, Colorado, Delaware, Maryland, Minnesota, Montana, Nevada, New Jersey, Oregon, Canada, Singapore, Turkey, Brazil, Japan, Australia, China, India, and South Korea should refer to the body of this Notice as well as the "Data Subject Privacy Rights and Choices" and the "Additional Notice for Specific Jurisdictions" sections below for additional information that may be applicable to them.

ISACA
1700 E. Golf Road, Suite 400
Schaumburg, Illinois 60173, USA
+1-847-253-1545

2. Personal Data We Collect

We collect personal data that you provide directly to us, that is created during your interactions with ISACA, or that we receive from third-party partners. For more information about our lawful basis for processing personal data, see the Annex: Data Processing Activities at the bottom of this Notice.

General

We receive personal data directly from you, including:

  • Contact Information: name, email address, phone number, and mailing address, such as when you sign up for a newsletter or other publication.
  • Professional Information: job title, employer, certifications, education, and experience.
  • Payment Information: billing details and transaction metadata. ISACA does not store full payment card numbers.
  • Account Information: usernames, passwords, membership status, and activity within your ISACA account.
  • Communications: information included in emails, chats, forms, and support interactions.

Members or Registered Users

If you sign up to become a registered user or an ISACA Member, you will be required to provide certain personal data as part of the registration process. This information may include your first and last name, email address, and business or home address. We use this information to communicate with you, to design content and activities that we believe would be of interest to you, and to ensure that we will not violate any applicable U.S. sanctions in providing you access to our Services. We rely on fulfillment of contract as the lawful basis for processing your personal data.

We may also request that you voluntarily provide other profile information, such as your phone number, year of birth, a profile photograph, demographic information, educational background, work experience, information about your non-ISACA certifications, courses or areas of study in which you may be interested and information about your company as it relates to our Services and your membership. We rely on our legitimate interests as the lawful basis for processing your personal data in this way.

If you post personal data on public areas of the Services, that information may be collected and used by us, other users of the Services, and the public generally.

If you are a member or registered user and choose to participate in our professional networking features, which are provided by our third-party vendor and volunteer platform provider, your postings will be associated with the personal data in your public member profile (which includes your name, user name, and other optional information you may choose to include). ISACA may share personal data, to the extent you have provided it, with the volunteer platform provider and other ISACA platforms, including: your name, state, zip code, country, phone number, bio, email, job title, company, ISACA and non-ISACA certifications, education (university or school and degree), areas of interest, membership level, chapter membership, chapter leader role, chapter ID, work experience, date of birth, photo and staff membership.

If you decide to participate in our platforms and professional networking features, keep in mind that your personal data (for example, your name and online username), along with any substantive information you disclose in the communication you decide to post, will be publicly accessible and viewable by others who visit that area. In addition, we may highlight certain users’ postings or contributions to other members of the ISACA professional networking features. For example, users who participate actively in our social networking features, like contributing materials and engaging in certain online activities, will be listed as “active members” in a roster that is viewable by all other registered users, to the extent that they consent to being listed. It is possible that your posting may result in unsolicited messages from third parties. We strongly recommend that you do not post any information on the public areas of the Services that allows strangers to identify or locate you or that you otherwise do not want to share with the public.

Exams and Certifications

When you register for a certification exam, we collect your name, email address, phone number, and professional history on the basis of contractual necessity. If you request special accommodations, we will collect that information with your consent, where required by applicable law.

To ensure exam integrity, we partner with third-party testing centers. These centers act as independent data controllers. When you arrive at a testing center, they will collect your name, photograph, and government-issued identification. This information is collected, maintained, and used by the third-party testing centers, including to verify your identity and prevent fraud. We do not have access to or control over this data and you should review the privacy policies of the third-party testing centers you use.

We also collect your exam results and continuing professional education (CPE) records to maintain your certification status, which is processed for contractual necessity.

