Double Your Threat Blocking in 90 Days
In Picus, your privacy is protected in an open and transparent manner. Also, the use of our website and services are subject to terms and conditions, which are bounded by legal agreements. Below, you can find all related legal documents.
Picus is committed to protecting and respecting your personal information and privacy. This Policy sets out and is only limited with the personal data processing practices carried out through the use of our Websites (www.picussecurity.com and app.picussecurity.com), our Services (as described below) and any other electronic communications networks by Picus.
Please read this Policy carefully to understand how and why we collect, process and use your information.
2. COLLECTION OF YOUR PERSONAL INFORMATION
Personal Data is any information that directly or indirectly identifies a natural person. We will ask for your consent when we need information that personally identifies you (personal information) or allows us to contact you to provide a service or carry out a transaction that you have requested such as receiving information about Picus Security products and services, ordering email newsletters, joining a limited-access site or service, or when purchasing, downloading and/or registering Picus Security products.
The channels and types of personal information we may collect including, without limitation, are listed below:
Information you directly provide to us:
- Free-trial: Under your free-trial requests, we may collect your first name, last name, company email, company name and country information.
- Account: We may collect our customer’s company email address when logging into our online platform.
- Demo request: Under your demo requests, we may collect your first name, last name, company email address, company name, phone number and country information.
- Contacting us: Under your inquiries such as scheduling a demo, learn about pricing and upgrading product, we may collect your first name, last name, company email, company name, job title, country, phone number (optional) information and the descriptive message you submitted to facilitate your inquiry.
- Job application: We receive your job applications through a third-party platform. If you wish to apply for a job at Picus, we may collect your full name, email, resume/CV, phone (optional), current company (optional), LinkedIn Profile (optional) and any other optional information you submitted to us within your application.
- Partner account & User application: Under our partner program, we may collect your corporate email address.
- Picus Technology Alliances Partner Program application: Under our Technology Alliances Partner Program (TAP), we may collect your first name, last name, work email and role.
- Picus Technology Alliances Team meeting request: For your meeting requests with Picus Technology Alliances Team, we may collect your first name, last name and email address.
- Blog: If you wish to subscribe to our blog, we may collect your company email address.
- Purple Academy by Picus: If you wish to obtain a service from Purple Academy, we may collect your full name, company email address, company, country and job title information.
- Webinars, Case Studies & Reports: For your webinar, case studies, reports requests, we may collect your company email address.
- Exclusive Reports: Under your exclusive report requests, we may collect your full name, company email address, title, company name, country information.
We may also collect your personal data such as your first name, last name and email address when you follow us on social media, attend our events or correspond with us by phone, email, social media or otherwise.
Information from your visits to our website:
Our website enables us to communicate with you about us, our products and services. Even if you do not login with an account, we may still automatically collect information each time you visit our website. We may collect certain information about your visit, such as the name of the Internet service provider and the Internet Protocol (IP) address through which you access the Internet; the date and time you access the site; browser type and version; time zone setting; operating system and platform; the pages that you access while at the website and the Internet address of the website from which you linked directly to our website. This information is mainly used to provide you access to our website, improve the webpage view on your device and browser, and adapt to your settings and language. We also use this information to analyze trends, and to improve our website and online services.
We process such personal data pursuant to Article 6(b) of the GDPR, as these data are necessary to answer your inquiry.
Information from other resources:
We may also collect your personal information indirectly from third party sources such as business partners, advertising networks, payment and delivery services as well as from public records such as social media platforms and industry associations. Please note that, in such cases, we do not have any liability or responsibility over the use, storage and disclosure of your personal information as it is governed by those sources own privacy policies.
3. USE AND CONTROL OF YOUR PERSONAL INFORMATION
The purposes and processes of processing personal data processed by Picus vary according to the category of the person (i.e. customer, potential customer, visitor, employee candidate etc.) concerned and the type of personal data.
Consistent with applicable law and choices that may be available to you, we may use your personal information, without limitation, for the following purposes:
To perform our contractual obligations and provide you the requested information, products and services;
To personalize your experience on our website and services and customize content;
To carry out our marketing activities;
To deal with your inquiries and requests, and Data Capture Information;
To administer, operate, optimize and improve the quality of our website, products, services and operations;
To communicate with you about products or services that you requested;
To maintain a secure environment by detecting, investigating and preventing fraudulent or illegal activities;
To comply with legal requirements and standards.
We will send you information according to the preferences you submitted via our online forms, and in accordance with the consent you will have actively given us, where applicable. You may change these preferences and/or withdraw your consent at anytime.
Based on your consent, we may send out emails informing you of issues related to a product or service you requested or confirming you requested a product or service, such as invoices and confirmations. We may also occasionally communicate with you regarding our products, services, news and events. You have the option to not receive this information. In case you want to unsubscribe information, instructions to remove an email address are located at the bottom of every promotional email.
Except as otherwise described in this statement, the personal information you provide on the Website will not be shared outside of Picus Security and its controlled subsidiaries and affiliates without your permission.
Cookies are text files placed on users' computers by websites visited by internet users. They can be used by web servers to identify and track users as they navigate different pages on a website and to identify users returning to a website.
We collect personal data for different purposes via cookies through our Website www.picussecurity.com and app.picussecurity.com. It should also be noted that cookies are widely used not only on our website but also on almost all websites in order to effectively operate the websites for the preferences of the visitors and also to provide detailed information to the administrators of the relevant website.
5. SECURITY, STORAGE AND TRANSFER OF YOUR PERSONAL INFORMATION
In Picus, we implement technical and administrative measures to protect your personal data and prevent any unauthorized access, disclosure, use, and modification. We use industry standard technologies, operational security methods and cyber security products for the protection of collected personal data. In this context, we also regularly review and validate the adequacy and effectiveness of our security controls, tools and procedures for building a stronger security posture. Please note, however, that no security measures are fully-secure or impenetrable. For more information, please see our Corporate Practices.
All systems related to Picus products are cloud based. As a globally operated company, the destination where we store or transfer your personal information may be different from the country in which the data was collected. Regardless of the country that we transfer, store or process your data, we will take reasonable steps to ensure that your data is treated securely and in accordance with this Policy.
6. RETENTION OF YOUR PERSONAL INFORMATION
We retain personal information only for the period necessary to fulfill the purpose for which they were collected. In this context, the retention periods for each type of personal data are determined and if there is no reason to keep the relevant personal data, personal data is destroyed in accordance with the current legislation.
Adequate technical and administrative measures regarding the storage and destruction of personal information have been taken within the framework of the Information Security Management System.
7. YOUR RIGHTS
We respect your privacy. If you wish to exercise your privacy and data subject rights subject to applicable law such as GDPR, CCPA or KVKK, please fill out the initial request form here so that we can provide you the appropriate data subject request form depending on the legal source of your request.
8. CHILDREN AND SENSITIVE DATA
Children: Our Website, application and services are intended for business use and we do not expect them to be of any interest to minors. We do not, knowingly or intentionally, collect personal data from anyone under 16 years of age.
Sensitive data: We do not collect or receive any sensitive categories of personal data. Also, we ask you to not send or disclose, any sensitive personal information to us directly or through our products and services.
9. CONTACT US
If you have questions or concerns about this Policy or its implementation, please contact us by email at firstname.lastname@example.org
Picus Security, Inc.; Picus Bilişim Güvenlik Ticaret A.Ş.; Picus Security US, LLC.
We encourage you to frequently check this page to see any updates or changes, as we always show the latest modification date on this Policy. When required under applicable law and/or the change is significant, we will also notify you by using other means, e.g. via email.
Last Updated: 03.08.2023
This policy is effective as of February 3, 2023. Please note that as we make changes to our Websites, we may use different cookies. This Policy will be updated in any such changes or if deemed necessary according to the applicable laws, regulatory requirements and the practices of our Company.
2. WHAT ARE COOKIES?
Cookies are text files placed on users' computers by websites visited by internet users. They often include unique identifiers, that are sent by web servers to web browsers and which may then be sent back to the server each time the browser requests a page from the server. Cookies can be used by web servers to identify and track users as they navigate different pages on a website and to identify users returning to a website.
They are widely used not only on our Website but also on almost all websites in order to effectively operate the websites for the preferences of the visitors and also to provide detailed information to the administrators of the relevant website.
Cookies do not contain any information that personally identifies you. Still, personal information that we store about you may be linked, by us, to the information stored in and obtained from cookies. We may use the information we obtain from your use of our cookies for the following main purposes:
- To recognize your computer when you visit our websites and remember your preferences,
- To facilitate and improve your experience of our websites
- To analyze the use of our website and improve its usability
- In the administration of our websites
- To conduct online behavioral advertising activities.
When you use our websites, you may also be sent third-party cookies. Our service providers may send you cookies. They may use the information they obtain from your use of their cookies for the following purposes:
- To track your browser across multiple websites
- Build a profile of your web surfing
- To target advertisements that may be of particular interest to you.
4. TYPES OF COOKIES AND THEIR USE PURPOSES
Our Websites may place and access certain cookies on your web browser. We have carefully chosen these Cookies and have taken steps to ensure that your privacy and personal data is protected and respected at all times.
Cookies, depending on whoever implements them, can be categorized as follows:
a. First-party cookies: These cookies are issued by our website and only used in our domain for the purpose of providing a better user experience.
b. Third-party cookies: These cookies are issued by third parties to provide services on our websites and they are placed from different domains.
For more information on how these third-party companies collect and use information on our behalf, please refer to Table 1, which includes links to their privacy policies.
5. COOKIES ON OUR WEBSITES
The categories of cookies we use in our websites includes:
Necessary: These cookies are necessary for the website to function and cannot be switched off in our systems.
Analytics/Targeting: These are non-essential cookies, which help to understand how visitors engage with the website. These cookies are mainly used to collect information and report site usage statistic without personally identifying individual visitors.
Advertisement: These cookies are used to make our ads more engaging and valuable to site visitors.
Functionality: These cookies are optional for the website to function. They are usually only set in response to information provided to the website to personalize and optimize your experience as well as remember your chat history.
