Updated 3.3.26

Terms and Conditions of Site Use

1. General Terms

1.1 Introduction

The following are the Cyberspace Innovation Center, Inc. DBA Cyber Innovation Center (the “CIC” or “we”) Terms and Conditions of Use (the “Terms”) that govern the use of the CIC’s CYBER.ORG website, Content Management System or Learning Management System (Canvas or “LMS”), National Cyber Cup, and the CYBER.ORG Range (the “Range”), and all content contained within (hereinafter collectively referred to as the “Sites”). By visiting any of the Sites, you (the “User” or “you”) expressly agree to be bound by these Terms and follow all conditions of use governing the Sites. If the User violates these Terms, the CIC may terminate the User’s access to the Sites, bar the User from having future access to the Sites, and/or take appropriate legal action.

1.2 School Authorization

If the User agrees to these Terms on behalf of a company or other legal entity (including if the User is related to a school and entering on behalf of the User’s school), the User represents that the User has the authority to bind such entity to these Terms, in which case the words “you,” “your,” or “User” shall refer to such entity. If the User does not have such authority or if the User does not agree with these Terms, the User may not use the Sites.

1.3 Permitted Use

The User may use content from the Sites solely for educational purposes. The User represents and warrants that they are a K-12 educator, administrator, or official affiliated with an educational institution in the United States (“U.S.”) or U.S. Territories, or are authorized by a nonprofit organization, government entity, or other organization with a legitimate educational need or purpose. Such Users may be granted access to and use of the CIC’s content and curricula through the Sites, subject to compliance with these Terms.

1.4 Prohibited Use

Any reproduction, copying, or redistribution of any information, proprietary information, materials, or design elements on the Sites for commercial purposes or any purposes other than those outlined in any “Permitted Use” policies stated herein is strictly prohibited without the advance written permission of the CIC. Content from the Sites may not be sold or used by the User for any profit-making purposes. The User shall hold the CIC’s proprietary information in strict confidence and shall not disclose it to any third party other than to the intended K-12 students or as allowed in a separate executed agreement with the CIC. The User shall not use the CIC’s proprietary information for any purpose other than to fulfill its obligations herein.

In addition to the above, other prohibited uses of the CIC’s materials, curricula, and content include, but are not limited to, networking, piracy and counterfeiting, unauthorized digital display, and web use/web posting, all or any of which could be considered direct, contributory, or vicarious copyright infringement. Furthermore, the User shall not distribute or otherwise share login credentials to other persons or entities. The login credentials are issued based on unique User requests. To access the Sites, the User must follow all required registration procedures, which may include providing accurate personal or institutional information, agreeing to any applicable user agreements, and maintaining up-to-date account details. These procedures ensure that only authorized Users gain access and help the CIC protect its intellectual property and the privacy of its users.

1.5 Proprietary Rights

The User acknowledges and agrees that:

i. All intellectual property, curricula, content, and proprietary information available on the Sites or received directly from the CIC are protected by copyrights, trademarks, service marks, trade secrets, or other proprietary rights and laws.
ii. All rights, title, and interest in and to all such curricula, content, and proprietary information are owned and shall be retained by the CIC.

1.6 Platform Availability

The CIC will make reasonable efforts to maintain platform availability. For paid subscribers, technical support and issue resolution will be provided as outlined in their respective service agreements. For free access to the Sites, the CIC will make reasonable efforts to address technical issues; however, no guarantee of resolution or uninterrupted service is provided. All free offerings are provided on an “as is” basis without warranty. The CIC expressly disclaims responsibility for any unresolved technical issues or service interruptions experienced by free Users.

1.7 Links to Other Web Sites

The Sites may contain links to other websites and resources that are owned by other individuals and entities (“Third-Party Sites”). If you decide to visit any of the Third-Party Sites, you acknowledge and agree that:

i. You do so at your own risk.
ii. It is your responsibility to guard against computer programming routines that could alter, damage, expropriate, intercept, or interfere with your computer system.
iii. The CIC is not endorsing, nor is it responsible for, the information, advertising, or content contained on the Third-Party Sites or the products or services promoted, offered by, or sold on the Third-Party Sites.
iv. Your access to and use of the Third-Party Sites is subject to the Third-Party Sites’ terms and conditions of use (including their respective privacy policies).
v. The CIC is not making any representations or warranties regarding the accuracy, appropriateness, availability, completeness, freedom from viruses, performance, quality, security, or timeliness of the Third-Party Sites or their content.

1.8 Privacy Policy

In addition to the Terms, by visiting any of the Sites, you agree to be bound by the CIC’s Privacy Policy (the “Privacy Policy”) that governs the use of data collected via the Sites. The Privacy Policy can be viewed here.

