Security & Privacy

Legal Documents

At Picus, your privacy is protected in an open and transparent manner. The use of our website and services is also subject to terms and conditions, which are bound by legal agreements. Below, you can find all related legal documents.

1. INTRODUCTION

This Privacy Policy applies to Picus Security, Inc. and its Affiliates listed in Section 10 (“Picus,” “us,” “we,” or “our”).

Picus is committed to protecting and respecting your personal information and privacy. This Policy outlines and is limited to the personal data processing practices carried out through the use of our Websites (www.picussecurity.com and app.picussecurity.com), our Services (as described below), and any other electronic communications networks by Picus.

Please read this Policy carefully to understand how and why we collect, process, and use your information.

By using our Website and Services, you agree to this Privacy Policy.

2. COLLECTION OF YOUR PERSONAL INFORMATION

Personal Data is any information that directly or indirectly identifies a natural person. We will ask for your consent when we need information that personally identifies you (personal information) or allows us to contact you to provide a service or carry out a transaction that you have requested, such as receiving information about Picus Security products and services, ordering email newsletters, joining a limited-access site or service, or purchasing, downloading and/or registering Picus Security products.

The channels and types of personal information we may collect, including but not limited to, are listed below:

Information you directly provide to us:

a. Free-trial: Under your free-trial requests, we may collect your first name, last name, company name, company email, and country information.

b. Account: We may collect our customers’ company email addresses when logging into our online platform.

c. Demo Request: Under your demo requests, we may collect your first name, last name, company email address, company name, phone number (optional), and country information.

d. Contacting us: When you make inquiries, such as scheduling a demo, learning about pricing, or upgrading a product, we may collect your first name, last name, company email, company name, job title, country, phone number (optional) information and any descriptive message you submit to facilitate your inquiry.

e. Job application: We receive your job applications through a third-party platform. If you apply for a job at Picus, we may collect your full name, email, resume/CV, phone (optional), current company (optional), LinkedIn Profile (optional), and any other optional information submitted within your application.

f. Partner account & User application: Under our partner program, we may collect your corporate email address.

g. Picus Technology Alliances Partner Program application: Under our Technology Alliances Partner Program (TAP), we may collect your first name, last name, work email, and role.

h. Picus Technology Alliances Team meeting request: For meeting requests with the Picus Technology Alliances Team, we may collect your first name, last name, and email address.

i. Blog: If you subscribe to our blog, we may collect your company email address.

j. Purple Academy by Picus: If you wish to obtain a service from Purple Academy, we may collect your full name, company email address, company, country, and job title information.

k. Webinars, Case Studies & Reports: For webinars, case studies, and reports requests, we may collect your company email address.

l. Exclusive Reports: Under exclusive report requests, we may collect your full name, company email address, title, company name, and country information.


We may also collect your personal data such as your first name, last name, and email address when you follow us on social media, attend our events, or correspond with us by phone, email, social media, or otherwise. 

Information from your visits to our website:

Our website enables us to communicate with you about us, our products, and our services. Even if you do not log in with an account, we may automatically collect certain information each time you visit our website. This may include the name of the Internet Service Provider, Internet Protocol (IP) address, date and time of access, browser type and version, time zone setting, operating system and platform, pages accessed, and the Internet address of the website from which you linked directly to our website. This information is mainly used to provide access to our website, improve the webpage view, and adapt to device settings and language. We also use this information to analyze trends and to improve our website and online services.

We process such personal data pursuant to Article 6(b) of the GDPR, as it is necessary to respond to your inquiry. For more details about automatically collected information about your visit to our website, please see our Cookie Policy.


Information from other resources:

We may also collect your personal information indirectly from third party sources such as business partners, advertising networks, payment and delivery services as well as public records, such as social media platforms and industry associations. Please note that, in such cases, we strive to ensure that these parties adhere to privacy standards consistent with ours; however, we do not have any liability or responsibility over their use, storage, and disclosure of your personal information, as governed by their own privacy policies.

3. USE AND CONTROL OF YOUR PERSONAL INFORMATION

The purposes and processes for processing personal data by Picus vary according to the category of the individual (i.e. customer, potential customer, visitor, employee candidate, etc.) and the type of personal data. 

Consistent with applicable law and choices that may be available to you, we may use your personal information for purposes, including but not limited to:

  • Fulfilling contractual obligations and providing requested information, products, and services;

  • Personalizing your experience on our website and services and customizing content;

  • Carrying out marketing activities, as per your preferences and active consent where applicable;

  • Responding to inquiries and requests, and capturing related data;

  • Administering, operating, optimizing, and improving the quality of our website, products, services, and operations;

  • Notifying you of changes to our company, products, services, terms of use and conditions;

  • Communicating about products or services you requested;

  • Maintaining a secure environment by detecting, investigating, and preventing fraudulent or illegal activities;

  • Complying with legal requirements and standards.

We will send you information according to the preferences submitted via our online forms and in accordance with any consent you have actively given, where applicable. You may change these preferences and/or withdraw your consent at any time.

Based on your consent, we may send emails informing you of issues related to a product or service you requested or confirming you requested a product or service, such as invoices and confirmations. We may also occasionally communicate with you regarding our products, services, news, and events. You have the option not to receive this information. You can unsubscribe at any time by following the instructions at the bottom of our promotional emails.

Except as otherwise described in this statement, the personal information you provide on the Website will not be shared outside of Picus Security and its controlled subsidiaries and affiliates without your permission.

4. COOKIES

Cookies are text files placed on users' computers by visited websites. They can be used by web servers to identify and track users as they navigate different pages on a website and to identify users returning to a website.

We use cookies on our Websites, www.picussecurity.com and app.picussecurity.com, to determine visitor preferences, facilitate user requests, improve website experiences, keep our services secure, and conduct online behavioral advertising.

For more detailed information, including cookie types and administration, please visit our Cookie Policy.

5. SECURITY, STORAGE AND TRANSFER OF YOUR PERSONAL INFORMATION

At Picus, we implement technical and administrative measures to protect your personal data and prevent any unauthorized access, disclosure, use, and modification. We use industry standard technologies, operational security methods, and cyber security products for the protection of collected personal data. In this context, we regularly review and validate the adequacy and effectiveness of our security controls, tools, and procedures to maintain a secure environment. Please note that no security measures are fully secure or impenetrable. For more information, please see our Corporate Practices.

All systems related to Picus products are cloud based. As a globally operated company, the destination where we store or transfer your personal information may be different from the country in which the data was collected. Regardless of the country in which we transfer, store, or process your data, we will take reasonable steps to ensure that your data is treated securely and in accordance with this Policy.

6. RETENTION OF YOUR PERSONAL INFORMATION

Picus retains personal information only for the period necessary to fulfill the purposes for which it was collected and, thereafter, for a reasonable period to meet audit, contractual, or legal obligations or where we have a legitimate interest in retaining it. In this context, retention periods for each type of personal data are determined, and if there is no reason to keep certain personal data, it is destroyed in accordance with the current legislation.

Adequate technical and administrative measures have been implemented within our Information Security Management System to ensure secure storage and destruction of personal information.

7. YOUR RIGHTS 

We respect your privacy. If you wish to exercise your privacy and data subject rights subject to applicable law such as GDPR, CCPA, or KVKK, please fill out the initial request form here so that we can provide you the appropriate data subject request form depending on the legal source of your request.

8. CHILDREN AND SENSITIVE DATA

a. Children: Our Website, application, and services are intended for business use and we do not expect them to be of any interest to minors. We do not knowingly or intentionally collect personal data from anyone under 16 years of age.

b. Sensitive data: We do not collect or receive any sensitive categories of personal data. Also, we ask you to not send or disclose any sensitive personal information to us directly or through our products and services.

9. CONTACT US

If you have questions or concerns about this Policy or its implementation, please contact us by email at privacy@picussecurity.com.

10. AFFILIATES

Picus Security, Inc.; Picus Bilişim Güvenlik Ticaret A.Ş.; Picus Security US, LLC.

11. CHANGES TO THIS PRIVACY POLICY 

We review this Privacy Policy regularly and may change it to reflect our product and service updates, corporate practices, regulatory requirements, or other purposes. 

We encourage you to frequently check this page as we always display the latest modification date on this Policy. When required under applicable law and/or the change is significant, we will also notify you by using other means, such as email.

Last Updated: 01.11.2024

1. INTRODUCTION


Picus Security Inc., along with its affiliates, Picus Bilişim Güvenlik Tic. A.Ş. and Picus Security US, LLC (“Picus Security” or “Company”), collects personal data for various purposes via cookies through our websites www.picussecurity.com and app.picussecurity.com (“Websites”). This Cookie Policy explains what cookies are, how we use them, and how you can manage your preferences. For more information on how we collect, store, and use your personal data, please refer to our Privacy Policy.

Please note that this policy may be updated from time to time to reflect changes in our Websites, applicable laws, regulatory requirements, or company practices. 

2. WHAT ARE COOKIES? 

Cookies are small text files that are placed on your device by websites you visit. They are widely used to make websites work more efficiently, to enhance user experience, and to provide information to the website owners. Cookies typically contain information such as a unique identifier that a website uses to recognize your device on subsequent visits.

They are commonly used on our Websites and most other websites to ensure that they function effectively according to the preferences of visitors and to provide detailed information to the administrators of the respective websites.

3. WHY DO WE USE COOKIES?

We mainly use cookies to:

  • Recognize your device and remember your preferences when you visit our Websites,

  • Facilitate and improve your experience on our Websites,

  • Analyze website usage and improve usability,

  • Manage the administration of our Websites, 

  • Conduct online behavioral advertising activities.

Cookies typically do not contain information that directly identifies you, such as your name or contact details. However, they may contain unique identifiers or other data that, when combined with other information we collect, could be used to recognize or remember you across different sessions or websites. This allows us to personalize your experience on our Websites by remembering your preferences, recognizing you on future visits, and tailoring content to your interests.

