LFX Privacy Policy Addendum

Last updated: November 7, 2023

This addendum to the Privacy Policy of The Linux Foundation (the “Privacy Policy”) provides additional specific details regarding the LFX platform and its processing of personal information. It is subject to the other provisions set forth in the Privacy Policy.

The LFX platform components described below include the applications that data subjects and users directly interact with, as well as underlying architectural components that power those applications.

For each of the LFX platform’s components described below, this addendum describes:

  1. the category of data subjects whose personal information is processed;
  2. the types of personal information that are collected;
  3. the purposes and legal bases for which it is processed;
  4. the service providers who process it in connection with providing the component; and
  5. the other third parties with which it is shared.

Please contact us at privacy@linuxfoundation.org or at the other addresses set forth in the Privacy Policy with any questions.

LFX Crowdfunding

1. Category of Data Subjects
  • Funding contributors: individuals who contribute funding to an open source project on Crowdfunding
  • Funding recipients: individuals who receive reimbursements or stipends from project funds via Crowdfunding, including mentees on LFX Mentorships who receive stipends for their mentorships
2. Types of Personal Information Collected
  • Account information: name, email address, LF ID, unique path / slug, and image / avatar.
  • Funding contributor financial transaction data: ledger entry unique ID, Stripe customer and transaction IDs, contribution amount, and transaction date.
  • Funding recipient financial transaction data: ledger entry unique ID, bank account details (for US-based recipients), W-9 tax forms (for US-based stipend recipients for Mentorships), wire transfer details (for international recipients), reimbursement amount, and transaction date.
  • Some data is temporarily processed by Crowdfunding as a frontend to the Stripe user interface to enable user edit or deletion, but is not stored or cached by Crowdfunding: credit card name, type (e.g. Visa, Mastercard, American Express), and last 4 digits.
3. Purposes and Legal Bases for Processing
  • Purposes: Enabling contribution and receipt of funds via an open source crowdfunding effort with a public ledger; ensuring compliance with laws applicable to the user’s contribution of funds and receipt of reimbursements and stipends; ensuring accurate accounting records; and preventing fraud.
  • Lawful bases: our legitimate business interests; where necessary to enter into or perform a contract with you (upon your request, or as necessary to make the Services available); compliance with law
4. Service Providers
  • Amazon Web Services (AWS): cloud infrastructure and storage
  • Auth0: authentication and user access management
  • Bill.com: internal finance account management for payment reimbursement
  • DocuSign: signing, transfer and storage of W-9 tax forms and wire transfer forms
  • Elastic.co: caching of application database for performance
  • Expensify: processing reimbursements for funding recipients
  • Google: email and spreadsheet for communication and status tracking; analytics for insights into users’ interaction with the platform
  • Mailchimp: delivery of application notification emails
  • NetSuite: internal finance account management for payment reimbursement
  • Retool: data storage and processing for support staff dashboard access
  • Stripe: credit card transaction processing for funding contributors
5. Other Third Parties
  • Contractors: Contractors providing development and operational services to manage the Crowdfunding application
  • End users: Public visibility of ledger with details about contributions and reimbursement / stipend payments.
If you donate to or receive reimbursements from a project through LFX Crowdfunding, we make a record of your transaction publicly visible in that project’s funding ledger, for purposes of ensuring transparency and trust in the funding streams for that project.

 

LFX EasyCLA

1. Category of Data Subjects
  • Project administrators: LF staff members and other external community members who oversee the maintenance of contributor license agreement (CLA) configuration on behalf of their projects.
  • Contributors: individuals who, on their own behalf or on behalf of their employer, contribute content to projects utilizing EasyCLA for CLA management.
  • CLA Managers: individuals who, on behalf of their employer, manage the lists of their employer’s authorized contributors to projects utilizing EasyCLA for CLA management.
  • CLA Signatories: individuals who sign corporate CLAs (CCLAs) on behalf of their employer.
2. Types of Personal Information Collected
  • CLA Signature data: name, email address, LF ID, signature and signing date; for CCLAs: company name, company address, and job title; for certain Projects: mailing address, country, and phone number.
  • CLA Manager data: name, email address, LF ID, employer, authorization activities for managed CCLAs.
  • Contributor data: name, email address; username for source code repository hosting service (e.g. GitHub handle, GitLab handle or LF ID); for CCLAs: employer and authorization records for contributions to managed projects.
3. Purposes and Legal Bases for Processing
  • Purposes: retention and storage of executed intellectual property license agreements in the context of open source Projects to which the signatory and/or their company is contributing; management of lists of authorized contributors under signed CCLAs; maintaining provenance of contributions to Projects utilizing CLAs by ensuring that contributions are made under signed CLAs.
  • Lawful bases: our legitimate business interests; where necessary to enter into or perform a contract with you (upon your request, or as necessary to make the Services available); compliance with law.
4. Service Providers
  • Amazon Web Services (AWS): cloud infrastructure and storage
  • Auth0: authentication and user access management
  • Datadog: log information management and website / login monitoring and user behavior such as page navigation
  • Docraptor: conversion of CLA templates into PDF files
  • DocuSign: signing, transfer and storage of CLAs
  • GitHub: API integration to utilize EasyCLA for GitHub-hosted Projects
  • GitLab: API integration to utilize EasyCLA for GitLab-hosted Projects
5. Other Third Parties
  • Project administrators: Visibility about the contributors, CLA Managers and CLA Signatories for the Projects they manage.
  • End users: Public visibility of CI/CD checks indicating that the CLA signature process has been completed or is still pending