Events and Conferences

When you attend one of our events, we may receive your personal data from event partners, co-sponsors, badge sponsors, badge‑scanning vendors, and other vendors and partners related to the event. The types of personal data we may receive may vary based on whether you are a registrant, speaker, or exhibitor:

  • For Registrants: When you register for an event, we collect your name, email address, company information, and job role to provide event services like badge printing, and to ensure you receive CPE credits. If you have an existing account, we access your account data to streamline registration. Optional demographic data is used to tailor content. If you provide dietary restrictions or disability information, which may be considered sensitive data under certain laws, you do so with your consent, where required by applicable law, which is processed to ensure appropriate accommodations.
  • For Presenters: If you are a presenter, we collect your name, employer, contact information, and a photograph. We may also make and store recordings of your voice and likeness for event promotion and archival purposes with your consent, where required by applicable law.
  • For Exhibitors: At events, exhibitors may offer to scan your badge to obtain your contact information. By allowing your badge to be scanned, you are giving your consent for our third-party badge scanning service to share your data with that exhibitor for follow-up communication. Please be aware that exhibitors are independent data controllers for the information they collect from badge scans. We have no responsibility for their privacy practices and encourage you to review their privacy policies directly. You are in complete control of this process and can communicate with the exhibitor directly to withdraw consent.

ISACA Chapters and Professional Organizations

When you join an ISACA chapter or ISACA-affiliated professional organization, we collect certain personal data from the chapter and/or organization, such as your name, contact information, and membership coordination data (lawful basis: legitimate interests or contractual necessity). We have a legitimate interest in knowing who our members are to provide more relevant products and Services.

Purchase of Goods or Services - Processing Payments

When you purchase goods or services, your payment information is processed directly by our payment processing service(s). We do not directly process or store your full payment card details. Occasionally, our staff may be requested to enter your payment card information on your behalf. For your security, you should not submit payment card information via email. If we receive payment card information through non-secure channels, our staff will enter it into the payment system as instructed and immediately delete or securely destroy the original information. We receive certain personal data from our payment processors, such as transaction confirmation data, and process such data based on our legitimate interests or contractual necessity.

Business Contacts

We may receive your contact information, such as your name, telephone number, and email address, and/or professional or business-related information (including your business address), through our online or offline interactions with you, such as when we work together on a project or discuss opportunities to work together (lawful basis: legitimate interests or contractual necessity). We may send you emails or call you with information about our business dealings, news, or marketing information to communicate with you for business purposes.

Social Media Information

If you post information on a webpage we establish on a social media platform, we may use the information to respond, to promote our business and services, and in the normal course of our business operations. We may collect personal identifiers, such as your social media username, and other personal characteristics that you have made publicly available on the social media website (lawful basis: legitimate interests). Note that the third-party operators of social media websites also receive such information, and their use of your personal data is governed by their own privacy policies.

Automated Data Collection – Cookies and Similar Technologies

As is true of most other websites, our websites collect certain information automatically and store it in log files. This data includes your Internet Protocol (IP) address, region or general location, browser type, operating system, activity logs, and other usage information about your interaction with our websites. We also may collect approximate geolocation data, such as through your IP address. We use this information to help us design our website and mobile applications to better suit our users' needs, diagnose server problems, analyze trends, and track visitor movements. We have a legitimate interest in understanding how members, customers, and potential customers use our website to provide more relevant products and services, and to provide appropriate staffing to meet member and customer needs.

We also use cookies and other tracking technologies on our sites. We make available a comprehensive Cookie Notice that describes the specific cookies used and provides information on how you can accept or reject them.

Third-Party Data Sources

We also receive personal data about you from other sources, including:

  • Testing centers and exam vendors
  • Event partners, cosponsors, badge sponsors, and badge‑scanning vendors
  • ISACA chapters and professional organizations
  • Payment processors
  • Employers, such as when your employer pays and registers you for training, certification, or membership

These third parties may act as either controllers or processors depending on their role.

Our Approach to Consent

Where our processing activities rely on your consent, we are committed to upholding the highest standards. In alignment with global regulations, consent must be:

  • Freely Given: Without coercion or imbalance of power.
  • Specific: For clearly defined purposes.
  • Informed: You receive full details about the processing and the controller's identity.
  • Unambiguous: Demonstrated by a clear, affirmative action, such as ticking an opt-in box.

