FAUST CTF is a competition organized by FAU Security Team ("the Organizing Team" or "we") on behalf of Fachschaft der Technischen Fakultät Erlangen e.V. Multiple operations before, during and after the competition involve the handling of personal data. This privacy notice informs you about the details of these data and how they are processed.

All data processing happens in compliance with the EU General Data Protection Regulation (EU-GDPR) and the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). Please refer to Art. 4 EU-GDPR for definitions of the terms used throughout this text.

As a non-profit project, FAUST CTF is entirely run by volunteers. People involved in the data processing include the Organizing Team as well as other volunteers with or without a legal agreement to the controller named below. Nevertheless, everybody involved will respect the legal requirements and this privacy notice.

Unless otherwise noted, we will not share personal data with third parties.

Responsibility

The controller of the data processing is:

Fachschaft der Technischen Fakultät Erlangen e.V.
For contact details, refer to our "Legal" page.

The data protection officer is:
Mr. Jonny Schäfer
Email: datenschutz@techfak-verein.de
Phone: +49 151 54856688

Processing Operations

The following paragraphs give details on the different data processing operations.

Website

When using our website, your IP address is used by our web server to provide the requested contents. This is technologically necessary and inherent to every website. We generally do not store personally identifiable information in logs, except for data about your browser and operating system (HTTP User Agent). In case of errors (HTTP status codes 4XX and 5XX), more information, including your IP address, gets stored in logs together with the requested page and time of the request. This supports our error analysis, which is our legitimate interest within the meaning of Art. 6 Par. 1 Point (f) EU-GDPR.

Cookies are small pieces of text data that websites you visit can save in your web browser. They may allow a website to uniquely identify your web browser over multiple visits. We use a cookie ("sessionid") to maintain your login status when you log into our website; it gets deleted upon logout. That cookie links your web browser to your registered account. Another cookie ("csrftoken") is used to protect you from a certain kind of security attack (cross-site request forgery, CSRF). Both cookies are necessary to provide the website securely, which is our legitimate interest within the meaning of Art. 6 Par. 1 Point (f) EU-GDPR.

In order to participate in the competition, you register an account on our website. The data you enter in the registration form gets stored on our servers. Each account is associated with a team, which may consist of an arbitrary number of individuals. Some of the account information, such as username and affiliation, will be displayed publicly on the competition scoreboard, the list of registered teams, and similar pages. This is our legitimate interest within the meaning of Art. 6 Par. 1 Point (f) EU-GDPR. Your email address is used to provide you with relevant information about the competition, alert you about problems, coordinate prize pay-outs, and comparable purposes. That is necessary to run the competition, therefore Art. 6 Par. 1 Point (b) EU-GDPR applies.

YouTube Embeds

On some pages of our website, we embed videos hosted by the third-party platform YouTube. When opening such a page, YouTube will learn that you visit it and/or that you watch the embedded video. YouTube will also receive information about your IP address, browser and operating system and (at least) process your IP address to deliver the video. Improving the contents of our website by embedding videos is our legitimate interest within the meaning of Art. 6 Par. 1 Point (f) EU-GDPR.

To protect your data as well as possible, we use YouTube's so-called privacy-enhanced ("nocookie") mode. This means that YouTube promises not to use cookies to track your viewing behavior. However, we have no control over YouTube's data processing, and data may be processed outside of the European Economic Area.

For residents of the European Economic Area, YouTube is run by:
Google Ireland Ltd.
Gordon House, Barrow Street
Dublin 4
Ireland

The privacy policy of Google and YouTube can be found at https://policies.google.com/privacy. You can control the information Google uses to show you advertisements on https://adssettings.google.com/.

Google Ireland Ltd. may share data with its parent company Google LLC in the United States. Google LLC is a participant in the Data Privacy Framework, which promises compliance with EU-GDPR for data processing under United States legislation.

Contact

Should you contact us as specified on our "Contact" page or by any other means, your message will be handled by members of the Organizing Team in order to fulfill your request. Besides the message text, this may involve, for example, your name, email address, and message metadata. The legal basis for this is Art. 6 Par. 1 Points (b) and (f) EU-GDPR in combination with our interest in being approachable by participants and the general public.

When contacting us via third-party platforms such as Discord and Twitter, what is stated under "Social Media" will apply additionally.

Social Media

We maintain presences on social media platforms to provide updates on the competition, as well as to stay in contact with participants and the general public. That is our legitimate interest within the meaning of Art. 6 Par. 1 Point (f) EU-GDPR.

Social media platforms are run by third parties. This means we have control neither over what data they process nor over how they process it. Data may be processed outside of the European Economic Area and outside the scope of EU-GDPR. That may involve processing for advertising, market research, and profiling.

For details, including opt-out options, refer to the privacy notice of the respective platform. The best way to exercise your legal rights is in direct correspondence with the platform.

Discord

We maintain a Discord server. Please note that by design, all messages sent to channels on the aforementioned Discord server are public.

For residents of the European Economic Area, Discord is run by:
Discord Netherlands BV
Schiphol Boulevard 195
1118 BG Schiphol
Netherlands

Discord's privacy policy can be found here.

