SECURITY & PRIVACY

Legal documents

At Picus, your privacy is protected in an open and transparent manner. Also, the use of our website and services is subject to terms and conditions, which are bound by legal agreements. Below, you can find all related legal documents.

  • i. Privacy Policy

    1. INTRODUCTION

    This Privacy Policy applies to Picus Security, Inc. and its Affiliates listed in Section 10 (“Picus,” “us,” “we,” or “our”).

    Picus is committed to protecting and respecting your personal information and privacy. This Policy sets out, and is limited to, the personal data processing practices carried out through the use of our Websites (www.picussecurity.com and app.picussecurity.com), our Services (as described below) and any other electronic communications networks by Picus.

    Please read this Policy carefully to understand how and why we collect, process and use your information.

    By using our Website and Services, you agree to this Privacy Policy.

    2.  COLLECTION OF YOUR PERSONAL INFORMATION

    Personal Data is any information that directly or indirectly identifies a natural person. We will ask for your consent when we need information that personally identifies you (personal information) or allows us to contact you to provide a service or carry out a transaction that you have requested such as receiving information about Picus Security products and services, ordering email newsletters, joining a limited-access site or service, or when purchasing, downloading and/or registering Picus Security products.

    The channels and types of personal information we may collect include, without limitation, those listed below:

    Information you directly provide to us:

    - Free-trial: Under your free-trial requests, we may collect your first name, last name, company email, company name and country information.

    - Account: We may collect our customer’s company email address when logging into our online platform.

    - Demo request: Under your demo requests, we may collect your first name, last name, company email address, company name, phone number and country information.

    - Contacting us: Under your inquiries such as scheduling a demo, learning about pricing and upgrading a product, we may collect your first name, last name, company email, company name, job title, country, phone number (optional) information and the descriptive message you submitted to facilitate your inquiry.

    - Job application: We receive your job applications through a third-party platform. If you wish to apply for a job at Picus, we may collect your full name, email, resume/CV, phone (optional), current company (optional), LinkedIn Profile (optional) and any other optional information you submitted to us within your application.

    - Partner account & User application: Under our partner program, we may collect your corporate email address.

    - Picus Technology Alliances Partner Program application: Under our Technology Alliances Partner Program (TAP), we may collect your first name, last name, work email and role.

    - Picus Technology Alliances Team meeting request: For your meeting requests with Picus Technology Alliances Team, we may collect your first name, last name and email address.

    - Blog: If you wish to subscribe to our blog, we may collect your company email address.

    - Purple Academy by Picus: If you wish to obtain a service from Purple Academy, we may collect your full name, company email address, company, country and job title information.

    - Webinars, Case Studies & Reports: For your webinar, case study and report requests, we may collect your company email address.

    - Exclusive Reports: Under your exclusive report requests, we may collect your full name, company email address, title, company name, country information.

    We may also collect your personal data such as your first name, last name and email address when you follow us on social media, attend our events or correspond with us by phone, email, social media or otherwise. 

    Information from your visits to our website:

    Our website enables us to communicate with you about us, our products and services. Even if you do not login with an account, we may still automatically collect information each time you visit our website. We may collect certain information about your visit, such as the name of the Internet service provider and the Internet Protocol (IP) address through which you access the Internet; the date and time you access the site; browser type and version; time zone setting; operating system and platform; the pages that you access while at the website and the Internet address of the website from which you linked directly to our website. This information is mainly used to provide you access to our website, improve the webpage view on your device and browser, and adapt to your settings and language. We also use this information to analyze trends, and to improve our website and online services.

    We process such personal data pursuant to Article 6(b) of the GDPR, as these data are necessary to answer your inquiry.

    For more details about the automatically collected information about your visit to our website, please see our Cookie Policy.

    Information from other resources:

    We may also collect your personal information indirectly from third party sources such as business partners, advertising networks, payment and delivery services as well as from public records such as social media platforms and industry associations. Please note that, in such cases, we do not have any liability or responsibility over the use, storage and disclosure of your personal information as it is governed by those sources' own privacy policies.

    3. USE AND CONTROL OF YOUR PERSONAL INFORMATION

    The purposes for which, and the processes by which, Picus processes personal data vary according to the category of the person concerned (i.e. customer, potential customer, visitor, employee candidate etc.) and the type of personal data.

    Consistent with applicable law and choices that may be available to you, we may use your personal information, without limitation, for the following purposes:

    • To perform our contractual obligations and provide you the requested information, products and services;

    • To personalize your experience on our website and services and customize content;

    • To carry out our marketing activities;

    • To deal with your inquiries and requests, and Data Capture Information;

    • To administer, operate, optimize and improve the quality of our website, products, services and operations;

    • To notify you about changes to our company, products or services, terms of use and conditions;

    • To communicate with you about products or services that you requested;

    • To maintain a secure environment by detecting, investigating and preventing fraudulent or illegal activities;

    • To comply with legal requirements and standards.

    We will send you information according to the preferences you submitted via our online forms, and in accordance with the consent you will have actively given us, where applicable. You may change these preferences and/or withdraw your consent at any time.

    Based on your consent, we may send out emails informing you of issues related to a product or service you requested or confirming you requested a product or service, such as invoices and confirmations. We may also occasionally communicate with you regarding our products, services, news and events. You have the option to not receive this information. If you want to unsubscribe, instructions to remove an email address are located at the bottom of every promotional email.

    Except as otherwise described in this statement, the personal information you provide on the Website will not be shared outside of Picus Security and its controlled subsidiaries and affiliates without your permission.

    4. COOKIES

    Cookies are text files placed on users' computers by websites visited by internet users. They can be used by web servers to identify and track users as they navigate different pages on a website and to identify users returning to a website.

    We collect personal data for different purposes via cookies through our Websites www.picussecurity.com and app.picussecurity.com. It should also be noted that cookies are widely used not only on our website but also on almost all websites in order to effectively operate the websites for the preferences of the visitors and also to provide detailed information to the administrators of the relevant website.

    We use cookies to determine the preferences of our visitors, to determine requests for a specific page, to improve the experience of using our Website, to keep our services safe, and to conduct online behavioral advertising activities for our users.

    For more detailed information including the types, use and administration of the cookies that we use in our Website, please visit our Cookie Policy.

    5. SECURITY, STORAGE AND TRANSFER OF YOUR PERSONAL INFORMATION

    At Picus, we implement technical and administrative measures to protect your personal data and prevent any unauthorized access, disclosure, use, and modification. We use industry standard technologies, operational security methods and cyber security products for the protection of collected personal data. In this context, we also regularly review and validate the adequacy and effectiveness of our security controls, tools and procedures for building a stronger security posture. Please note, however, that no security measures are fully secure or impenetrable. For more information, please see our Corporate Practices.

    All systems related to Picus products are cloud based. As a globally operated company, the destination where we store or transfer your personal information may be different from the country in which the data was collected. Regardless of the country in which we transfer, store or process your data, we will take reasonable steps to ensure that your data is treated securely and in accordance with this Policy.

    6. RETENTION OF YOUR PERSONAL INFORMATION

    We retain personal information only for the period necessary to fulfill the purpose for which it was collected. In this context, the retention periods for each type of personal data are determined and if there is no reason to keep the relevant personal data, personal data is destroyed in accordance with the current legislation.

    Adequate technical and administrative measures regarding the storage and destruction of personal information have been taken within the framework of the Information Security Management System.

    7. YOUR RIGHTS

    We respect your privacy. If you wish to exercise your privacy and data subject rights subject to applicable law such as GDPR, CCPA or KVKK, please fill out the initial request form here so that we can provide you the appropriate data subject request form depending on the legal source of your request.

    8. CHILDREN AND SENSITIVE DATA

    1. Children: Our Website, application and services are intended for business use and we do not expect them to be of any interest to minors. We do not, knowingly or intentionally, collect personal data from anyone under 16 years of age.

    2. Sensitive data: We do not collect or receive any sensitive categories of personal data. Also, we ask you not to send or disclose any sensitive personal information to us directly or through our products and services.

    9. CONTACT US

    If you have questions or concerns about this Policy or its implementation, please contact us by email at privacy@picussecurity.com

    10. AFFILIATES

    Picus Security, Inc.; Picus Bilişim Güvenlik Ticaret A.Ş.; Picus Security US, LLC.

    11. CHANGES TO THIS PRIVACY POLICY

    We regularly review this Privacy Policy and from time to time, we may change it to accommodate our products and services, corporate practices, regulatory requirements or for other purposes. 

    We encourage you to frequently check this page to see any updates or changes, as we always show the latest modification date on this Policy. When required under applicable law and/or the change is significant, we will also notify you by using other means, e.g. via email.

    Last Updated: 03.08.2023

  • ii. Cookie Policy

    1. INTRODUCTION

    Picus Security Inc. and its affiliates Picus Bilişim Güvenlik Tic. A.Ş. and Picus Security US, LLC (“Picus Security” or “Company”) collect personal data for different purposes via cookies through our websites www.picussecurity.com and app.picussecurity.com (“Websites”). This Policy has been specifically created to enlighten our Website visitors about what cookies are and how we use them. For further information about how we collect, store and use your information, please see our Privacy Policy.

    This policy is effective as of February 3, 2023. Please note that as we make changes to our Websites, we may use different cookies. This Policy will be updated in the event of any such changes or if deemed necessary according to the applicable laws, regulatory requirements and the practices of our Company.

    2. WHAT ARE COOKIES?

    Cookies are text files placed on users' computers by websites visited by internet users. They often include unique identifiers that are sent by web servers to web browsers and which may then be sent back to the server each time the browser requests a page from the server. Cookies can be used by web servers to identify and track users as they navigate different pages on a website and to identify users returning to a website.

    They are widely used not only on our Website but also on almost all websites in order to effectively operate the websites for the preferences of the visitors and also to provide detailed information to the administrators of the relevant website.

    3. WHY DO WE USE COOKIES?

    Cookies do not contain any information that personally identifies you. Still, personal information that we store about you may be linked, by us, to the information stored in and obtained from cookies. We may use the information we obtain from your use of our cookies for the following main purposes:

    - To recognize your computer when you visit our websites and remember your preferences,

    - To facilitate and improve your experience of our websites

    - To analyze the use of our website and improve its usability

    - In the administration of our websites

    - To conduct online behavioral advertising activities.

    When you use our websites, you may also be sent third-party cookies. Our service providers may send you cookies. They may use the information they obtain from your use of their cookies for the following purposes:

    - To track your browser across multiple websites

    - Build a profile of your web surfing

    - To target advertisements that may be of particular interest to you.

    4. TYPES OF COOKIES AND THEIR USE PURPOSES

    Our Websites may place and access certain cookies on your web browser. We have carefully chosen these Cookies and have taken steps to ensure that your privacy and personal data are protected and respected at all times.

    Cookies, depending on whoever implements them, can be categorized as follows:

    a. First-party cookies: These cookies are issued by our website and only used in our domain for the purpose of providing a better user experience.

    b. Third-party cookies: These cookies are issued by third parties to provide services on our websites and they are placed from different domains.

    We use third-party cookies and our cookies to show you personalized ads on websites. This is called "retargeting" and is based on your clicks, the pages you browse on our website, the products you display, and the advertising space shown to you. We also use cookies as part of our online marketing campaigns to see how users interact with our website after online ads are shown, including those on third-party websites. You can delete these cookies from your browser at any time.

    For more information on how these third-party companies collect and use information on our behalf, please refer to Table 1, which includes links to their privacy policies.

    5. COOKIES ON OUR WEBSITES

    The categories of cookies we use in our websites include:

    Necessary: These cookies are necessary for the website to function and cannot be switched off in our systems.

    Analytics/Targeting: These are non-essential cookies, which help to understand how visitors engage with the website. These cookies are mainly used to collect information and report site usage statistics without personally identifying individual visitors.

    Advertisement: These cookies are used to make our ads more engaging and valuable to site visitors.

    Functionality: These cookies are optional for the website to function. They are usually only set in response to information provided to the website to personalize and optimize your experience as well as remember your chat history.