4. TYPES OF COOKIES AND THEIR USE PURPOSES

Our Websites may place and access certain cookies on your web browser. We have carefully chosen these cookies and have taken steps to ensure that your privacy and personal data are protected and respected at all times.

Cookies, depending on who implements them, can be categorized as follows:

a. First-party cookies: These cookies are issued by our Websites and are only used within our domain to provide a better user experience.

b. Third-party cookies: These cookies are issued by third parties to provide services on our Websites and are placed from different domains. 


When you use our Websites, you may also receive third-party cookies from our service providers. These third-party cookies may be used for the following purposes:

  • Tracking your browsing behavior across multiple websites

  • Building a profile of your web surfing habits

  • Targeting advertisements that may be of particular interest to you

We use both third-party cookies and our cookies to show you personalized ads on various websites. This practice, known as "retargeting", is based on your clicks, the pages you browse on our Websites, the products you view, and the advertisements that are shown to you. We also use cookies as part of our online marketing campaigns to understand how users interact with our Websites after seeing online ads, including those displayed on third-party websites. You can delete these cookies from your browser at any time. 

For more information on how these third-party companies collect and use information on our behalf, please refer to the privacy policies listed in Table 1 below.

5. COOKIES ON OUR WEBSITES 

The categories of cookies we use on our Websites include:

Necessary: These cookies are necessary for the website to function and cannot be switched off in our systems.

Analytics/Targeting: These non-essential cookies help us to understand how visitors engage with the website. These cookies are mainly used to collect information and report site usage statistics without personally identifying individual visitors.

Advertisement: These cookies are used to make our ads more engaging and relevant to site visitors.

Functionality: These cookies are optional for the website to function. They are usually set in response to information provided to the website to personalize and optimize your experience as well as remember your chat history.

When you visit our Websites and/or log in to our Platform (app.picussecurity.com), we may send you cookies related to the following web analytics, targeting, and advertisement services:

Table 1: Advertisement, Analytics/Targeting Cookies Used on our Websites

| Service Provider | Website | Purpose | Type of cookie | Related Privacy Policies |
|---|---|---|---|---|
| Google Analytics, Google Tag Manager | www.picussecurity.com, app.picussecurity.com | Analytics/Targeting | First-party | Google Privacy Policy |
| Hubspot | www.picussecurity.com | Analytics/Targeting | First-party | Hubspot Privacy Policy, Cookies set in a visitor's browser by HubSpot |
| Hotjar | www.picussecurity.com, app.picussecurity.com | Analytics/Targeting | First-party | Hotjar Privacy Policy, Cookies set by the Hotjar Tracking Code |
| Heap | app.picussecurity.com | Analytics/Targeting | First-party | Heap Privacy Policy, Cookies set by Heap |
| LinkedIn | www.picussecurity.com | Advertisement, Analytics/Targeting | Third-party | LinkedIn Privacy Policy |
| Poptin | www.picussecurity.com | Analytics/Targeting | First-party | Poptin Privacy Policy |
| New Relic | app.picussecurity.com | Analytics/Targeting | Third-party | New Relic Privacy Policy |
| Sentry | app.picussecurity.com | Analytics/Targeting | Third-party | Sentry Privacy Policy |
| Youtube | www.picussecurity.com | Advertisement | Third-party | Google Privacy Policy |
| Google | www.picussecurity.com | Advertisement | Third-party | Google Privacy Policy |
| Visitor Queue | www.picussecurity.com | Analytics/Targeting | Third-party | Visitor Queue Privacy Policy |
| 6Sense | www.picussecurity.com | Analytics/Targeting | Third-party | 6Sense Privacy Policy |
| Userguiding | app.picussecurity.com | Analytics/Targeting | First-party | Userguiding Privacy Policy |

These cookies are not integral to the functioning of our site, and your use and experience of our site will not be impaired by blocking or deleting them. However, certain features of our site may not function fully or as intended.

Our Websites use Google Analytics, an analysis service of Google Inc. ("Google"). Google Analytics uses cookies to enable the analysis of website usage. The information generated by cookies about the use of the website is transmitted to and stored on a Google server in the USA. Upon the instruction of the operator of this website, Google uses this information to prepare reports to evaluate your use and provide related services. The IP address transmitted from your browser within the framework of Google Analytics is not combined with other data from Google. If you do not want these cookies to be stored, you can adjust your settings accordingly in your browser.

In addition, our website (www.picussecurity.com) may also use Google AdWords and DoubleClick cookies for statistical purposes.

If you think we have missed a cookie, please let us know by sending an email to security@picussecurity.com.

6. HOW TO CONTROL COOKIES

You have the right to choose whether to accept or reject cookies. When you first visit our website, you will see a cookie consent banner, which allows you to opt in to or opt out of specific types of cookies. You can also opt out of specific cookies. Please note that blocking specific types of cookies may negatively impact your experience on the site and limit the services we are able to provide.

You can also change your browser settings to delete existing cookies or prevent new cookies from being placed on your device. Please note that deleting or blocking certain types of cookies may negatively impact your experience on the site and limit the services we are able to provide. 

To opt-out of Google Analytics tracking, you can install and activate the plug-in provided by Google. 

7. FURTHER INFORMATION ON COOKIES

To learn more about cookies, including how to see which cookies have been set and how to manage and delete them, you can visit the following websites: All About Cookies, About Cookies, Your Choices Online, and Cookie Database.

8. CONTACT

If you have any questions about our use of cookies, please contact us at security@picussecurity.com.

Last Updated: 02.09.2024

END-USER LICENSE AGREEMENT

BY REGISTERING TO, ACCESSING OR USING, AND BY DOWNLOADING, INSTALLING, COPYING, ORDERING, OPERATING, OR OTHERWISE USING THE RELEVANT SOFTWARE COMPONENTS OF THE PICUS COMPLETE SECURITY CONTROL VALIDATION PLATFORM SERVICE (“SERVICE”), YOU ACKNOWLEDGE THAT YOU HAVE READ AND UNDERSTOOD THE AGREEMENT AND AGREE TO THE TERMS OF THIS AGREEMENT. YOUR ACCEPTANCE OF THE TERMS SET FORTH IN THIS END USER LICENSE AGREEMENT (“EULA”) AND ANY ADDENDUM ATTACHED HERETO FORMS A LEGALLY BINDING AGREEMENT BETWEEN YOU AND PICUS SECURITY. IF YOU ARE ACCEPTING THESE TERMS ON BEHALF OF ANOTHER PERSON OR COMPANY, OR OTHER LEGAL ENTITY, YOU REPRESENT AND WARRANT THAT YOU HAVE FULL AUTHORITY TO BIND THAT PERSON, COMPANY, OR LEGAL ENTITY AND ITS AFFILIATES TO THESE TERMS AND TO THE EXTENT YOU DO NOT HAVE SUCH AUTHORITY YOU AGREE TO BE BOUND TO THESE TERMS AND TO ACCEPT LIABILITY FOR HARM CAUSED BY ANY WRONGFUL USE OF THE WEBSITE RESULTING FROM SUCH ACCESS OR USE. IN SUCH A SCENARIO, THE WORDS "YOU" AND "YOUR," WHEN USED IN THESE TERMS, WILL APPLY TO THE PERSON ON WHOSE BEHALF YOU ARE ACTING AS WELL AS YOU AS AN INDIVIDUAL AS APPROPRIATE.

IF YOU DO NOT AGREE TO THESE TERMS: DO NOT REGISTER TO, ACCESS, OR USE, AND DO NOT DOWNLOAD, INSTALL, COPY, ORDER, OPERATE, OR OTHERWISE USE THE RELEVANT SOFTWARE OR SERVICE COMPONENTS AND ANY CONTENT OF THE “SERVICE” AND PROMPTLY UNINSTALL THE SOFTWARE OR SERVICE FROM YOUR SYSTEM.

IF YOU DO NOT CLICK “ACCEPT”, YOU DECLARE THAT YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT, AND THIS SERVICE WILL NOT BE INITIATED ON YOUR COMPUTER, NETWORK, OR OTHER RELEVANT SYSTEMS.

1. Definitions

“You” means the individual (including the third person in case you accept this agreement on behalf of that person), company, Affiliates, or other legal entity that has registered to use the Service (including by downloading any updates or patches for the Complete Security Control Validation Platform System) and downloaded, installed, accessed, operated or otherwise used the software or service in any way.

“Service” means and covers all of The Complete Security Control Validation Platform currently shown on the official Picus Security or Picus Platform websites regardless of the available features or the service and relevant software, any future releases of the service, software, or any expansions, etc., are used.

“Security Control Validation”, “Security Assessment,” or “Security Test” means the mechanism by which “The Complete Security Control Validation Platform” and the relevant features of the Service are applied to determine the defensive capabilities of the “Control Systems” against the cyber threats.

“Control Systems” means cybersecurity prevention technologies such as endpoint protection software systems (such as endpoint antivirus, host-based intrusion prevention systems, endpoint detection and response, and other solutions that may be considered as endpoint protection software), secure email gateway, data-leakage or loss systems, network intrusion prevention systems, next-generation firewall systems, secure web gateway systems, and other similar prevention technologies.

“Assessment Type” defines different security assessment categories or types such as vertical attacks, regional attacks, targeted attacks, and others offered by and with full discretion of Picus Security.

“Term” defines the duration of the subscription granted for the Use of the Service.

“Picus Agent” means the software component provided for the supported Operating Systems that is used to test the security level of the Control Systems when an assessment is executed.

“Permitted Capacity” means the number of “Security Testing” delivered, term, Picus Agents, threat samples, or other license metrics set forth in the delivery of the service.