When you visit our websites and/or login to our platform (app.picussecurity.com), we will send you cookies related to the following web analytics, targeting and advertisement services:
Table 1: Advertisement, analytics, and targeting cookies sent by our websites
Type of cookie
Privacy Policies and related links
Google Analytics, Google Tag Manager
Advertisement, Analytics/ Targeting
These cookies are not integral to the functioning of our site and your use and experience of our site will not be impaired by blocking or deleting them. However, certain features of our site may not function fully or as intended.
Our website uses Google Analytics, an analysis service of Google Inc. ("Google"). On the other hand, Google Analytics uses “cookies,” that is, text files that are saved on your computer and enable the use of the website to be analyzed. The information generated by cookies about the use of the website is transmitted to and stored on a Google server in the USA. Upon the instruction of the operator of this website, Google uses this information to prepare reports to evaluate your use and to provide related services. The IP address transmitted from your browser within the framework of Google Analytics is not combined with other data from Google. If you do not want these cookies to be stored, you can make settings accordingly in your browser. In addition, our website (www.picussecurity.com) may also use Google AdWords and double-click cookies for statistical purposes.
If you think we have missed a cookie, please let us know by sending an email at email@example.com.
6. HOW TO CONTROL COOKIES
When you visit our website, you will see a cookie consent banner, which gives you the right to opt-in or opt-out of the cookies. You can also opt-out of specific cookies as well. Please note that blocking specific types of cookies may negatively impact your experience on the site and limit the services we are able to provide.
You can also change your browser settings so that existing cookies are removed and they are not placed on your device. However, when you delete or block cookies, you may not be able to use all functions and features on our websites completely.
As also mentioned above, our Website uses Google Analytics. If you want to ban Google Analytics tracking, you can install and activate the plug-in provided by Google.
7. INFORMATION ON COOKIES
To find out more about cookies, including how to see what cookies have been set and how to manage and delete them, you can visit the following websites: All About Cookies, About Cookies, Your Choices Online and Cookie Database.
END-USER LICENSE AGREEMENT
BY REGISTERING TO, ACCESSING OR USING, AND BY DOWNLOADING, INSTALLING, COPYING, ORDERING, OPERATING, OR OTHERWISE USING THE RELEVANT SOFTWARE COMPONENTS OF THE PICUS COMPLETE SECURITY CONTROL VALIDATION PLATFORM SERVICE (“SERVICE”), YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THE AGREEMENT AND AGREE TO THE TERMS OF THIS AGREEMENT. YOUR ACCEPTANCE OF THE TERMS MEANS SET FORTH IN THIS END USER LICENSE AGREEMENT (“EULA”) AND ANY ADDENDUM.
ATTACHED HERETO FORMS A LEGALLY BINDING AGREEMENT BETWEEN YOU AND PICUS SECURITY. IF YOU ARE ACCEPTING THESE TERMS ON BEHALF OF ANOTHER PERSON OR COMPANY, OR OTHER LEGAL ENTITY, YOU REPRESENT AND WARRANT THAT YOU HAVE FULL AUTHORITY TO BIND THAT PERSON, COMPANY, OR LEGAL ENTITY AND ITS AFFILIATES TO THESE TERMS AND TO THE EXTENT YOU DO NOT HAVE SUCH AUTHORITY YOU AGREE TO BE BOUND TO THESE TERMS AND TO ACCEPT LIABILITY FOR HARM CAUSED BY ANY WRONGFUL USE OF THE WEBSITE RESULTING FROM SUCH ACCESS OR USE. IN SUCH A SCENARIO, THE WORDS "YOU" AND "YOUR," WHEN USED IN THESE TERMS, WILL APPLY TO THE PERSON ON WHOSE BEHALF YOU ARE ACTING AS WELL AS YOU AS AN INDIVIDUAL AS APPROPRIATE.
IF YOU DO NOT AGREE TO THESE TERMS: DO NOT REGISTER TO, ACCESS, OR USE, AND DO NOT DOWNLOAD, INSTALL, COPY, ORDER, OPERATE, OR OTHERWISE USE THE RELEVANT SOFTWARE OR SERVICE COMPONENTS AND ANY CONTENT OF THE “SERVICE” AND PROMPTLY UNINSTALL THE SOFTWARE OR SERVICE FROM YOUR SYSTEM.
IF YOU DO NOT CLICK “ACCEPT" YOU DECLARE THAT YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, AND THIS SERVICE WILL NOT BE INITIATED ON YOUR COMPUTER, NETWORK, OR OTHER RELEVANT SYSTEMS.1. Definitions
“You” means the individual (including the third person in case you accept this agreement on behalf of that person), company, Affiliates, or other legal entity that has registered to use the Service (including by downloading any updates or patches for the Complete Security Control Validation Platform System) and downloaded, installed, accessed, operated or otherwise used the software or service in any way.
“Service” means and covers all of The Complete Security Control Validation Platform currently shown on the official Picus Security or Picus Platform websites regardless of the available features or the service and relevant software, any future releases of the service, software, or any expansions, etc., are used.
“Security Control Validation”, “Security Assessment,” or “Security Test” means the mechanism by which “The Complete Security Control Validation Platform” and the relevant features of the Service are applied to determine the defensive capabilities of the "Control Systems" against the cyber threats.
“Control Systems” means cybersecurity prevention technologies such as endpoint protection software systems (such as endpoint antivirus, host-based intrusion prevention systems, endpoint detection and response, and other solutions that may be considered as endpoint protection software), secure email gateway, data-leakage or loss systems, network intrusion prevention systems, next-generation firewall systems, secure web gateway systems, and other similar prevention technologies.
“Assessment Type” defines different security assessment categories or types such as vertical attacks, regional attacks, targeted attacks, and others offered by and with full discretion of Picus Security.
“Term” defines the duration of the subscription granted for the Use of the Service.
“Picus Agent” means the software component provided for the supported Operating Systems that is used to test the security level of the Control Systems when an assessment is executed.
“Permitted Capacity” means the number of “Security Testing” delivered, term, Picus Agents, threat samples, or other license metrics set forth in the delivery of the service.
“Use of Service” means a non-exclusive, personal, non-transferable, time-limited right to use the Picus Platform Products or Services in accordance with this Agreement.
“Picus Security” means Picus Security Inc. (251 Little Falls Dr., Wilmington, DE 19808 USA) and its affiliates Picus Bilisim Guvenlik Tic. A.S. (Hacettepe Teknokent, Üniversiteler Mah. 1596. Cad. 1. Ar-Ge 97/12 Beytepe, Çankaya/ Ankara, Türkiye) and Picus Security US, LLC (3001 North Rocky Point Drive East Suite 200 Tampa, FL 33607 USA).2. Use of Service
Upon your acceptance and subject to the terms outlined in this Agreement, Picus Security hereby authorizes you to use the Service to test the defensive capabilities of the Control Systems that this Service is designed to put under Security Validation. Service may not cover all the Control Systems listed in the definitions section, and Picus Security can add or remove different Control Systems categories provided in Service.
By accepting these terms, You authorize Picus Security to perform Security Validation on Control Systems specified by You. Picus Security, through the Service, will provide You with the results of the Security Tests automatically. This Service aims at revealing which threats executed by the Service are blocked and not blocked by the Control Systems used in a different network or digital environments. In this respect, results may differ for the same security control technology in different environments. Picus Security cannot be held responsible if the Service fails to discover certain security or configuration shortcomings on the target Control Systems and shall not become subject to any claim and request (including but not limited to compensation, damage, loss, or reimbursement).
You understand that Your right to use the Products or Services is limited by the Permitted Capacity purchased by paying the defined fee or granted free of charge by Picus Security. You and Your Affiliate's combined use may in no event exceed the Permitted Capacity authorized under the applicable Order. The Permitted Capacity may be defined during the registration to Service. You acknowledge that the fees paid for the service are non-refundable to the extent permitted by applicable laws. You acknowledge that Picus Security may decide to cease providing Service without any further notice. In the case of a paid Service, if Picus Security decides to cease providing Service, the fee paid for the remainder of the Service is reimbursed to You.3. Service Level Commitments
Picus Security endeavors to provide the best customer experience during the registration and execution stages of Service. As part of its commitment to meeting its customers’ needs, Picus Security has established the following Service Level Agreements (SLA) to outline the availability and support standards it maintains.
3.1 Availability SLA
Picus Security is dedicated to providing its users with a reliable, uninterrupted service experience. With the exception of any planned outage of maintenance, Picus Security does its best to maintain a minimum uptime of 99.9% for users logging in and utilizing the dashboard metrics.
3.2 Support SLA
During the Term, Picus Security offers comprehensive technical support for all incidents within the supported versions of the Service. To ensure efficient handling of incidents, Picus Security has established Service Level Agreements (SLAs) that outline response time commitments based on the severity levels of reported problems. The severity level for each incident submitted by a customer or partner will be determined by Picus Technical Assistance Center (TAC) engineers, considering the requested level and information provided by the customer or partner.
Picus Security's Technical Assistance Center (TAC) is dedicated to promptly responding to and diligently resolving incidents in accordance with the initial response times as follows:
Initial Response Time
An incident that is causing a significant loss of service and no workaround is available
6 Business Hour
An incident that has a partial impact on mission-critical functionality
8 Business Hour
An incident that has no impact on Customer business functionality
16 Business Hour
Table: Severity Levels and Target Initial Response Times
The Initial Response Time is the duration before a qualified TAC representative contacts the customer or partner.
Please note that, Picus Security’s SLAs are subject to periodic review and may be updated to reflect the evolving needs of the customers and technological advancements. Your continued use of the Service indicates your acceptance of the SLAs in effect at that time.
3.3. Service Commitment Exclusions
You agree to take the necessary precautions to ensure that Use of Service does not harm the computer system on which a Picus Agent is installed and will run. Picus Security is not committed to providing services for interpreting the results of the Security Validation applied to the chosen Control System or Control Systems.