 

LFX Individual Dashboard

1. Category of Data Subjects
  • LF ID holders: Individuals who have created a Linux Foundation ID account.
2. Types of Personal Information Collected
  • Essential Account data: name, email addresses, LF ID, phone number, employer / affiliated organizations, job title.
  • Optional Profile data: profile public visibility settings (including visibility of your TLF-related activities), badges for TLF-related activities and contributions to open collaboration projects, user-defined biography, technical skills, photo URL, personal pronoun, social media IDs / links (GitHub, LinkedIn, Google, Facebook).
  • Open Collaboration Project Participation data:
    • project committee roles
    • conference and webinar attendance
    • affiliation with employers, including employer name, job title, start / end date, and data obtained from LinkedIn APIs (location, industry, number of connections, professional summary, and employment positions); and
    • Project contribution information, including name, email address, username, relevant Project tool, and counts of contributions.
  • TLF Offering Fulfillment data:
    • event and conference information:
      • T-shirt size
      • previously-attended and currently scheduled events
      • presentation and speaking experience: title, slides URLs and recording URLs
      • travel fund request information: name, email address, LF ID, availability of employer assistance, details about the user’s diversity and membership in an underrepresented group, if applicable and solely where provided by the data subject
      • visa letter application information: name, email address, LF ID, passport information, date and country of birth, phone number, mailing address, employer, job title, and travel details
    • training and certification exam information: training enrollments and status; issued certifications; coupon codes
    • Individual Supporter and Enrollment purchases: linux.com email alias / forwarding address; individual supporter enrollments for The Linux Foundation and OpenJS Foundation; auto-renewal status
    • internal business contact information
    • list of purchases and transactions
  • Technical Operations data: password reset details; log information from Individual Dashboard interactions
3. Purposes and Legal Bases for Processing
  • Purposes: Enabling control of a data subject’s own personal profile regarding their participation in Linux Foundation offerings such as events, trainings and certification exams, and contributions to open collaboration projects hosted by the Linux Foundation, including profile visibility settings; maintaining accurate contact information in connection with Linux Foundation offerings and operations; and (with regards to special categories of data where voluntarily disclosed in connection with travel fund requests) enabling and increasing attendance at LF events by participants from diverse and underrepresented communities.
  • Lawful bases: our legitimate business interests; where necessary to enter into or perform a contract with you (upon your request, or as necessary to make the Services available); compliance with law; explicit consent (with regards to special categories of data where voluntarily disclosed in connection with travel fund requests).
4. Service Providers
  • Amazon Web Services (AWS): cloud infrastructure and storage
  • Auth0: authentication and user access management
  • ClearBit (APIHub, Inc.): enrichment data source for data subjects
  • Credly: badging for user accomplishments and activities
  • Datadog: log information management and website / login monitoring and user behavior such as page navigation
  • FullStory: real user monitoring of user activity and user behavior such as page navigation
  • HubSpot: real user monitoring of user activity
  • Nubela (ProxyCurl): enrichment data source for data subjects
  • SalesForce: database for contact information and related data
5. Other Third Parties
  • Contractors: Contractors providing development and operational services to manage the LFX platform
  • Company administrators: Access to certain data by designated administrator for user’s employer
  • End users: Public visibility of user profiles where user elects to make their profile public

 