“Use of Service” means a non-exclusive, personal, non-transferable, time-limited right to use the Picus Platform Products or Services in accordance with this Agreement.

“Picus Security” means Picus Security Inc. (1401 Pennsylvania Avenue Unit 105 Suite 104, Wilmington, DE 19806) and its affiliates Picus Bilisim Guvenlik Tic. A.S. (Hacettepe Teknokent, Üniversiteler Mah. 1596. Cad. 1. Ar-Ge 97/12 Beytepe, Çankaya/ Ankara, Türkiye) and Picus Security US, LLC (3001 North Rocky Point Drive East Suite 200 Tampa, FL 33607 USA).

2. Use of Service

Upon your acceptance and subject to the terms outlined in this Agreement, Picus Security hereby authorizes you to use the Service to test the defensive capabilities of the Control Systems that this Service is designed to put under Security Validation. Service may not cover all the Control Systems listed in the definitions section and Picus Security can add or remove different Control Systems categories provided in Service.

By accepting these terms, You authorize Picus Security to perform Security Validation on Control Systems specified by You. Picus Security, through the Service, will provide You with the results of the Security Tests automatically. This Service aims to reveal which threats executed by the Service are blocked and not blocked by the Control Systems used in a different network or digital environments. In this respect, results may differ for the same security control technology in different environments. Picus Security cannot be held responsible if the Service fails to discover certain security or configuration shortcomings on the target Control Systems and shall not become subject to any claim and request (including but not limited to compensation, damage, loss, or reimbursement).

You understand that Your right to use the Products or Services is limited by the Permitted Capacity purchased by paying the defined fee or granted free of charge by Picus Security. You and Your Affiliate's combined use may in no event exceed the Permitted Capacity authorized under the applicable Order. The Permitted Capacity may be defined during the registration to Service. You acknowledge that the fees paid for the service are non-refundable to the extent permitted by applicable laws. You acknowledge that Picus Security may decide to cease providing Service without any further notice. In the case of a paid Service, if Picus Security decides to cease providing Service, the fee paid for the remainder of the Service is reimbursed to You.

3. Service Level Commitments

Picus Security endeavors to provide the best customer experience during the registration and execution stages of Service. As part of its commitment to meeting its customers’ needs, Picus Security has established the following Service Level Agreements (SLA) to outline the availability and support standards it maintains.

3.1 Availability SLA 

Picus Security is dedicated to providing its users with a reliable, uninterrupted service experience. With the exception of any planned outage of maintenance, Picus Security does its best to maintain a minimum uptime of 99.5% for users logging in and utilizing the dashboard metrics.

3.2 Support SLA

During the Term, Picus Security offers comprehensive technical support for all incidents within the supported versions of the Service. To ensure efficient handling of incidents, Picus Security has established Service Level Agreements (SLAs) that outline response time commitments based on the severity levels of reported problems. The severity level for each incident submitted by a customer or partner will be determined by Picus Technical Assistance Center (TAC) engineers, considering the requested level and information provided by the customer or partner. 

Picus Security's Technical Assistance Center (TAC) is dedicated to promptly responding to and diligently resolving incidents in accordance with the initial response times as follows:

| Severity Level | Definition | Initial Response Time |
|---|---|---|
| High | An incident that is causing a significant loss of service and no workaround is available | 6 Business Hours |
| Medium | An incident that has a partial impact on mission-critical functionality | 8 Business Hours |
| Low | An incident that has no impact on Customer business functionality | 16 Business Hours |

Table: Severity Levels and Target Initial Response Times

The Initial Response Time is the duration before a qualified TAC representative contacts the customer or partner. 

Please note that Picus Security’s SLAs are subject to periodic review and may be updated to reflect the evolving needs of the customers and technological advancements. Your continued use of the Service indicates your acceptance of the SLAs in effect at that time.

3.3 Service Commitment Exclusions

You agree to take the necessary precautions to ensure that Use of Service does not harm the computer system on which a Picus Agent is installed and will run. Picus Security is not committed to providing services for interpreting the results of the Security Validation applied to the chosen Control System or Control Systems. 

Picus Security shall not be liable for any damage, outage, interruption of service, or similar outcomes, including associated costs, arising due to any of the following:

a. Force majeure events, acts of nature, or actions of government activities
b. Factors outside of PICUS Security’s reasonable control, including any third parties acting on PICUS Security’s behalf or any third-party equipment, software, or other technology not within PICUS Security’s control
c. Downtime during planned outage and/or maintenance, or work undertaken as part of a request for a change
d. Actions or inactions of the affected Customer, or any third party
e. Failure or fault of Customer systems, equipment, software, or other technology
f. Issues that result in account suspension or termination due to breach of the Customer Agreement, including violation of Terms of Use, payment obligations, or usage policies 

4. Security of The End User Account Formation

Upon completing the registration to the Service, You will receive a password and account designation information by email. You are responsible for maintaining the confidentiality of the account information and the password. You agree to immediately notify Picus Security if the account has been accessed or used by an unauthorized individual or individuals. Picus Security cannot and will not be held responsible for any loss or damage arising from unauthorized access, use, or failure to notify Picus Security. If Picus Security detects such unauthorized use or any use that is not in accordance with the contract, You shall be notified immediately to stop the unauthorized use and given 3 (three) days for any such breach of the contractual obligations. In case the infringing use continues, Picus Security has a right of termination with immediate effect without any prior notice. Picus Security’s right to demand compensation is reserved.

5. Control Systems Indemnity

(a) You declare and warrant that You have the full right, power, and authority to consent to have the Service validate the Control Systems as set as target systems by You. You will indemnify and hold harmless Picus Security, its customers, Authorized Resellers, partners and sponsors, and their officers, directors, employees, and agents from and against any third-party claims, suits, liabilities, losses, damages, judgments, awards, fines, penalties, costs, and expenses (including reasonable attorneys' fees) incurred by or levied against the same resulting from or based on Your use of or inability to use the Service, including any claim resulting from Your breach of this Section. 

(b) You also agree that the Security Testing of Control Systems may expose vulnerabilities, security gaps, and configuration errors.

6. Restrictions

Subject to Your strict compliance with the terms of this EULA, Picus Security authorizes you with a non-exclusive, personal, non-transferable, revocable, and limited License Usage Right in accordance with this Agreement to access and use the service solely for Your personal use. To access and use the service, You must have legally obtained the license from Picus Security and its official website. You are responsible for paying all fees, taxes, and other costs.

You agree not to decompile, disassemble, modify, sell, copy, or reverse-engineer the Picus Security owned software, platforms, modules, agents, and source code developed to run or enable the Service. In the same way, You agree not to decompile, disassemble, modify, sell, copy, or reverse-engineer the third-party software or source code that may be used to enable the Service. In addition, users are prohibited from downloading or exporting threat libraries or service resources in bulk. Any attempt to download or export these resources beyond the provided API or other services’ intended use or specified thresholds is forbidden. All services and resources provided are to be used solely for their intended purpose as outlined in this agreement.

You agree to use the Service as outlined exactly in the published or shared documentation and website provided by Picus Security.

You are not allowed to publish the results provided by the Service. Under no circumstances can results, in any form or shape, fully or partially, be used to publicly compare or benchmark different technologies and Technology Providers.

You are not entitled to use the intellectual properties of Picus Security, including but not limited to logos, names, trademarks, affiliates, etc., without prior written consent.

For the execution of some of the Services, You may be required to deploy software components provided by Picus Security. Upon the termination of the Service, You are required to cease using these software components and remove them from the systems they were installed on immediately.

Your license to the Service (or any Picus Security intellectual property associated therewith) does not include any license, right, power, or authority to (including but not limited to);

  • Copying the software, platform, or Service,
  • Selling, renting, leasing, licensing, sublicensing, distributing, or otherwise transferring or making the software available to any other person, in whole or in part;
  • Using the service and software or any part thereof in any commercial context;
  • Reverse engineering, deriving source code, attack database, modifying, decompiling, disassembling, or creating derivative works of the software, platform and attack techniques, or any portion thereof, in whole or in part;
  • Removing, disabling, or circumventing any proprietary notices or labels contained on or in the Software or any Online Service thereof; or
  • Exporting or re-exporting or transmitting or extracting the Software or Service, or related documentation, attack techniques, and repositories and its database, and technical data or any copy or adaptation thereof,

Picus Security shall terminate the agreement immediately without any prior notice. Picus Security’s right to demand compensation is reserved in case of any breach.

Picus Security reserves all rights not expressly granted to You.

7. Intellectual Property Rights

The Service and all related intellectual property rights are the exclusive property of Picus Security or its licensors. All rights, titles, and interests in and to the Service, any modifications, translations, or derivatives thereof, even if unauthorized, and all applicable rights in patents, copyrights, trade secrets, trademarks, and all intellectual property rights in the Service remain exclusively with Picus Security or its licensors. The Service and its Features are valuable, proprietary, and unique, and You agree to be bound by and observe the proprietary nature of the Service and its features. The Service contains material (including but not limited to any images, photographs, animations, codes, video, audio, music, text, and “applets” incorporated into the Service) that is protected by patent, copyright, license, and trade secret law. The Service and its Features may include software products licensed from third parties or open sources by international treaty provisions. In such cases, third parties have no obligations or liability to You under this Agreement but are third-party beneficiaries of this Agreement. All rights not granted to You in this Agreement are reserved for Picus Security. If You have subscribed to the Service, no ownership of the Service passes to You (The software/products/services/platform are being licensed, not sold. Picus Security retains all ownership rights in and to all software/products/services/platforms, including any intellectual property rights therein.). Picus Security may make changes to the Service at any time without notice. Picus Security grants no express or implied right under Picus Security patents, copyrights, trademarks, licenses, or other intellectual property rights except as otherwise expressly provided. You may not remove any proprietary notice of Picus Security or any third party from the Products or any copy of the Products without Picus Security’s prior written consent.