    When you visit our websites and/or login to our platform (app.picussecurity.com), we will send you cookies related to the following web analytics, targeting and advertisement services:

    Table 1: Advertisement, analytics, and targeting cookies sent by our websites

    | Service Provider | Website | Purpose | Type of cookie | Privacy Policies and related links |
    |---|---|---|---|---|
    | Google Analytics, Google Tag Manager | www.picussecurity.com, app.picussecurity.com | Analytics/Targeting | First-party | Google Privacy Policy |
    | Hubspot | www.picussecurity.com | Analytics/Targeting | First-party | Hubspot Privacy Policy, Cookies set in a visitor's browser by HubSpot |
    | Hotjar | www.picussecurity.com, app.picussecurity.com | Analytics/Targeting | First-party | Hotjar Privacy Policy, Cookies set by the Hotjar Tracking Code |
    | Heap | app.picussecurity.com | Analytics/Targeting | First-party | Heap Privacy Policy, Cookies set by Heap |
    | LinkedIn | www.picussecurity.com | Advertisement, Analytics/Targeting | Third-party | LinkedIn Privacy Policy |
    | Poptin | www.picussecurity.com, app.picussecurity.com | Analytics/Targeting | First-party | Poptin Privacy Policy |
    | New Relic | app.picussecurity.com | Analytics/Targeting | Third-party | New Relic Privacy Policy |
    | Sentry | app.picussecurity.com | Analytics/Targeting | Third-party | Sentry Privacy Policy |
    | Youtube | www.picussecurity.com | Advertisement | Third-party | Google Privacy Policy |
    | Google | www.picussecurity.com | Advertisement | Third-party | Google Privacy Policy |
    | Visitor Queue | www.picussecurity.com | Analytics/Targeting | Third-party | Visitor Queue Privacy Policy |

    These cookies are not integral to the functioning of our site and your use and experience of our site will not be impaired by blocking or deleting them. However, certain features of our site may not function fully or as intended.

    Our website uses Google Analytics, an analysis service of Google Inc. ("Google"). Google Analytics uses “cookies,” that is, text files that are saved on your computer and enable the use of the website to be analyzed. The information generated by cookies about the use of the website is transmitted to and stored on a Google server in the USA. Upon the instruction of the operator of this website, Google uses this information to prepare reports to evaluate your use and to provide related services. The IP address transmitted from your browser within the framework of Google Analytics is not combined with other data from Google. If you do not want these cookies to be stored, you can make settings accordingly in your browser. In addition, our website (www.picussecurity.com) may also use Google AdWords and DoubleClick cookies for statistical purposes.

    If you think we have missed a cookie, please let us know by sending an email to security@picussecurity.com.

    6. HOW TO CONTROL COOKIES

    When you visit our website, you will see a cookie consent banner, which gives you the right to opt in to or opt out of the cookies. You can also opt out of specific cookies. Please note that blocking specific types of cookies may negatively impact your experience on the site and limit the services we are able to provide.

    You can also change your browser settings so that existing cookies are removed and they are not placed on your device. However, when you delete or block cookies, you may not be able to use all functions and features on our websites completely.

    As also mentioned above, our Website uses Google Analytics. If you want to ban Google Analytics tracking, you can install and activate the plug-in provided by Google.

    7. INFORMATION ON COOKIES

    To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, you can visit the following websites: All About Cookies, About Cookies, Your Choices Online and Cookie Database.

    8. CONTACT

    If you have any questions about our use of cookies, please contact us at security@picussecurity.com.

  • iii. End-user License Agreement (EULA)

    END-USER LICENSE AGREEMENT

    BY REGISTERING TO, ACCESSING OR USING, AND BY DOWNLOADING, INSTALLING, COPYING, ORDERING, OPERATING, OR OTHERWISE USING THE RELEVANT SOFTWARE COMPONENTS OF THE PICUS COMPLETE SECURITY CONTROL VALIDATION PLATFORM SERVICE (“SERVICE”), YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THE AGREEMENT AND AGREE TO THE TERMS OF THIS AGREEMENT. YOUR ACCEPTANCE OF THE TERMS SET FORTH IN THIS END USER LICENSE AGREEMENT (“EULA”) AND ANY ADDENDUM ATTACHED HERETO FORMS A LEGALLY BINDING AGREEMENT BETWEEN YOU AND PICUS SECURITY. IF YOU ARE ACCEPTING THESE TERMS ON BEHALF OF ANOTHER PERSON OR COMPANY, OR OTHER LEGAL ENTITY, YOU REPRESENT AND WARRANT THAT YOU HAVE FULL AUTHORITY TO BIND THAT PERSON, COMPANY, OR LEGAL ENTITY AND ITS AFFILIATES TO THESE TERMS AND TO THE EXTENT YOU DO NOT HAVE SUCH AUTHORITY YOU AGREE TO BE BOUND TO THESE TERMS AND TO ACCEPT LIABILITY FOR HARM CAUSED BY ANY WRONGFUL USE OF THE WEBSITE RESULTING FROM SUCH ACCESS OR USE. IN SUCH A SCENARIO, THE WORDS "YOU" AND "YOUR," WHEN USED IN THESE TERMS, WILL APPLY TO THE PERSON ON WHOSE BEHALF YOU ARE ACTING AS WELL AS YOU AS AN INDIVIDUAL AS APPROPRIATE.

    IF YOU DO NOT AGREE TO THESE TERMS: DO NOT REGISTER TO, ACCESS, OR USE, AND DO NOT DOWNLOAD, INSTALL, COPY, ORDER, OPERATE, OR OTHERWISE USE THE RELEVANT SOFTWARE OR SERVICE COMPONENTS AND ANY CONTENT OF THE “SERVICE” AND PROMPTLY UNINSTALL THE SOFTWARE OR SERVICE FROM YOUR SYSTEM.

    IF YOU DO NOT CLICK “ACCEPT”, YOU DECLARE THAT YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, AND THIS SERVICE WILL NOT BE INITIATED ON YOUR COMPUTER, NETWORK, OR OTHER RELEVANT SYSTEMS.

    1. Definitions

    “You” means the individual (including the third person in case you accept this agreement on behalf of that person), company, Affiliates, or other legal entity that has registered to use the Service (including by downloading any updates or patches for the Complete Security Control Validation Platform System) and downloaded, installed, accessed, operated or otherwise used the software or service in any way.

    “Service” means and covers all of The Complete Security Control Validation Platform currently shown on the official Picus Security or Picus Platform websites regardless of the available features or the service and relevant software, any future releases of the service, software, or any expansions, etc., are used.

    “Security Control Validation”, “Security Assessment,” or “Security Test” means the mechanism by which “The Complete Security Control Validation Platform” and the relevant features of the Service are applied to determine the defensive capabilities of the "Control Systems" against the cyber threats.

    “Control Systems” means cybersecurity prevention technologies such as endpoint protection software systems (such as endpoint antivirus, host-based intrusion prevention systems, endpoint detection and response, and other solutions that may be considered as endpoint protection software), secure email gateway, data-leakage or loss systems, network intrusion prevention systems, next-generation firewall systems, secure web gateway systems, and other similar prevention technologies.

    “Assessment Type” defines different security assessment categories or types such as vertical attacks, regional attacks, targeted attacks, and others offered by and with full discretion of Picus Security.

    “Term” defines the duration of the subscription granted for the Use of the Service.

    “Picus Agent” means the software component provided for the supported Operating Systems that is used to test the security level of the Control Systems when an assessment is executed.

    “Permitted Capacity” means the number of “Security Testing” delivered, term, Picus Agents, threat samples, or other license metrics set forth in the delivery of the service.

    “Use of Service” means a non-exclusive, personal, non-transferable, time-limited right to use the Picus Platform Products or Services in accordance with this Agreement.

    “Picus Security” means Picus Security Inc. (251 Little Falls Dr., Wilmington, DE 19808 USA) and its affiliates Picus Bilisim Guvenlik Tic. A.S. (Hacettepe Teknokent, Üniversiteler Mah. 1596. Cad. 1. Ar-Ge 97/12 Beytepe, Çankaya/ Ankara, Türkiye) and Picus Security US, LLC (3001 North Rocky Point Drive East Suite 200 Tampa, FL 33607 USA).

    2. Use of Service

    Upon your acceptance and subject to the terms outlined in this Agreement, Picus Security hereby authorizes you to use the Service to test the defensive capabilities of the Control Systems that this Service is designed to put under Security Validation. Service may not cover all the Control Systems listed in the definitions section, and Picus Security can add or remove different Control Systems categories provided in Service.

    By accepting these terms, You authorize Picus Security to perform Security Validation on Control Systems specified by You. Picus Security, through the Service, will provide You with the results of the Security Tests automatically. This Service aims at revealing which threats executed by the Service are blocked and not blocked by the Control Systems used in different network or digital environments. In this respect, results may differ for the same security control technology in different environments. Picus Security cannot be held responsible if the Service fails to discover certain security or configuration shortcomings on the target Control Systems and shall not become subject to any claim and request (including but not limited to compensation, damage, loss, or reimbursement).

    You understand that Your right to use the Products or Services is limited by the Permitted Capacity purchased by paying the defined fee or granted free of charge by Picus Security. You and Your Affiliate's combined use may in no event exceed the Permitted Capacity authorized under the applicable Order. The Permitted Capacity may be defined during the registration to Service. You acknowledge that the fees paid for the service are non-refundable to the extent permitted by applicable laws. You acknowledge that Picus Security may decide to cease providing Service without any further notice. In the case of a paid Service, if Picus Security decides to cease providing Service, the fee paid for the remainder of the Service is reimbursed to You.

    3. Service Level Commitments

    Picus Security endeavors to provide the best customer experience during the registration and execution stages of Service. As part of its commitment to meeting its customers’ needs, Picus Security has established the following Service Level Agreements (SLA) to outline the availability and support standards it maintains.

    3.1 Availability SLA

    Picus Security is dedicated to providing its users with a reliable, uninterrupted service experience. With the exception of any planned outage or maintenance, Picus Security does its best to maintain a minimum uptime of 99.9% for users logging in and utilizing the dashboard metrics.

    3.2 Support SLA

    During the Term, Picus Security offers comprehensive technical support for all incidents within the supported versions of the Service. To ensure efficient handling of incidents, Picus Security has established Service Level Agreements (SLAs) that outline response time commitments based on the severity levels of reported problems. The severity level for each incident submitted by a customer or partner will be determined by Picus Technical Assistance Center (TAC) engineers, considering the requested level and information provided by the customer or partner.

    Picus Security's Technical Assistance Center (TAC) is dedicated to promptly responding to and diligently resolving incidents in accordance with the initial response times as follows:

    | Severity Level | Definition | Initial Response Time |
    |---|---|---|
    | High | An incident that is causing a significant loss of service and no workaround is available | 6 Business Hours |
    | Medium | An incident that has a partial impact on mission-critical functionality | 8 Business Hours |
    | Low | An incident that has no impact on Customer business functionality | 16 Business Hours |

    Table: Severity Levels and Target Initial Response Times

    The Initial Response Time is the duration before a qualified TAC representative contacts the customer or partner.

    Please note that Picus Security’s SLAs are subject to periodic review and may be updated to reflect the evolving needs of the customers and technological advancements. Your continued use of the Service indicates your acceptance of the SLAs in effect at that time.

    3.3. Service Commitment Exclusions

    You agree to take the necessary precautions to ensure that Use of Service does not harm the computer system on which a Picus Agent is installed and will run. Picus Security is not committed to providing services for interpreting the results of the Security Validation applied to the chosen Control System or Control Systems.

    Picus Security shall not be liable for any damage, outage, interruption of service, or similar outcomes, including associated costs, arising due to any of the following:

    a. Force majeure events, acts of nature, or actions of government activities

    b. Factors outside of PICUS Security’s reasonable control, including any third parties acting on PICUS Security’s behalf or any third-party equipment, software, or other technology not within PICUS Security’s control

    c. Downtime during planned outage and/or maintenance, or work undertaken as part of a request for a change

    d. Actions or inactions of the affected Customer, or any third party

    e. Failure or fault of Customer systems, equipment, software, or other technology

    f. Issues that result in account suspension or termination due to breach of the Customer agreement, including violation of Terms of Use, payment obligations or usage policies

    4. Security of The End User Account Formation

    Upon completing the registration to the Service, You will receive a password and account designation information by email. You are responsible for maintaining the confidentiality of the account information and the password. You agree to immediately notify Picus Security if the account has been accessed or used by an unauthorized individual or individuals. Picus Security cannot and will not be held responsible for any loss or damage arising from unauthorized access, use, or failure to notify Picus Security. If Picus Security detects such unauthorized use or any use that is not in accordance with the contract, You shall be notified immediately to stop the unauthorized use and given 3 (three) days for any such breach of the contractual obligations. In case the infringing use continues, Picus Security has a right of termination with immediate effect without any prior notice. Picus Security’s right to demand compensation is reserved.