Picus Security shall not be liable for any damage, outage, interruption of service, or similar outcomes, including associated costs, arising due to any of the following:
a. Force majeure events, acts of nature, or actions of government activities
b. Factors outside of PICUS Security’s reasonable control, including any third parties acting on PICUS Security’s behalf or any third-party equipment, software, or other technology not within PICUS Security’s control
c. Downtime during planned outage and/or maintenance, or work undertaken as part of a request for a change
d. Actions or inactions of the affected Customer, or any third party
e. Failure or fault of Customer systems, equipment, software, or other technology
4. Security of The End User Account Formation
Upon completing the registration to the Service, You will receive a password and account designation information by email. You are responsible for maintaining the confidentiality of the account information and the password. You agree to immediately notify Picus Security if the account has been accessed or used by an unauthorized individual or individuals. Picus Security cannot and will not be held responsible for any loss or damage arising from unauthorized access, use, or failure to notify Picus Security. If Picus Security detects such unauthorized use or any use that is not in accordance with the contract, You shall be notified immediately to stop the unauthorized use and given 3 (three) days for any such breach of the contractual obligations. In case the infringing use continues, Picus Security has a right of termination with immediate effect without any prior notice. Picus Security’s right to demand compensation is reserved.
5. Control Systems Indemnity
(a) You declare and warrant that You have the full right, power, and authority to consent to have the Service validate the Control Systems as set as target systems by You. You will indemnify and hold harmless Picus Security, its customers, Authorized Resellers, partners and sponsors, and their officers, directors, employees, and agents from and against any third-party claims, suits, liabilities, losses, damages, judgments, awards, fines, penalties, costs, and expenses (including reasonable attorneys' fees) incurred by or levied against the same resulting from or based on Your use of or inability to use the Service, including any claim resulting from Your breach of this Section.
(b) You also agree that the Security Testing of Control Systems may expose vulnerabilities, security gaps, and configuration errors.
Subject to Your strict compliance with the terms of this EULA, Picus Security authorizes you with a non-exclusive, personal, non-transferable, revocable, and limited License Usage Right in accordance with this Agreement to access and use the service solely for Your personal use. To access and use the service, You must have legally obtained the license from Picus Security and its official website. You are responsible for paying all fees, taxes, and other costs.
You agree not to decompile, disassemble, modify, sell, copy, or reverse-engineer the Picus Security owned software, platforms, modules, agents, and source code developed to run or enable the Service. In the same way, You agree not to decompile, disassemble, modify, sell, copy or reverse-engineer the third-party software or source code that may be used to enable the Service.
You agree to use the Service as outlined exactly in the published or shared documentation and website provided by Picus Security.
You are not allowed to publish the results provided by the Service. Under no circumstances results, in any form or shape, fully or partially, can be used to publicly compare or benchmark different technologies and Technology Providers.
You are not entitled to use the intellectual properties of Picus Security, including but not limited to logos, names, trademarks, affiliates, etc., without prior written consent.
For the execution of some of the Services, You may be required to deploy software components provided by Picus Security. Upon the termination of the Service, You are required to cease using these software components and remove them from the systems they were installed on immediately.
Your license to the Service (or any Picus Security intellectual property associated therewith) does not include any license, right, power, or authority to (including but not limited to);
- Copying the software, platform, or Service,
- Selling, renting, leasing, licensing, sublicensing, distributing, or otherwise transferring or making the software available to any other person, in whole or in part;
- Using the service and software or any part thereof in any commercial context - Reverse engineering, deriving source code, attack database, modifying, decompiling, disassembling, or creating derivative works of the software, platform and attach techniques, or any portion thereof, in whole or in part;
- Removing, disabling, or circumventing any proprietary notices or labels contained on or in the Software or any Online Service thereof; or
- Exporting or re-exporting or transmitting or extracting the Software or Service, or related documentation, attack techniques, and repositories and its database, and technical data or any copy or adaptation thereof,
Picus Security shall terminate the agreement immediately without any prior notice. Picus Security’s right to demand compensation is reserved in case of any breach.
Picus Security reserves all rights not expressly granted to You.
7. Intellectual Property Rights
The Service and all related intellectual property rights are the exclusive property of Picus Security or its licensors. All right, titles, and interests in and to the Service, any modifications, translations, or derivatives thereof, even if unauthorized, and all applicable rights in patents, copyrights, trade secrets, trademarks, and all intellectual property rights in the Service remain exclusively with Picus Security or its licensors. The Service and its Features are valuable, proprietary, and unique, and You agree to be bound by and observe the proprietary nature of the Service and its features. The Service contains material (including but not limited to any images, photographs, animations, codes, video, audio, music, text, and “applets” incorporated into the Service) that is protected by patent, copyright, license, and trade secret law. The Service and its Features may include software products licensed from third parties or open sources by international treaty provisions. In such cases, third parties have no obligations or liability to You under this Agreement but are third-party beneficiaries of this Agreement. All rights not granted to You in this Agreement are reserved for Picus Security. If You have subscribed to the Service, no ownership of the Service passes to You (The software/products/services/platform are being licensed, not sold. Picus Security retains all ownership rights in and to all software/products/services/platforms, including any intellectual property rights therein.). Picus Security may make changes to the Service at any time without notice. Picus Security grants no express or implied right under Picus Security patents, copyrights, trademarks, licenses, or other intellectual property rights except as otherwise expressly provided. You may not remove any proprietary notice of Picus Security or any third party from the Products or any copy of the Products without Picus Security’s prior written consent.
8. Intellectual Property Indemnity
Picus Security shall have the right, but not the obligation, to defend or settle, at its option, any action at law against You arising from a claim that Your authorized use of the Service under this Agreement infringes any patent, copyright, or other ownership rights of a third party. You agree to provide Picus Security with written notice of any such claim within 10 (ten) days of Your notice thereof and provide reasonable assistance in its defense. Picus Security has sole discretion and control over such defense and all negotiations for a settlement or compromise unless it declines to defend or settle, in which case, You are free to pursue any alternative You may have. In that case, you shall still have an obligation to act in good faith and loyally pursue and protect the interests of Picus Security and inform Picus Security in writing in a reasonable amount of time in the event of any situation that may affect Picus Security, this agreement, or any related process or procedures. You shall not assume or create any obligation, representation, warranty, or guarantee, express or implied, on behalf of Picus Security for any purpose whatsoever.
9. Confidentiality and Limitation on Use
(a) Confidential Information
Each Party hereto acknowledges that because of its relationship with the other party hereunder, it may have access to confidential information and materials concerning the other party’s business, technology, and/or products that are confidential and of substantial value to the other Party, which value could be impaired if such information were disclosed to third parties (“Confidential Information”). Written or other tangible Confidential Information must, at the time of disclosure, be identified and labeled as Confidential Information belonging to the disclosing Party. When disclosed orally or visually, Confidential Information must be identified as confidential at the time of the disclosure, with subsequent confirmation in writing within 15 (fifteen) days after disclosure. Each Party agrees that it will not use in any way for its own account or the account of any third party, such Confidential Information, except as authorized under this Agreement, and will protect Confidential Information at least to the same extent as it protects its own Confidential Information and to the same extent that a reasonable person would protect such Confidential Information.
Neither Party may use the other Party’s Confidential Information except to perform its duties under this Agreement.
The Confidential Information restrictions will not apply to Confidential Information that is (i) already known to the receiving Party, (ii) becomes publicly available through no wrongful act of the receiving Party, (iii) independently developed by the receiving Party without the benefit of the disclosing Party’s Confidential Information, (iv) has been rightfully received from a third party, not under an obligation of confidentiality or (v) is required to be disclosed by law, provided the Party compelled to disclose the Confidential Information provides the Party owning the Confidential Information with prior written notice of disclosure adequate for the owning Party to take reasonable action to prevent such disclosure, where reasonably possible. Unless otherwise agreed to by both Parties, upon the termination of this Agreement or an applicable Addendum, each Party will return the other Party’s Confidential Information.
(b) Use of Customer Data
(c) Use of Accumulated Data
You acknowledge that Picus Security can use the accumulated data of all Service users for statistical purposes and improve its products and services, provided that such data is fully anonymized and cannot be associated with You.
10. Limitation of Remedies and Damages
NOTWITHSTANDING ANYTHING IN THIS AGREEMENT TO THE CONTRARY, PICUS SECURITY, ITS AFFILIATES, ITS LICENSORS, OR AUTHORIZED PARTNERS WILL NOT BE LIABLE FOR ANY INDIRECT, CONSEQUENTIAL, SPECIAL, PUNITIVE, OR INCIDENTAL DAMAGES, WHETHER FORESEEABLE OR UNFORESEEABLE, ARISING OUT OF OR RELATED TO THIS AGREEMENT INCLUDING, BUT NOT LIMITED TO CLAIMS FOR LOSS OF DATA, GOODWILL, OPPORTUNITY, REVENUE, PROFITS, OR USE OF THE PRODUCTS, INTERRUPTION IN USE OR AVAILABILITY OF DATA, STOPPAGE OF OTHER WORK OR IMPAIRMENT OF OTHER ASSETS, PRIVACY, ACCESS TO OR USE OF ANY ADDRESSES, EXECUTABLES OR FILES THAT SHOULD HAVE BEEN LOCATED OR BLOCKED, NEGLIGENCE, BREACH OF CONTRACT, TORT OR OTHERWISE AND THIRD PARTY CLAIMS, EVEN IF PICUS SECURITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT WILL PICUS SECURITY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE LESSER OF: (A) THE TOTAL AMOUNT RECEIVED BY PICUS SECURITY FOR THE APPLICABLE PRODUCTS OVER THE ONE-YEAR PERIOD PRIOR TO THE EVENT OUT OF WHICH THE CLAIM AROSE FOR THE PRODUCTS THAT DIRECTLY CAUSED THE LIABILITY, OR (B) TEN THOUSAND USD.