LFX Insights

1. Category of Data Subjects
  • Contributors: Individuals who have contributed to open collaboration projects supported or hosted by the Linux Foundation.
  • Recipients of LF Offerings: Individuals who have participated in or received Linux Foundation offerings, such as events, trainings or certification exams.
  • LF ID holders: Individuals who have created a Linux Foundation ID account.
2. Types of Personal Information Collected
  • Data processed internally as analytics for aggregate, anonymized dashboard displays:
    • Details regarding personal traits: current and past company affiliation and industry; job function and level; location by country; and gender
    • Details regarding contributions of source code, documentation and other content to projects, including date and time of contributions
    • Details regarding other project contribution-related activities, such as Issue and PR submissions, reviews and related matters
    • Data regarding participation in LF Offerings:
      • Events: Attendance; whether the data subject was a speaker
      • Webinars: Attendance; whether the data subject registered
      • Training: Enrollment in training courses
      • Certification exams: Enrollment and successful passage of certification exams
  • Data processed for profile and affiliation matching: name, email address, LF ID, application user IDs (e.g. GitHub, Gerrit), application from which user identity information was gathered, user’s role for project repositories, whether a user’s identity information was gathered using a bot and/or has been verified, user profile picture avatar
  • Data displayed publicly via dashboard displays:
    • Name and user profile picture avatar
    • Contributor data: LF ID, application user IDs (e.g. GitHub, Gerrit), project contribution activity counts (e.g. # of commits authored, lines of code added / deleted, # of Issues and PRs)
  • Data displayed publicly via “top 10” leaderboards:
    • name, company affiliation, user profile picture avatar
    • Contributor data: LF ID, application user IDs (e.g. GitHub, Gerrit), last project activity date, project contribution activity counts (e.g. # of commits authored, lines of code added / deleted, # of Issues and PRs), “drifting away” status
    • Event data: # of LF events attended, date of last event attended
    • Webinar attendee data: # of webinars attended, % of webinar registrations actually attended
    • Training data: # of training course enrollments
    • Certification exam data: # of certification exams passed, date of last certification exam passed
  • Log data: API access log details
3. Purposes and Legal Bases for Processing
  • Purposes: Providing transparency into details about the collective participation in Linux Foundation offerings and contributions to Linux Foundation projects; maintaining and providing accurate and updated data regarding affiliation between contributors and their employers, in connection with corporate contributions to projects.
  • Lawful bases: our legitimate business interests.
4. Service Providers
  • Amazon Web Services (AWS): cloud infrastructure and storage
  • Crowd.dev: enrichment data source for data subjects
  • Cube.js: application layer for data processing
  • SalesForce: database for contact information and related data
  • Snowflake: engagement and activity data source for data subjects and organizations
5. Other Third Parties
  • Contractors: Contractors providing development and operational services to manage the LFX platform
  • Community Managers: Project maintainers and administrators reviewing and curating data on behalf of their project community
  • End users: Public visibility of “top 10” leaderboards for users with LF IDs

 

LFX Mentorships

1. Category of Data Subjects
  • Project administrators: LF staff members and other external community members who oversee the enrollment and maintenance process on behalf of their projects
  • Mentors: LF staff members and other external community members who participate in selecting, advising and evaluating mentees during their mentorships
  • Mentees: external community members who are in the early stages of participating in open source development, and who apply to participate in one or more LFX Mentorships
2. Types of Personal Information Collected
  • User Account and Mentorship Activity Information: name, email address, LF ID, external profile links (LinkedIn, GitHub), unique path / slug, image / avatar, mailing address, phone number, mentorship application status, mentorship and task completion status, and IP address.
  • Programming Experience: Biography / user description, skills, and resume.
  • Financial Information: bank account details, tax form information, and stipend payment amount details, in connection with payment of stipends via LFX Crowdfunding (see above).
  • Optional User Demographics data: age, racial / ethnic identity, gender, socioeconomic class, and education level.
3. Purposes and Legal Bases for Processing
  • Purposes: Enabling participation in a community-operated open source mentorship program; ensuring compliance with laws applicable to the user’s receipt of stipends; ensuring accurate accounting records; preventing fraud; and (with regards to Optional User Demographics data) compiling, analyzing and disclosing aggregate statistics regarding diversity of participation in open source projects, to help track progress towards meeting the Linux Foundation’s commitment to diversity initiatives.
  • Lawful bases: our legitimate business interests; where necessary to enter into or perform a contract with you (upon your request, or as necessary to make the Services available); compliance with law; explicit consent (with regards to Optional User Demographics Data).
4. Service Providers
  • Amazon Web Services (AWS): cloud infrastructure and storage
  • Auth0: authentication and user access management
  • Bill.com: internal finance account management for stipend payments
  • DocuSign: signing, transfer and storage of offer letters, stipend payment instructions, W-9 tax forms and wire transfer forms
  • Elastic.co: caching of application database for performance
  • Expensify: processing stipend payments
  • Google: email and spreadsheet for communication and status tracking; analytics for insights into users’ interaction with the platform
  • Mailchimp: delivery of application notification emails
  • NetSuite: internal finance account management for stipend payments
  • Retool: data storage and processing for support staff dashboard access
5. Other Third Parties
  • Contractors: Contractors providing development and operational services to manage the Crowdfunding application
  • Mentors: Evaluation of applicants and conducting of mentorships for accepted mentees
  • End users: Public visibility of prospective and actual mentee and mentor profile pages, and (via LFX Crowdfunding) of ledger with details about stipend payments
If you register with LFX Mentorship as a potential mentee or mentor, we make certain of your information available to mentees, mentors and/or projects as part of the evaluation for your participation in a mentorship, as well as enabling public visibility of your profile page. If you are accepted to participate in a mentorship through LFX Mentorship, we may make information related to your participation publicly available on LFX Mentorship pages related to that project. If you graduate from a mentorship and choose to have your information shared as part of a connection with one or more potential third-party employers through LFX Mentorship, we may enable sharing of that information accordingly.