8. Intellectual Property Indemnity

Picus Security shall have the right, but not the obligation, to defend or settle, at its option, any action at law against You arising from a claim that Your authorized use of the Service under this Agreement infringes any patent, copyright, or other ownership rights of a third party. You agree to provide Picus Security with written notice of any such claim within 10 (ten) days of Your notice thereof and provide reasonable assistance in its defense. Picus Security has sole discretion and control over such defense and all negotiations for a settlement or compromise unless it declines to defend or settle, in which case, You are free to pursue any alternative You may have. In that case, you shall still have an obligation to act in good faith and loyally pursue and protect the interests of Picus Security and inform Picus Security in writing in a reasonable amount of time in the event of any situation that may affect Picus Security, this agreement, or any related process or procedures. You shall not assume or create any obligation, representation, warranty, or guarantee, express or implied, on behalf of Picus Security for any purpose whatsoever.

9. Confidentiality and Limitation on Use

(a) Confidential Information

Each Party hereto acknowledges that because of its relationship with the other Party hereunder, it may have access to confidential information and materials concerning the other Party’s business, technology, and/or products that are confidential and of substantial value to the other Party, which value could be impaired if such information were disclosed to third parties (“Confidential Information”). Written or other tangible Confidential Information must, at the time of disclosure, be identified and labeled as Confidential Information belonging to the disclosing Party. When disclosed orally or visually, Confidential Information must be identified as confidential at the time of the disclosure, with subsequent confirmation in writing within 15 (fifteen) days after disclosure. Each Party agrees that it will not use in any way for its own account or the account of any third party, such Confidential Information, except as authorized under this Agreement, and will protect Confidential Information at least to the same extent as it protects its own Confidential Information and to the same extent that a reasonable person would protect such Confidential Information.

Neither Party may use the other Party’s Confidential Information except to perform its duties under this Agreement.

The Confidential Information restrictions will not apply to Confidential Information that is (i) already known to the receiving Party, (ii) becomes publicly available through no wrongful act of the receiving Party, (iii) independently developed by the receiving Party without the benefit of the disclosing Party’s Confidential Information, (iv) has been rightfully received from a third party, not under an obligation of confidentiality or (v) is required to be disclosed by law, provided the Party compelled to disclose the Confidential Information provides the Party owning the Confidential Information with prior written notice of disclosure adequate for the owning Party to take reasonable action to prevent such disclosure, where reasonably possible. Unless otherwise agreed to by both Parties, upon the termination of this Agreement or an applicable Addendum, each Party will return the other Party’s Confidential Information.

(b) Use of Customer Data

You agree that Picus Security collects, stores, processes, and tracks personal data entered by You during the registration stage of the Service. Picus Security can also be exposed to certain Customer Data, including but not limited to IP addresses, domain names, threat block or fail status, and others during the execution of the Services. Picus Security will take all the physical, technical, and operational precautionary measures to safeguard your data. By approving this contract, you give Picus Security your express consent to share your personal data and customer data with third parties that it has a relationship to enable the delivery of the service and to provide the platform needs of Picus Security and the promised service in a quality, secure and accurate manner. You can visit https://www.picussecurity.com/privacy for detailed information about our privacy policy.

(c) Use of Accumulated Data

You acknowledge that Picus Security can use the accumulated data of all Service users for statistical purposes and improve its products and services, provided that such data is fully anonymized and cannot be associated with You.

10. Limitation of Remedies and Damages

NOTWITHSTANDING ANYTHING IN THIS AGREEMENT TO THE CONTRARY, PICUS SECURITY, ITS AFFILIATES, ITS LICENSORS, OR AUTHORIZED PARTNERS WILL NOT BE LIABLE FOR ANY INDIRECT, CONSEQUENTIAL, SPECIAL, PUNITIVE, OR INCIDENTAL DAMAGES, WHETHER FORESEEABLE OR UNFORESEEABLE, ARISING OUT OF OR RELATED TO THIS AGREEMENT INCLUDING, BUT NOT LIMITED TO CLAIMS FOR LOSS OF DATA, GOODWILL, OPPORTUNITY, REVENUE, PROFITS, OR USE OF THE PRODUCTS, INTERRUPTION IN USE OR AVAILABILITY OF DATA, STOPPAGE OF OTHER WORK OR IMPAIRMENT OF OTHER ASSETS, PRIVACY, ACCESS TO OR USE OF ANY ADDRESSES, EXECUTABLES OR FILES THAT SHOULD HAVE BEEN LOCATED OR BLOCKED, NEGLIGENCE, BREACH OF CONTRACT, TORT OR OTHERWISE AND THIRD PARTY CLAIMS, EVEN IF PICUS SECURITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. IN NO EVENT WILL PICUS SECURITY’S AGGREGATE LIABILITY ARISING OUT OF OR RELATED TO THIS AGREEMENT EXCEED THE LESSER OF: (A) THE TOTAL AMOUNT RECEIVED BY PICUS SECURITY FOR THE APPLICABLE PRODUCTS OVER THE ONE-YEAR PERIOD PRIOR TO THE EVENT OUT OF WHICH THE CLAIM AROSE FOR THE PRODUCTS THAT DIRECTLY CAUSED THE LIABILITY, OR (B) TEN THOUSAND USD.

11. Warranty Disclaimer

THE SERVICE, ITS SOFTWARE COMPONENTS, ITS REPORTS, AND ALL OTHER DELIVERABLES ARE PROVIDED “AS IS,” AND PICUS SECURITY MAKES NO WARRANTY OR GUARANTEE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUALITY, ACCURACY, AND NON-INFRINGEMENT OF THIRD-PARTY RIGHTS, AND AS TO ITS USE OR PERFORMANCE AND DOES NOT WARRANT OR GUARANTEE THAT THE OPERATION OF THE SOFTWARE WILL BE FAIL-SAFE, UNINTERRUPTED OR FREE FROM ERRORS OR DEFECTS OR THAT THE SOFTWARE WILL PROTECT AGAINST ALL POSSIBLE THREATS OR IDENTIFY ALL POSSIBLE CYBER ATTACKS A SECURITY DEVICE MAY OR MAY NOT PROTECT AGAINST.

12. Export Controls

You acknowledge that the Service and relevant software components are subject to the United States, the United Kingdom, the Republic of Türkiye, and, when applicable, European Union export regulations. You shall comply with the applicable export and import laws and regulations for the jurisdiction in which the Software will be imported and/or exported. You shall not export the Software to any individual, entity, or country prohibited by applicable law or regulation. You are responsible, at your own expense, for any local government permits, licenses, or approvals required for importing and/or exporting the Software.

You warrant and agree that You are not: (i) located in, under the control of, or a national or resident of Cuba, North Korea, Iran, Syria, Sudan etc. (for the full list of countries restricted for assets and trade operations, please visit: https://ofac.treasury.gov/sanctions-programs-and-country-information), and/or (ii) on the U.S. Treasury Department list of Specially Designated Nationals or the U.S. Commerce Department’s Table of Deny Orders.

13. Cancellation of Services and Termination of the Contract by Picus Security

Picus Security may terminate this Agreement with immediate effect and without prior notice in the following cases and cease Service and Use of Services: (i) Without giving a reason at any time it deems necessary, and/or (ii) You Violating the Agreement, and/or (iii) You failing to fully or partially fulfill any of the terms and conditions of this Agreement.

No termination or expiration of this Agreement shall affect any rights of Picus Security, including but not limited to demanding compensation, that shall have accrued or prior to the date of such termination or expiration. Nothing in this Agreement shall constitute a waiver or limitation of any rights that Picus Security may have under applicable law.

You may only use paid software/products during the period for which you have paid the subscription fee.

Upon termination or expiration, You must immediately cease using the software/products and delete all copies of any related software found on Your computer and systems. Upon termination, Picus Security may disable further use of the software/products without further notice and delete any account information.

14. Governing Law and Jurisdiction

For the USA, this Agreement shall be governed by and construed in accordance with the laws of the State of Delaware, USA. The parties irrevocably submit to the non-exclusive jurisdiction of the Delaware courts. Exclusive jurisdiction for litigation of any dispute, controversy, or claim arising out of or in connection with this Agreement or the breach thereof shall be only in Delaware courts with competent jurisdiction in the State of Delaware.

For all other countries except the USA, this Agreement shall be governed by and construed in accordance with the laws of the Republic of Türkiye. The parties irrevocably submit to the non-exclusive jurisdiction of the Ankara courts. Exclusive jurisdiction for litigation of any dispute, controversy, or claim arising out of or in connection with this Agreement or the breach thereof shall be only in the Republic of Türkiye courts with competent jurisdiction in Ankara.

15. Miscellaneous

This Agreement may not be modified except by a written addendum issued by a duly authorized representative of Picus Security. No provision hereof shall be deemed waived unless such waiver shall be in writing and signed by Picus Security. If any provision of this Agreement is invalid, the remainder shall continue in full force and effect.

Each party will comply with all applicable laws and regulations, including those of other jurisdictions that may apply concerning the protection of personal data, disclosure, and anti-bribery. You must obtain any required employee consent addressing the interception, reading, copying, or filtering of emails and their attachments. Neither party will use any data obtained via the Products or Service for any unlawful purpose.

All notices, requests, demands, and determinations for Picus Security under this Agreement (other than routine operational communications) shall be sent to: the applicable entity address on the first page of this Agreement addressed to “Attention: Legal Department.”