1.9 Other Agreements

These Terms shall take precedence over any other legally binding agreement the User may have in place, currently or in the future, with the CIC.

1.10 Email Communications

By enrolling in any of the services offered on the Sites, you agree to receive email communications from the CIC.

2. National Cyber Cup Terms  

2.1 NCC 

The Terms found in this article (Article 2) apply to Users registered for, or participating in, the CIC’s National Cyber Cup by CYBER.ORG (“NCC”) and are in addition to the rest of thee Terms. 

2.2 NCC and Capture the Flag (CTF) Platform Acceptable Use 

Users may use the NCC platform solely for: 

i. Participating in official NCC events and competitions organized by the CIC. 
ii. Engaging with cybersecurity challenges to advance educational learning. 
iii. Practicing ethical cybersecurity skills within an approved learning environment. 

2.3 Prohibited Uses 

Users may not: 

i. Attempt to interfere with, disrupt, or harm the NCC platform or its services.
ii. Attempt to access or attack systems or networks outside of the authorized NCC platform.
iii. Attempt to gain unauthorized access to participant accounts, challenge answers, or platform resources.
iv. Manipulate or falsify scoring or outcomes.
v. Share or publicly post challenge answers, flags, or solutions.
vi. Violate any applicable local, state, or federal laws in connection with participation in the NCC. 

2.4 Monitoring & Enforcement 

The CIC reserves the right to monitor participant activity for integrity and compliance. Violations may result in, but are not limited to, the following: 

i. Disqualification from the event
ii. Revocation of NCC platform access
iii. Notification of the participant’s school or organization
iv. Prohibition from future events
v. Legal action where applicable 

2.5 Fair Play 

Participants must compete fairly and independently. Unauthorized collaboration is prohibited unless explicitly allowed by the official rules of a specific event communicated to the User by the CIC.

3. CYBER.ORG Range Terms

3.1 The Range 

The Terms found in this article (Article 3) apply to Users registered for use of the Range and are in addition to the rest of the Terms.

The Range houses all registration and Range access activities. All individuals seeking access to the Range must apply at the login page located at https://apps.cyber.org. Access will only be granted to  those individuals or entities that are:

i. K-12 Teachers in the U.S.
ii. Parents of homeschooled K-12 students

3.2 User Types

The following are user types for the Range:

i. Teachers: Responsible adults overseeing administration of student accounts and communications. They can create and access virtual classroom environments, assign environments to students, and access student virtual machines.
ii. Students: Use the Range to practice cybersecurity tools and leverage resources in virtual machines.

4. Changes to This Privacy Policy

We may update the Terms periodically. The effective date will be updated at the top of this page.

For significant changes, we will provide notice at least 30 days in advance through prominent posting on cyber.org and, where appropriate, by email to registered users.

By continuing to use our Sites after any revised Terms have become effective, you acknowledge and agree to the current version of these Terms.

We encourage users to review these Terms periodically to stay informed.

5. Contact Information

If you have questions, concerns, or requests related to these Terms, please contact us via email at [email protected].

We will respond to inquiries in a timely manner in accordance with applicable laws and our policies. 

CYBER.ORG Data Policy

1. Introduction

CYBER.ORG is the academic initiative of the Cyberspace Innovation Center, Inc. DBA Cyber Innovation Center (the “CIC” or “we”). CYBER.ORG’s mission is to ensure that every K-12 student gains foundational and technical cybersecurity knowledge and skills.

The following is the CIC’s Privacy Policy (“Privacy Policy”) that governs the use of data collected through use of the CIC’s websites including, but not limited to cyber.org, Content Management System or Learning Management System (Canvas or “LMS”), National Cyber Cup, and the CYBER.ORG Range (the “Range”) (hereinafter collectively referred to as the “Sites”). By visiting any of the Sites, you (the “User” or “you”) expressly agree to be bound by this Privacy Policy.

2. Why We Collect Data

We use collected data to:

i. Provide and operate our services (including account management, content delivery, and competition scoring)
ii. Improve user experience and platform functionality
iii. Analyze platform usage and educational outcomes
iv. Support reporting requirements for grants, partnerships, and educational program evaluation
v. Comply with applicable laws, grant conditions, and institutional policies.

3. What We Do Not Use Data For

We do not use or share data for advertising purposes, including displaying advertisements. We never sell data to anyone for any purpose.