Individuals can withdraw consent for the processing of sensitive data, such as dietary restrictions or disability information, at any time via the Privacy Rights Portal.

3. How We Use Your Personal Data

We use personal data to:

  • provide and manage ISACA memberships, credentials, events, and digital services;
  • authorize access to our websites and Services;
  • process transactions and deliver purchased Services;
  • personalize your experience by recommending relevant content and opportunities;
  • communicate service updates, security alerts, and administrative messages;
  • send marketing and promotional emails and advise you of other services;
  • post testimonials;
  • provide recognition if you assisted with an initiative or project;
  • conduct analytics, improve offerings, and maintain system security;
  • present, operate or improve the Services, including analysis of website activity;
  • inform you about Services and products available from ISACA;
  • provide and improve our customer service, conduct customer satisfaction, market research, and quality assurance reviews;
  • investigate possible fraud or other violations of our terms or this Notice and/or attempts to harm our members or website visitors; and
  • comply with legal obligations and respond to lawful requests.

ISACA uses automated tools and AI for personalization, analytics, fraud prevention, and service improvement and as a result, certain personal data may be processed using automated means.

We do not “sell” personal data, as this term is used under certain U.S. state privacy laws, except in relation to certain cookies and similar technologies that we use as set forth in our cookie disclosures. See the "Additional Notice for Specific Jurisdictions" section below for more information.

Do Not Track Signals

Our systems do not respond to Do Not Track (DNT) browser signals, unless required by applicable law.

4. How We Disclose Your Personal Data

We may disclose personal data to the following categories of entities and under the following circumstances:

  • Service Providers and Processors: such as IT hosting, payment processors, email services, learning platforms, and other vendors acting under contract that provide services related to the operation of our business and/or the Services, the processing and fulfillment of your orders, and making certain functionalities available to our website visitors. As the Controller, we engage various third-party companies to process personal data on our behalf. These companies, known as Processors, are contractually obligated to handle your data in accordance with our instructions and security standards. A list of our third-party processors can be found on our Processors Page.
  • Affiliates and subsidiaries: such as our affiliates and subsidiaries that provide services and support to us or our foundation One in Tech.
  • Business Partners & Sponsors: such as partners and sponsors of co‑hosted events or programs (where permitted by law). For example, if you are an event attendee, speaker, or sponsor, certain personal data about you may be included in the event roster, which may also be shared with third-party event sponsors and exhibitors and publicly disclosed.
  • Other Third Parties: such as if you use ISACA’s Career Center services, the personal data you include in your profile will be shared with the third-party Career Center provider and will be subject to the third-party privacy policies. Please note, when you provide information in the Career Center, your information may be accessible to potential employers or recruiters.
  • Employers: such as when your employer participates in our enterprise programming, your personal data, particularly with respect to the goods and/or services your company has purchased from ISACA for your benefit, will be shared with your organization’s program coordinator.
  • ISACA Entities and Chapters: to deliver membership services and chapter programming.
  • Legal Requirements: when necessary to comply with any applicable law, regulation, legal process or enforceable governmental request; enforce agreements, including investigations of potential violations; detect, prevent, or otherwise address fraud, security or technical issues; or protect the rights, property, assets or safety of ISACA or others, or to protect the Services from unauthorized use or misuse, as required or permitted by law.
  • Business Transactions: in connection with a business transfer, such as a merger, acquisitions, consolidation, divestiture, change in control, dissolution or other sale or transfer of assets, including whether as a part of bankruptcy, liquidation or similar proceeding.
  • With Consent: when you provide explicit consent for specific disclosures.

5. International Data Transfers

As a global organization with headquarters in the United States, your personal data may be transferred to, stored, and processed in the U.S. and other countries where we or our third-party processors operate. When these transfers occur, we implement legal safeguards to ensure a high level of security and compliance, such as Standard Contractual Clauses and data processing agreements. You can view the specific geographic locations where your data may be held by visiting our Processors Page.