    5. Control Systems Indemnity

    (a) You declare and warrant that You have the full right, power, and authority to consent to have the Service validate the Control Systems as set as target systems by You. You will indemnify and hold harmless Picus Security, its customers, Authorized Resellers, partners and sponsors, and their officers, directors, employees, and agents from and against any third-party claims, suits, liabilities, losses, damages, judgments, awards, fines, penalties, costs, and expenses (including reasonable attorneys' fees) incurred by or levied against the same resulting from or based on Your use of or inability to use the Service, including any claim resulting from Your breach of this Section.

    (b) You also agree that the Security Testing of Control Systems may expose vulnerabilities, security gaps, and configuration errors.

    6. Restrictions

    Subject to Your strict compliance with the terms of this EULA, Picus Security authorizes you with a non-exclusive, personal, non-transferable, revocable, and limited License Usage Right in accordance with this Agreement to access and use the service solely for Your personal use. To access and use the service, You must have legally obtained the license from Picus Security and its official website. You are responsible for paying all fees, taxes, and other costs.

    You agree not to decompile, disassemble, modify, sell, copy, or reverse-engineer the Picus Security owned software, platforms, modules, agents, and source code developed to run or enable the Service. In the same way, You agree not to decompile, disassemble, modify, sell, copy or reverse-engineer the third-party software or source code that may be used to enable the Service.

    You agree to use the Service as outlined exactly in the published or shared documentation and website provided by Picus Security.

    You are not allowed to publish the results provided by the Service. Under no circumstances can results, in any form or shape, fully or partially, be used to publicly compare or benchmark different technologies and Technology Providers.

    You are not entitled to use the intellectual properties of Picus Security, including but not limited to logos, names, trademarks, affiliates, etc., without prior written consent.

    For the execution of some of the Services, You may be required to deploy software components provided by Picus Security. Upon the termination of the Service, You are required to cease using these software components and remove them from the systems they were installed on immediately.

    Your license to the Service (or any Picus Security intellectual property associated therewith) does not include any license, right, power, or authority to (including but not limited to);

    - Copying the software, platform, or Service,

    - Selling, renting, leasing, licensing, sublicensing, distributing, or otherwise transferring or making the software available to any other person, in whole or in part;

    - Using the service and software or any part thereof in any commercial context;

    - Reverse engineering, deriving source code, attack database, modifying, decompiling, disassembling, or creating derivative works of the software, platform and attack techniques, or any portion thereof, in whole or in part;

    - Removing, disabling, or circumventing any proprietary notices or labels contained on or in the Software or any Online Service thereof; or

    - Exporting or re-exporting or transmitting or extracting the Software or Service, or related documentation, attack techniques, and repositories and its database, and technical data or any copy or adaptation thereof,

    Picus Security shall terminate the agreement immediately without any prior notice. Picus Security’s right to demand compensation is reserved in case of any breach.

    Picus Security reserves all rights not expressly granted to You.

    7. Intellectual Property Rights

    The Service and all related intellectual property rights are the exclusive property of Picus Security or its licensors. All rights, titles, and interests in and to the Service, any modifications, translations, or derivatives thereof, even if unauthorized, and all applicable rights in patents, copyrights, trade secrets, trademarks, and all intellectual property rights in the Service remain exclusively with Picus Security or its licensors. The Service and its Features are valuable, proprietary, and unique, and You agree to be bound by and observe the proprietary nature of the Service and its features. The Service contains material (including but not limited to any images, photographs, animations, codes, video, audio, music, text, and “applets” incorporated into the Service) that is protected by patent, copyright, license, and trade secret law. The Service and its Features may include software products licensed from third parties or open sources by international treaty provisions. In such cases, third parties have no obligations or liability to You under this Agreement but are third-party beneficiaries of this Agreement. All rights not granted to You in this Agreement are reserved for Picus Security. If You have subscribed to the Service, no ownership of the Service passes to You (The software/products/services/platform are being licensed, not sold. Picus Security retains all ownership rights in and to all software/products/services/platforms, including any intellectual property rights therein.). Picus Security may make changes to the Service at any time without notice. Picus Security grants no express or implied right under Picus Security patents, copyrights, trademarks, licenses, or other intellectual property rights except as otherwise expressly provided. You may not remove any proprietary notice of Picus Security or any third party from the Products or any copy of the Products without Picus Security’s prior written consent.

    8. Intellectual Property Indemnity

    Picus Security shall have the right, but not the obligation, to defend or settle, at its option, any action at law against You arising from a claim that Your authorized use of the Service under this Agreement infringes any patent, copyright, or other ownership rights of a third party. You agree to provide Picus Security with written notice of any such claim within 10 (ten) days of Your notice thereof and provide reasonable assistance in its defense. Picus Security has sole discretion and control over such defense and all negotiations for a settlement or compromise unless it declines to defend or settle, in which case, You are free to pursue any alternative You may have. In that case, you shall still have an obligation to act in good faith and loyally pursue and protect the interests of Picus Security and inform Picus Security in writing in a reasonable amount of time in the event of any situation that may affect Picus Security, this agreement, or any related process or procedures. You shall not assume or create any obligation, representation, warranty, or guarantee, express or implied, on behalf of Picus Security for any purpose whatsoever.

    9. Confidentiality and Limitation on Use

    (a) Confidential Information

    Each Party hereto acknowledges that because of its relationship with the other party hereunder, it may have access to confidential information and materials concerning the other party’s business, technology, and/or products that are confidential and of substantial value to the other Party, which value could be impaired if such information were disclosed to third parties (“Confidential Information”). Written or other tangible Confidential Information must, at the time of disclosure, be identified and labeled as Confidential Information belonging to the disclosing Party. When disclosed orally or visually, Confidential Information must be identified as confidential at the time of the disclosure, with subsequent confirmation in writing within 15 (fifteen) days after disclosure. Each Party agrees that it will not use in any way for its own account or the account of any third party, such Confidential Information, except as authorized under this Agreement, and will protect Confidential Information at least to the same extent as it protects its own Confidential Information and to the same extent that a reasonable person would protect such Confidential Information.

    Neither Party may use the other Party’s Confidential Information except to perform its duties under this Agreement.

    The Confidential Information restrictions will not apply to Confidential Information that is (i) already known to the receiving Party, (ii) becomes publicly available through no wrongful act of the receiving Party, (iii) independently developed by the receiving Party without the benefit of the disclosing Party’s Confidential Information, (iv) has been rightfully received from a third party, not under an obligation of confidentiality or (v) is required to be disclosed by law, provided the Party compelled to disclose the Confidential Information provides the Party owning the Confidential Information with prior written notice of disclosure adequate for the owning Party to take reasonable action to prevent such disclosure, where reasonably possible. Unless otherwise agreed to by both Parties, upon the termination of this Agreement or an applicable Addendum, each Party will return the other Party’s Confidential Information.

    (b) Use of Customer Data

    You agree that Picus Security collects, stores, processes, and tracks personal data entered by You during the registration stage of the Service. Picus Security can also be exposed to certain Customer Data, including but not limited to IP addresses, domain names, threat block or fail status, and others during the execution of the Services. Picus Security will take all the physical, technical, and operational precautionary measures to safeguard your data. By approving this contract, you give Picus Security your express consent to share your personal data and customer data with third parties that it has a relationship to enable the delivery of the service and to provide the platform needs of Picus Security and the promised service in a quality, secure and accurate manner. You can visit https://www.picussecurity.com/privacy for detailed information about our privacy policy.

    (c) Use of Accumulated Data

    You acknowledge that Picus Security can use the accumulated data of all Service users for statistical purposes and improve its products and services, provided that such data is fully anonymized and cannot be associated with You.

    10. Limitation of Remedies and Damages

    NOTWITHSTANDING ANYTHING IN THIS AGREEMENT TO THE CONTRARY, PICUS SECURITY, ITS AFFILIATES, ITS LICENSORS, OR AUTHORIZED PARTNERS WILL NOT BE LIABLE FOR ANY INDIRECT, CONSEQUENTIAL, SPECIAL, PUNITIVE, OR INCIDENTAL DAMAGES, WHETHER FORESEEABLE OR UNFORESEEABLE, ARISING OUT OF OR RELATED TO THIS AGREEMENT INCLUDING, BUT NOT LIMITED TO CLAIMS FOR LOSS OF DATA, GOODWILL, OPPORTUNITY, REVENUE, PROFITS, OR USE OF THE PRODUCTS, INTERRUPTION IN USE OR AVAILABILITY OF DATA, STOPPAGE OF OTHER WORK OR IMPAIRMENT OF OTHER ASSETS, PRIVACY, ACCESS TO OR USE OF ANY ADDRESSES, EXECUTABLES OR FILES THAT SHOULD HAVE BEEN LOCATED OR BLOCKED, NEGLIGENCE, BREACH OF CONTRACT, TORT OR OTHERWISE AND THIRD PARTY CLAIMS, EVEN IF PICUS SECURITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT WILL PICUS SECURITY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE LESSER OF: (A) THE TOTAL AMOUNT RECEIVED BY PICUS SECURITY FOR THE APPLICABLE PRODUCTS OVER THE ONE-YEAR PERIOD PRIOR TO THE EVENT OUT OF WHICH THE CLAIM AROSE FOR THE PRODUCTS THAT DIRECTLY CAUSED THE LIABILITY, OR (B) TEN THOUSAND USD.

    11. Warranty Disclaimer

    THE SERVICE, ITS SOFTWARE COMPONENTS, ITS REPORTS, AND ALL OTHER DELIVERABLES ARE PROVIDED “AS IS,” AND PICUS SECURITY MAKES NO WARRANTY OR GUARANTEE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUALITY, ACCURACY, AND NON INFRINGEMENT OF THIRD-PARTY RIGHTS, AND AS TO ITS USE OR PERFORMANCE AND DOES NOT WARRANT OR GUARANTEE THAT THE OPERATION OF THE SOFTWARE WILL BE FAIL-SAFE, UNINTERRUPTED OR FREE FROM ERRORS OR DEFECTS OR THAT THE SOFTWARE WILL PROTECT AGAINST ALL POSSIBLE THREATS OR IDENTIFY ALL POSSIBLE CYBER ATTACKS A SECURITY DEVICE MAY OR MAY NOT PROTECT AGAINST.

    12. Export Controls

    You acknowledge that the Service and relevant software components are subject to the United States, the United Kingdom, the Republic of Türkiye, and, when applicable, European Union export regulations. You shall comply with applicable export and import laws and regulations for the jurisdiction in which the Software will be imported and/or exported. You shall not export the Software to any individual, entity, or country prohibited by applicable law or regulation. You are responsible, at your own expense, for any local government permits, licenses, or approvals required for importing and/or exporting the Software.

    You warrant and agree that You are not: (i) located in, under the control of, or a national or resident of Cuba, North Korea, Iran, Syria, Sudan, etc. (for the full list of countries restricted for assets and trade operations, please visit https://ofac.treasury.gov/sanctions-programs-and-country-information), and/or (ii) on the U.S. Treasury Department list of Specially Designated Nationals or the U.S. Commerce Department’s Table of Deny Orders.

    13. Cancellation of Services and Termination of the Contract by Picus Security

    Picus Security may terminate this Agreement with immediate effect and without prior notice in the following cases and cease Service and Use of Services: (i) Without giving a reason at any time it deems necessary, and/or (ii) You Violating the Agreement, and/or (iii) You failing to fully or partially fulfill any of the terms and conditions of this Agreement.