Either party may change its contact person for notices and/or address for notice by means of notice to the other party given in accordance with this paragraph. Neither party will be liable for any delay or failure in performance to the extent the delay or failure is caused by events beyond the party’s reasonable control, including fire, flood, natural disasters, pandemic diseases, explosion, war, or the engagement of hostilities, strike, embargo, labor dispute, government requirement, civil disturbances, civil or military authority, disturbances to the Internet or cloud services, delay or failure caused by an interruption or failure of telecommunication or digital transmission links, Internet slow-downs or failures, or other such transmission failures, hardware failure beyond the reasonable control of Picus Security, and inability to secure materials or transportation facilities. This Agreement constitutes the agreement between the parties regarding the subject matter herein. The parties have not relied on any promise, representation, or warranty, express or implied, that is not in this Agreement. Any waiver or modification of this Agreement is only effective if it is in writing and signed by both parties or posted by Picus Security at terms or policies on http://www.picussecurity.com/. All pre-printed or standard terms of your purchase orders or other business processing documents have no effect.

In the event of a conflict between the terms of this Agreement and the terms of an Order, the terms of this Agreement prevail. If any part of this Agreement is found invalid or unenforceable by a court of competent jurisdiction, the remainder of this Agreement shall be interpreted reasonably to affect the parties' intention. Picus Security is not obligated under any other agreements unless they are in writing and signed by an authorized representative of Picus Security.

All provisions relating to confidentiality, proprietary rights, indemnification, and limitations of liability survive the termination of the agreement.

Last Updated: 28.05.2024

1. AGREEMENT TO TERMS

Definition

For the purposes of these Terms of Use:  

    -Affiliate means an entity that controls, is controlled by, or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest, or other securities entitled to vote for the election of directors or other managing authority.

    -Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to Picus Security and all its affiliates listed in Section 20.

    -Device means any device that can access the Service, such as a computer, a cellphone, or a digital tablet.

    -Service refers to the Website.

    -Terms of Use (also referred to as "Terms") mean these Terms of Use that form the entire agreement between You and the Company regarding the use of the Service.

    -Third-party Social Media Service means any services or content (including data, information, products, or services) provided by a third party that may be displayed, included, or made available by the Service.

    -Website refers to PICUS, accessible from (www.picussecurity.com) and (picus.io)

You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

These Terms of Use constitute a legally binding agreement made between you, whether personally or on behalf of an entity (“you”) and Picus Security Inc., doing business as PICUS ("PICUS," “we," “us," or “our”), concerning your access to and use of the http://www.picussecurity.com website as well as any other media form, media channel, mobile website or mobile application related, linked, or otherwise connected thereto (collectively, the “Site”). We are registered in Delaware, United States, and have our registered office at 1401 Pennsylvania Ave Unit 105 STE 104 Wilmington, DE 198063. You agree that by accessing the Site, you have read, understood, and agreed to be bound by all of these Terms of Use. IF YOU DO NOT AGREE WITH ALL OF THESE TERMS OF USE, THEN YOU ARE EXPRESSLY PROHIBITED FROM USING THE SITE AND YOU MUST DISCONTINUE USE IMMEDIATELY.

Supplemental terms and conditions or documents that may be posted on the Site from time to time are hereby expressly incorporated herein by reference. We reserve the right, in our sole discretion, to make changes or modifications to these Terms of Use from time to time. We will alert you about any changes by updating the “Last Updated” date of these Terms of Use, and you waive any right to receive specific notice of each such change. Please ensure that you check the applicable Terms every time you use our Site so that you understand which Terms apply. You will be subject to and will be deemed to have been made aware of and to have accepted the changes in any revised Terms of Use by your continued use of the Site after the date such revised Terms of Use are posted.

The information provided on the Site is not intended for distribution to or use by any person or entity in any jurisdiction or country where such distribution or use would be contrary to law or regulation or which would subject us to any registration requirement within such jurisdiction or country. Accordingly, those persons who choose to access the Site from other locations do so on their own initiative and are solely responsible for compliance with local laws, if and to the extent local laws are applicable.

The Site is not tailored to comply with industry-specific regulations (Health Insurance Portability and Accountability Act (HIPAA), Federal Information Security Management Act (FISMA), etc.), so if your interactions would be subjected to such laws, you may not use this Site. You may not use the Site in a way that would violate the Gramm-Leach-Bliley Act (GLBA).

The Site is intended for users who are at least 18 years old. Persons under the age of 18 are not permitted to use or register for the Site.

2. INTELLECTUAL PROPERTY RIGHTS

Unless otherwise indicated, the Site is our proprietary property and all source code, databases, functionality, software, website designs, audio, video, text, photographs, and graphics on the Site (collectively, the “Content”) and the trademarks, service marks, and logos contained therein (the “Marks”) are owned or controlled by us or licensed to us, and are protected by copyright and trademark laws and various other intellectual property rights and unfair competition laws of the United States, international copyright laws, and international conventions. The Content and the Marks are provided on the Site “AS IS” for your information and personal use only. Except as expressly provided in these Terms of Use, no part of the Site and no Content or Marks may be copied, reproduced, aggregated, republished, uploaded, posted, publicly displayed, encoded, translated, transmitted, distributed, sold, licensed, or otherwise exploited for any commercial purpose whatsoever, without our express prior written permission.

Provided that you are eligible to use the Site, you are granted a limited license to access and use the Site and to download or print a copy of any portion of the Content to which you have properly gained access solely for your personal, non-commercial use. We reserve all rights not expressly granted to you in and to the Site, the Content, and the Marks.

3. USER REPRESENTATIONS

By using the Site, you represent and warrant that: (1) all registration information you submit will be true, accurate, current, and complete; (2) you will maintain the accuracy of such information and promptly update such registration information as necessary; (3) you have the legal capacity and you agree to comply with these Terms of Use; (4) you are not a minor in the jurisdiction in which you reside; (5) you will not access the Site through automated or non-human means, whether through a bot, script, or otherwise; (6) you will not use the Site for any illegal or unauthorized purpose; and (7) your use of the Site will not violate any applicable law or regulation.

If you provide any information that is untrue, inaccurate, not current, or incomplete, we have the right to suspend or terminate your account and refuse any and all current or future use of the Site (or any portion thereof).

4. USER REGISTRATION

You may be required to register with the Site. You agree to keep your password confidential and will be responsible for all use of your account and password. We reserve the right to remove, reclaim, or change a username you select if we determine, in our sole discretion, that such username is inappropriate, obscene, or otherwise objectionable.

5. PROHIBITED ACTIVITIES

You may not access or use the Site for any purpose other than that for which we make the Site available. The Site may not be used in connection with any commercial endeavors except those that are specifically endorsed or approved by us.

As a user of the Site, you agree not to:

    -Systematically retrieve data or other content from the Site to create or compile, directly or indirectly, a collection, compilation, database, or directory without written permission from us.

    -Trick, defraud, or mislead us and other users, especially in any attempt to learn sensitive account information such as user passwords.

    -Circumvent, disable, or otherwise interfere with security-related features of the Site, including features that prevent or restrict the use or copying of any Content or enforce limitations on the use of the Site and/or the Content contained therein.

    -Disparage, tarnish, or otherwise harm, in our opinion, us and/or the Site. 

    -Use any information obtained from the Site in order to harass, abuse, or harm another person.

    -Make improper use of our support services or submit false reports of abuse or misconduct.

    -Use the Site in a manner inconsistent with any applicable laws or regulations. 

    -Engage in unauthorized framing of or linking to the Site.

    -Upload or transmit (or attempt to upload or to transmit) viruses, Trojan horses, or other material, including excessive use of capital letters and spamming (continuous posting of repetitive text), that interferes with any party’s uninterrupted use and enjoyment of the Site or modifies, impairs, disrupts, alters, or interferes with the use, features, functions, operation, or maintenance of the Site.

    -Engage in any automated use of the system, such as using scripts to send comments or messages, or using any data mining, robots, or similar data gathering and extraction tools.

    -Delete the copyright or other proprietary rights notice from any Content. 

    -Attempt to impersonate another user or person or use the username of another user.

    -Upload or transmit (or attempt to upload or to transmit) any material that acts as a passive or active information collection or transmission mechanism, including without limitation, clear graphics interchange formats (“gifs”), 1×1 pixels, web bugs, cookies, or other similar devices (sometimes referred to as “spyware” or “passive collection mechanisms” or “pcms”).

    -Interfere with, disrupt, or create an undue burden on the Site or the networks or services connected to the Site.

    -Harass, annoy, intimidate, or threaten any of our employees or agents engaged in providing any portion of the Site to you.

    -Attempt to bypass any measures of the Site designed to prevent or restrict access to the Site, or any portion of the Site.

    -Copy or adapt the Site’s software, including but not limited to Flash, PHP, HTML, JavaScript, or other code.

    -Except as permitted by applicable law, decipher, decompile, disassemble, or reverse engineer any of the software comprising or in any way making up a part of the Site.

    -Except as may be the result of the standard search engine or Internet browser usage, use, launch, develop, or distribute any automated system, including without limitation, any spider, robot, cheat utility, scraper, or offline reader that accesses the Site, or using or launching any unauthorized script or other software.

    -Use a buying agent or purchasing agent to make purchases on the Site.

    -Make any unauthorized use of the Site, including collecting usernames and/or email addresses of users by electronic or other means for the purpose of sending unsolicited email, or creating user accounts by automated means or under false pretenses.

    -Use the Site as part of any effort to compete with us or otherwise use the Site and/or the Content for any revenue-generating endeavor or commercial enterprise.

    -Use the Site to advertise or offer to sell goods and services. 

    -Sell or otherwise transfer your profile.

6. USER GENERATED CONTRIBUTIONS

The Site does not offer users to submit or post content. We may provide you with the opportunity to create, submit, post, display, transmit, perform, publish, distribute, or broadcast content and materials to us or on the Site, including but not limited to text, writings, video, audio, photographs, graphics, comments, suggestions, or personal information or other material (collectively, "Contributions"). Contributions may be viewable by other users of the Site and through third-party websites. As such, any Contributions you transmit may be treated in accordance with the Site Privacy Policy. When you create or make available any Contributions, you thereby represent and warrant that:

    -The creation, distribution, transmission, public display, or performance, and the accessing, downloading, or copying of your Contributions do not and will not infringe the proprietary rights, including but not limited to the copyright, patent, trademark, trade secret, or moral rights of any third party.