We implement appropriate safeguards to ensure your data remains protected. These safeguards include:

  • Standard Contractual Clauses (SCCs): For transfers from Europe to countries without an adequacy decision, we use the SCCs approved by the European Commission.
  • UK International Data Transfer Agreement or International Data Transfer Agreement: For transfers from the United Kingdom to countries without an adequacy decision, we use the UK International Data Transfer Agreement or International Data Transfer Agreement, as applicable.
  • Derogations: In certain situations, we may rely on specific derogations as set forth in Article 49 of the GDPR, such as the transfer being necessary for the performance of a contract.
  • Data Processing Agreements (DPAs): We enter into DPAs with our third-party processors and service providers to ensure they adhere to strict data protection standards.

6. Data Subject Privacy Rights

Certain jurisdictions have specific legal requirements and grant privacy rights with respect to personal data, and we will comply with restrictions and any requests you submit as required by applicable law. Depending on your location, you may have the following data protection rights:

  • Access: The right to request a copy of the personal data we hold about you to verify the lawfulness of our processing.
  • Correction: The right to correct any inaccurate or incomplete personal data we hold about you.
  • Deletion: The right to request the deletion of your personal data under certain conditions, such as when the data is no longer necessary for the purposes for which it was collected, subject to certain exceptions.
  • Object: The right to object to our processing of your personal data based on legitimate interests or for direct marketing.
  • Restriction: The right to ask us to limit the use of your personal data in certain circumstances.
  • Portability: The right to receive your personal data in a structured, commonly used, and machine-readable format to transmit it to another data controller.
  • Withdraw Consent: Where we rely on your consent to process your personal data, you have the right to withdraw that consent at any time.

Additional information for U.S. Residents

Nevada residents have the right to opt out of the sale of certain pieces of their information to third parties who will license or sell their information to others. However, ISACA does not sell personal data as contemplated by Nevada law.

Residents of certain U.S. states may also have the right to opt out of the processing of personal data for the purpose of “profiling” in furtherance of decisions that produce legal or similarly significant effects and to opt out of the “sale” or “sharing”, as such terms are defined under U.S. state privacy laws, of personal data.

Please note, ISACA sells personal data and shares personal data/engages in “targeted advertising”. For a description of the categories of personal data that are sold or shared/used for targeted advertising and for a description of the categories of third parties that such personal data is sold to or shared with, see the chart below. ISACA does not engage in profiling in furtherance of decisions that produce legal or similarly significant effects. Residents of certain U.S. states may also have the right to not be discriminated against for exercising their privacy rights.

| Category (* may constitute "sensitive personal information" under certain laws) | Type of Identifiers We Collect | Sold or Shared | Disclosed to |
|---|---|---|---|
| Identifiers | First and last name, unique personal identifier, online identifier, Internet Protocol address, email address, account name, username, mailing address, telephone number. | Certain information automatically collected through our websites may be sold or shared, including to advertising and marketing partners and analytics providers | Service providers, partners, commercial providers, advertising and marketing partners, and analytics providers |
| Commercial and financial information | Records of products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies. | Not sold or shared | Service providers, partners, and commercial providers |
| Professional or employment-related information | Company name, job role, company contact information. | Not sold or shared | Service providers, partners, commercial providers, and others you choose to provide such information to, including at our events |
| Internet or other similar network activity | Browsing history, search history, information on a consumer's interaction with a website, application, or advertisement. | Sold and shared | Service providers, partners, commercial providers, advertising and marketing partners, and analytics providers |
| Geolocation data | Approximate geolocation data through an IP address. | Certain information automatically collected through our websites may be sold or shared, including to advertising and marketing partners and analytics providers | Service providers, partners, commercial providers, advertising and marketing partners, and analytics providers |
| Sensory Data | Audio (such as voice recordings, visual, or similar information) | Not sold or shared | Service providers, partners, and commercial providers |
| Personal details* | Dietary restrictions, disability information | Not sold or shared | Service providers and partners |


If you are a resident of one of the following U.S. states, you have one or more of these rights:

  • Colorado
  • Delaware
  • Maryland
  • Minnesota
  • Montana
  • New Jersey
  • Oregon

If you are located outside that jurisdiction and seek to exercise your rights under the law of another jurisdiction, please contact us by emailing DPO@isaca.org.