    No termination or expiration of this Agreement shall affect any rights of Picus Security, including but not limited to demanding compensation, that shall have accrued on or prior to the date of such termination or expiration. Nothing in this Agreement shall constitute a waiver or limitation of any rights that Picus Security may have under applicable law.

    You may only use paid software/products during the period for which you have paid the subscription fee.

    Upon termination or expiration, You must immediately cease using the software/products and delete all copies of any related software found on Your computer and systems. Upon termination, Picus Security may disable further use of the software/products without further notice and delete any account information.

    14. Governing Law and Jurisdiction

    For the USA, this Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, USA. The parties irrevocably submit to the non-exclusive jurisdiction of the Delaware courts. Exclusive jurisdiction for litigation of any dispute, controversy, or claim arising out of or in connection with this Agreement or the breach thereof shall be only in Delaware courts with competent jurisdiction in the State of Delaware.

    For all other Countries except the USA, this Agreement shall be governed by and construed in accordance with the laws of the Republic of Türkiye. The parties irrevocably submit to the non-exclusive jurisdiction of the Ankara courts. Exclusive jurisdiction for litigation of any dispute, controversy, or claim arising out of or in connection with this Agreement or the breach thereof shall be only in the Republic of Türkiye courts with competent jurisdiction in Ankara.

    15. Miscellaneous

    This Agreement may not be modified except by a written addendum issued by a duly authorized representative of Picus Security. No provision hereof shall be deemed waived unless such waiver shall be in writing and signed by Picus Security. If any provision of this Agreement is invalid, the remainder shall continue in full force and effect.

    Each party will comply with all applicable laws and regulations, including those of other jurisdictions that may apply concerning the protection of personal data, disclosure, and anti-bribery. You must obtain any required employee consent addressing the interception, reading, copying, or filtering of emails and their attachments. Neither party will use any data obtained via the Products or Service for any unlawful purpose.

    All notices, requests, demands, and determinations for Picus Security under this Agreement (other than routine operational communications) shall be sent to: the applicable entity address on the first page of this Agreement addressed to “Attention: Legal Department.”

    Either party may change its contact person for notices and/or address for notice by means of notice to the other party given in accordance with this paragraph. Neither party will be liable for any delay or failure in performance to the extent the delay or failure is caused by events beyond the party’s reasonable control, including fire, flood, natural disasters, pandemic diseases, explosion, war, or the engagement of hostilities, strike, embargo, labor dispute, government requirement, civil disturbances, civil or military authority, disturbances to the Internet or cloud services, delay or failure caused by an interruption or failure of telecommunication or digital transmission links, Internet slow-downs or failures, or other such transmission failures, hardware failure beyond the reasonable control of Picus Security, and inability to secure materials or transportation facilities. This Agreement constitutes the agreement between the parties regarding the subject matter herein. The parties have not relied on any promise, representation, or warranty, express or implied, that is not in this Agreement. Any waiver or modification of this Agreement is only effective if it is in writing and signed by both parties or posted by Picus Security at terms or policies on http://www.picussecurity.com/. All pre-printed or standard terms of your purchase orders or other business processing documents have no effect.

    In the event of a conflict between the terms of this Agreement and the terms of an Order, the terms of this Agreement prevail. If any part of this Agreement is found invalid or unenforceable by a court of competent jurisdiction, the remainder of this Agreement shall be interpreted reasonably to affect the parties' intention. Picus Security is not obligated under any other agreements unless they are in writing and signed by an authorized representative of Picus Security.

    All provisions relating to confidentiality, proprietary rights, indemnification, and limitations of liability survive the termination of the agreement.

    Last Updated: 03.08.2023

  • iv. Terms of Use

    1. AGREEMENT TO TERMS

    Definition

    For the purposes of these Terms of Use:  

        -Affiliate means an entity that controls, is controlled by, or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest, or other securities entitled to vote for the election of directors or other managing authority.

        -Country refers to the United States of America.

        -Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to Picus Security Inc.

        -Device means any device that can access the Service, such as a computer, a cellphone, or a digital tablet.

        -Service refers to the Website.

        -Terms of Use (also referred to as "Terms") mean these Terms of Use that form the entire agreement between You and the Company regarding the use of the Service.

        -Third-party Social Media Service means any services or content (including data, information, products, or services) provided by a third party that may be displayed, included, or made available by the Service.

        -Website refers to PICUS, accessible from (www.picussecurity.com) and (picus.io)

    You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

    These Terms of Use constitute a legally binding agreement made between you, whether personally or on behalf of an entity (“you”) and Picus Security Inc., doing business as PICUS ("PICUS," “we," “us," or “our”), concerning your access to and use of the http://www.picussecurity.com website as well as any other media form, media channel, mobile website or mobile application related, linked, or otherwise connected thereto (collectively, the “Site”). We are registered in California, United States, and have our registered office at 160 Spear Street, #1000, San Francisco, CA 94105. You agree that by accessing the Site, you have read, understood, and agreed to be bound by all of these Terms of Use. IF YOU DO NOT AGREE WITH ALL OF THESE TERMS OF USE, THEN YOU ARE EXPRESSLY PROHIBITED FROM USING THE SITE AND YOU MUST DISCONTINUE USE IMMEDIATELY.

    Supplemental terms and conditions or documents that may be posted on the Site from time to time are hereby expressly incorporated herein by reference. We reserve the right, in our sole discretion, to make changes or modifications to these Terms of Use from time to time. We will alert you about any changes by updating the “Last Updated” date of these Terms of Use, and you waive any right to receive specific notice of each such change. Please ensure that you check the applicable Terms every time you use our Site so that you understand which Terms apply. You will be subject to and will be deemed to have been made aware of and to have accepted the changes in any revised Terms of Use by your continued use of the Site after the date such revised Terms of Use are posted.

    The information provided on the Site is not intended for distribution to or use by any person or entity in any jurisdiction or country where such distribution or use would be contrary to law or regulation or which would subject us to any registration requirement within such jurisdiction or country. Accordingly, those persons who choose to access the Site from other locations do so on their own initiative and are solely responsible for compliance with local laws, if and to the extent local laws are applicable.

    The Site is not tailored to comply with industry-specific regulations (Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), etc.), so if your interactions would be subjected to such laws, you may not use this Site. You may not use the Site in a way that would violate the Gramm-Leach-Bliley Act (GLBA).

    The Site is intended for users who are at least 18 years old. Persons under the age of 18 are not permitted to use or register for the Site.

    2. INTELLECTUAL PROPERTY RIGHTS

    Unless otherwise indicated, the Site is our proprietary property and all source code, databases, functionality, software, website designs, audio, video, text, photographs, and graphics on the Site (collectively, the “Content”) and the trademarks, service marks, and logos contained therein (the “Marks”) are owned or controlled by us or licensed to us, and are protected by copyright and trademark laws and various other intellectual property rights and unfair competition laws of the United States, international copyright laws, and international conventions. The Content and the Marks are provided on the Site “AS IS” for your information and personal use only. Except as expressly provided in these Terms of Use, no part of the Site and no Content or Marks may be copied, reproduced, aggregated, republished, uploaded, posted, publicly displayed, encoded, translated, transmitted, distributed, sold, licensed, or otherwise exploited for any commercial purpose whatsoever, without our express prior written permission.

    Provided that you are eligible to use the Site, you are granted a limited license to access and use the Site and to download or print a copy of any portion of the Content to which you have properly gained access solely for your personal, non-commercial use. We reserve all rights not expressly granted to you in and to the Site, the Content, and the Marks.

    3. USER REPRESENTATIONS

    By using the Site, you represent and warrant that: (1) all registration information you submit will be true, accurate, current, and complete; (2) you will maintain the accuracy of such information and promptly update such registration information as necessary; (3) you have the legal capacity and you agree to comply with these Terms of Use; (4) you are not a minor in the jurisdiction in which you reside; (5) you will not access the Site through automated or non-human means, whether through a bot, script, or otherwise; (6) you will not use the Site for any illegal or unauthorized purpose; and (7) your use of the Site will not violate any applicable law or regulation.

    If you provide any information that is untrue, inaccurate, not current, or incomplete, we have the right to suspend or terminate your account and refuse any and all current or future use of the Site (or any portion thereof).

    4. USER REGISTRATION

    You may be required to register with the Site. You agree to keep your password confidential and will be responsible for all use of your account and password. We reserve the right to remove, reclaim, or change a username you select if we determine, in our sole discretion, that such username is inappropriate, obscene, or otherwise objectionable.

    5. PROHIBITED ACTIVITIES

    You may not access or use the Site for any purpose other than that for which we make the Site available. The Site may not be used in connection with any commercial endeavors except those that are specifically endorsed or approved by us.

    As a user of the Site, you agree not to:

        -Systematically retrieve data or other content from the Site to create or compile, directly or indirectly, a collection, compilation, database, or directory without written permission from us.

        -Trick, defraud, or mislead us and other users, especially in any attempt to learn sensitive account information such as user passwords.

        -Circumvent, disable, or otherwise interfere with security-related features of the Site, including features that prevent or restrict the use or copying of any Content or enforce limitations on the use of the Site and/or the Content contained therein.

        -Disparage, tarnish, or otherwise harm, in our opinion, us and/or the Site. 

        -Use any information obtained from the Site in order to harass, abuse, or harm another person.

        -Make improper use of our support services or submit false reports of abuse or misconduct.

        -Use the Site in a manner inconsistent with any applicable laws or regulations. 

        -Engage in unauthorized framing of or linking to the Site.

        -Upload or transmit (or attempt to upload or to transmit) viruses, Trojan horses, or other material, including excessive use of capital letters and spamming (continuous posting of repetitive text), that interferes with any party’s uninterrupted use and enjoyment of the Site or modifies, impairs, disrupts, alters, or interferes with the use, features, functions, operation, or maintenance of the Site.

        -Engage in any automated use of the system, such as using scripts to send comments or messages, or using any data mining, robots, or similar data gathering and extraction tools.

        -Delete the copyright or other proprietary rights notice from any Content. 

        -Attempt to impersonate another user or person or use the username of another user.

        -Upload or transmit (or attempt to upload or to transmit) any material that acts as a passive or active information collection or transmission mechanism, including without limitation, clear graphics interchange formats (“gifs”), 1×1 pixels, web bugs, cookies, or other similar devices (sometimes referred to as “spyware” or “passive collection mechanisms” or “pcms”).

        -Interfere with, disrupt, or create an undue burden on the Site or the networks or services connected to the Site.

        -Harass, annoy, intimidate, or threaten any of our employees or agents engaged in providing any portion of the Site to you.

        -Attempt to bypass any measures of the Site designed to prevent or restrict access to the Site, or any portion of the Site.

        -Copy or adapt the Site’s software, including but not limited to Flash, PHP, HTML, JavaScript, or other code.

        -Except as permitted by applicable law, decipher, decompile, disassemble, or reverse engineer any of the software comprising or in any way making up a part of the Site.

        -Except as may be the result of the standard search engine or Internet browser usage, use, launch, develop, or distribute any automated system, including without limitation, any spider, robot, cheat utility, scraper, or offline reader that accesses the Site, or using or launching any unauthorized script or other software.

        -Use a buying agent or purchasing agent to make purchases on the Site.

        -Make any unauthorized use of the Site, including collecting usernames and/or email addresses of users by electronic or other means for the purpose of sending unsolicited email, or creating user accounts by automated means or under false pretenses.

        -Use the Site as part of any effort to compete with us or otherwise use the Site and/or the Content for any revenue-generating endeavor or commercial enterprise.

        -Use the Site to advertise or offer to sell goods and services. 

        -Sell or otherwise transfer your profile.

    6. USER GENERATED CONTRIBUTIONS

    The Site does not offer users the ability to submit or post content. We may provide you with the opportunity to create, submit, post, display, transmit, perform, publish, distribute, or broadcast content and materials to us or on the Site, including but not limited to text, writings, video, audio, photographs, graphics, comments, suggestions, or personal information or other material (collectively, "Contributions"). Contributions may be viewable by other users of the Site and through third-party websites. As such, any Contributions you transmit may be treated in accordance with the Site Privacy Policy. When you create or make available any Contributions, you thereby represent and warrant that:

        - The creation, distribution, transmission, public display, or performance, and the accessing, downloading, or copying of your Contributions do not and will not infringe the proprietary rights, including but not limited to the copyright, patent, trademark, trade secret, or moral rights of any third party.