11. Warranty Disclaimer
THE SERVICE, ITS SOFTWARE COMPONENTS, ITS REPORTS, AND ALL OTHER DELIVERABLES ARE PROVIDED “AS IS,” AND PICUS SECURITY MAKES NO WARRANTY OR GUARANTEE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUALITY, ACCURACY, AND NON INFRINGEMENT OF THIRD-PARTY RIGHTS, AND AS TO ITS USE OR PERFORMANCE AND DOES NOT WARRANT OR GUARANTEE THAT THE OPERATION OF THE SOFTWARE WILL BE FAIL-SAFE, UNINTERRUPTED OR FREE FROM ERRORS OR DEFECTS OR THAT THE SOFTWARE WILL PROTECT AGAINST ALL POSSIBLE THREATS OR IDENTIFY ALL POSSIBLE CYBER ATTACKS A SECURITY DEVICE MAY OR MAY NOT PROTECT AGAINST.
12. Export Controls
You acknowledge that the Service and relevant software components are subject to the United States, the United Kingdom, the Republic of Türkiye, and, when applicable, European Union export regulations. You shall comply with applicable export and import laws and regulations for the jurisdiction in which the Software will be imported and/or exported. You shall not export the Software to any individual, entity, or country prohibited by applicable law or regulation. You are responsible, at your own expense, for any local government permits, licenses, or approvals required for importing and/or exporting the Software.
You warrant and agree that You are not: (i) located in, under the control of, or a national or resident of Cuba, North Korea, Iran, Syria, Sudan and etc. (Please visit to see the full list of countries restricted for assets and trade operations: https://ofac.treasury.gov/sanctions-programs-and-country-information), and, or (ii) on the U.S Treasury Department list of Specially Designated Nationals or the U.S. Commerce Department’s Table of Deny Orders.
13. Cancellation of Services and Termination of the Contract by Picus Security
Picus Security may terminate this Agreement with immediate effect and without prior notice in the following cases and cease Service and Use of Services: (i) Without giving a reason at any time it deems necessary, and/or (ii) You Violating the Agreement, and/or (iii) You failing to fully or partially fulfill any of the terms and conditions of this Agreement.
No termination or expiration of this Agreement shall affect any rights of Picus Security, including but not limited to demanding compensation, that shall have accrued or prior to the date of such termination or expiration. Nothing in this Agreement shall constitute a waiver or limitation of any rights that Picus Security may have under applicable law.
You may only use paid software/products during the period for which you have paid the subscription fee.
Upon termination or expiration, You must immediately cease using the software/products and delete all copies of any related software found on Your computer and systems. Upon termination, Picus Security may disable further use of the software/products without further notice and delete any account information.
14. Governing Law and Jurisdiction
For the USA, This Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, USA. The parties irrevocably submit to the non-exclusive jurisdiction of the Delaware courts. Exclusive jurisdiction for litigation of any dispute, controversy, or claim arising out of or in connection with this Agreement or the breach thereof shall be only in Delaware courts with competent jurisdiction in the State of Delaware.
For all other Countries except the USA, This Agreement shall be governed by and construed in accordance with the laws of the Republic of Türkiye. The parties irrevocably submit to the non-exclusive jurisdiction of the Ankara courts. Exclusive jurisdiction for litigation of any dispute, controversy, or claim arising out of or in connection with this Agreement or the breach thereof shall be only in the Republic of Türkiye courts with competent jurisdiction in Ankara.
This Agreement may not be modified except by a written addendum issued by a duly authorized representative of Picus Security. No provision hereof shall be deemed waived unless such waiver shall be in writing and signed by Picus Security. If any provision of this Agreement is invalid, the remainder shall continue in full force and effect.
Each party will comply with all applicable laws and regulations, including those of other jurisdictions that may apply concerning the protection of personal data, disclosure, and anti-bribery. You must obtain any required employee consent addressing the interception, reading, copying, or filtering of emails and their attachments. Neither party will use any data obtained via the Products or Service for any unlawful purpose.
All notices, requests, demands, and determinations for Picus Security under this Agreement (other than routine operational communications) shall be sent to: the applicable entity address on the first page of this Agreement addressed to “Attention: Legal Department.”
Either party may change its contact person for notices and/or address for notice by means of notice to the other party given in accordance with this paragraph. Neither party will be liable for any delay or failure in performance to the extent the delay or failure is caused by events beyond the party’s reasonable control, including fire, flood, natural disasters, pandemic diseases, explosion, war, or the engagement of hostilities, strike, embargo, labor dispute, government requirement, civil disturbances, civil or military authority, disturbances to the Internet or cloud services, delay or failure caused by an interruption or failure of telecommunication or digital transmission links, Internet slow-downs or failures, or other such transmission failures, hardware failure beyond the reasonable control of Picus Security, and inability to secure materials or transportation facilities. This Agreement constitutes the agreement between the parties regarding the subject matter herein. The parties have not relied on any promise, representation, or warranty, express or implied, that is not in this Agreement. Any waiver or modification of this Agreement is only effective if it is in writing and signed by both parties or posted by Picus Security at terms or policies on http://www.picussecurity.com/. All pre-printed or standard terms of your purchase orders or other business processing documents have no effect.
In the event of a conflict between the terms of this Agreement and the terms of an Order, the terms of this Agreement prevail. If any part of this Agreement is found invalid or unenforceable by a court of competent jurisdiction, the remainder of this Agreement shall be interpreted reasonably to affect the parties' intention. Picus Security is not obligated under any other agreements unless they are in writing and signed by an authorized representative of Picus Security.
All provisions relating to confidentiality, proprietary rights, indemnification, and limitations of liability survive the termination of the agreement.
Last Updated: 03.08.2023
1. AGREEMENT TO TERMS
-Affiliate means an entity that controls is controlled by or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest, or other securities entitled to vote for the election of directors or other managing authority.
-Country refers to the United States of America.
-Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to Picus Security Inc.
-Device means any device that can access the Service, such as a computer, a cellphone, or a digital tablet.
-Service refers to the Website.
-Third-party Social Media Service means any services or content (including data, information, products, or services) provided by a third party that may be displayed, included, or made available by the Service.
-Website refers to PICUS, accessible from (www. picussecurity.com) and (picus.io)
You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.
The information provided on the Site is not intended for distribution to or use by any person or entity in any jurisdiction or country where such distribution or use would be contrary to law or regulation or which would subject us to any registration requirement within such jurisdiction or country. Accordingly, those persons who choose to access the Site from other locations do so on their own initiative and are solely responsible for compliance with local laws, if and to the extent local laws are applicable.
The Site is not tailored to comply with industry-specific regulations (Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), etc.), so if your interactions would be subjected to such laws, you may not use this Site. You may not use the Site in a way that would violate the Gramm- Leach-Bliley Act (GLBA).
The Site is intended for users who are at least 18 years old. Persons under the age of 18 are not permitted to use or register for the Site.
2. INTELLECTUAL PROPERTY RIGHTS
Provided that you are eligible to use the Site, you are granted a limited license to access and use the Site and to download or print a copy of any portion of the Content to which you have properly gained access solely for your personal, non-commercial use. We reserve all rights not expressly granted to you in and to the Site, the Content, and the Marks.
3. USER REPRESENTATIONS
If you provide any information that is untrue, inaccurate, not current, or incomplete, we have the right to suspend or terminate your account and refuse any and all current or future use of the Site (or any portion thereof).
4. USER REGISTRATION
You may be required to register with the Site. You agree to keep your password confidential and will be responsible for all use of your account and password. We reserve the right to remove, reclaim, or change a username you select if we determine, in our sole discretion, that such username is inappropriate, obscene, or otherwise objectionable.
5. PROHIBITED ACTIVITIES
You may not access or use the Site for any purpose other than that for which we make the Site available. The Site may not be used in connection with any commercial endeavors except those that are specifically endorsed or approved by us.
As a user of the Site, you agree not to:
-Systematically retrieve data or other content from the Site to create or compile, directly or indirectly, a collection, compilation, database, or directory without written permission from us.
-Trick, defraud, or mislead us and other users, especially in any attempt to learn sensitive account information such as user passwords.
-Circumvent, disable, or otherwise interfere with security-related features of the Site, including features that prevent or restrict the use or copying of any Content or enforce limitations on the use of the Site and/or the Content contained therein.
-Disparage, tarnish, or otherwise harm, in our opinion, us and/or the Site.
-Use any information obtained from the Site in order to harass, abuse, or harm another person.
-Make improper use of our support services or submit false reports of abuse or misconduct.
-Use the Site in a manner inconsistent with any applicable laws or regulations.
-Engage in unauthorized framing of or linking to the Site.
-Upload or transmit (or attempt to upload or to transmit) viruses, Trojan horses, or other material, including excessive use of capital letters and spamming (continuous posting of repetitive text), that interferes with any party’s uninterrupted use and enjoyment of the Site or modifies, impairs, disrupts, alters, or interferes with the use, features, functions, operation, or maintenance of the Site.
-Engage in any automated use of the system, such as using scripts to send comments or messages, or using any data mining, robots, or similar data gathering and extraction tools.
-Delete the copyright or other proprietary rights notice from any Content.
-Attempt to impersonate another user or person or use the username of another user.
-Upload or transmit (or attempt to upload or to transmit) any material that acts as a passive or active information collection or transmission mechanism, including without limitation, clear graphics interchange formats (“gifs”), 1×1 pixels, web bugs, cookies, or other similar devices (sometimes referred to as “spyware” or “passive collection mechanisms” or “pcms”).
-Interfere with, disrupt, or create an undue burden on the Site or the networks or services connected to the Site.
-Harass, annoy, intimidate, or threaten any of our employees or agents engaged in providing any portion of the Site to you.
-Attempt to bypass any measures of the Site designed to prevent or restrict access to the Site, or any portion of the Site.
-Except as permitted by applicable law, decipher, decompile, disassemble, or reverse engineer any of the software comprising or in any way making up a part of the Site.
-Except as may be the result of the standard search engine or Internet browser usage, use, launch, develop, or distribute any automated system, including without limitation, any spider, robot, cheat utility, scraper, or offline reader that accesses the Site, or using or launching any unauthorized script or other software.
-Use a buying agent or purchasing agent to make purchases on the Site.
-Make any unauthorized use of the Site, including collecting usernames and/or email addresses of users by electronic or other means for the purpose of sending unsolicited email, or creating user accounts by automated means or under false pretenses.