You or, depending on your state of residence, your authorized agent may submit a request regarding your personal data by:

  • Visiting our Privacy Rights Portal or
  • Contacting us using the information in Section 11.

To opt out of selling or sharing, click on the “Cookie Settings” link in the footer of our websites.

To help protect your privacy and maintain security, we will take steps to verify your identity before granting you access to the information. We may need to request specific information from you to help us confirm your identity. This is a security measure to ensure that personal data is not disclosed to any person who has no right to receive it. When you make a request, we may require that you provide information and follow procedures so that we can verify your identity (and the applicable jurisdiction). The verification steps we take may differ depending on your jurisdiction and the request. Where possible, we will attempt to match the information that you provide in your request to information we already have on file to verify your identity. If we are able to verify your request, we will process it. If we cannot verify your request, we may ask you for additional information to help us do so.

We will respond to your request within the time period required by applicable law and in accordance with applicable law. However, we may not always be able or required to comply with your request, in whole or in part, and we will notify you in that event.

7. How We Protect Your Data

We implement technical, organizational, and physical safeguards designed to protect personal data, including encryption, access controls, secure storage, monitoring, and regular audits. While no system is completely secure, including certain aspects of Internet communications, we work to protect your information and encourage you to use strong passwords and protect your account credentials.

8. Third Party Links

Our websites may contain links to webpages operated by parties other than ISACA. We do not control such websites and are not responsible for their contents or the privacy policies or other practices of such websites. Our inclusion of links to such websites does not imply any endorsement of the material on such websites or any association with their operators. These websites and services may have their own privacy policies, which you may be subject to upon linking to the third party's website. ISACA strongly recommends that you review the third party's terms and policies.

9. Data Retention

We retain personal data only as long as necessary for the purposes described in this Notice or as required by law. When data is no longer needed, we securely delete or anonymize it.

Retention Periods by Data Category

| Data Category | Retention Period | Purpose / Notes |
|---|---|---|
| Certification & Exam Records | Permanent | To verify credential status and maintain historical records |
| Event Registration & Attendance | Event Date + 1 Year | For CPE verification and operational reporting |
| Payment & Billing Information | Fiscal Year End + 7 Years | Required for financial and tax compliance |
| Dietary & Disability Information | Deleted within 30 days post-event | Only retained for accommodation purposes with explicit consent, where required by applicable law |
| CPE Submissions | Account Closure or Creation + 4 Years | Accommodates 3-year certification cycle + 1-year audit buffer |
| Transactional Purchase Records | Account Closure or SOLEV (Statute of Limitations for Contract) | Typically 7 years, jurisdictions may vary |


10. Marketing Choices

If you receive commercial electronic communications from us, you can unsubscribe from the receipt of future commercial electronic communications from us by clicking on the “unsubscribe link” provided in such communications, or by going to your MyISACA Profile, navigating to the Unsubscribe section and selecting your opt-out preference. Please note that even though you have opted out of receiving marketing-related communications from us, we may still send you important administrative messages, and you cannot opt out from receiving these messages.

You may manage your subscriptions by subscribing or unsubscribing at any time. Please navigate to your MyISACA Profile, go to the Unsubscribe section and select your opt-out preference to cancel such subscriptions.

11. Contact Information and DPO

To ask questions or exercise your privacy rights, contact:

Data Protection Officer: DPO@isaca.org
Address: ISACA, 1700 E. Golf Road, Suite 400, Schaumburg, IL 60173
Privacy Rights Portal: https://www.isaca.org/privacy-rights

UK Representative

As ISACA does not have a physical presence in the UK, we have appointed DataRep as our UK representative in accordance with Art. 27, UK-GDPR. If you want to raise a question to ISACA or otherwise exercise your rights in respect of your personal data, you may do so by:

  • Sending an email to DataRep at datarequest@datarep.com quoting “ISACA” in the subject line.
  • Contacting us on our online webform at www.datarep.com/data-request.
  • Mailing your inquiry to DataRep at: DataRep BPM 335368, 372 Old Street, EC1V 9AU London, United Kingdom

Please note that when mailing inquiries, it is ESSENTIAL that you mark your letters for “DataRep” and not “ISACA” or your inquiry may not reach us. Please refer clearly to ISACA in your correspondence. On receiving your correspondence, we may verify your identity to ensure your personal data and information connected with it is not provided to anyone other than you. If you have any concerns over how DataRep will handle the personal data we will require to undertake our services, please refer to their privacy notice at www.datarep.com/privacy-policy.

For individuals located in Europe, you can also contact our Data Protection Officer via our Privacy Rights Portal.

12. Updates to This Notice

We may update this Notice to reflect changes in our practices or legal requirements. The “Last Updated” date will reflect the latest revision. Material changes will be communicated through a more prominent notice on our website or by email where required. Nevertheless, you should review this Notice from time to time to be sure you are aware of the most recent version.

13. Additional Notice for Specific Jurisdictions

Depending on your location, additional rights or disclosures may apply under:

  • European Economic Area
  • United Kingdom
  • Turkey
  • India
  • Canada
  • Singapore
  • Brazil
  • South Korea
  • Japan
  • Australia
  • China
  • Saudi Arabia


This section provides additional information to individuals located in or whose personal data is processed under the laws of the following jurisdictions.

  • European Economic Area (GDPR)

    Under the GDPR, in addition to the rights set forth in the “Data Subject Privacy Rights” section above, EEA residents also have the right to file a complaint by contacting their local supervisory authority for data protection. A list of EU Supervisory Authorities is available here: www.ec.europa.eu/justice/data-protection/bodies/authorities/index_en.htm.

  • United Kingdom (UK GDPR)

    Under the UK GDPR, in addition to the rights set forth in the “Data Subject Privacy Rights” section above, UK residents also have the right to file a complaint by contacting the Information Commissioner’s Office (ICO), the UK regulator for data protection issues (www.ico.org.uk).

  • Canada (Personal Information Protection and Electronic Documents Act - PIPEDA)

    We process your personal data with your consent to fulfill your requests for our products and services. You have the right to access and request corrections to your personal data. If you have concerns about our privacy practices, you may contact our Privacy Officer. If you are not satisfied with our response, you may contact the Office of the Privacy Commissioner of Canada: 1-800-282-1376 (toll-free) or priv.gc.ca.

    Cross-Border Transfer Notice (PIPEDA): Personal data processed in Canada may be transferred to the United States and other jurisdictions for the purposes outlined in this Notice. While located outside Canada, the information may be accessible to foreign courts, law enforcement, and national security authorities. ISACA uses contractual and organizational safeguards to protect transferred personal data.

  • Singapore (Personal Data Protection Act - PDPA)

    We will obtain your consent before collecting, using, or disclosing your personal data, unless permitted or required by the PDPA. You have the right to access and correct your personal data and to be notified in the event of a data breach that is likely to cause you significant harm. We will also implement reasonable security arrangements to protect your personal data and will only retain it for as long as necessary.

  • Turkey (Law on the Protection of Personal Data - KVKK)

    Our data processing activities are based on the legal grounds outlined in Article 5 of the KVKK. We will inform you about the purposes of processing, the identity of the data controller, and your rights under the law. We will also take all necessary technical and administrative measures to protect your personal data from unlawful processing and unauthorized access. Cross-border transfers of your personal data are made pursuant to adequacy decisions, or appropriate safeguards, including standard contractual clauses, or binding corporate rules approved by the Personal Data Protection Authority, in accordance with the amended Article 9 of the KVKK (effective 1 June 2024).

  • Brazil (Lei Geral de Proteção de Dados - LGPD)

    This Section provides additional information to individuals located in Brazil at the time their personal data is collected by ISACA.