        - You are the creator and owner of or have the necessary licenses, rights, consents, releases, and permissions to use and to authorize us, the Site, and other users of the Site to use your Contributions in any manner contemplated by the Site and these Terms of Use.

        - You have the written consent, release, and/or permission of each and every identifiable individual person in your Contributions to use the name or likeness of each and every such identifiable individual person to enable inclusion and use of your Contributions in any manner contemplated by the Site and these Terms of Use.

        - Your Contributions are not false, inaccurate, or misleading.

        - Your Contributions are not unsolicited or unauthorized advertising, promotional materials, pyramid schemes, chain letters, spam, mass mailings, or other forms of solicitation.

        - Your Contributions are not obscene, lewd, lascivious, filthy, violent, harassing, libelous, slanderous, or otherwise objectionable (as determined by us). Your Contributions do not ridicule, mock, disparage, intimidate, or abuse anyone.

        - Your Contributions are not used to harass or threaten (in the legal sense of those terms) any other person and to promote violence against a specific person or class of people.

        - Your Contributions do not violate any applicable law, regulation, or rule.

        - Your Contributions do not violate the privacy or publicity rights of any third party.

        - Your Contributions do not violate any applicable law concerning child pornography or otherwise intended to protect the health or well-being of minors.

        - Your Contributions do not include any offensive comments that are connected to race, national origin, gender, sexual preference, or physical handicap.

    Any use of the Site in violation of the foregoing violates these Terms of Use and may result in, among other things, termination or suspension of your rights to use the Site.

    7. CONTRIBUTION LICENSE

    You and the Site agree that we may access, store, process, and use any information and personal data that you provide following the terms of the Privacy Policy and your choices (including settings).

    By submitting suggestions or other feedback regarding the Site, you agree that we can use and share such feedback for any purpose without compensation to you.

    We do not assert any ownership over your Contributions. You retain full ownership of all of your Contributions and any intellectual property rights or other proprietary rights associated with your Contributions. We are not liable for any statements or representations in your Contributions provided by you in any area on the Site. You are solely responsible for your Contributions to the Site and you expressly agree to exonerate us from any and all responsibility and to refrain from any legal action against us regarding your Contributions.

    8. SUBMISSIONS

    You acknowledge and agree that any questions, comments, suggestions, ideas, feedback, or other information regarding the Site ("Submissions") provided by you to us are non-confidential and shall become our sole property. We shall own exclusive rights, including all intellectual property rights, and shall be entitled to the unrestricted use and dissemination of these Submissions for any lawful purpose, commercial or otherwise, without acknowledgment or compensation to you. You hereby waive all moral rights to any such Submissions, and you hereby warrant that any such Submissions are original with you or that you have the right to submit such Submissions. You agree there shall be no recourse against us for any alleged or actual infringement or misappropriation of any proprietary right in your Submissions.

    9. SITE MANAGEMENT

    We reserve the right, but not the obligation, to: (1) monitor the Site for violations of these Terms of Use; (2) take appropriate legal action against anyone who, in our sole discretion, violates the law or these Terms of Use, including without limitation, reporting such user to law enforcement authorities; (3) in our sole discretion and without limitation, refuse, restrict access to, limit the availability of, or disable (to the extent technologically feasible) any of your Contributions or any portion thereof; (4) in our sole discretion and without limitation, notice, or liability, to remove from the Site or otherwise disable all files and content that are excessive in size or are in any way burdensome to our systems; and (5) otherwise manage the Site in a manner designed to protect our rights and property and to facilitate the proper functioning of the Site.

    10. PRIVACY POLICY

    We care about data privacy and security. Please review our Privacy Policy: https://www.picussecurity.com/privacy. By using the Site, you agree to be bound by our Privacy Policy, which is incorporated into these Terms of Use. Please be advised the Site is hosted in the United States. If you access the Site from any other region of the world with laws or other requirements governing personal data collection, use, or disclosure that differ from applicable laws in the United States, then through your continued use of the Site, you are transferring your data to the United States, and you agree to have your data transferred to and processed in the United States.

    11. TERM AND TERMINATION

    These Terms of Use shall remain in full force and effect while you use the Site. WITHOUT LIMITING ANY OTHER PROVISION OF THESE TERMS OF USE, WE RESERVE THE RIGHT TO, IN OUR SOLE DISCRETION AND WITHOUT NOTICE OR LIABILITY, DENY ACCESS TO AND USE OF THE SITE (INCLUDING BLOCKING CERTAIN IP ADDRESSES), TO ANY PERSON FOR ANY REASON OR FOR NO REASON, INCLUDING WITHOUT LIMITATION FOR BREACH OF ANY REPRESENTATION, WARRANTY, OR COVENANT CONTAINED IN THESE TERMS OF USE OR OF ANY APPLICABLE LAW OR REGULATION. WE MAY TERMINATE YOUR USE OR PARTICIPATION IN THE SITE OR DELETE YOUR ACCOUNT AND ANY CONTENT OR INFORMATION THAT YOU POSTED AT ANY TIME, WITHOUT WARNING, AT OUR SOLE DISCRETION.

    If we terminate or suspend your account for any reason, you are prohibited from registering and creating a new account under your name, a fake or borrowed name, or the name of any third party, even if you may be acting on behalf of the third party. In addition to terminating or suspending your account, we reserve the right to take appropriate legal action, including without limitation pursuing civil, criminal, and injunctive redress.

    12. MODIFICATIONS AND INTERRUPTIONS

    We reserve the right to change, modify, or remove the contents of the Site at any time or for any reason at our sole discretion without notice. However, we have no obligation to update any information on our Site. We also reserve the right to modify or discontinue all or part of the Site without notice at any time. We will not be liable to you or any third party for any modification, price change, suspension, or discontinuance of the Site.

    We cannot guarantee the Site will be available at all times. We may experience hardware, software, or other problems or need to perform maintenance related to the Site, resulting in interruptions, delays, or errors. We reserve the right to change, revise, update, suspend, discontinue, or otherwise modify the Site at any time or for any reason without notice to you. You agree that we have no liability whatsoever for any loss, damage, or inconvenience caused by your inability to access or use the Site during any downtime or discontinuance of the Site. Nothing in these Terms of Use will be construed to obligate us to maintain and support the Site or to supply any corrections, updates, or releases in connection therewith.

    13. GOVERNING LAW

    These Terms of Use and your use of the Site are governed by and construed in accordance with the laws of the State of California applicable to agreements made and to be entirely performed within the State of California, without regard to its conflict of law principles.

    14. DISPUTE RESOLUTION

    Informal Negotiations

    To expedite resolution and control the cost of any dispute, controversy or claim related to these Terms of Use (each "Dispute" and collectively, the “Disputes”) brought by either you or us (individually, a “Party” and collectively, the “Parties”), the Parties agree to first attempt to negotiate any Dispute (except those Disputes expressly provided below) informally for at least thirty (30) days before initiating the arbitration. Such informal negotiations commence upon written notice from one Party to the other Party.

    Binding Arbitration

    Any dispute arising from the relationships between the Parties to this contract shall be determined by one arbitrator who will be chosen in accordance with the Arbitration and Internal Rules of the European Court of Arbitration being part of the European Centre of Arbitration having its seat in Strasbourg, and which are in force at the time the application for arbitration is filed, and of which adoption of this clause constitutes acceptance. The seat of arbitration shall be London, United Kingdom. The language of the proceedings shall be English. Applicable rules of substantive law shall be the law of the United Kingdom.

    Restrictions

    The Parties agree that any arbitration shall be limited to the Dispute between the Parties individually. To the full extent permitted by law, (a) no arbitration shall be joined with any other proceeding; (b) there is no right or authority for any Dispute to be arbitrated on a class-action basis or to utilize class action procedures, and (c) there is no right or authority for any Dispute to be brought in a purported representative capacity on behalf of the general public or any other persons.

    Exceptions to Informal Negotiations and Arbitration

    The Parties agree that the following Disputes are not subject to the above provisions concerning informal negotiations and binding arbitration: (a) any Disputes seeking to enforce or protect, or concerning the validity of, any of the intellectual property rights of a Party; (b) any Dispute related to or arising from, allegations of theft, piracy, invasion of privacy, or unauthorized use; and (c) any claim for injunctive relief. If this provision is found to be illegal or unenforceable, then neither Party will elect to arbitrate any Dispute falling within that portion of this provision found to be illegal or unenforceable, and such Dispute shall be decided by a court of competent jurisdiction within the courts listed for jurisdiction above, and the Parties agree to submit to the personal jurisdiction of that court.

    15. CORRECTIONS

    There may be information on the Site that contains typographical errors, inaccuracies, or omissions, including descriptions, pricing, availability, and various other information. We reserve the right to correct any errors, inaccuracies, or omissions and to change or update the information on the Site at any time, without prior notice.

    16. DISCLAIMER

    The Service is provided to You "AS IS" and "AS AVAILABLE" and with all faults and defects without warranty of any kind. To the maximum extent permitted under applicable law, the Company, on its own behalf and on behalf of its Affiliates and its and their respective licensors and service providers, expressly disclaims all warranties, whether express, implied, statutory or otherwise, with respect to the Service, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement, and warranties that may arise out of course of dealing, course of performance, usage or trade practice. Without limitation to the foregoing, the Company provides no warranty or undertaking, and makes no representation of any kind that the Service will meet Your requirements, achieve any intended results, be compatible or work with any other software, applications, systems or services, operate without interruption, meet any performance or reliability standards or be error free or that any errors or defects can or will be corrected.

    Without limiting the foregoing, neither the Company nor any of the Company's providers makes any representation or warranty of any kind, express or implied: (i) as to the operation or availability of the Service, or the information, content, and materials or products included thereon; (ii) that the Service will be uninterrupted or error-free; (iii) as to the accuracy, reliability, or currency of any information or content provided through the Service; or (iv) that the Service, its servers, the content, or e-mails sent from or on behalf of the Company are free of viruses, scripts, trojan horses, worms, malware, timebombs or other harmful components.

    Some jurisdictions do not allow the exclusion of certain types of warranties or limitations on applicable statutory rights of a consumer, so some or all of the above exclusions and limitations may not apply to You. But in such a case the exclusions and limitations set forth in this section shall be applied to the greatest extent enforceable under applicable law.

    17. LIMITATIONS OF LIABILITY

    IN NO EVENT WILL WE OR OUR DIRECTORS, EMPLOYEES, OR AGENTS BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, SPECIAL, OR PUNITIVE DAMAGES, INCLUDING LOST PROFIT, LOST REVENUE, LOSS OF DATA, OR OTHER DAMAGES ARISING FROM YOUR USE OF THE SITE, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

    18. INDEMNIFICATION

    You agree to defend, indemnify, and hold us harmless, including our subsidiaries, affiliates, and all of our respective officers, agents, partners, and employees, from and against any loss, damage, liability, claim, or demand, including reasonable attorneys’ fees and expenses, made by any third party due to or arising out of: (1) use of the Site; (2) breach of these Terms of Use; (3) any breach of your representations and warranties set forth in these Terms of Use; (4) your violation of the rights of a third party, including but not limited to intellectual property rights; or (5) any overt harmful act toward any other user of the Site with whom you connected via the Site. Notwithstanding the foregoing, we reserve the right, at your expense, to assume the exclusive defense and control of any matter for which you are required to indemnify us, and you agree to cooperate, at your expense, with our defense of such claims. We will use reasonable efforts to notify you of any such claim, action, or proceeding which is subject to this indemnification upon becoming aware of it.

    19. USER DATA

    We will maintain certain data that you transmit to the Site for the purpose of managing the performance of the Site, as well as data relating to your use of the Site. Although we perform regular routine backups of data, you are solely responsible for all data that you transmit or that relates to any activity you have undertaken using the Site. You agree that we shall have no liability to you for any loss or corruption of any such data, and you hereby waive any right of action against us arising from any such loss or corruption of such data.