-Use the Site as part of any effort to compete with us or otherwise use the Site and/or the Content for any revenue-generating endeavor or commercial enterprise.
-Use the Site to advertise or offer to sell goods and services.
-Sell or otherwise transfer your profile.
6. USER GENERATED CONTRIBUTIONS
-The creation, distribution, transmission, public display, or performance, and the accessing, downloading, or copying of your Contributions do not and will not infringe the proprietary rights, including but not limited to the copyright, patent, trademark, trade secret, or moral rights of any third party.
-Your Contributions are not false, inaccurate, or misleading.
-Your Contributions are not unsolicited or unauthorized advertising, promotional materials, pyramid schemes, chain letters, spam, mass mailings, or other forms of solicitation.
-Your Contributions are not obscene, lewd, lascivious, filthy, violent, harassing, libelous, slanderous, or otherwise objectionable (as determined by us). Your Contributions do not ridicule, mock, disparage, intimidate, or abuse anyone.
-Your Contributions are not used to harass or threaten (in the legal sense of those terms) any other person and to promote violence against a specific person or class of people.
-Your Contributions do not violate any applicable law, regulation, or rule.
-Your Contributions do not violate the privacy or publicity rights of any third party.
-Your Contributions do not violate any applicable law concerning child pornography or otherwise intended to protect the health or well-being of minors.
-Your Contributions do not include any offensive comments that are connected to race, national origin, gender, sexual preference, or physical handicap.
7. CONTRIBUTION LICENSE
By submitting suggestions or other feedback regarding the Site, you agree that we can use and share such feedback for any purpose without compensation to you.
We do not assert any ownership over your Contributions. You retain full ownership of all of your Contributions and any intellectual property rights or other proprietary rights associated with your Contributions. We are not liable for any statements or representations in your Contributions provided by you in any area on the Site. You are solely responsible for your Contributions to the Site and you expressly agree to exonerate us from any and all responsibility and to refrain from any legal action against us regarding your Contributions.
You acknowledge and agree that any questions, comments, suggestions, ideas, feedback, or other information regarding the Site ("Submissions") provided by you to us are non-confidential and shall become our sole property. We shall own exclusive rights, including all intellectual property rights, and shall be entitled to the unrestricted use and dissemination of these Submissions for any lawful purpose, commercial or otherwise, without acknowledgment or compensation to you. You hereby waive all moral rights to any such Submissions, and you hereby warrant that any such Submissions are original with you or that you have the right to submit such Submissions. You agree there shall be no recourse against us for any alleged or actual infringement or misappropriation of any proprietary right in your Submissions.
9. SITE MANAGEMENT
We care about data privacy and security. Please review our Privacy
11. TERM AND TERMINATION
If we terminate or suspend your account for any reason, you are prohibited from registering and creating a new account under your name, a fake or borrowed name, or the name of any third party, even if you may be acting on behalf of the third party. In addition to terminating or suspending your account, we reserve the right to take appropriate legal action, including without limitation pursuing civil, criminal, and injunctive redress.
12. MODIFICATIONS AND INTERRUPTIONS
We reserve the right to change, modify, or remove the contents of the Site at any time or for any reason at our sole discretion without notice. However, we have no obligation to update any information on our Site. We also reserve the right to modify or discontinue all or part of the Site without notice at any time. We will not be liable to you or any third party for any modification, price change, suspension, or discontinuance of the Site.
13. GOVERNING LAW
14. DISPUTE RESOLUTION
Any dispute arising from the relationships between the Parties to this contract shall be determined by one arbitrator who will be chosen in accordance with the Arbitration and Internal Rules of the European Court of Arbitration being part of the European Centre of Arbitration having its seat in Strasbourg, and which are in force at the time the application for arbitration is filed, and of which adoption of this clause constitutes acceptance. The seat of arbitration shall be London, United Kingdom. The language of the proceedings shall be English. Applicable rules of substantive law shall be the law of the United Kingdom.
The Parties agree that any arbitration shall be limited to the Dispute between the Parties individually. To the full extent permitted by law, (a) no arbitration shall be joined with any other proceeding; (b) there is no right or authority for any Dispute to be arbitrated on a class-action basis or to utilize class action procedures, and (c) there is no right or authority for any Dispute to be brought in a purported representative capacity on behalf of the general public or any other persons.
Exceptions to Informal Negotiations and Arbitration
The Parties agree that the following Disputes are not subject to the above provisions concerning informal negotiations and binding arbitration: (a) any Disputes seeking to enforce or protect, or concerning the validity of, any of the intellectual property rights of a Party; (b) any Dispute related to or arising from, allegations of theft, piracy, invasion of privacy, or unauthorized use; and (c) any claim for injunctive relief. If this provision is found to be illegal or unenforceable, then neither Party will elect to arbitrate any Dispute falling within that portion of this provision found to be illegal or unenforceable, and such Dispute shall be decided by a court of competent jurisdiction within the courts listed for jurisdiction above, and the Parties agree to submit to the personal jurisdiction of that court.
There may be information on the Site that contains typographical errors, inaccuracies, or omissions, including descriptions, pricing, availability, and various other information. We reserve the right to correct any errors, inaccuracies, or omissions and to change or update the information on the Site at any time, without prior notice.
The Service is provided to You "AS IS" and "AS AVAILABLE" and with all faults and defects without warranty of any kind. To the maximum extent permitted under applicable law, the Company, on its own behalf and on behalf of its Affiliates and its and their respective licensors and service providers, expressly disclaims all warranties, whether express, implied, statutory or otherwise, with respect to the Service, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement, and warranties that may arise out of course of dealing, course of performance, usage or trade practice. Without limitation to the foregoing, the Company provides no warranty or undertaking, and makes no representation of any kind that the Service will meet Your requirements, achieve any intended results, be compatible or work with any other software, applications, systems or services, operate without interruption, meet any performance or reliability standards or be error free or that any errors or defects can or will be corrected.
Without limiting the foregoing, neither the Company nor any of the company's provider makes any representation or warranty of any kind, express or implied: (i) as to the operation or availability of the Service, or the information, content, and materials or products included thereon; (ii) that the Service will be uninterrupted or error-free; (iii) as to the accuracy, reliability, or currency of any information or content provided through the Service; or (iv) that the Service, its servers, the content, or e-mails sent from or on behalf of the Company are free of viruses, scripts, trojan horses, worms, malware, timebombs or other harmful components.
Some jurisdictions do not allow the exclusion of certain types of warranties or limitations on applicable statutory rights of a consumer, so some or all of the above exclusions and limitations may not apply to You. But in such a case the exclusions and limitations set forth in this section shall be applied to the greatest extent enforceable under applicable law.
17. LIMITATIONS OF LIABILITY
IN NO EVENT WILL WE OR OUR DIRECTORS, EMPLOYEES, OR AGENTS BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, SPECIAL, OR PUNITIVE DAMAGES, INCLUDING LOST PROFIT, LOST REVENUE, LOSS OF DATA, OR OTHER DAMAGES ARISING FROM YOUR USE OF THE SITE, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
19. USER DATA
We will maintain certain data that you transmit to the Site for the purpose of managing the performance of the Site, as well as data relating to your use of the Site. Although we perform regular routine backups of data, you are solely responsible for all data that you transmit or that relates to any activity you have undertaken using the Site. You agree that we shall have no liability to you for any loss or corruption of any such data, and you hereby waive any right of action against us arising from any such loss or corruption of such data.
20. ELECTRONIC COMMUNICATIONS, TRANSACTIONS, AND SIGNATURES
Visiting the Site, sending us emails, and completing online forms constitute electronic communications. You consent to receive electronic communications, and you agree that all agreements, notices, disclosures, and other communications we provide to you electronically, via email, and on the Site, satisfy any legal requirement that such communication be in writing. YOU HEREBY AGREE TO THE USE OF ELECTRONIC SIGNATURES, CONTRACTS, ORDERS, AND OTHER RECORDS, AND TO ELECTRONIC DELIVERY OF NOTICES, POLICIES, AND RECORDS OF TRANSACTIONS INITIATED OR COMPLETED BY US OR VIA THE SITE. You hereby waive any rights or requirements under any statutes, regulations, rules, ordinances, or other laws in any jurisdiction which require an original signature or delivery or retention of non-electronic records, or to payments or the granting of credits by any means other than electronic means.
21. FOR EUROPEAN UNION (EU) USERS
If You are a European Union consumer, you will benefit from any mandatory provisions of the law of the country in which you are resident in.
22. UNITED STATES LEGAL COMPLIANCE
You represent and warrant that (i) You are not located in a country that is subject to the United States government embargo, or that has been designated by the United States government as a "terrorist supporting" country, and (ii) You are not listed on any United States government list of prohibited or restricted parties.
23. CALIFORNIA USERS AND RESIDENTS
If any complaint with us is not satisfactorily resolved, you can contact the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs in writing at 1625 North Market Blvd., Suite N 112, Sacramento, California 95834 or by telephone at (800) 952-5210 or (916) 445-1254.
25. CONTACT US
In order to resolve a complaint regarding the Site or to receive further information regarding the use of the Site, please contact us at:
Picus Security Inc.
160 Spear Street, #1000
San Francisco, CA 94105 USA
+1 (415) 8905105
Last updated November 21, 2021
Picus Security Inc. (“Picus” or “Company”), which is a pioneer in violation and attack simulation technologies, serves many institutions and organizations domestically and abroad with its new and integrated approach in the field of information technologies. For the Picus, which works on security services in the field of information technologies, protecting personal data is extremely important.
Picus has set a target to act in accordance with the Personal Data Protection Law ("PDPL") numbered 6698 that is in force in Turkey and with other legal practices accepted in the international arena as well. In this context, this Clarification Text for the Protection and Processing of Personal Data (“Clarification Text”) has been prepared in order to enlighten the relevant persons regarding general conditions regarding how and for what purpose the Personal Data is processed, how they are protected and how long they are stored by Picus, from its customers, potential customers, suppliers, business partners and their employees and officials, visitors, employees, ex-employees and candidate employees, and also to third parties whose personal data is processed for business transactions while maintaining their business relations with Picus.