    -You are the creator and owner of or have the necessary licenses, rights, consents, releases, and permissions to use and to authorize us, the Site, and other users of the Site to use your Contributions in any manner contemplated by the Site and these Terms of Use.

    -You have the written consent, release, and/or permission of each and every identifiable individual person in your Contributions to use the name or likeness of each and every such identifiable individual person to enable inclusion and use of your Contributions in any manner contemplated by the Site and these Terms of Use.

    -Your Contributions are not false, inaccurate, or misleading.

    -Your Contributions are not unsolicited or unauthorized advertising, promotional materials, pyramid schemes, chain letters, spam, mass mailings, or other forms of solicitation.

    -Your Contributions are not obscene, lewd, lascivious, filthy, violent, harassing, libelous, slanderous, or otherwise objectionable (as determined by us). Your Contributions do not ridicule, mock, disparage, intimidate, or abuse anyone.

    -Your Contributions are not used to harass or threaten (in the legal sense of those terms) any other person and to promote violence against a specific person or class of people.

    -Your Contributions do not violate any applicable law, regulation, or rule. 

    -Your Contributions do not violate the privacy or publicity rights of any third party.

    -Your Contributions do not violate any applicable law concerning child pornography or otherwise intended to protect the health or well-being of minors.

    -Your Contributions do not include any offensive comments that are connected to race, national origin, gender, sexual preference, or physical handicap.

Any use of the Site in violation of the foregoing violates these Terms of Use and may result in, among other things, termination or suspension of your rights to use the Site.

7. CONTRIBUTION LICENSE

You and the Site agree that we may access, store, process, and use any information and personal data that you provide following the terms of the Privacy Policy and your choices (including settings).

By submitting suggestions or other feedback regarding the Site, you agree that we can use and share such feedback for any purpose without compensation to you.

We do not assert any ownership over your Contributions. You retain full ownership of all of your Contributions and any intellectual property rights or other proprietary rights associated with your Contributions. We are not liable for any statements or representations in your Contributions provided by you in any area on the Site. You are solely responsible for your Contributions to the Site and you expressly agree to exonerate us from any and all responsibility and to refrain from any legal action against us regarding your Contributions.

8. SUBMISSIONS

You acknowledge and agree that any questions, comments, suggestions, ideas, feedback, or other information regarding the Site ("Submissions") provided by you to us are non-confidential and shall become our sole property. We shall own exclusive rights, including all intellectual property rights, and shall be entitled to the unrestricted use and dissemination of these Submissions for any lawful purpose, commercial or otherwise, without acknowledgment or compensation to you. You hereby waive all moral rights to any such Submissions, and you hereby warrant that any such Submissions are original with you or that you have the right to submit such Submissions. You agree there shall be no recourse against us for any alleged or actual infringement or misappropriation of any proprietary right in your Submissions.

9. SITE MANAGEMENT

We reserve the right, but not the obligation, to: (1) monitor the Site for violations of these Terms of Use; (2) take appropriate legal action against anyone who, in our sole discretion, violates the law or these Terms of Use, including without limitation, reporting such user to law enforcement authorities; (3) in our sole discretion and without limitation, refuse, restrict access to, limit the availability of, or disable (to the extent technologically feasible) any of your Contributions or any portion thereof; (4) in our sole discretion and without limitation, notice, or liability, to remove from the Site or otherwise disable all files and content that are excessive in size or are in any way burdensome to our systems; and (5) otherwise manage the Site in a manner designed to protect our rights and property and to facilitate the proper functioning of the Site.

10. PRIVACY POLICY

We care about data privacy and security. Please review our Privacy Policy: https://www.picussecurity.com/privacy. By using the Site, you agree to be bound by our Privacy Policy, which is incorporated into these Terms of Use. Please be advised the Site is hosted in the United States. If you access the Site from any other region of the world with laws or other requirements governing personal data collection, use, or disclosure that differ from applicable laws in the United States, then through your continued use of the Site, you are transferring your data to the United States, and you agree to have your data transferred to and processed in the United States.

11. TERM AND TERMINATION

These Terms of Use shall remain in full force and effect while you use the Site. WITHOUT LIMITING ANY OTHER PROVISION OF THESE TERMS OF USE, WE RESERVE THE RIGHT TO, IN OUR SOLE DISCRETION AND WITHOUT NOTICE OR LIABILITY, DENY ACCESS TO AND USE OF THE SITE (INCLUDING BLOCKING CERTAIN IP ADDRESSES), TO ANY PERSON FOR ANY REASON OR FOR NO REASON, INCLUDING WITHOUT LIMITATION FOR BREACH OF ANY REPRESENTATION, WARRANTY, OR COVENANT CONTAINED IN THESE TERMS OF USE OR OF ANY APPLICABLE LAW OR REGULATION. WE MAY TERMINATE YOUR USE OR PARTICIPATION IN THE SITE OR DELETE YOUR ACCOUNT AND ANY CONTENT OR INFORMATION THAT YOU POSTED AT ANY TIME, WITHOUT WARNING, AT OUR SOLE DISCRETION.

If we terminate or suspend your account for any reason, you are prohibited from registering and creating a new account under your name, a fake or borrowed name, or the name of any third party, even if you may be acting on behalf of the third party. In addition to terminating or suspending your account, we reserve the right to take appropriate legal action, including without limitation pursuing civil, criminal, and injunctive redress.

12. MODIFICATIONS AND INTERRUPTIONS

We reserve the right to change, modify, or remove the contents of the Site at any time or for any reason at our sole discretion without notice. However, we have no obligation to update any information on our Site. We also reserve the right to modify or discontinue all or part of the Site without notice at any time. We will not be liable to you or any third party for any modification, price change, suspension, or discontinuance of the Site.

We cannot guarantee the Site will be available at all times. We may experience hardware, software, or other problems or need to perform maintenance related to the Site, resulting in interruptions, delays, or errors. We reserve the right to change, revise, update, suspend, discontinue, or otherwise modify the Site at any time or for any reason without notice to you. You agree that we have no liability whatsoever for any loss, damage, or inconvenience caused by your inability to access or use the Site during any downtime or discontinuance of the Site. Nothing in these Terms of Use will be construed to obligate us to maintain and support the Site or to supply any corrections, updates, or releases in connection therewith.

13. GOVERNING LAW

These Terms of Use and your use of the Site are governed by and construed in accordance with the laws of the State of Delaware applicable to agreements made and to be entirely performed within the State of Delaware, without regard to its conflict of law principles.

14. DISPUTE RESOLUTION

Informal Negotiations

To expedite resolution and control the cost of any dispute, controversy or claim related to these Terms of Use (each "Dispute" and collectively, the “Disputes”) brought by either you or us (individually, a “Party” and collectively, the “Parties”), the Parties agree to first attempt to negotiate any Dispute (except those Disputes expressly provided below) informally for at least thirty (30) days before initiating the arbitration. Such informal negotiations commence upon written notice from one Party to the other Party.

Binding Arbitration

Any dispute arising from the relationships between the Parties to this contract shall be determined by one arbitrator who will be chosen in accordance with the Arbitration and Internal Rules of the European Court of Arbitration being part of the European Centre of Arbitration having its seat in Strasbourg, and which are in force at the time the application for arbitration is filed, and of which adoption of this clause constitutes acceptance. The seat of arbitration shall be London, United Kingdom. The language of the proceedings shall be English. Applicable rules of substantive law shall be the law of the United Kingdom.

Restrictions

The Parties agree that any arbitration shall be limited to the Dispute between the Parties individually. To the full extent permitted by law, (a) no arbitration shall be joined with any other proceeding; (b) there is no right or authority for any Dispute to be arbitrated on a class-action basis or to utilize class action procedures, and (c) there is no right or authority for any Dispute to be brought in a purported representative capacity on behalf of the general public or any other persons.

Exceptions to Informal Negotiations and Arbitration

The Parties agree that the following Disputes are not subject to the above provisions concerning informal negotiations and binding arbitration: (a) any Disputes seeking to enforce or protect, or concerning the validity of, any of the intellectual property rights of a Party; (b) any Dispute related to or arising from, allegations of theft, piracy, invasion of privacy, or unauthorized use; and (c) any claim for injunctive relief. If this provision is found to be illegal or unenforceable, then neither Party will elect to arbitrate any Dispute falling within that portion of this provision found to be illegal or unenforceable, and such Dispute shall be decided by a court of competent jurisdiction within the courts listed for jurisdiction above, and the Parties agree to submit to the personal jurisdiction of that court.

15. CORRECTIONS

There may be information on the Site that contains typographical errors, inaccuracies, or omissions, including descriptions, pricing, availability, and various other information. We reserve the right to correct any errors, inaccuracies, or omissions and to change or update the information on the Site at any time, without prior notice.

16. DISCLAIMER

The Service is provided to You "AS IS" and "AS AVAILABLE" and with all faults and defects without warranty of any kind. To the maximum extent permitted under applicable law, the Company, on its own behalf and on behalf of its Affiliates and its and their respective licensors and service providers, expressly disclaims all warranties, whether express, implied, statutory or otherwise, with respect to the Service, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement, and warranties that may arise out of course of dealing, course of performance, usage or trade practice. Without limitation to the foregoing, the Company provides no warranty or undertaking, and makes no representation of any kind that the Service will meet Your requirements, achieve any intended results, be compatible or work with any other software, applications, systems or services, operate without interruption, meet any performance or reliability standards or be error free or that any errors or defects can or will be corrected.

