CHAOSS Data Policies

Last updated: August 2021

Community Data Policy

As an open source community, we detail here our approach to providing privacy and managing personally identifiable data.

  1. CHAOSS is an open source project and your messages sent to the community are often visible to all and archived long-term, including the git log, issues, pull-requests, Google docs, meeting recordings, Slack, and mailing lists.
  2. Project contributors may be recognized publicly through the creation of contributor lists, referenced in publications, and mentioned in social media.
  3. Data collected through submission forms will be used solely for the purpose stated on the form. Examples include conference registrations, D&I Badging, and community report requests.
  4. We analyze data about the CHAOSS community, for example on the community dashboard, which is hosted and provided by Bitergia. Bitergia does not use or analyze the community data for any purpose other than providing the dashboard.
  5. You may get messages about CHAOSS on a variety of different channels, including notifications on GitHub, Google docs, email list messages, and conference communications. We do not have a central system for opting out of communications, so we ask you to please configure each source of messages to send you only the notifications you want to receive. See the Participate page for an overview of communication channels.
  6. All documented communication in the CHAOSS Project is licensed under the MIT License.

Some of CHAOSS’s activities, such as our mailing lists, make use of infrastructure provided by the Linux Foundation or other third-party service providers such as GitHub, Google, and Bitergia. For those activities, please consult the privacy policy of the Linux Foundation or of those third parties, as applicable. The Community Data Policy stated in this document describes how the CHAOSS community participants intend to handle personally identifiable data for operations managed by the community participants themselves.

Personally Identifiable Information (PII) Handling

As an open source community, we detail here our approach to handling PII that we may collect as the result of various CHAOSS initiatives.

  1. PII that is in our community data is part of our public history and will not be removed, anonymized, or redacted, in order to preserve the authenticity of our community data. Much of the CHAOSS community data that is publicly available exists in our GitHub work, Google docs, and email list messages. This community data, as mentioned, is freely available and licensed under the MIT License.
  2. PII that is not publicly available (e.g., conference registration data, community health report data) is classified at NIST’s low impact level:
    1. “The potential impact is LOW if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might (i) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (ii) result in minor damage to organizational assets; (iii) result in minor financial loss; or (iv) result in minor harm to individuals.” From: https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-122.pdf
    2. In response, the CHAOSS project provides operational safeguards to protect non-public PII, such that this information is:
      1. Only available to specific team members. For example, only CHAOSS conference committee members are able to see private data collected via conference registrations;
      2. Stored in secured locations;
      3. Deleted within two months after the reason for collecting the data ceases to exist.
    3. Incidents concerning private information can be reported to Elizabeth Barron, CHAOSS Community Manager: elizabeth@chaoss.community.
  3. All CHAOSS community members who have access to PII are made aware of these procedures.

Jurisdiction

The CHAOSS Project is a Linux Foundation Project and subject to the laws of the USA and California. Data is stored, to the best of our ability, in the USA.

You may be subject to laws that give you rights to your own data. As an open source project, you provide your data with the understanding that it will be public and archived for the long term. There may be other systems that hold your data (e.g., conference registrations); we are happy to remove your data from those, so please let us know.

Metrics and Software Policy

The CHAOSS project produces metrics and software with the aim of helping people and organizations gain a better understanding of the health of open source projects. This aim is articulated in the CHAOSS Project Charter and the About CHAOSS page. The metrics and software produced in the CHAOSS project are intended to help improve how we understand open source projects.

All work on metrics and software is done in the open, primarily on GitHub, via mailing lists, and through in-person meetings. This work is subject to the aforementioned Community Data Policy. The use of metrics and software by specific companies, projects, or organizations is subject to the policies of their respective settings. The CHAOSS project is not responsible for the use of the metrics or software in these specific settings.

All CHAOSS-related documentation associated with the development of metrics and software is under the MIT License. CHAOSS software is under the respective licenses:

For questions about our data, metrics, and software policies, and to make requests to be anonymized or removed from our data, please email Elizabeth Barron, CHAOSS Community Manager, at elizabeth@chaoss.community.

Comments and suggestions on this page can be made here: https://github.com/chaoss/community/blob/main/governance/data-policies.md.