All the concepts and expressions in this Clarification Text will express the meaning ascribed to them in PDPL and other legislation.
In the event of inconsistency between the KVKK and other relevant legislative provisions and this Clarification Text, the KVKK and other relevant legislative provisions will be applied first. Our company takes the necessary technical and administrative measures to ensure the security of personal data. This text can be changed if deemed necessary according to the current legislation and the practices of our Company. You can access the final version of the text from our website www.picussecurity.com ("Website").
All personal data processed by Picus are processed in accordance with PDPL and related legislation. In accordance with Article 4 of PDPL, the basic principles to be applied in the processing of your personal data are listed.
The personal data are processed by Picus;
- With the purchase of Picus products and / or services;
- When you offer products or services to Picus;
- When you contact Picus by any means;
- When you request or choose to receive commercial electronic messages we send for marketing;
- When you apply for a job at Picus and / or start working at Picus;
- When you attend our events and organizations organized by Picus and - When you visit our Website
in accordance with the rules determined in this Clarification Text and / or its annexes. Picus complies with the rules stated in the scope of PDPL and the following basic principles:
-Processing in accordance with the law and honesty rule.
-Ensuring that personal data are accurate and up to date when necessary.
-Operation for specific, clear and legitimate purposes.
-Being connected, limited and restrained for the purpose for which they are processed.
-Storage for the period required by the relevant legislation or for the purpose for which they are processed.
Within the scope of the services it provides, Picus processes some commercial, legal and / or personal data regarding its customers, potential customers, suppliers, business partners and their employees and officials, visitors, employees, ex-employees and employee candidates, as well as third parties whose personal data are processed in accordance with their business processes. This data will be protected as the same care that Picus apply to its own data, even if Picus does not specified as a trade secret in accordance with a contract or the applicable legislation, unless it is required by Picus to share with third parties within the scope of the service provided under the contractual relationship, unless otherwise specified in the applicable legislation.
The e-mail addresses, names and surnames, Turkish ID no, identification information, addresses or phone numbers of customers, potential customers, suppliers, business partners and their employees and officials, visitors, employees, ex-employees and employee candidates as well as third parties whose personal data are processed in accordance with their business processes, can be processed by Picus. In addition, via the website, your IP address, the start and end information about your use, the type and scope of your use, and the type of your browser and operating system are also recorded.
In addition to these, if you upload your name and surname, title, phone number, e-mail address, personal messages and similar information to the website through forms available at various locations on the Website, and thus share this information with Picus, we process this information you provide in accordance with your request and for the purposes of the services offered by Picus.
Our website uses Google Analytics, an analysis service of Google Inc. ("Google"). On the other hand, Google Analytics uses “cookies”, that is, text files that are saved on your computer and enable the use of the website to be analyzed. The information generated by cookies about the use of the website is transmitted to and stored on a Google server in the USA. Upon the instruction of the operator of this website, Google uses this information to prepare reports to evaluate your use and to provide related services. The IP address transmitted from your browser within the framework of Google Analytics is not combined with other data of Google. If you do not want these cookies to be stored, you can make settings accordingly in your browser. In addition, our website uses AdWords and double-click-Cookies for statistical purposes. If you do not want these tools to be used, you can disable them by setting them in your browser. However, we would like to state that in this case, you may not be able to use all the functions on the website completely.
Special c personal data is not processed by Picus without the informed explicit consent of the relevant person.
The personal data processed may differ in relation to the products and / or services offered by Picus. Personal data collected orally, in writing or electronically via online or offline means, during the period of use of the products and services offered by Picus, are processed with the consent of the person's before the effective date of Personal Data Protection Law no. 6698 or explicit consent after the effective date of the law, or within the framework of the rules and conditions specified in the Personal Data Protection Law.
BASIC PRINCIPLES FOR PROCESSING OF THE PERSONAL DATA
Personal data is processed on condition that it is required to obtain open consent in accordance with the applicable legislation or without explicit consent, unless explicit consent is required under the applicable legislation, in line with the objectives of the services provided by Picus, in order Picus to continue its activities, to provide better service, to measure and improve the quality of its service, to determine the preferences and needs of our dealers, suppliers, customers and employees, to process and evaluate job applications, to provide communication with people who have a business relationship with our company, to comply with the current legislation, to send bulletins by e-mail and to make notifications.
The personal data will only be collected within the scope of Picus activities, will be used in connection with the purposes of collection, will be stored for the periods required by the processing purposes, will not be processed in excess of the rules and exceptions specified in the current legislation, and in cases where the reasons requiring its processing disappear, with the exception of situations arising from other legislation in force, will be deleted, destroyed or anonymized.
Keeping the personal data accurate and up-to-date is one of our primary goals. For this reason, our Company meets the technical and administrative requirements required to keep personal data accurate and up-to-date.
Only authorized persons can access personal data and unauthorized persons working in our Company and / or having a contractual relationship with our Company are prohibited from accessing personal data. In this context, we would like to state that; Our company takes the necessary measures to ensure the security and confidentiality of personal data.
Transfer of the Personal Data Domestically
Picus is under the responsibility of acting in accordance with primarily art. 8 of PDPL and the decisions and related regulations envisaged in the PDPL and taken by the Board. As a rule, personal data and special categories of data cannot be transferred to other real persons or legal entities by Picus without the explicit consent of the relevant person.
However, in cases foreseen in Articles 5 and 6 of PDPL, transfer is possible without the explicit consent of the relevant person. Picus, in accordance with the conditions stipulated in PDPL and other relevant legislation and by taking the security measures specified in the legislation; can transfer the personal data to third parties unless otherwise arranged in law or other relevant legislation in Turkey.
Transfer of the Personal Data Abroad
Picus can transfer the personal data abroad by processing the personal data in Turkey or to be processed and stored outside of Turkey, in accordance with the conditions foreseen in PDPL and by taking security measures specified in the legislation.
We transfer your personal data abroad by taking the necessary technical and administrative measures, through cloud informatics technology, to take advantage of the opportunities of technology in order to carry out our company activities in the most efficient way and to provide services at world standards.
We work with the above mentioned service providers for the purposes of developing our websites and platforms, increasing the variety of products and services and measuring the user experience according to the preferences of our customers and users. We would like to point out that you should also review the policies of the relevant service providers, as Picus has no responsibility for the policies of the respective service providers for processing personal data.
Regarding the processing of personal data, according to the definition specified in the legislation, the data controller is Picus Informatics Security trade INC.
In accordance with Article 11 of PDPL, the relevant persons have the right of, by applying to Picus; Learning whether your personal data is processed, requesting information if it is processed, requesting the purpose of processing your personal data and whether it is used in accordance with its purpose, knowing the third party people that the person data is transferred, requesting correction of personal data if it is incomplete or incorrectly processed, requesting the deletion or removal of your personal data, requesting a notification for the third parties to whom their personal data are transferred about the deletion or removal process, objecting to the emergence of a result against you by analyzing your processed personal data exclusively with automated systems, and requesting the compensation of your loss if you are harmed due to illegal processing of personal data.
To use these specified rights arising from the current legislation, you need make a written application to address of the company given below or fill in the Application Form with the registered electronic mail (REM) address, secure electronic signature or mobile signature by adding the following information and documents according to Article 13 of PDPL; Your name and your last name and the signature, if you are a citizen of the Republic of Turkey, your Turkish ID number, if you are not a citizen of Republic of Turkey, your nationality, passport number, if you have, your ID number, your location, or workplace address that is set for notifications, main e-mail address and telephone number that are set for notifications and your demand issues, and other necessary information and documents to be used for identification.
The application made by you or representative authorized person will be evaluated by our Company and concluded free of charge within thirty days.
Application methods and addresses are as follows:
The addresses where application can be made
The applicant, can apply by filling out the Application Form with the necessary information and documents that is required to determine his/her identity by coming to the address of Picus Security Inc..
The applicant, him/herself or by a Proxy who is authorized to represent, can apply by filling out the Application Form and sending it to the address of Picus Informatics Security trade INC. through notary or certified mail.
Üniversiteler Mah. 1596 Cad. Arge 1 No:12
Beytepe 06800 Çankaya/ ANKARA
The applicant can apply with an electronic mail registered with a secure electronic signature.
In Picus, we respect your data privacy rights. If you want to exercise your data subject rights, please fill out the form here. Upon your submission, we will share the related data subject request form with you, depending on the legal source of your request.
In Picus, we believe that security should primarily be internalized in our company culture. Below, you can find some of our, but not limited to, corporate documents and practices, which helps us building a strong and regularly validated security posture.
The Business Continuity policy has been established in order to operate, manage, measure, and continuously improve the business continuity management system within PICUS, in line with and support the corporate business objectives of PICUS. It refers to definitions, rules, practices, responsibilities, and workflows based on business needs and regulated by relevant laws and standards. This policy is in an active relationship with ISMS and IT SMS and aims to progress through common values in necessary process management.
This policy will guide all activities of PICUS related to business continuity and will provide the following basic requirements:
a) Supporting business strategy and corporate objectives
b) Complying with laws, standards, and contracts
c) Managing existing and anticipated business continuity processes, risks, and threat environment
d) To ensure the continuity of all assets and processes within the scope of PICUS' BCMS, especially information assets and processes.
While PICUS meets business continuity requirements, it has planned, implemented, and regularly controlled the processes necessary to carry out activities that address risks and opportunities. It implements determined plans and exercises to achieve these goals. It retains written information to the point where it is certain that these processes are carried out as planned, reviews the results of undesired changes by controlling the testing and exercises processes, as well as planned changes, and can take new actions if necessary to mitigate negative effects.
The business continuity policy is reviewed at regular intervals or when significant changes occur by Senior Management in order to measure the operability of the system and is updated as needed to ensure continuous suitability, accuracy, and effectiveness.
This policy is intended to be accessible and understandable to all employees and the target audience, including relevant external parties. All employees and external parties defined in the BCMS are obliged to comply with this policy and the processes supporting this policy.
Published: 06.07.2022 - v2
PICUS, business processes, and customer services are in full compliance with the IT Service Management principle and policy; It is a leading company in its sector, operating effectively against its Stakeholders, Customers, and Employees.