    20. ELECTRONIC COMMUNICATIONS, TRANSACTIONS, AND SIGNATURES

    Visiting the Site, sending us emails, and completing online forms constitute electronic communications. You consent to receive electronic communications, and you agree that all agreements, notices, disclosures, and other communications we provide to you electronically, via email, and on the Site, satisfy any legal requirement that such communication be in writing. YOU HEREBY AGREE TO THE USE OF ELECTRONIC SIGNATURES, CONTRACTS, ORDERS, AND OTHER RECORDS, AND TO ELECTRONIC DELIVERY OF NOTICES, POLICIES, AND RECORDS OF TRANSACTIONS INITIATED OR COMPLETED BY US OR VIA THE SITE. You hereby waive any rights or requirements under any statutes, regulations, rules, ordinances, or other laws in any jurisdiction which require an original signature or delivery or retention of non-electronic records, or to payments or the granting of credits by any means other than electronic means.

    21. FOR EUROPEAN UNION (EU) USERS

    If You are a European Union consumer, you will benefit from any mandatory provisions of the law of the country in which you are resident.

    22. UNITED STATES LEGAL COMPLIANCE

    You represent and warrant that (i) You are not located in a country that is subject to the United States government embargo, or that has been designated by the United States government as a "terrorist supporting" country, and (ii) You are not listed on any United States government list of prohibited or restricted parties.

    23. CALIFORNIA USERS AND RESIDENTS

    If any complaint with us is not satisfactorily resolved, you can contact the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs in writing at 1625 North Market Blvd., Suite N 112, Sacramento, California 95834 or by telephone at (800) 952-5210 or (916) 445-1254.

    24. MISCELLANEOUS

    These Terms of Use and any policies or operating rules posted by us on the Site or in respect to the Site constitute the entire agreement and understanding between you and us. Our failure to exercise or enforce any right or provision of these Terms of Use shall not operate as a waiver of such right or provision. These Terms of Use operate to the fullest extent permissible by law. We may assign any or all of our rights and obligations to others at any time. We shall not be responsible or liable for any loss, damage, delay, or failure to act caused by any cause beyond our reasonable control. If any provision or part of a provision of these Terms of Use is determined to be unlawful, void, or unenforceable, that provision or part of the provision is deemed severable from these Terms of Use and does not affect the validity and enforceability of any remaining provisions. There is no joint venture, partnership, employment, or agency relationship created between you and us as a result of these Terms of Use or use of the Site. You agree that these Terms of Use will not be construed against us by virtue of having drafted them. You hereby waive any and all defenses you may have based on the electronic form of these Terms of Use and the lack of signing by the parties hereto to execute these Terms of Use.

    25. CONTACT US

    In order to resolve a complaint regarding the Site or to receive further information regarding the use of the Site, please contact us at:

    Picus Security Inc.

    160 Spear Street, #1000

    San Francisco, CA 94105 USA 

    +1 (415) 8905105

    info@picussecurity.com

    Last updated November 21, 2021

  • v. Clarification Text for the Protection and Processing of Personal Data

    Picus Security Inc. (“Picus” or “Company”), which is a pioneer in breach and attack simulation technologies, serves many institutions and organizations domestically and abroad with its new and integrated approach in the field of information technologies. For Picus, which works on security services in the field of information technologies, protecting personal data is extremely important.

    Picus has set a target to act in accordance with the Personal Data Protection Law ("PDPL")  numbered 6698 that is in force in Turkey and with other legal practices accepted in the  international arena as well. In this context, this Clarification Text for the Protection and  Processing of Personal Data (“Clarification Text”) has been prepared in order to enlighten the  relevant persons regarding general conditions regarding how and for what purpose the  Personal Data is processed, how they are protected and how long they are stored by Picus,  from its customers, potential customers, suppliers, business partners and their employees  and officials, visitors, employees, ex-employees and candidate employees, and also to third  parties whose personal data is processed for business transactions while maintaining their  business relations with Picus.  

    All the concepts and expressions in this Clarification Text will express the meaning ascribed  to them in PDPL and other legislation.  

    In the event of inconsistency between the PDPL and other relevant legislative provisions and this Clarification Text, the PDPL and other relevant legislative provisions will be applied first. Our Company takes the necessary technical and administrative measures to ensure the security of personal data. This text can be changed if deemed necessary according to the current legislation and the practices of our Company. You can access the final version of the text from our website www.picussecurity.com ("Website").

    1. THE CONDITIONS OF PROCESSING PERSONAL DATA 

    All personal data processed by Picus are processed in accordance with PDPL and related  legislation. In accordance with Article 4 of PDPL, the basic principles to be applied in the  processing of your personal data are listed.  

    The personal data are processed by Picus;  

    - With the purchase of Picus products and / or services;  

    - When you offer products or services to Picus;  

    - When you contact Picus by any means;  

    - When you request or choose to receive commercial electronic messages we send for  marketing;  

    - When you apply for a job at Picus and / or start working at Picus;  

    - When you attend our events and organizations organized by Picus; and

    - When you visit our Website

    in accordance with the rules determined in this Clarification Text and / or its annexes.

    Picus complies with the rules stated in the scope of PDPL and the following basic principles:

        - Processing in accordance with the law and honesty rule.

        - Ensuring that personal data are accurate and up to date when necessary.

        - Operation for specific, clear and legitimate purposes.

        - Being connected, limited and restrained for the purpose for which they are processed.

        - Storage for the period required by the relevant legislation or for the purpose for which they are processed.

    Within the scope of the services it provides, Picus processes some commercial, legal and / or personal data regarding its customers, potential customers, suppliers, business partners and their employees and officials, visitors, employees, ex-employees and employee candidates, as well as third parties whose personal data are processed in accordance with their business processes. This data will be protected with the same care that Picus applies to its own data, even if it is not specified as a trade secret in accordance with a contract or the applicable legislation, unless Picus is required to share it with third parties within the scope of the service provided under the contractual relationship, and unless otherwise specified in the applicable legislation.

    The e-mail addresses, names and surnames, Turkish ID no, identification information,  addresses or phone numbers of customers, potential customers, suppliers, business  partners and their employees and officials, visitors, employees, ex-employees and employee  candidates as well as third parties whose personal data are processed in accordance with  their business processes, can be processed by Picus. In addition, via the website, your IP  address, the start and end information about your use, the type and scope of your use, and  the type of your browser and operating system are also recorded.  

    In addition to these, if you upload your name and surname, title, phone number, e-mail  address, personal messages and similar information to the website through forms available  at various locations on the Website, and thus share this information with Picus, we process  this information you provide in accordance with your request and for the purposes of the  services offered by Picus.  

    Our website uses Google Analytics, an analysis service of Google Inc. ("Google"). Google Analytics uses “cookies”, that is, text files that are saved on your computer and enable the use of the website to be analyzed. The information generated by cookies about the use of the website is transmitted to and stored on a Google server in the USA. Upon the instruction of the operator of this website, Google uses this information to prepare reports to evaluate your use and to provide related services. The IP address transmitted from your browser within the framework of Google Analytics is not combined with other data of Google. If you do not want these cookies to be stored, you can make settings accordingly in your browser. In addition, our website uses AdWords and DoubleClick cookies for statistical purposes. If you do not want these tools to be used, you can disable them through your browser settings. However, we would like to state that in this case, you may not be able to use all the functions on the website completely.

    We use third-party cookies and our own cookies to show you personalized ads on websites.  This is called "retargeting" and aims to base your clicks on the pages you browse on our  website, the products you display, and the advertising space shown to you. We also use  cookies as part of our online marketing campaigns to see how users interact with our website  after online ads are shown, including those on third-party websites. You can delete these  cookies from your browser at any time.  

    Special categories of personal data are not processed by Picus without the informed explicit consent of the relevant person.

    The personal data processed may differ in relation to the products and / or services offered by Picus. Personal data collected orally, in writing or electronically via online or offline means, during the period of use of the products and services offered by Picus, are processed with the consent of the person before the effective date of Personal Data Protection Law no. 6698 or explicit consent after the effective date of the law, or within the framework of the rules and conditions specified in the Personal Data Protection Law.

    BASIC PRINCIPLES FOR PROCESSING OF THE PERSONAL DATA  

    Personal data is processed with explicit consent where the applicable legislation requires it, or without explicit consent where the applicable legislation does not require it, in line with the objectives of the services provided by Picus, in order for Picus to continue its activities, to provide better service, to measure and improve the quality of its service, to determine the preferences and needs of our dealers, suppliers, customers and employees, to process and evaluate job applications, to provide communication with people who have a business relationship with our Company, to comply with the current legislation, to send bulletins by e-mail and to make notifications.

    The personal data will only be collected within the scope of Picus activities, will be used in  connection with the purposes of collection, will be stored for the periods required by the  processing purposes, will not be processed in excess of the rules and exceptions specified in  the current legislation, and in cases where the reasons requiring its processing disappear,  with the exception of situations arising from other legislation in force, will be deleted,  destroyed or anonymized.  

    Keeping the personal data accurate and up-to-date is one of our primary goals. For this  reason, our Company meets the technical and administrative requirements required to keep  personal data accurate and up-to-date.  

    Only authorized persons can access personal data, and unauthorized persons working in our Company and / or having a contractual relationship with our Company are prohibited from accessing personal data. In this context, we would like to state that our Company takes the necessary measures to ensure the security and confidentiality of personal data.

    1. TRANSFER OF THE PERSONAL DATA 

    Transfer of the Personal Data Domestically  

    Picus is responsible for acting in accordance primarily with Article 8 of PDPL and with the decisions and related regulations envisaged in the PDPL and taken by the Board. As a rule, personal data and special categories of data cannot be transferred to other real persons or legal entities by Picus without the explicit consent of the relevant person.

    However, in cases foreseen in Articles 5 and 6 of PDPL, transfer is possible without the explicit consent of the relevant person. Picus, in accordance with the conditions stipulated in PDPL and other relevant legislation and by taking the security measures specified in the legislation, can transfer the personal data to third parties unless otherwise arranged in law or other relevant legislation in Turkey.

    Transfer of the Personal Data Abroad 

    Picus can transfer personal data abroad, either after processing it in Turkey or for it to be processed and stored outside of Turkey, in accordance with the conditions foreseen in PDPL and by taking the security measures specified in the legislation.

    We transfer your personal data abroad by taking the necessary technical and administrative measures, through cloud computing technology, to take advantage of the opportunities of technology in order to carry out our Company activities in the most efficient way and to provide services at world standards.

    We work with the above mentioned service providers for the purposes of developing our  websites and platforms, increasing the variety of products and services and measuring the  user experience according to the preferences of our customers and users. We would like to  point out that you should also review the policies of the relevant service providers, as Picus  has no responsibility for the policies of the respective service providers for processing  personal data. 

    1. RIGHTS OF THE RELEVANT PERSON 

    Regarding the processing of personal data, according to the definition specified in the  legislation, the data controller is Picus Informatics Security trade INC.  

    In accordance with Article 11 of PDPL, the relevant persons have the following rights, which they can exercise by applying to Picus:

    - Learning whether your personal data is processed;

    - Requesting information if it is processed;

    - Requesting the purpose of processing your personal data and whether it is used in accordance with its purpose;

    - Knowing the third parties to whom the personal data is transferred;

    - Requesting correction of personal data if it is incomplete or incorrectly processed;

    - Requesting the deletion or removal of your personal data;

    - Requesting that the third parties to whom your personal data is transferred be notified of the deletion or removal process;

    - Objecting to the emergence of a result against you by analyzing your processed personal data exclusively with automated systems; and

    - Requesting compensation for your loss if you are harmed due to illegal processing of personal data.

    To use these rights arising from the current legislation, you need to make a written application to the address of the Company given below, or fill in the Application Form using the registered electronic mail (REM) address, secure electronic signature or mobile signature, adding the following information and documents according to Article 13 of PDPL: your name, last name and signature; if you are a citizen of the Republic of Turkey, your Turkish ID number; if you are not a citizen of the Republic of Turkey, your nationality, passport number and, if you have one, your ID number; your location or workplace address that is set for notifications; the main e-mail address and telephone number that are set for notifications; the subject of your request; and other necessary information and documents to be used for identification.