4. What Data We Collect

4.1 Free Subscription Accounts.

Free subscription accounts are created manually by teachers or CIC staff (“Admins”). No personally identifiable information (“PII”), as defined in 34 CFR Part 99, for school-aged individuals (“Students” as defined in 34 CFR Part 99) is ever collected under free subscription accounts. Usernames, passwords, and nicknames are randomly generated and 100% anonymized for Students. Students cannot change nicknames or passwords. Admins may update passwords and nicknames as needed while maintaining compliance with the Children’s Online Privacy Protection Rule (16 CFR Part 312 or “COPPA”) and Family Education Rights and Privacy (34 CFR Part 99 or “FERPA”).

Under free subscriptions, we collect different types of data depending on the Sites and services you use. This data may include some or all of the following data types.

i. Account Registration Data:
   a. First and last name
   b. Email address
   c. Name of school or organization and school district
   d. Type of Education Organization (public, private, charter, homeschool, college or university, information education provider)
   e. Education System Level (school, district, state, federal, other)
   f. Role (educator, parent, coach, subscriber, Student)
   g. Grade level (for applicable Sites)
   h. Age or date of birth (for applicable Sites)
   i. Location (city, state \ territory, zip code)
   j. Citizenship status
   k. Teaching experience
   l. Additional free text information about the educational organization
ii. Usage Data
   a. Pages visited and features used
   b. Account Activity (logins, logouts, failed attempts, password resets)
   c. Event participation (e.g., National Cyber Cup scoring, Range activity)
   c. Activity logs:
          i. Virtual machine and instance activity (start, pause, resume, terminate)
          ii. Duration of use and associated course, lab, or exercise
          iii. Resource utilization data (CPU, memory, network usage)
          iv. Audit and security logs for compliance and misuse detection
   d. Site analytics data (collected through tools such as Google Analytics, IPinfo, or similar, and processed through internal platforms)
iii. Technical Data
   a. IP address
   b. Browser type
   c. Device information
   d. Approximate geographic location (based on IP)
iv. Communications Data
   a. Support inquiries
   b. Messages submitted through forms
v. Aggregate / Reporting Data
   a. Participation rates
   b. Geographic trends
   c. Performance metrics for reporting to funding partners (in aggregate, without personal identifiers)

5. Data Sharing

5.1 Third-Party Service Providers

To operate our Sites and services, we use trusted third-party service providers, including, but not limited to, the following:

Heroku (Salesforce)
Purpose: Hosts CYBER.ORG websites and APIs
Address: Salesforce Tower, 415 Mission St, 3rd Floor, San Francisco, CA 94105
Phone: (415) 901-7000
Email: [email protected]
Website: https://www.heroku.com 

Vercel
Purpose: Hosts databases for CYBER.ORG applications
Address: 340 S Lemon Ave #4133, Walnut, CA 91789
Phone: Not publicly listed
Email: [email protected]
Website: https://vercel.com

Amazon Web Services (AWS)
Purpose: Cloud compute, storage, and security infrastructure
Address: 410 Terry Ave North, Seattle, WA 98109
Phone: (206) 266-1000
Email: [email protected]
Website: https://aws.amazon.com 

GoDaddy
Purpose: Domain registration and DNS routing
Address: 2155 E. GoDaddy Way, Tempe, AZ 85284
Phone: (480) 505-8877
Email: [email protected] 
Website: https://www.godaddy.com 

Cloudflare
Purpose: Network optimization, DNS, and security services
Address: 101 Townsend St, San Francisco, CA 94107
Phone: (888) 993-5273
Email: [email protected]
Website: https://www.cloudflare.com

IPinfo
Purpose: IP-based geolocation services
Address: 340 S Lemon Ave #7165, Walnut, CA 91789
Phone: Not publicly listed
Email: [email protected]
Website: https://ipinfo.io 

Google Analytics (Google LLC)
Purpose: Site usage analytics
Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043
Phone: (650) 253-0000
Email: [email protected]
Website: https://policies.google.com/privacy 

Databricks
Purpose: Data processing, analytics, and reporting
Address: 160 Spear St, 13th Floor, San Francisco, CA 94105
Phone: (866) 330-0121
Email: [email protected]
Website: https://databricks.com 

Instructure (Canvas)
Purpose: Learning Management System (LMS)
Address: 6330 South 3000 East, Suite 700, Salt Lake City, UT 84121
Phone: (800) 203-6755
Email: [email protected]
Website: https://www.instructure.com 

These third-party service providers are permitted to process data solely to provide services that support Cyber.org’s operations and educational programs. Cyber.org takes all reasonable measures to protect personal and sensitive information shared with these providers, including applying data minimization and deidentification practices wherever possible.

Cyber.org periodically reviews its relationships with third-party service providers to ensure alignment with its privacy, security, and compliance standards. The list of providers may change from time to time as Cyber.org’s technology and services evolve.