Discord Netherlands BV may share data with its parent company Discord Inc. in the United States. Discord Inc. is a participant in the Data Privacy Framework, which promises compliance with EU-GDPR for data processing under United States legislation.

X (formerly Twitter)

We run the X (formerly Twitter) profile @faustctf.

For residents of the European Economic Area, X is run by:
Twitter International Unlimited Company
One Cumberland Place, Fenian Street
Dublin 2, D02 AX07
Ireland

X's privacy policy can be found at https://x.com/en/privacy.

Twitter International Unlimited Company may share data with its parent company X Corp. in the United States. X Corp. is a participant in the Data Privacy Framework, which promises compliance with EU-GDPR for data processing under United States legislation.

VPN

Participants connect to the competition network through a Virtual Private Network (VPN). This section only concerns the VPN connection itself; for data transmitted within the VPN, see "Competition Network".

When joining the network, your IP address is used by our VPN server to establish and maintain the connection. This is necessary to run the competition, therefore Art. 6 Par. 1 Point (b) EU-GDPR applies.

Your IP address and other metadata such as the software client version are stored in logs for error analysis and to enforce the competition's rules. For the same purposes, we also collect statistics on the amount of traffic transferred over the VPN. The legal basis for these operations is our legitimate interest within the meaning of Art. 6 Par. 1 Point (f) EU-GDPR.

Since collection and storage of VPN connection data are necessary to keep the competition fair, you may not object to this processing or demand erasure of the data.

Competition Network

Within the competition network, all communication is based on internal IP addresses from a private range. Each of these addresses is associated with either the Organizing Team's infrastructure or a single team (consisting of an arbitrary number of individuals). Other teams may be able to trace such an address back to your team.

Since FAUST CTF is an IT security competition, services on the competition network deliberately have security vulnerabilities, which may undermine the confidentiality of personal data. The Organizing Team does not control the data processing by services on the competition network, which are run by individual teams, including ones outside of the European Economic Area. If services request personal information, we generally recommend entering fake data.

Our checker scripts regularly connect to services run by individual teams. For establishing and maintaining the connections, they process internal IP addresses. If (real or fake) personal data is contained in the responses from a service, that data may unintentionally get retrieved or stored temporarily. Because this is necessary to run the competition, Art. 6 Par. 1 Point (b) EU-GDPR applies.

We record all network traffic from the competition network for analysis and research purposes. The analysis is necessary to enforce the competition's rules, which is our legitimate interest within the meaning of Art. 6 Par. 1 Point (f) EU-GDPR. As this is necessary to keep the competition fair for everybody, you may not object to this processing or demand erasure of the data.

In the long term, we store the collected traffic for scientific research and may disclose it to third party scientists for this purpose. Research may be performed by ourselves, researchers at the Friedrich-Alexander University Erlangen-Nürnberg, or other scientific researchers. That is based on Art. 6 Par. 1 Point (e) and Art. 89 EU-GDPR. Your right of access, right to rectification, and right to object are limited by Art. 89 Par. 2 EU-GDPR in conjunction with § 27 Par. 2 BDSG. Your right to erasure is limited by Art. 17 Par. 3 Point (d) EU-GDPR.

On the competition network, we also run the service you connect to in order to hand in flag tokens and score points. That service processes your internal IP address to establish and maintain the connection, as well as to identify your team for scoring. This is necessary to run the competition, therefore Art. 6 Par. 1 Point (b) EU-GDPR applies.

Retention Period and Deletion

In general, data are stored as long as necessary for the specified purposes. After that, they get deleted.

In some cases, we are legally required to preserve some data. In those cases, the relevant data will only be deleted after that preservation period has expired. However, during that period data processing will be restricted to what the legal requirements demand.

Rights

Unless otherwise noted, you are entitled to the following rights concerning the processing of your personal data:

  1. Right of access according to Art. 15 EU-GDPR: You may request information on whether we process your personal data. If that is the case, you have the right to receive information about these data, a copy of the data, as well as further information related to the processing.
  2. Right to rectification according to Art. 16 EU-GDPR: If personal data about you are not accurate (anymore) or incomplete, you may request them to be corrected or completed.
  3. Right to erasure (Art. 17 EU-GDPR) and right to restriction of processing (Art. 18 EU-GDPR): If the legal requirements are met, you may demand that your personal data get deleted or that the processing of the data gets restricted.
  4. Right to data portability according to Art. 20 EU-GDPR: You may request personal data you provided to us in a structured, commonly used and machine-readable format or demand the transmission to another controller, if the legal requirements are met.
  5. Right to object according to Art. 21 EU-GDPR: You may object to the processing of your personal data based on Art. 6 Par. 1 Points (e) and (f) at any time on grounds relating to your particular situation. In case of processing for direct marketing purposes, you may object unconditionally and without giving reasons.
  6. Withdrawal of consent according to Art. 7 Par. 3 EU-GDPR: If you have given your consent to data processing, you may withdraw it at any time. In this case, we will not continue the processing which was based on the consent.
  7. Right to lodge a complaint with a supervisory authority according to Art. 77 EU-GDPR: You have the right to complain to a supervisory authority if you think our data processing infringes EU-GDPR or other legal regulations. In particular, you may contact the authority at your place of residence, place of work, or the place of the alleged infringement.