The Service Management Policy has been established to operate, manage, measure, and continuously improve the information technology service management system within PICUS and has been approved by the highest level of management. With this policy, PICUS will provide the following basic requirements to manage its service management purposes and achieve the determined business objectives:
a) Supporting business strategy and corporate goals
b) To comply with laws, standards, and contracts
c) To manage the objectives, processes, and risks of current and anticipated service management,
d) Keeping information technology services operational, managing changes, and using information technology services according to business needs
e) To ensure the success, performance, and quality of all services and processes within the scope of PICUS's IT SMS, in line with the targets
f) Ensuring that all services determined by service catalogs within the scope of IT SMS are provided in accordance with the Service Level Agreements (SLA), their performance is measured and reported; To increase customer satisfaction by providing continuous improvement in line with technological changes and business requirements
g) To manage accessibility and capacity by making the necessary monitoring and to reduce costs by making the right financial and resource management.
The service management policy is reviewed at regular intervals or when significant changes occur in order to measure the operability of the system and services, in order to ensure continuous suitability, accuracy, and effectiveness, and is approved by the Senior Management.
Published: 06.07.2022 - v2
The purpose of this policy is to explain the basics of use necessary to ensure that all employees pay due attention and care to PICUS Information Security policies and procedures in the processes of using all kinds of communication and information networks and services within the scope of the Management System.
PICUS communication and information network, software, enterprise applications, processes, information assets, and hardware (including the Internet, e-mail, telephone, pagers, fax, computers, mobile devices, IoT, video-conferencing and mobile phones, etc.) should be used for PICUS and for employees to run their corporate business. Any use of these systems that is illegal, inconveniencing other users, contrary to other policies, standards and rules of PICUS, or harming the company, its stakeholders or customers means a violation of this policy.
This policy requires that:
- Background verification checks on all candidates for employees and contractors should be carried out in accordance with relevant laws, regulations, and ethics, and proportional to the business requirements, the classification of the information to be accessed, and the perceived risk.
- Employees, contractors, and third-party users must agree and sign the terms and conditions of their employment contract, and comply with acceptable use.
- Employees will go through an onboarding process that familiarizes them with the environments, systems, security requirements, and procedures PICUS has in place. Employees will also have ongoing security awareness training that is audited.
- Employee offboarding will include reiterating any duties and responsibilities still valid after terminations, verifying that access to any PICUS systems has been removed, as well as ensuring that all company owned assets are returned.
- PICUS and its employees will take reasonable measures to ensure no corporate data is transmitted via digital communications such as email or posted on social media outlets.
- PICUS will maintain a list of prohibited activities that will be part of onboarding procedures and have training available if/when the list of those activities changes.
- A fair disciplinary process will be utilized for employees that are suspected of committing breaches of security. Multiple factors will be considered when deciding the response, such as whether or not this was a first offense, training, business contracts, etc., PICUS reserves the right to terminate employees in the case of serious cases of misconduct.
PICUS requires all workforce members to comply with the following general acceptable usage requirements and procedures, such that:
- All workforce members are primarily considered as remote users and therefore must follow all system access controls and procedures for remote access.
- The use of PICUS computing systems is subject to monitoring by PICUS Security teams.
- Employees may not leave computing devices (including laptops and smart devices) used for business purposes, including company-provided and BYOD devices, unattended in public.
- Device encryption must be enabled for all mobile devices accessing company data, such as whole-disk encryption for all laptops.
- All email messages containing sensitive or confidential data will be encrypted.
- Employees may not post any sensitive or confidential data in public forums, social media, or chat rooms. If a posting is needed to obtain technical support, data must be sanitized to remove any sensitive or confidential information prior to posting.
- All data storage devices and media must be managed according to the PICUS Data Classification specifications and Data Handling procedures.
- Employees may only use photocopiers and other reproduction technology for authorized use.
- Media containing sensitive/classified information should be removed from printers immediately.
- The PIN code function will be used on printers with such capability, so that the originators are the only ones who can get their print-outs and only when physically present at the printer.
The processes within the scope of this policy are followed by the Information Security Director with the support of the relevant process owners. It is reviewed annually by the Information Security Committee, and necessary updates are made and announced to the employees.
Published: 09.11.2021 - v3
The Personal Data Management Policy has been established to define the personal data collection, processing, protection, storage, and destruction rules, management, and practices approved by the Senior Management, and to announce to the employees and relevant external parties.
Protection of personal data is extremely important for PICUS, which provides services to many companies and organizations at home and abroad and works on security services in the field of information technologies.
PICUS has set itself the goal of acting in accordance with other legal practices both in force in Turkey and accepted in the international arena regarding the protection of personal data. This policy covers the general conditions regarding how and for what purpose PICUS processes, protects, and for how long the personal data of its customers, suppliers, business partners, and their employees and officials, as well as third parties whose personal data are processed in accordance with business processes while maintaining business relations prepared for the determination. PICUS takes the confidentiality and integrity of its customer data very seriously and strives to assure data is protected from unauthorized access and is available when needed.
Processing of Personal Data
All personal data processed by PICUS are processed in accordance with national and international law. Personal data by PICUS;
- With the purchase of PICUS products and/or services;
- When products or services are offered to PICUS;
- When communicating with PICUS by any means;
- When it is requested or preferred to receive commercial electronic messages sent for marketing;
- When applying for a job at PICUS and/or starting to work at PICUS;
- Production systems that create, receive, store, or transmit PICUS customer data
- Participating in events and organizations organized by PICUS and
- When visiting the website www.picussecurity.com
PICUS complies with the rules specified within the scope of personal data, within the framework of the following basic principles:
- Legal and Integrity Processing: PICUS; acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, PICUS takes into account the proportionality requirements in the processing of personal data and does not use personal data other than as required for the purpose.
- Ensuring Personal Data Are Accurate and Up-to-Date: PICUS; It ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights of the persons concerned and their own legitimate interests.
- Processing for Specific, Explicit, and Legitimate Purposes: PICUS clearly and precisely determines the legitimate and lawful purpose of processing personal data. Picus processes personal data as much as necessary and in connection with the products and services it offers.
- Being Related to the Purpose for which they are Processed, Limited and Measured: PICUS processes personal data in a way that is suitable for the realization of the determined purposes and avoids the processing of personal data that is not related to the realization of the purpose or is not needed.
- Retaining Personal Data for the Period Envisioned in the Relevant Legislation or Required for the Purpose of Processing: PICUS retains personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed. In this context, PICUS first determines whether a period is foreseen for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period. Personal data is deleted, destroyed, or anonymized by Picus in the event that the period expires or the reasons for its processing disappear.
- Data must be handled and protected according to its classification requirements and following approved encryption standards, if applicable.
- Whenever possible, store data of the same classification in a given data repository and avoid mixing sensitive and non-sensitive data in the same repository. Security controls, including authentication, authorization, data encryption, and auditing, should be applied according to the highest classification of data in a given repository.
- Employees shall not have direct administrative access to production data during normal business operations. Exceptions include emergency operations such as forensic analysis and manual disaster recovery.
- All access to Production Systems must be logged.
- All Production Systems must have security monitoring enabled, including activity and file integrity monitoring, vulnerability scanning, and/or malware detection, as applicable.
Personal Data Processing Purposes and Legal Reasons
The purposes and processes of processing personal data processed by PICUS vary according to the category of the person concerned and the type of personal data.
The purposes of processing personal data processed by PICUS are as follows:
- Establishment and management of customer relations:
- Management of contract processes with our suppliers and business partners
- Execution of direct marketing processes
- Compliance with legal obligations
- Protection and security of company interests
- Within the scope of marketing activities
- Visitors and closed-circuit camera system (CCTV)
- Employee candidates
Data Protection Implementation and Processes
Customer Data Protection: PICUS cloud products host on AWS by default. Data is replicated across multiple regions for redundancy and disaster recovery. On PICUS products, only customer email addresses and Customer attack simulation results are kept and all customer data at rest and in motion are encrypted. Picus only analyze system usage data anonymously to monitor and improve the quality of the threat library.
Access: PICUS employee access to production is guarded by an approval process and by default is disabled. When access is approved, temporary access is granted that allows access to production. Production access is reviewed by the DevOps team on a case-by-case basis.
Separation: Customer data is logically separated at the database/datastore level using a unique identifier for the customer. All database/datastore queries then include the account identifier.
Monitoring: PICUS uses AWS tools to monitor the entire cloud service operation. If a system failure and alarm is triggered, key personnel are notified by text, chat, and/or email message in order to take appropriate corrective action.
Confidentiality/Non-Disclosure Agreement (NDA): PICUS uses confidentiality or non-disclosure agreements to protect confidential information using legally enforceable terms. NDAs are applicable to both internal and external parties.
Data At Rest: All databases, data stores, and file systems are encrypted according to PICUS’s Encryption Policy.
Data In Transit: Data will only be transferred where strictly necessary for effective business processes. To ensure the safety of data in transit:
- All external data transmission must be encrypted end-to-end using encryption keys managed by PICUS. This includes, but is not limited to, cloud infrastructure and third-party vendors and applications.
- All internet and intranet connections are encrypted and authenticated using a strong protocol, a strong key exchange, and a strong cipher.
Security of Personal Data
PICUS takes the necessary administrative and technical measures in line with the Personal Data Security Guide published by the Personal Data Protection Authority in order to protect personal data and prevent unlawful access. In this context, procedures and policies are prepared by Picus within the scope of ISO 27001, necessary illumination and explicit consent texts are prepared, and necessary inspections are made or made.
The personal data management policy is reviewed at regular intervals or when significant changes occur and is approved by the Senior Management.
Published: 13.11.2021 - v3
The purpose of this policy is to determine the rules that PICUS employees must comply with and pay attention to while working inside or outside the company, in the use of computer and peripheral devices, network resources, cloud services, workspaces, and information access environments, including desks, cabinets, drawers and screens.
- They should never keep documents and information assets that should not be seen by anyone other than themselves in open areas (on desks, open drawers and cabinets, screens, etc.).