    • Data Controller: The controller for the processing described in this Notice is: ISACA, 1700 E. Golf Road, Suite 400, Schaumburg, Illinois 60173, USA.
    • Legal Bases: We process your personal data on one or more of the following legal bases:
      • As necessary to enter into a contract with you, to perform our contractual obligations, to provide our Services, to respond to requests from you, or to provide customer support;
      • Where we have a legitimate interest, as described in this Notice;
      • As necessary to comply with relevant law and legal obligations, including to respond to lawful requests and orders; or
      • With your consent.
    • You can also file a complaint with Brazil’s National Data Protection Authority (ANPD) through its official channels.
    • Transfers outside of Brazil: When we transfer your personal data outside Brazil, we do so in accordance with the terms of this Notice and applicable data protection law.

  • Japan (Act on the Protection of Personal Information - APPI)

    We will not handle your personal data beyond the extent necessary to achieve the stated purposes of use. We will also take appropriate security measures to protect your data and will comply with all legal requirements regarding cross-border transfers. You have the right to request access, correction, or deletion of your personal data or request suspension of use or erasure in certain circumstances.

  • Australia (Privacy Act 1988)

    We adhere to the Australian Privacy Principles (APPs). We will ensure your personal data is handled in an open and transparent manner. You have the right to request access to and correction of the personal data we hold about you. You may also make a complaint if you believe we have breached the APPs.

  • China (Personal Information Protection Law - PIPL)

    We process your personal data in accordance with the PIPL. We will obtain your separate consent for the cross-border transfer of your personal data to our headquarters in the United States. We will also implement all necessary security measures to protect your data. You have the right to access, copy, and correct your personal data, and to request its deletion under certain circumstances.

    For individuals located in China, your personal data will be transferred to ISACA in the United States for the purposes described in this Notice. In accordance with the PIPL, we provide the following details:

    • Data Recipient: ISACA, 1700 E. Golf Road, Suite 400, Schaumburg, Illinois 60173, USA.
    • Categories of Personal Data Transferred: Contact information, account and membership data, event registration data, certification and exam information, and transaction details.
    • Purpose of Transfer: Membership administration, event delivery, exam services, account management, customer support, and fulfillment of contractual obligations.
    • Retention Period: As set forth in Section 9 of this Notice.
    • Rights: You may exercise your rights of access, correction, deletion, and consent withdrawal through the Privacy Rights Portal.

    We obtain separate consent for this transfer as required under PIPL Articles 38–40. ISACA conducts cross-border transfers in accordance with PIPL Article 38 using the appropriate legal mechanism applicable at the time of transfer.

    These mechanisms may include:

    • China SCC-based contracts filed with the CAC,
    • CAC security assessments (if triggered by volume thresholds), or
    • Certified cross-border schemes as permitted by PIPL.

    ISACA will identify the applicable mechanism upon request.

  • India (Digital Personal Data Protection Act - DPDP)

    We process your personal data as a data fiduciary under the DPDP. We will obtain your clear and informed consent for the processing of your data. We will also implement all necessary technical and organizational measures to protect your data and ensure its secure transfer. You have the right to access, correct, and erase your personal data, to withdraw consent as well as the right to grievance redressal.

  • South Korea (Personal Information Protection Act - PIPA)

    We process your personal data in compliance with PIPA. We will obtain your specific consent before collecting your personal data. We will also ensure the secure management of your data, including implementing appropriate technical and administrative safeguards. You have the right to access and request corrections to your personal data, and to request a suspension of processing.

  • Saudi Arabia (Personal Data Protection Law (Royal Decree No M/19, as amended))

    You have the right to access, correct and request erasure of your personal data, and to withdraw consent at any time.

14. No Use by Minors

ISACA’s services are intended for adults. We do not knowingly collect personal data from persons under the age of 18. If you are a parent or guardian of a child under 18 years of age, and you believe that your child has provided us with information, please contact us via the information in the “Contact Information and DPO” section above.