 

LFX Organization Dashboard

1. Category of Data Subjects
  • Corporate Contributors: Individuals who have contributed to open collaboration projects supported or hosted by the Linux Foundation or participated in other TLF-related activities, where such contributions are noted as being affiliated with a company rather than on their own individual behalf.
  • Company Administrators: Individuals who have been designated by their employer as having “administrator” rights to manage their company’s account on the LFX platform.
2. Types of Personal Information Collected
  • User LF account and profile data:
    • Employee information: name, email address, GitHub username, photo / avatar URL, social media links
    • Information for aggregate company statistics: industry, geographical location by country, job level, gender
    • List of users believed to be associated with the company
    • Company Administrator status details
  • User interactions with LF Projects and Offerings:
    • Count of numbers of code contributions per project, events attended, total/breakdown activities, sponsorship approved won count (submitter name), training courses taken and certification exams passed
    • Lists and corresponding dates of events attended, training courses taken and certification exams passed
    • Social media interactions and followers
  • Additional Organization-related data: Contact and identity details for organization account owner, Company Administrator contact, billing contacts, committee members and other organizational contacts
3. Purposes and Legal Bases for Processing
  • Purposes: Enabling association between individual LF accounts and their employer’s organizational accounts for purposes of providing visibility into employee use of LF offerings and project participation, including activities performed on behalf of their employer (such as committee participation).
  • Lawful bases: our legitimate business interests.
4. Service Providers
  • Amazon Web Services (AWS): cloud infrastructure and storage
  • Auth0: authentication and user access management
  • Datadog: log information management and website / login monitoring and user behavior such as page navigation
  • FullStory: real user monitoring of user activity and user behavior such as page navigation
5. Other Third Parties
  • Company administrators: Access to certain data by designated administrator for user’s employer
  • Contractors: Contractors providing development and operational services to manage the LFX platform

 

LFX Project Control Center

1. Category of Data Subjects
  • Project Committee members: Individuals who participate as members of committees, boards and other governance roles for open collaboration projects hosted by the Linux Foundation.
  • Project mailing list subscribers: Individuals who subscribe to technical mailing lists for open collaboration projects hosted by the Linux Foundation.
  • Project meeting participants: Individuals who join meetings facilitated by the Program Managers
2. Types of Personal Information Collected
  • Project Committee member data: name, email address, employer, job title, address, phone number, t-shirt size
  • Project mailing list subscriber data: name, email address, employer, job title, delivery mode, moderator status
  • Project Meeting participant data: meetings joined, join time, leave time, frequency joined, name used in Zoom account, email address, employer, job title 
3. Purposes and Legal Bases for Processing
  • Purposes: Enabling management of open collaboration project community activities, including maintenance of project committees, governance and technical mailing lists, including activities performed on behalf of their employer (such as committee participation).
  • Lawful bases: our legitimate business interests; where necessary to enter into or perform a contract with you (upon your request, or as necessary to make the Services available).
4. Service Providers
  • Amazon Web Services (AWS): cloud infrastructure and storage
  • Atlassian: connection to support ticketing service and wiki
  • Auth0: authentication and user access management
  • Crowd.dev: enrichment data source for data subjects
  • Datadog: log information management and website / login monitoring and user behavior such as page navigation
  • FullStory: real user monitoring of user activity and user behavior such as page navigation
  • GitHub: syncing data regarding repositories and organizations
  • GitLab: syncing data regarding repositories and organizations
  • Groups.io: syncing data regarding mailing lists
  • Snowflake: engagement and activity data source for data subjects and organizations
  • SurveyMonkey: create, send and analyze surveys
  • Zoom: manage meetings and retrieve meeting statistics
5. Other Third Parties
  • Contractors: Contractors providing development and operational services to manage the LFX platform
  • Community Managers: Project maintainers and administrators managing their project community