- When he leaves the desk or work areas during the day, he must remove or close the documents he works in safe places.
- They must keep critical documents, materials and any media carrying information for themselves or their units in locked drawers or cabinets.
- User access information and passwords that they use to access cloud services, services, computer and peripheral devices, network resources, and workspaces should not be written on places that others can see, such as desktop, notebook, or on-screen notes.
- They should not leave confidential documents on their computers on the screen or the desktop.
- When staying away from computers, even for short breaks from the desk, they should press the screen lock (ctrl+alt+delete; Ctrl-Command-Q, etc.) keys at the same time and lock the computer with the lock the computer option.
- They should not leave CD/DVD, USB memory or disk and similar portable storage devices unattended on desks, open drawers and cabinets. If possible, portable disks/media containing confidential information should be encrypted and kept in a safe place.
- After printing from in-house fax or network printers, it should directly take the printout on the printer itself. Paper printouts should not be kept on the printers; they should be taken as soon as possible.
- It should not print confidential and classified information from remote network printers. If printing from remote printers is required, password-protected printing must be used.
- User access information (user name, access codes, password keys, defined account login information, etc.) and passwords should not be kept in written form on paper, sticky paper and notebook.
- Instead of throwing the paper printouts that contain valuable and confidential information for PICUS, they should be trimmed and destroyed in paper shredders. Unclaimed printouts left on or around printers or fax machines should be destroyed as soon as possible.
- For hard disk, CD/DVD, USB etc. portable media that will not be used again, the information on them should not be processed as scrap or garbage without making them irreversible and unusable by using appropriate techniques.
- In case of loss/theft of media containing confidential information assets, PICUS Management should be contacted immediately.
- They should not consume foods (bagels, cakes, sweets, etc.) and beverages (water, tea, coffee, etc.) that may cause physical damage to computers on and around the desktop.
- Working rooms where confidential information and documents can be found in the open should be kept locked when there is no employee in the room.
- Keys to study rooms, cabinets, desk drawers; private keys such as house and car; safe keys; wallets, ID cards, etc.
Clear Table and Clear Screen rules apply in different offices within the company, meeting rooms or in any environment where you work remotely and in the employees' work areas.
In addition, the content of this policy is re-transmitted to the company's users through awareness training at regular intervals throughout the year.
Published: 17.05.2021 - v2
The purpose of this policy is to reveal PICUS's approaches to environmental and energy issues and its management perspective.
As a company that is aware of its responsibility towards environmental values, PICUS believes that it is necessary to leave a livable world to future generations. In order to minimize the consumption of natural resources and to prevent environmental pollution, it takes care to work by setting targets within the framework of continuous improvement.
The PICUS working ecosystem and environment do not require a large infrastructure and energy consumption. Our employees generally work remotely and independently of the location. Within the framework of our activities, processes with waste generation and environmental impact are at a very low level. There is no fixed server room within the PICUS campus and all business activities are carried out through cloud systems. For these reasons, the working environment of PICUS has low energy consumption and very low environmental impacts.
As PICUS, we base all of our activities on reducing waste at its source and recycling as much as possible. In this context, there are separate boxes for the separation of all wastes in the office areas, providing an important gain for our strategy to prevent pollution at its source. These wastes are collected by Hacettepe Teknokent management and processed with the same sensitivity.
All energy-consuming devices and equipment used in the PICUS campus are selected from types and models that comply with the principles of low consumption and energy efficiency and are regularly monitored.
Training and informing our employees about environmental and energy issues is also part of our awareness activities. We expect and encourage all of our employees to act with this awareness on the company campus and in the environments where they work.
With the same approach, PICUS asks its suppliers and service providers to meet their sensitivities in environmental and energy issues. In this context, we adopt as a principle to work with third parties with the lowest environmental impact and closest to green energy principles.
Within the scope of our sustainability strategies, we consider the protection of natural resources and the realization of our activities with minimum environmental impact as one of our main responsibilities. We evaluate our services from a life-long perspective and manage the positive or negative effects we create.
All related processes, including this policy, are regularly updated annually and monitored by the senior management.
Published: 07.10.2021 - v1
The Anti-Bribery and Corruption Policy has been established to define the anti-bribery and corruption management, and practices approved by the Senior Management, and to announce to the employees and relevant external parties.
This policy applies to all PICUS employees (full and part-time) and temporary workers (such as consultants or contractors) (together referred to as “employees” in this document) across the company no matter where they are located or what they do. Every person concerned can send their complaints and notifications directly to the Board by e-mail to firstname.lastname@example.org about the issues covered by the policy.
This policy also provides additional specific information about the anti-corruption laws in Turkey and provides general guidance to compliance with anti-corruption laws in other jurisdictions in which we carry on business.
Bribery is offering, promising, giving, or accepting any financial or other advantages, to induce the recipient or any other person to act improperly in the performance of their functions, or to reward them for acting improperly, or where the recipient would act improperly by accepting the advantage. Bribes can take many forms such as money (or cash equivalent such as shares); unreasonable gifts, entertainment, or hospitality; kickbacks; unwarranted rebates or excessive commissions (e.g. to sales agents or marketing agents); unwarranted allowances or expenses or anything else of value.
Corruption is the abuse of public power, duty, and authority to obtain private benefit through bribery, extortion, nepotism, fraud, and embezzlement (ref. United Nations Development Programme).
The People & Culture Unit has primary and day-to-day responsibility for implementing this policy, monitoring its use and effectiveness, dealing with any queries about it, and auditing internal control systems and procedures to ensure they are effective in countering bribery and corruption. In addition, the Operations Unit is responsible for monitoring this policy and updating it at least once a year.
4.1. Scope and Implementation
In PICUS, all forms of bribery and corruption are prohibited. Bribery is prohibited when dealing with any person whether they are in the public or private sector and the provisions of this policy are of general application. However, many countries have specific controls regarding dealing with public officials and this policy includes specific requirements in these circumstances.
In summary, it is essential to act in accordance with the actions listed in the following:
- Facilitation Payments and Kickbacks: Facilitation payments are any payments, no matter how small, given to an official to increase the speed at which they do their job. For example, this could include speeding up customs clearance. You must avoid any activity that might lead to a facilitation payment or kickback being made or accepted by PICUS or on our behalf, or that might suggest that such a payment will be made or accepted. If you are asked to make a payment on our behalf, you should always be mindful of what the payment is for and whether the amount requested is proportionate to the goods or services provided. You should always ask for a receipt that details the reason for the payment. If you have any suspicions, concerns, or queries regarding a payment, you should raise these with the Compliance Officer.
- Gifts, Hospitality, and Expenses: PICUS and its employees, as well as third parties acting on its behalf to any external party, are prohibited from accepting and proportioning gifts and hospitality, as well as intangibles (e.g. job offers, investment opportunities, and favors) directly or through another party. The giving and accepting of gifts is allowed if the following requirements are met:
It is not made with the intention of influencing a third party to obtain or retain business or a business advantage, or to reward the provision or retention of business or a business advantage, or in explicit or implicit exchange for favors or benefits;
It is given in the company name, not in your name;
It does not include cash or a cash equivalent (such as gift certificates or vouchers);
It is appropriate in the circumstances, taking account of the reason for the gift, its timing, and value. For example, giving small gifts to celebrate important days is appropriate.
It complies with any applicable local law
- Record-Keeping: All payments and commissions to third parties must:
be made via bank transfer through the accounts payable system and be fully accounted for;
keep financial records and have appropriate internal controls in place which will evidence the business reason for making payments to third parties; and
must be made in accordance with the terms of the contract with the person or company providing the services.
- Distributors and Channel Partners: All third parties should be made aware of the terms of the PICUS Code of Conduct and of their obligations to comply with it. All arrangements with third parties should be subject to clear contractual terms including specific provisions requiring them to comply with minimum standards and procedures in relation to bribery and corruption. Appropriate wording to be included in contracts can be obtained from email@example.com
4.2. Disciplinary Action
PICUS personnel who fail to comply with this policy are subject to disciplinary action and may also be subject to legal punishments if they commit an offense under the law according to the Disciplinary Ordinance.
Published: 08.11.2021 - v2
An Information Security Director (ISD) leads Picus’s information security and privacy program with a vision of continuous improvement, stronger cybersecurity resilience, wider compliance and keeping up with the latest technologies. ISD is responsible from managing Picus' business on information security, business continuity, risk management, auditing and compliance.
All access requests are treated on a least-access principle. Secure logon procedures, including multi-factor authentication (MFA), are implemented. In addition, a stringent password security policy is enforced and a password manager solution is provided for the use of all employees.
Picus implements various endpoint security solutions such as Mobile Device Management (MDM), Endpoint Protection Platform (EPP) and Endpoint Detection and Response (EDR). All corporate laptops are encrypted. In addition, a zero-trust architecture, which requires all users to be authenticated, authorized, and continuously verified before being granted, has been adopted.
In Picus systems and platform, both data in transit and at rest are encrypted using industry-standard algorithms. In addition, special encryptions are used in the SSHv2 protocol in order to provide secure access to the company cloud servers, where Picus products and systems are located.
All systems related to Picus products are cloud based and have high available architecture in AWS US and EU data centers. Picus uses redundant RDS instances to ensure full backup recovery of its database. Daily database backups are also taken automatically.
Picus uses a fully encrypted VPN solution as well as HTTPS to communicate with and access its network. All traffic within the network is redirected from HTTP to HTTPS.
Picus operates Secure Development Life Cycle (SDLC) rules based on agility, information security, and secure code development techniques for product and system development, depending on best practices and well-known techniques.
Picus performs third-party risk management process and routinely assesses its vendors through audits, reviews of their standardized assessment reports, certifications or other appropriate processes in order to confirm they are meeting their contractual obligations and applicable legal requirements.
Security training and awareness programs are conducted for all employees on an annual basis. In addition, regular training sessions as well as secure code trainings are conducted to Picus developers by field experts.
In addition to our internal Picus Lab teams, Picus also contracts a third party to perform annual penetration tests. Recent reports shall only be provided under NDA. If you request access to these reports, please reach us at firstname.lastname@example.org