    The application made by you or your authorized representative will be evaluated by our Company and concluded free of charge within thirty days.

    Application methods and addresses are as follows: 

    | Application methods | The addresses where application can be made |
    | --- | --- |
    | The applicant can apply by filling out the Application Form with the necessary information and documents required to determine his/her identity, by coming to the address of Picus Security Inc. | www.picussecurity.com |
    | The applicant, him/herself or through a proxy authorized to represent him/her, can apply by filling out the Application Form and sending it to the address of Picus Informatics Security trade INC. through a notary or by certified mail. | Üniversiteler Mah. 1596 Cad. Arge 1 No:12, Beytepe 06800 Çankaya/ ANKARA |
    | The applicant can apply with an electronic mail registered with a secure electronic signature. | picusbilisim@hs01.kep.tr |

     

DATA SUBJECT REQUESTS

In Picus, we respect your data privacy rights. If you want to exercise your data subject rights, please fill out the form here. Upon your submission, we will share the related data subject request form with you, depending on the legal source of your request.

 

CORPORATE SECURITY PRACTICES

At Picus, we believe that security should primarily be internalized in our company culture. Below, you can find some of our corporate documents and practices, which help us build a strong and regularly validated security posture.

Corporate Security Documents

  • i. Business Continuity Policy

    The Business Continuity policy has been established in order to operate, manage, measure, and continuously improve the business continuity management system within PICUS, in line with and in support of the corporate business objectives of PICUS. It refers to definitions, rules, practices, responsibilities, and workflows based on business needs and regulated by relevant laws and standards. This policy is in an active relationship with ISMS and IT SMS and aims to progress through common values in necessary process management.

    This policy will guide all activities of PICUS related to business continuity and will provide the following basic requirements:

    a) Supporting business strategy and corporate objectives

    b) Complying with laws, standards, and contracts

    c) Managing existing and anticipated business continuity processes, risks, and threat environment

    d) To ensure the continuity of all assets and processes within the scope of PICUS' BCMS, especially information assets and processes.

    While PICUS meets business continuity requirements, it has planned, implemented, and regularly controlled the processes necessary to carry out activities that address risks and opportunities. It implements determined plans and exercises to achieve these goals. It retains written information to the point where it is certain that these processes are carried out as planned, reviews the results of undesired changes by controlling the testing and exercises processes, as well as planned changes, and can take new actions if necessary to mitigate negative effects.

    The business continuity policy is reviewed by Senior Management at regular intervals or when significant changes occur, in order to measure the operability of the system, and is updated as needed to ensure continuous suitability, accuracy, and effectiveness.

    This policy is intended to be accessible and understandable to all employees and the target audience, including relevant external parties. All employees and external parties defined in the BCMS are obliged to comply with this policy and the processes supporting this policy.

    Published: 06.07.2022 - v2

  • ii. IT Service Management Policy

    PICUS's business processes and customer services are in full compliance with the IT Service Management principle and policy. PICUS is a leading company in its sector, operating effectively towards its stakeholders, customers, and employees.

    The Service Management Policy has been established to operate, manage, measure, and continuously improve the information technology service management system within PICUS and has been approved by the highest level of management. With this policy, PICUS will provide the following basic requirements to manage its service management purposes and achieve the determined business objectives:

    a) Supporting business strategy and corporate goals

    b) To comply with laws, standards, and contracts

    c) To manage the objectives, processes, and risks of current and anticipated service management

    d) Keeping information technology services operational, managing changes, and using information technology services according to business needs

    e) To ensure the success, performance, and quality of all services and processes within the scope of PICUS's IT SMS, in line with the targets

    f) Ensuring that all services determined by service catalogs within the scope of IT SMS are provided in accordance with the Service Level Agreements (SLA), and that their performance is measured and reported; to increase customer satisfaction by providing continuous improvement in line with technological changes and business requirements

    g) To manage accessibility and capacity by carrying out the necessary monitoring and to reduce costs through the right financial and resource management.

    The service management policy is reviewed at regular intervals or when significant changes occur, in order to measure the operability of the system and services and to ensure continuous suitability, accuracy, and effectiveness, and is approved by the Senior Management.

    Published: 06.07.2022 - v2

  • iii. Information Systems Acceptable Usage Policy

    The purpose of this policy is to explain the basics of use necessary to ensure that all employees pay due attention and care to PICUS Information Security policies and procedures in the processes of using all kinds of communication and information networks and services within the scope of the Management System.

    PICUS communication and information network, software, enterprise applications, processes, information assets, and hardware (including the Internet, e-mail, telephone, pagers, fax, computers, mobile devices, IoT, video-conferencing and mobile phones, etc.) should be used for PICUS and for employees to run their corporate business. Any use of these systems that is illegal, inconveniencing other users, contrary to other policies, standards and rules of PICUS, or harming the company, its stakeholders or customers means a violation of this policy.

    This policy requires that:

    - Background verification checks on all candidates for employees and contractors should be carried out in accordance with relevant laws, regulations, and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risk.

    - Employees, contractors, and third-party users must agree and sign the terms and conditions of their employment contract, and comply with acceptable use.

    - Employees will go through an onboarding process that familiarizes them with the environments, systems, security requirements, and procedures PICUS has in place. Employees will also have ongoing security awareness training that is audited.

    - Employee offboarding will include reiterating any duties and responsibilities still valid after terminations, verifying that access to any PICUS systems has been removed, as well as ensuring that all company owned assets are returned.

    - PICUS and its employees will take reasonable measures to ensure no corporate data is transmitted via digital communications such as email or posted on social media outlets.

    - PICUS will maintain a list of prohibited activities that will be part of onboarding procedures and have training available if/when the list of those activities changes.

    - A fair disciplinary process will be utilized for employees that are suspected of committing breaches of security. Multiple factors will be considered when deciding the response, such as whether or not this was a first offense, training, business contracts, etc. PICUS reserves the right to terminate employees in serious cases of misconduct.

    PICUS requires all workforce members to comply with the following general acceptable usage requirements and procedures, such that:

    - All workforce members are primarily considered as remote users and therefore must follow all system access controls and procedures for remote access.

    - The use of PICUS computing systems is subject to monitoring by PICUS Security teams.

    - Employees may not leave computing devices (including laptops and smart devices) used for business purposes, including company-provided and BYOD devices, unattended in public.

    - Device encryption must be enabled for all mobile devices accessing company data, such as whole-disk encryption for all laptops.

    - All email messages containing sensitive or confidential data will be encrypted.

    - Employees may not post any sensitive or confidential data in public forums, social media, or chat rooms. If a posting is needed to obtain technical support, data must be sanitized to remove any sensitive or confidential information prior to posting.

    - All data storage devices and media must be managed according to the PICUS Data Classification specifications and Data Handling procedures.

    - Employees may only use photocopiers and other reproduction technology for authorized use.

    - Media containing sensitive/classified information should be removed from printers immediately.

    - The PIN code function will be used on printers with such capability, so that the originators are the only ones who can get their print-outs and only when physically present at the printer.

    The processes within the scope of this policy are followed by the Information Security Director with the support of the relevant process owners. It is reviewed annually by the Information Security Committee, and necessary updates are made and announced to the employees.

    Published: 09.11.2021 - v3

  • iv. Personal Data Management Policy

    The Personal Data Management Policy has been established to define the personal data collection, processing, protection, storage, and destruction rules, management, and practices approved by the Senior Management, and to announce them to the employees and relevant external parties.

    Protection of personal data is extremely important for PICUS, which provides services to many companies and organizations at home and abroad and works on security services in the field of information technologies.

    PICUS has set itself the goal of acting in accordance with other legal practices both in force in Turkey and accepted in the international arena regarding the protection of personal data. This policy sets out the general conditions determining how, for what purpose, and for how long PICUS processes and protects the personal data of its customers, suppliers, business partners, and their employees and officials, as well as of third parties whose personal data are processed in accordance with business processes while maintaining business relations. PICUS takes the confidentiality and integrity of its customer data very seriously and strives to assure data is protected from unauthorized access and is available when needed.

    Processing of Personal Data

    All personal data processed by PICUS are processed in accordance with national and international law. Personal data is processed by PICUS:

    - With the purchase of PICUS products and/or services;

    - When products or services are offered to PICUS;

    - When communicating with PICUS by any means;

    - When it is requested or preferred to receive commercial electronic messages sent for marketing;

    - When applying for a job at PICUS and/or starting to work at PICUS;

    - Production systems that create, receive, store, or transmit PICUS customer data

    - Participating in events and organizations organized by PICUS and

    - When visiting the website www.picussecurity.com


    PICUS complies with the rules specified within the scope of personal data, within the framework of the following basic principles:

    - Legal and Integrity Processing: PICUS acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, PICUS takes into account the proportionality requirements in the processing of personal data and does not use personal data other than as required for the purpose.

    - Ensuring Personal Data Are Accurate and Up-to-Date: PICUS ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights of the persons concerned and their own legitimate interests.

    - Processing for Specific, Explicit, and Legitimate Purposes: PICUS clearly and precisely determines the legitimate and lawful purpose of processing personal data. Picus processes personal data as much as necessary and in connection with the products and services it offers.

    - Being Related to the Purpose for which they are Processed, Limited and Measured: PICUS processes personal data in a way that is suitable for the realization of the determined purposes and avoids the processing of personal data that is not related to the realization of the purpose or is not needed.

    - Retaining Personal Data for the Period Envisioned in the Relevant Legislation or Required for the Purpose of Processing: PICUS retains personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed. In this context, PICUS first determines whether a period is foreseen for the storage of personal data in the relevant legislation; if a period is determined, it acts in accordance with this period. Personal data is deleted, destroyed, or anonymized by Picus in the event that the period expires or the reasons for its processing disappear.

    - Data must be handled and protected according to its classification requirements and following approved encryption standards, if applicable.

    - Whenever possible, store data of the same classification in a given data repository and avoid mixing sensitive and non-sensitive data in the same repository. Security controls, including authentication, authorization, data encryption, and auditing, should be applied according to the highest classification of data in a given repository.

    - Employees shall not have direct administrative access to production data during normal business operations. Exceptions include emergency operations such as forensic analysis and manual disaster recovery.

    - All access to Production Systems must be logged.

    - All Production Systems must have security monitoring enabled, including activity and file integrity monitoring, vulnerability scanning, and/or malware detection, as applicable.

    Personal Data Processing Purposes and Legal Reasons

    The purposes and processes of processing personal data processed by PICUS vary according to the category of the person concerned and the type of personal data.

    The purposes of processing personal data processed by PICUS are as follows:

    - Establishment and management of customer relations: 

    - Management of contract processes with our suppliers and business partners

    - Execution of direct marketing processes

    - Compliance with legal obligations

    - Protection and security of company interests

    - Within the scope of marketing activities

    - Cookies

    - Visitors and closed-circuit camera system (CCTV)

    - Employee candidates

    Data Protection Implementation and Processes

    Customer Data Protection: PICUS cloud products are hosted on AWS by default. Data is replicated across multiple regions for redundancy and disaster recovery. On PICUS products, only customer email addresses and customer attack simulation results are kept, and all customer data at rest and in motion are encrypted. Picus only analyzes system usage data anonymously to monitor and improve the quality of the threat library.

    Access: PICUS employee access to production is guarded by an approval process and by default is disabled. When access is approved, temporary access is granted that allows access to production. Production access is reviewed by the DevOps team on a case-by-case basis.

    Separation: Customer data is logically separated at the database/datastore level using a unique identifier for the customer. All database/datastore queries then include the account identifier.

    Monitoring: PICUS uses AWS tools to monitor the entire cloud service operation. If a system failure and alarm is triggered, key personnel are notified by text, chat, and/or email message in order to take appropriate corrective action.

    Confidentiality/Non-Disclosure Agreement (NDA): PICUS uses confidentiality or non-disclosure agreements to protect confidential information using legally enforceable terms. NDAs are applicable to both internal and external parties.

    Data At Rest: All databases, data stores, and file systems are encrypted according to PICUS’s Encryption Policy.