 

LFX Security

1. Category of Data Subjects
  • Contributors: Individuals who have contributed to open collaboration projects supported or hosted by the Linux Foundation.
2. Types of Personal Information Collected
  • Code secret and non-inclusive language committer data: name, email address, GitHub username, details about commit findings
3. Purposes and Legal Bases for Processing
  • Purposes: Enabling open collaboration project maintainers to receive information about security vulnerabilities, code secrets and non-inclusive language contributed to their projects, and to facilitate communications with contributors to address findings.
  • Lawful bases: our legitimate business interests.
4. Service Providers
  • Amazon Web Services (AWS): cloud infrastructure and storage
  • Auth0: authentication and user access management
  • Datadog: log information management and website / login monitoring and user behavior such as page navigation
  • GitHub, Snyk and Blubracket (HashiCorp) are used as third-party sources of data for the processing purposes described above.
5. Other Third Parties
  • Contractors: Contractors providing development and operational services to manage the LFX platform
  • Project maintainers: Project maintainers managing contributions to their project

 

Additional details regarding LFX Platform Infrastructure

1. Category of Data Subjects
  • Contributors: Individuals who have contributed to open collaboration projects supported or hosted by the Linux Foundation.
  • Recipients of LF Offerings: Individuals who have participated in or received Linux Foundation offerings, such as events, trainings or certification exams.
  • Other community participants: Individuals who have publicly interacted with Linux Foundation projects, such as by posting about a project or reacting to messages on mailing lists or social media platforms.
  • LF ID holders: Individuals who have created a Linux Foundation ID account.
2. Types of Personal Information Collected
  In addition to the specific data described herein, personal information in the following general categories may be collected:
  • Essential Account data
  • Optional Profile data
  • Open Collaboration Project Participation data
  • Project Ecosystem Involvement data
  • Offering Fulfillment data
  • Technical Operations data
  • Diversity and Inclusion data
  • Marketing and Communications data
  • Business and Legal Operations data
3. Purposes and Legal Bases for Processing
  • Purposes
    • Essential Account data: Enabling an individual to operate their LF ID and LFX user account.
    • Optional Profile data: Enabling an individual to fill in details about their LF ID and LFX user account profiles, including determining whether to make their LF ID and LFX user account profiles publicly visible.
    • Open Collaboration Project Participation data: Enabling the relation of an individual to their activities and involvement in open collaboration projects hosted by the Linux Foundation, including their contributions and governance roles relating to projects and their related affiliation with employers and similar organizations.
    • Project Ecosystem Involvement data: Enabling the Linux Foundation to correlate information about other community participants’ public postings, contributions to LF projects, and engagement with LF projects and offerings, to use such data to better understand LF project communities; to contact key participants in those communities; and to make certain of such information available publicly and/or to individuals’ employers.
    • Offering Fulfillment data: Enabling the Linux Foundation to make available and provide its offerings to participants, such as events and conferences; training courses; certification exams; project corporate memberships; and project individual supporter enrollments; and making information about use of such offerings available to individuals’ employers.
    • Technical Operations data: Providing the backend technical infrastructure that operates the LFX services, enabling user personalization and interaction with LFX, and preventing misuse.
    • Diversity and Inclusion data: Compiling, analyzing and disclosing de-identified, aggregate statistics regarding diversity of participation in open source projects and communities, to help track progress towards meeting the Linux Foundation’s commitment to diversity initiatives.
    • Marketing and Communications data: Enabling delivery of marketing and promotional information regarding projects, the Linux Foundation and its offerings, and enabling user control over subscriptions and communications.
    • Business and Legal Operations data: Enabling the Linux Foundation to conduct its legitimate internal business operations and protect its legal interests.
  • Lawful bases: our legitimate business interests; where necessary to enter into or perform a contract with you (upon your request, or as necessary to make the Services available); compliance with law; explicit consent (with regards to special categories of data where voluntarily disclosed for the diversity and inclusion purposes described above).
4. Service Providers
  In addition to the service providers listed above:
  • Census
  • Fivetran
  • FontAwesome (Fonticons, Inc.)
  • Stop Forum Spam
5. Other Third Parties
  • Contractors: Contractors providing development and operational services to manage the LFX platform