5.2 Government Reporting

Certain aggregated, non-personally identifiable data may be provided to Government agencies as required by the CIC’s federal grant programs or other legal obligations.

6. Data Security

We use industry-standard security measures to safeguard data and protect against unauthorized access, loss, misuse, or alteration. These measures include:

i. Encryption of data in transit and at rest
ii. Access controls and user authentication
iii. Use of secure data centers and hosting platforms
iv. Regular monitoring and review of data practices.

6.1 Security as to Personally Identifiable Information

The security of your data, including personally identifiable information, is important to CYBER.ORG. User accounts are protected by a password, and users are required to protect the confidentiality of their passwords.

CYBER.ORG will endeavor, in accordance with applicable rules, regulations, and laws, to maintain appropriate electronic and managerial policies and procedures to ensure that your data, including personally identifiable information, is kept secure in accordance with commercially reasonable information technology standards.

If CYBER.ORG becomes aware of a system security breach by an unauthorized party or determines that any user data has been accessed, acquired, or used for an unauthorized purpose, we will comply with all applicable state and federal data breach laws. CYBER.ORG will notify affected users of any breach resulting in the unauthorized release of data electronically, at minimum, and without unreasonable delay so that you can take appropriate steps. The notification will include the date or estimated date of the breach, the types of information involved, a general description of what occurred, and the steps CYBER.ORG is taking to address and mitigate the incident.

7. Data Retention and Deletion

You may request deletion of your data by contacting [email protected]. We will respond via email to verified requests and confirm deletion, subject to any legal or reporting obligations.

In addition, certain data processed by third-party service providers is subject to those providers’ own data retention and deletion policies.

8. Children’s Privacy

The CIC is committed to compliance with COPPA and FERPA. Where required by law, verifiable parental consent is obtained prior to account creation.

The CIC participates in the iKeepSafe Safe Harbor program for the Range and the National Cyber Cup. If you have any questions or need to file a complaint related to this Privacy Policy and practices for those Sites, please do not hesitate to contact iKeepSafe Safe Harbor program at [email protected].

9. User Rights and Choices

Individuals have the right to:
i. Request access to collected data
ii. Request correction or deletion of data
iii. Withdraw consent (where consent was required).

Requests for the above may be submitted to [email protected]. We will respond via email to verified requests in accordance with applicable laws and program requirements.

10. Cookies, Tokens, and Session Tracking

We use cookies, session tokens, and browser storage to support key functionality on our platforms, including:
i. Securing login and user authentication
ii. Maintaining active sessions while navigating between pages
iii. Enabling educators and students to resume work without re-authenticating frequently (within a limited window).

We do not use cookies or tokens for advertising, third-party behavioral tracking, or profiling.

Sessions may automatically expire after periods of inactivity to protect user data and comply with our security policies. Users may need to log in again after session expiration.

Users can manage cookie preferences via browser settings. Disabling cookies may impact access to some features.

11. Change of Control

CYBER.ORG may grow, reorganize, or engage in corporate transactions over time. We may share your information, including personal information, with affiliates such as a parent company, subsidiaries, joint venture partners, or other entities under common control with CYBER.ORG. In such cases, these entities will be required to use your personal information only in ways consistent with this Privacy Policy.

If all or a portion of CYBER.ORG or its assets are acquired by, merged with, or transferred to a third party, personal information collected through our Sites may be included among the transferred assets. This Privacy Policy will continue to apply to your information, and the acquiring organization will be permitted to handle your personal information only as described in this policy unless you consent to a new policy.

CYBER.ORG will provide notice of any such acquisition or merger within thirty (30) days of the transaction by posting a notice on our homepage and, where feasible, by sending an email to the address associated with your account. If you do not consent to the use of your personal information by a successor entity, you may request deletion of your information in accordance with applicable law.

In the unlikely event that CYBER.ORG ceases operations, dissolves, or files for bankruptcy, we will continue to protect your personal information and will not sell it to any third party.

12. Changes to This Privacy Policy

We may update this Privacy Policy periodically. The effective date will be updated at the top of this page.

For significant changes, we will provide notice at least 30 days in advance through prominent posting on cyber.org and, where appropriate, by email to registered users.

By continuing to use our Sites after any revised Privacy Policy has become effective, you acknowledge and agree to the current version of this Privacy Policy.

We encourage users to review this Privacy Policy periodically to stay informed about our data practices.

13. Contact Information

If you have questions, concerns, or requests related to this Privacy Policy or our data practices, please contact us via email at [email protected]. 

We will respond to inquiries in a timely manner in accordance with applicable laws and our policies.