    Data In Transit: Data will only be transferred where strictly necessary for effective business processes. To ensure the safety of data in transit:

    - All external data transmission must be encrypted end-to-end using encryption keys managed by PICUS. This includes, but is not limited to, cloud infrastructure and third-party vendors and applications.

    - All internet and intranet connections are encrypted and authenticated using a strong protocol, a strong key exchange, and a strong cipher.

    Security of Personal Data

    PICUS takes the necessary administrative and technical measures in line with the Personal Data Security Guide published by the Personal Data Protection Authority in order to protect personal data and prevent unlawful access. In this context, procedures and policies are prepared by Picus within the scope of ISO 27001, necessary disclosure and explicit consent texts are prepared, and necessary inspections are carried out or commissioned.

    The personal data management policy is reviewed at regular intervals or when significant changes occur and is approved by the Senior Management.

    Published: 13.11.2021 - v3

  • v. Clear Desk and Clear Screen Policy

    The purpose of this policy is to determine the rules that PICUS employees must comply with and pay attention to while working inside or outside the company, in the use of computer and peripheral devices, network resources, cloud services, workspaces, and information access environments, including desks, cabinets, drawers and screens.

    PICUS employees:

    - They should never keep documents and information assets that should not be seen by anyone other than themselves in open areas (on desks, open drawers and cabinets, screens, etc.).

    - When they leave their desk or work area during the day, they must remove or close the documents they are working on and keep them in safe places.

    - They must keep critical documents, materials and any media carrying information for themselves or their units in locked drawers or cabinets.

    - User access information and passwords that they use to access cloud services, services, computer and peripheral devices, network resources, and workspaces should not be written in places that others can see, such as desktop, notebook, or on-screen notes.

    - They should not leave confidential documents on their computers on the screen or the desktop.

    - When staying away from computers, even for short breaks from the desk, they should press the screen lock keys (Ctrl+Alt+Delete, Ctrl+Command+Q, etc.) at the same time and lock the computer with the "lock the computer" option.

    - They should not leave CD/DVD, USB memory or disk and similar portable storage devices unattended on desks, open drawers and cabinets. If possible, portable disks/media containing confidential information should be encrypted and kept in a safe place.

    - After printing from in-house fax or network printers, they should collect the printout directly from the printer. Paper printouts should not be kept on the printers; they should be taken as soon as possible.

    - They should not print confidential and classified information from remote network printers. If printing from remote printers is required, password-protected printing must be used.

    - User access information (user name, access codes, password keys, defined account login information, etc.) and passwords should not be kept in written form on paper, sticky paper and notebook.

    - Paper printouts that contain valuable and confidential information for PICUS should not be thrown away; they should be shredded and destroyed in paper shredders. Unclaimed printouts left on or around printers or fax machines should be destroyed as soon as possible.

    - Portable media such as hard disks, CD/DVDs, and USB drives that will not be used again should not be disposed of as scrap or garbage until the information on them has been made irrecoverable and unusable using appropriate techniques.

    - In case of loss/theft of media containing confidential information assets, PICUS Management should be contacted immediately.

    - They should not consume foods (bagels, cakes, sweets, etc.) and beverages (water, tea, coffee, etc.) that may cause physical damage to computers on and around the desktop.

    - Working rooms where confidential information and documents can be found in the open should be kept locked when there is no employee in the room.

    - Keys to study rooms, cabinets, desk drawers; private keys such as house and car; safe keys; wallets, ID cards, etc.

    Clear Desk and Clear Screen rules apply in the employees' work areas, in different offices within the company, in meeting rooms, and in any environment where employees work remotely.

    In addition, the content of this policy is re-transmitted to the company's users through awareness training at regular intervals throughout the year.

    Published: 17.05.2021 - v2

  • vi. Environmental and Energy Policy

    The purpose of this policy is to reveal PICUS's approaches to environmental and energy issues and its management perspective.

    As a company that is aware of its responsibility towards environmental values, PICUS believes that it is necessary to leave a livable world to future generations. In order to minimize the consumption of natural resources and to prevent environmental pollution, it takes care to work by setting targets within the framework of continuous improvement.

    The PICUS working ecosystem and environment do not require a large infrastructure and energy consumption. Our employees generally work remotely and independently of the location. Within the framework of our activities, processes with waste generation and environmental impact are at a very low level. There is no fixed server room within the PICUS campus and all business activities are carried out through cloud systems. For these reasons, the working environment of PICUS has low energy consumption and very low environmental impacts.

    As PICUS, we base all of our activities on reducing waste at its source and recycling as much as possible. In this context, there are separate boxes for the separation of all wastes in the office areas, providing an important gain for our strategy to prevent pollution at its source. These wastes are collected by Hacettepe Teknokent management and processed with the same sensitivity.

    All energy-consuming devices and equipment used in the PICUS campus are selected from types and models that comply with the principles of low consumption and energy efficiency and are regularly monitored.

    Training and informing our employees about environmental and energy issues is also part of our awareness activities. We expect and encourage all of our employees to act with this awareness on the company campus and in the environments where they work.

    With the same approach, PICUS asks its suppliers and service providers to meet their sensitivities in environmental and energy issues. In this context, we adopt as a principle to work with third parties with the lowest environmental impact and closest to green energy principles.

    Within the scope of our sustainability strategies, we consider the protection of natural resources and the realization of our activities with minimum environmental impact as one of our main responsibilities. We evaluate our services from a life-long perspective and manage the positive or negative effects we create. 

    All related processes, including this policy, are regularly updated annually and monitored by the senior management.

    Published: 07.10.2021 - v1

  • vii. Anti-Bribery and Corruption Policy

    The Anti-Bribery and Corruption Policy has been established to define the anti-bribery and corruption management and practices approved by the Senior Management, and to announce them to the employees and relevant external parties.

    This policy applies to all PICUS employees (full and part-time) and temporary workers (such as consultants or contractors) (together referred to as “employees” in this document) across the company no matter where they are located or what they do. Every person concerned can send their complaints and notifications directly to the Board by e-mail to notification@picussecurity.com about the issues covered by the policy.

    This policy also provides additional specific information about the anti-corruption laws in Turkey and provides general guidance to compliance with anti-corruption laws in other jurisdictions in which we carry on business.

    Method

    Bribery is offering, promising, giving, or accepting any financial or other advantages, to induce the recipient or any other person to act improperly in the performance of their functions, or to reward them for acting improperly, or where the recipient would act improperly by accepting the advantage. Bribes can take many forms such as money (or cash equivalent such as shares); unreasonable gifts, entertainment, or hospitality; kickbacks; unwarranted rebates or excessive commissions (e.g. to sales agents or marketing agents); unwarranted allowances or expenses or anything else of value.

    Corruption is the abuse of public power, duty, and authority to obtain private benefit through bribery, extortion, nepotism, fraud, and embezzlement (ref. United Nations Development Programme).

    The People & Culture Unit has primary and day-to-day responsibility for implementing this policy, monitoring its use and effectiveness, dealing with any queries about it, and auditing internal control systems and procedures to ensure they are effective in countering bribery and corruption. In addition, the Operations Unit is responsible for monitoring this policy and updating it at least once a year.

    4.1. Scope and Implementation

    In PICUS, all forms of bribery and corruption are prohibited. Bribery is prohibited when dealing with any person whether they are in the public or private sector and the provisions of this policy are of general application. However, many countries have specific controls regarding dealing with public officials and this policy includes specific requirements in these circumstances.

    In summary, it is essential to act in accordance with the actions listed in the following:

    - Facilitation Payments and Kickbacks: Facilitation payments are any payments, no matter how small, given to an official to increase the speed at which they do their job. For example, this could include speeding up customs clearance. You must avoid any activity that might lead to a facilitation payment or kickback being made or accepted by PICUS or on our behalf, or that might suggest that such a payment will be made or accepted. If you are asked to make a payment on our behalf, you should always be mindful of what the payment is for and whether the amount requested is proportionate to the goods or services provided. You should always ask for a receipt that details the reason for the payment. If you have any suspicions, concerns, or queries regarding a payment, you should raise these with the Compliance Officer.

    - Gifts, Hospitality, and Expenses: PICUS and its employees, as well as third parties acting on its behalf to any external party, are prohibited from accepting and giving gifts and hospitality, as well as intangibles (e.g. job offers, investment opportunities, and favors) directly or through another party. The giving and accepting of gifts is allowed if the following requirements are met:

       - It is not made with the intention of influencing a third party to obtain or retain business or a business advantage, or to reward the provision or retention of business or a business advantage, or in explicit or implicit exchange for favors or benefits;

       - It is given in the company name, not in your name;

       - It does not include cash or a cash equivalent (such as gift certificates or vouchers);

       - It is appropriate in the circumstances, taking account of the reason for the gift, its timing, and value. For example, giving small gifts to celebrate important days is appropriate;

       - It complies with any applicable local law.

    - Record-Keeping: All payments and commissions to third parties must:

       - be made via bank transfer through the accounts payable system and be fully accounted for;

       - be supported by financial records and appropriate internal controls which will evidence the business reason for making payments to third parties; and

       - be made in accordance with the terms of the contract with the person or company providing the services.

    - Distributors and Channel Partners: All third parties should be made aware of the terms of the PICUS Code of Conduct and of their obligations to comply with it. All arrangements with third parties should be subject to clear contractual terms including specific provisions requiring them to comply with minimum standards and procedures in relation to bribery and corruption. Appropriate wording to be included in contracts can be obtained from legal@picussecurity.com

    4.2. Disciplinary Action

    PICUS personnel who fail to comply with this policy are subject to disciplinary action and may also be subject to legal punishments if they commit an offense under the law according to the Disciplinary Ordinance.

    Published: 08.11.2021 - v2

Corporate Security Practices

  • i. Information Security Governance

    An Information Security Director (ISD) leads Picus’s information security and privacy program with a vision of continuous improvement, stronger cybersecurity resilience, wider compliance and keeping up with the latest technologies. The ISD is responsible for managing Picus' business on information security, business continuity, risk management, auditing and compliance.

  • ii. Access Control

    All access requests are treated on a least-access principle. Secure logon procedures, including multi-factor authentication (MFA), are implemented. In addition, a stringent password security policy is enforced and a password manager solution is provided for the use of all employees.

  • iii. Endpoint Security

    Picus implements various endpoint security solutions such as Mobile Device Management (MDM), Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR). All corporate laptops are encrypted. In addition, a zero-trust architecture, which requires all users to be authenticated, authorized, and continuously verified before being granted access, has been adopted.

  • iv. Data Protection

    In Picus systems and platform, both data in transit and at rest are encrypted using industry-standard algorithms. In addition, special encryptions are used in the SSHv2 protocol in order to provide secure access to the company cloud servers, where Picus products and systems are located.

  • v. Business Continuity and Disaster Recovery

    All systems related to Picus products are cloud based and have a highly available architecture in AWS US and EU data centers. Picus uses redundant RDS instances to ensure full backup recovery of its database. Daily database backups are also taken automatically.

  • vi. Data Communication

    Picus uses a fully encrypted VPN solution as well as HTTPS to communicate with and access its network. All traffic within the network is redirected from HTTP to HTTPS.

  • vii. Software Development

    Picus operates Secure Development Life Cycle (SDLC) rules based on agility, information security, and secure code development techniques for product and system development, depending on best practices and well-known techniques.

  • viii. Vendor Security

    Picus performs a third-party risk management process and routinely assesses its vendors through audits, reviews of their standardized assessment reports, certifications or other appropriate processes in order to confirm they are meeting their contractual obligations and applicable legal requirements.

  • ix. Security Awareness and Training

    Security training and awareness programs are conducted for all employees on an annual basis. In addition, regular training sessions as well as secure code trainings are provided to Picus developers by field experts.

Recent Pentest and Security Assessments Reports

  • i. Pentest & Security Assessments Reports

    In addition to our internal Picus Lab teams, Picus also contracts a third party to perform annual penetration tests. Recent reports shall only be provided under NDA. If you request access to these reports, please reach us at security@picussecurity.com

VULNERABILITY DISCLOSURE PROGRAM

At Picus, we believe that security should primarily be internalized in our company culture. Below, you can find some of our corporate documents and practices, which help us build a strong and regularly validated security posture.

VULNERABILITY DISCLOSURE POLICY