Without limiting the foregoing, neither the Company nor any of the Company's providers makes any representation or warranty of any kind, express or implied: (i) as to the operation or availability of the Service, or the information, content, and materials or products included thereon; (ii) that the Service will be uninterrupted or error-free; (iii) as to the accuracy, reliability, or currency of any information or content provided through the Service; or (iv) that the Service, its servers, the content, or e-mails sent from or on behalf of the Company are free of viruses, scripts, trojan horses, worms, malware, timebombs or other harmful components.

Some jurisdictions do not allow the exclusion of certain types of warranties or limitations on applicable statutory rights of a consumer, so some or all of the above exclusions and limitations may not apply to You. But in such a case the exclusions and limitations set forth in this section shall be applied to the greatest extent enforceable under applicable law.

17. LIMITATIONS OF LIABILITY

IN NO EVENT WILL WE OR OUR DIRECTORS, EMPLOYEES, OR AGENTS BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY DIRECT, INDIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, SPECIAL, OR PUNITIVE DAMAGES, INCLUDING LOST PROFIT, LOST REVENUE, LOSS OF DATA, OR OTHER DAMAGES ARISING FROM YOUR USE OF THE SITE, EVEN IF WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.

18. INDEMNIFICATION

You agree to defend, indemnify, and hold us harmless, including our subsidiaries, affiliates, and all of our respective officers, agents, partners, and employees, from and against any loss, damage, liability, claim, or demand, including reasonable attorneys’ fees and expenses, made by any third party due to or arising out of: (1) use of the Site; (2) breach of these Terms of Use; (3) any breach of your representations and warranties set forth in these Terms of Use; (4) your violation of the rights of a third party, including but not limited to intellectual property rights; or (5) any overt harmful act toward any other user of the Site with whom you connected via the Site. Notwithstanding the foregoing, we reserve the right, at your expense, to assume the exclusive defense and control of any matter for which you are required to indemnify us, and you agree to cooperate, at your expense, with our defense of such claims. We will use reasonable efforts to notify you of any such claim, action, or proceeding which is subject to this indemnification upon becoming aware of it.

19. USER DATA

We will maintain certain data that you transmit to the Site for the purpose of managing the performance of the Site, as well as data relating to your use of the Site. Although we perform regular routine backups of data, you are solely responsible for all data that you transmit or that relates to any activity you have undertaken using the Site. You agree that we shall have no liability to you for any loss or corruption of any such data, and you hereby waive any right of action against us arising from any such loss or corruption of such data.

20. AFFILIATES

Picus Bilişim Güvenlik Ticaret A.Ş.; Picus Security, Inc.; Picus Security US, LLC.

21. ELECTRONIC COMMUNICATIONS, TRANSACTIONS, AND SIGNATURES

Visiting the Site, sending us emails, and completing online forms constitute electronic communications. You consent to receive electronic communications, and you agree that all agreements, notices, disclosures, and other communications we provide to you electronically, via email, and on the Site, satisfy any legal requirement that such communication be in writing. YOU HEREBY AGREE TO THE USE OF ELECTRONIC SIGNATURES, CONTRACTS, ORDERS, AND OTHER RECORDS, AND TO ELECTRONIC DELIVERY OF NOTICES, POLICIES, AND RECORDS OF TRANSACTIONS INITIATED OR COMPLETED BY US OR VIA THE SITE. You hereby waive any rights or requirements under any statutes, regulations, rules, ordinances, or other laws in any jurisdiction which require an original signature or delivery or retention of non-electronic records, or to payments or the granting of credits by any means other than electronic means.

22. FOR EUROPEAN UNION (EU) USERS

If You are a European Union consumer, you will benefit from any mandatory provisions of the law of the country in which you are resident.

23. UNITED STATES LEGAL COMPLIANCE

You represent and warrant that (i) You are not located in a country that is subject to the United States government embargo, or that has been designated by the United States government as a "terrorist supporting" country, and (ii) You are not listed on any United States government list of prohibited or restricted parties.

24. CALIFORNIA USERS AND RESIDENTS

If any complaint with us is not satisfactorily resolved, you can contact the Complaint Assistance Unit of the Division of Consumer Services of the California Department of Consumer Affairs in writing at 1625 North Market Blvd., Suite N 112, Sacramento, California 95834 or by telephone at (800) 952-5210 or (916) 445-1254.

25. MISCELLANEOUS

These Terms of Use and any policies or operating rules posted by us on the Site or in respect to the Site constitute the entire agreement and understanding between you and us. Our failure to exercise or enforce any right or provision of these Terms of Use shall not operate as a waiver of such right or provision. These Terms of Use operate to the fullest extent permissible by law. We may assign any or all of our rights and obligations to others at any time. We shall not be responsible or liable for any loss, damage, delay, or failure to act caused by any cause beyond our reasonable control. If any provision or part of a provision of these Terms of Use is determined to be unlawful, void, or unenforceable, that provision or part of the provision is deemed severable from these Terms of Use and does not affect the validity and enforceability of any remaining provisions. There is no joint venture, partnership, employment, or agency relationship created between you and us as a result of these Terms of Use or use of the Site. You agree that these Terms of Use will not be construed against us by virtue of having drafted them. You hereby waive any and all defenses you may have based on the electronic form of these Terms of Use and the lack of signing by the parties hereto to execute these Terms of Use.

26. CONTACT US

In order to resolve a complaint regarding the Site or to receive further information regarding the use of the Site, please contact us at:

Picus Security Inc.

1401 Pennsylvania Avenue Unit 105 Suite 104, Wilmington, DE 19806

info@picussecurity.com

Picus Security Inc. (“Picus” or “Company”), which is a pioneer in violation and attack simulation technologies, serves many institutions and organizations domestically and abroad with its new and integrated approach in the field of information technologies. For Picus, which works on security services in the field of information technologies, protecting personal data is extremely important.

Picus has set a target to act in accordance with the Personal Data Protection Law ("PDPL")  numbered 6698 that is in force in Turkey and with other legal practices accepted in the  international arena as well. In this context, this Clarification Text for the Protection and  Processing of Personal Data (“Clarification Text”) has been prepared in order to enlighten the  relevant persons regarding general conditions regarding how and for what purpose the  Personal Data is processed, how they are protected and how long they are stored by Picus,  from its customers, potential customers, suppliers, business partners and their employees  and officials, visitors, employees, ex-employees and candidate employees, and also to third  parties whose personal data is processed for business transactions while maintaining their  business relations with Picus.  

All the concepts and expressions in this Clarification Text will express the meaning ascribed  to them in PDPL and other legislation.  

In the event of inconsistency between the KVKK and other relevant legislative provisions and  this Clarification Text, the KVKK and other relevant legislative provisions will be applied first.  Our company takes the necessary technical and administrative measures to ensure the  security of personal data. This text can be changed if deemed necessary according to the  current legislation and the practices of our Company. You can access the final version of the  text from our website www.picussecurity.com ("Website").  

  1. THE CONDITIONS OF PROCESSING PERSONAL DATA 

All personal data processed by Picus are processed in accordance with PDPL and related  legislation. In accordance with Article 4 of PDPL, the basic principles to be applied in the  processing of your personal data are listed.  

The personal data are processed by Picus;  

- With the purchase of Picus products and / or services;  

- When you offer products or services to Picus;  

- When you contact Picus by any means;  

- When you request or choose to receive commercial electronic messages we send for  marketing;  

- When you apply for a job at Picus and / or start working at Picus;  

- When you attend our events and organizations organized by Picus and

- When you visit our Website

in accordance with the rules determined in this Clarification Text and / or its annexes.

Picus complies with the rules stated in the scope of PDPL and the following basic principles:

    -Processing in accordance with the law and honesty rule. 

    -Ensuring that personal data are accurate and up to date when necessary. 

    -Operation for specific, clear and legitimate purposes. 

    -Being connected, limited and restrained for the purpose for which they are processed.

    -Storage for the period required by the relevant legislation or for the purpose for which  they are processed.  

Within the scope of the services it provides, Picus processes some commercial, legal and / or personal data regarding its customers, potential customers, suppliers, business partners and their employees and officials, visitors, employees, ex-employees and employee candidates, as well as third parties whose personal data are processed in accordance with their business processes. This data will be protected with the same care that Picus applies to its own data, even if it is not specified as a trade secret in accordance with a contract or the applicable legislation, unless Picus is required to share it with third parties within the scope of the service provided under the contractual relationship, and unless otherwise specified in the applicable legislation.

The e-mail addresses, names and surnames, Turkish ID no, identification information,  addresses or phone numbers of customers, potential customers, suppliers, business  partners and their employees and officials, visitors, employees, ex-employees and employee  candidates as well as third parties whose personal data are processed in accordance with  their business processes, can be processed by Picus. In addition, via the website, your IP  address, the start and end information about your use, the type and scope of your use, and  the type of your browser and operating system are also recorded.  

In addition to these, if you upload your name and surname, title, phone number, e-mail  address, personal messages and similar information to the website through forms available  at various locations on the Website, and thus share this information with Picus, we process  this information you provide in accordance with your request and for the purposes of the  services offered by Picus.  

Our website uses Google Analytics, an analysis service of Google Inc. ("Google"). On the  other hand, Google Analytics uses “cookies”, that is, text files that are saved on your  computer and enable the use of the website to be analyzed. The information generated by  cookies about the use of the website is transmitted to and stored on a Google server in the  USA. Upon the instruction of the operator of this website, Google uses this information to  prepare reports to evaluate your use and to provide related services. The IP address  transmitted from your browser within the framework of Google Analytics is not combined with  other data of Google. If you do not want these cookies to be stored, you can make settings  accordingly in your browser. In addition, our website uses AdWords and double-click-Cookies  for statistical purposes. If you do not want these tools to be used, you can disable them by  setting them in your browser. However, we would like to state that in this case, you may not  be able to use all the functions on the website completely.  

