Privacy Policy



When you use our online services or downloaded tools, as part of the service offering, we collect the personal information you give us such as your name, userid, IP address and email address.

EndPoint Scanning Tool: The EPST collects the hostname, internet address, internal IP address, running username, as well as metadata on any suspected malware activity. Sightings (the indicator name and metadata) and the contents of the epstresults.json or trace.log are uploaded back by default.

Proximity hits: If malware is detected on disk, the tool will report filenames, sizes and hashes of nearby files.

URL Scanning: Version 1.3 and above will report malicious URLs found in the internet history if available; only detected malicious URLs are reported.

Event logs: Version 1.3 and above can opt in, by adding -W, to scan for indicators in event logs and to run additional commands to collect forensic events.

Retention: All results are deleted after 90 days.

File hits from hashes or Yara signatures may be uploaded if the file is less than 10 Mb in EPST tool version 1.1 or greater. A list of any suspected malware files uploaded to us will be recorded in detected.txt. Files are retained for 90 days. You may opt out of automatic file content sharing by including an empty file .DoNotSendSamples in the same directory as the tool and signatures.

EndPoint Scanning Tool Communications: Version 1.3 and above will communicate with using SSL. Previous 32bit and 64bit versions will communicate with using SSL encryption and your authorized tool key. The XP/2003 version will download signatures and upload hits using plaintext HTTP and transmits your tool key over plaintext.

ZEEK Network Module: The Zeek/BRO Module collects packet header information for indicator hits and certain service status information:

When an indicator hit occurs in the Zeek Intelligence Framework, the module transmits the hit item and location of the hit (Intel hit on bad at DNS::IN_REQUEST), Bro node, Bro session uid, source IP+port+method, destination IP+port+method, direction if known, and the session size of the originator and responder. HTTP hits include the full URL, method, and hostname. HTTPS hits include the SNI hostname requested by the client and the remote certificate issuer field. SMTP hits may include the Receipt-to addresses, From address and Subject envelope information. DNS hits include the record type requested. Retention: These results are deleted after 90 days.

Content Signature Framework matches also report up to 2000 bytes of the captured packet/session. Retention: These results are deleted after 90 days.

General status information included in indicator download requests: External IP address, Zeek version, CanCyber module version, and packet statistics such as dropped packets, packets received, packets on the link, and bytes received.

Zeek/BRO Network Module Communications: will communicate with using SSL encryption and your authorized tool key.

Slack: Use of, and messages posted on, our private member-only Slack team are under the terms and conditions provided by Slack and outside of CanCyber Foundation control.

Deletion requests: We will honour any deletion requests from member organizations for any reason, or from third parties who feel their data may have been inadvertently recorded by our scanning tools. All scanning and network monitoring results are deleted after 90 days.

When you browse our site, we also automatically receive your computer’s internet protocol (IP) address in order to provide us with information that helps us learn about your browser and operating system.

Email marketing (if applicable): With your permission, we may send you emails about our services, news and other updates. We use Constant Contact for regular email communications. MISP by default emails alerts when new events are published; these alerts can be opted out of.


How do you get my consent?

When you provide us with personal information we imply that you consent to our collecting it and using it for that specific reason only.

If we ask for your personal information for a secondary reason, like marketing, we will either ask you directly for your expressed consent, or provide you with an opportunity to say no.

How do I withdraw my consent?

If, after you opt in, you change your mind, you may withdraw your consent for us to contact you, or for the continued collection, use or disclosure of your information, at any time, by contacting us at the address below.


We may disclose your personal information if we are required by law to do so or if you violate our Terms of Service.

Anonymized usage (without victim identifiers except Country, Province, and Sector) from sightings or from usage of the CanCyber tools may be shared with other members to provide top hits, a snapshot of recent activity, or feedback/validation of indicators and signatures provided. Malware samples may be shared anonymously with our partners for analysis.


Our online services are hosted at Amazon, Inc. They provide us with the online platform that allows us to offer our products and services to you.

Your data is stored in Amazon’s data storage, databases and other services. While we make every effort to use Canadian storage, some services may store or transmit your data through the United States or other countries.


In general, the third-party providers used by us will only collect, use and disclose your information to the extent necessary to allow them to perform the services they provide to us.


When you click on links on our store, they may direct you away from our site. We are not responsible for the privacy practices of other sites and encourage you to read their privacy statements.


To protect your personal information, we take reasonable precautions and follow industry best practices to make sure it is not inappropriately lost, misused, accessed, disclosed, altered or destroyed.


Here is a list of cookies that we use. We’ve listed them here so you can choose if you want to opt-out of cookies or not.

_session_id, unique token, sessional, allows us to store information about your session

_CAKE_PHP, unique token, sessional, used by MISP


By using this site, you represent that you are at least the age of majority in your state or province of residence, or that you are the age of majority in your state or province of residence and you have given us your consent to allow any of your minor dependents to use this site.


We reserve the right to modify this privacy policy at any time, so please review it frequently. Changes and clarifications will take effect immediately upon their posting on the website. If we make material changes to this policy, we will notify you here that it has been updated, so that you are aware of what information we collect, how we use it, and under what circumstances, if any, we use and/or disclose it.

If our store is acquired or merged with another company, your information may be transferred to the new owners so that we may continue to offer products and services to you.


If you would like to access, correct, amend or delete any personal information we have about you, register a complaint, or simply want more information, contact our Privacy Compliance Officer at the general contact address.