Annex: Data Processing Activities

To ensure full transparency, the following table provides a comprehensive summary of our personal data processing activities.

| Processing Activity | Category of Personal Data | Purpose of Processing | Lawful Basis for Processing |
|---|---|---|---|
| Membership and Registered User | Basic Contact Information; Professional and Personal Biographical Information | To provide membership and account services, including website access, content delivery, and subscription fulfillment. | Contractual Necessity (GDPR Art. 6(1)(b)) |
| Digital Membership Card | Basic Contact Information; Membership Information | To generate and provide digital membership cards. | Contractual Necessity (GDPR Art. 6(1)(b)) |
| Events and Conferences | Basic Contact Information; Professional and Personal Biographical Information; Dietary Restrictions; Disability Information; Event Recordings | To manage event logistics, provide attendee services, and make accommodations. | Contractual Necessity (GDPR Art. 6(1)(b)); Explicit Consent (GDPR Art. 9(2)(a)); Legitimate Interests (GDPR Art. 6(1)(f)); Consent (GDPR Art. 6(1)(a)) |
| Learning and Development | Basic Contact Information; Professional and Personal Biographical Information; CPE Data & Exam Information | To deliver online courses and training, track completion, and report CPE credits. | Contractual Necessity (GDPR Art. 6(1)(b)) |
| Physical Mailings & Fulfillment | Basic Contact Information; Membership Information | To print and mail physical items like journals and membership packets. | Contractual Necessity (GDPR Art. 6(1)(b)) |
| Exams and Certifications | Basic Contact Information; Professional and Personal Biographical Information; CPE Data & Exam Information | To provide certification services, manage your CPE credits, and verify your certification status. | Contractual Necessity (GDPR Art. 6(1)(b)) |
| Payments and Purchases | Basic Contact Information; Payment, Billing, and Shipping Information | To process payments for goods and services and to fulfill orders. | Contractual Necessity (GDPR Art. 6(1)(b)) |
| Sponsorships and Lead Generation | Basic Contact Information; Professional and Personal Biographical Information | To generate and manage sales leads for sponsorships and other services. | Legitimate Interests (GDPR Art. 6(1)(f)) |
| Customer Support | Basic Contact Information; Communication Content | To respond to your inquiries, provide assistance, and maintain records of communications. | Legitimate Interests (GDPR Art. 6(1)(f)); Contractual Necessity (GDPR Art. 6(1)(b)) |
| Quality & Compliance Audits | Basic Contact Information; Professional and Personal Biographical Information | To perform quality checks, monitor compliance with CMMI models, and investigate reported violations. | Legal Obligation (GDPR Art. 6(1)(c)); Legitimate Interests (GDPR Art. 6(1)(f)) |
| Third-Party Service Provision | Basic Contact Information; Professional and Personal Biographical Information; Online Identifiers & Usage Data; Communication Content | To provide services on our behalf (e.g., cloud hosting, email delivery, IT support). | Legitimate Interests (GDPR Art. 6(1)(f)) |
| Third-Party Data Collection | Social Media Data; Third-Party Provided Information | To provide our services when you interact with us through third-party platforms. | Legitimate Interests (GDPR Art. 6(1)(f)) |
| Public Forums and Blogs | Publicly Posted Information; Professional and Personal Biographical Information | To facilitate public interaction and communication on our Sites. | Consent (GDPR Art. 6(1)(a)) |
| Website Analytics | Online Identifiers & Usage Data | To measure website traffic and improve our services. | Legitimate Interests (GDPR Art. 6(1)(f)) |
| Surveys & Market Research | Basic Contact Information; Professional and Personal Biographical Information | To gather feedback about products and services and inform business decisions. | Consent (GDPR Art. 6(1)(a)); Legitimate Interests (GDPR Art. 6(1)(f)) |
| Artificial Intelligence & Automated Processing | Online Identifiers & Usage Data; Communication Content; Professional Information | To personalize services, prevent fraud, and enhance business operations. | Legitimate Interests (GDPR Art. 6(1)(f)) |
| Sensitive Data for Event Accommodations | Personal Details | To provide accommodations during conferences and events. | Explicit Consent (GDPR Art. 9(2)(a)) |
1700 E. Golf Road, Suite 400, Schaumburg, Illinois 60173, USA  |  +1-847-660-5505  |  ©2026 ISACA. All rights reserved.