We use third-party cookies and our own cookies to show you personalized ads on websites.  This is called "retargeting" and aims to base your clicks on the pages you browse on our  website, the products you display, and the advertising space shown to you. We also use  cookies as part of our online marketing campaigns to see how users interact with our website  after online ads are shown, including those on third-party websites. You can delete these  cookies from your browser at any time.  

Special categories of personal data are not processed by Picus without the informed explicit consent of the relevant person.

The personal data processed may differ in relation to the products and / or services offered by Picus. Personal data collected orally, in writing or electronically via online or offline means, during the period of use of the products and services offered by Picus, are processed with the consent of the person before the effective date of Personal Data Protection Law no. 6698 or explicit consent after the effective date of the law, or within the framework of the rules and conditions specified in the Personal Data Protection Law.

BASIC PRINCIPLES FOR PROCESSING OF THE PERSONAL DATA  

Personal data is processed on condition that it is required to obtain open consent in accordance with the applicable legislation or without explicit consent, unless explicit consent is required under the applicable legislation, in line with the objectives of the services provided by Picus, in order for Picus to continue its activities, to provide better service, to measure and improve the quality of its service, to determine the preferences and needs of our dealers, suppliers, customers and employees, to process and evaluate job applications, to provide communication with people who have a business relationship with our company, to comply with the current legislation, to send bulletins by e-mail and to make notifications.

The personal data will only be collected within the scope of Picus activities, will be used in  connection with the purposes of collection, will be stored for the periods required by the  processing purposes, will not be processed in excess of the rules and exceptions specified in  the current legislation, and in cases where the reasons requiring its processing disappear,  with the exception of situations arising from other legislation in force, will be deleted,  destroyed or anonymized.  

Keeping the personal data accurate and up-to-date is one of our primary goals. For this  reason, our Company meets the technical and administrative requirements required to keep  personal data accurate and up-to-date.  

Only authorized persons can access personal data and unauthorized persons working in our Company and / or having a contractual relationship with our Company are prohibited from accessing personal data. In this context, we would like to state that our Company takes the necessary measures to ensure the security and confidentiality of personal data.

  1. TRANSFER OF THE PERSONAL DATA 

Transfer of the Personal Data Domestically  

Picus is under the responsibility of acting in accordance with primarily art. 8 of PDPL and the  decisions and related regulations envisaged in the PDPL and taken by the Board. As a rule,  personal data and special categories of data cannot be transferred to other real persons or  legal entities by Picus without the explicit consent of the relevant person.  

However, in cases foreseen in Articles 5 and 6 of PDPL, transfer is possible without the  explicit consent of the relevant person. Picus, in accordance with the conditions stipulated in  PDPL and other relevant legislation and by taking the security measures specified in the  legislation; can transfer the personal data to third parties unless otherwise arranged in law or  other relevant legislation in Turkey.  

Transfer of the Personal Data Abroad 

Picus can transfer the personal data abroad by processing the personal data in Turkey or to  be processed and stored outside of Turkey, in accordance with the conditions foreseen in  PDPL and by taking security measures specified in the legislation.  

We transfer your personal data abroad by taking the necessary technical and administrative  measures, through cloud informatics technology, to take advantage of the opportunities of  technology in order to carry out our company activities in the most efficient way and to  provide services at world standards.  

We work with the above mentioned service providers for the purposes of developing our  websites and platforms, increasing the variety of products and services and measuring the  user experience according to the preferences of our customers and users. We would like to  point out that you should also review the policies of the relevant service providers, as Picus  has no responsibility for the policies of the respective service providers for processing  personal data. 

  1. RIGHTS OF THE RELEVANT PERSON 

Regarding the processing of personal data, according to the definition specified in the  legislation, the data controller is Picus Informatics Security trade INC.  

In accordance with Article 11 of PDPL, the relevant persons have the right, by applying to Picus, to: learn whether your personal data is processed; request information if it is processed; request the purpose of processing your personal data and whether it is used in accordance with its purpose; know the third parties to whom the personal data is transferred; request correction of personal data if it is incomplete or incorrectly processed; request the deletion or removal of your personal data; request a notification for the third parties to whom their personal data are transferred about the deletion or removal process; object to the emergence of a result against you by analyzing your processed personal data exclusively with automated systems; and request the compensation of your loss if you are harmed due to illegal processing of personal data.

To use these specified rights arising from the current legislation, you need to make a written application to the address of the Company given below or fill in the Application Form with the registered electronic mail (REM) address, secure electronic signature or mobile signature, adding the following information and documents according to Article 13 of PDPL: your name, last name and signature; if you are a citizen of the Republic of Turkey, your Turkish ID number; if you are not a citizen of the Republic of Turkey, your nationality, passport number, if you have one, your ID number; your location or workplace address that is set for notifications; the main e-mail address and telephone number that are set for notifications; your demand issues; and other necessary information and documents to be used for identification.

The application made by you or your authorized representative will be evaluated by our Company and concluded free of charge within thirty days.

Application methods and addresses are as follows:

| Application methods | The addresses where application can be made |
| --- | --- |
| The applicant can apply by filling out the Application Form with the necessary information and documents that is required to determine his/her identity by coming to the address of Picus Security Inc. | www.picussecurity.com |
| The applicant, him/herself or by a Proxy who is authorized to represent, can apply by filling out the Application Form and sending it to the address of Picus Informatics Security trade INC. through notary or certified mail. | Üniversiteler Mah. 1596 Cad. Arge 1 No:12 Beytepe 06800 Çankaya/ ANKARA |
| The applicant can apply with an electronic mail registered with a secure electronic signature. | picusbilisim@hs01.kep.tr |

 

Picus Security, Inc. is based in the state of Delaware in the United States. The Website can be accessed from countries around the world. Access to the Website may not be legal by certain persons or in certain jurisdictions. If you access the Website from outside the United States, you do so on your initiative and are responsible for compliance with all laws applicable to you, including local laws. Access to the Website from jurisdictions where the Website or any of its services or products are illegal is prohibited.

You may not access, download, use, or export materials posted to the Website in violation of U.S. export laws or regulations or violation of any other applicable export or import laws or regulations. You agree to comply with all export laws, restrictions, and regulations of any United States or foreign agency or authority.

Without limiting the foregoing, you represent and warrant that you are not located in, and shall not use the Website from, any country that is subject to U.S. export restrictions.

At PICUS, we value transparent and straightforward communication with our customers, partners, and community. For any concerns or issues, please contact us at info@picussecurity.com. Your feedback is crucial, and we are dedicated to addressing grievances quickly and effectively.

Data Subject Requests

In Picus, we respect your data privacy rights. If you want to exercise your data subject rights, please fill out the form here. Upon your submission, we will share the related data subject request form with you, depending on the legal source of your request.

Sub-Processors

Picus engages and uses certain sub-processors to deliver its products and services. These sub-processors are third-party services or entities authorized by Picus to process personal data on behalf of Picus’s customers, in accordance with the Data Processing Agreements (DPA) signed between Picus and each sub-processor. Picus conducts an annual compliance review of its sub-processors as part of its Third Party Risk Management program.

Security Policies and Practices

At Picus, we deeply integrate security into our company culture. Our dedication to safeguarding information and assets is also reflected in the comprehensive set of corporate documents and practices we maintain. Below, you can find a selection of these resources, highlighting the key elements that help us build and maintain a strong, well-tested, and continuously validated security posture.

a) Corporate Security Documents

PICUS ensures that its business processes, products, services, and corporate identity are fully aligned with information security principles and policies. As a leading company in the sector, these assurances are effectively implemented to protect and maintain trust with all stakeholders, including partners, customers, and employees.

PICUS has established an Information Security Management System (ISMS) to maintain the confidentiality, integrity and availability of information.  By implementing robust asset and risk management processes, the ISMS provides assurance that risks are effectively addressed and being managed.

The ISMS is integrated into PICUS's corporate processes and overall management structure. Information security processes were taken into account in the design of information systems and controls and scaled in line with the needs of PICUS.

PICUS has targeted the ISO/IEC 27001:2022 in accordance with the scope of ISMS it is applying and can use this standard to demonstrate to internal and external stakeholders the ability of PICUS to meet their information security requirements.

Information Security Policy expresses requirements, definitions, rules, practices, responsibilities and workflows based on business needs and regulated according to relevant laws and standards, in line with and supporting PICUS's corporate business objectives. The information security policy created for this purpose will provide the following basic requirements:

  • Supporting business strategy and corporate goals
  • To comply with laws, standards and contracts.
  • Documenting the ISMS in a way that fulfills the requirements of the ISO/IEC 27001:2013 standard, making it a corporate culture and continuously improving it
  • Managing existing and anticipated information security processes, risks and threat environment
  • To implement effective risk management to keep the confidentiality, integrity and availability values of all assets and processes within the scope of ISMS belonging to PICUS, especially information assets and business processes, above an acceptable level
  • To create information security awareness of PICUS employees, partners and stakeholders with ISMS and inform everyone about Information Security Policy and ISMS practices.
  • To ensure information security in PICUS business processes, to increase the quality of its products and services and the efficiency of the processes, thanks to ISMS; provide the necessary assurance to its employees, stakeholders and partners

This policy aims to guide all activities related to information security in PICUS and to reveal information security processes and controls with the support of sub-documents.

Last update: 14.10.2024

The Business Continuity policy has been established in order to operate, manage, measure, and continuously improve the business continuity management system within PICUS, in line with and supporting the corporate business objectives of PICUS. It refers to definitions, rules, practices, responsibilities, and workflows based on business needs and regulated by relevant laws and standards. This policy is in an active relationship with ISMS, PIMS and IT SMS and aims to progress through common values in necessary process management.

This policy will guide all activities of PICUS related to business continuity and will provide the following basic requirements:

a) Supporting business strategy and corporate objectives
b) Complying with laws, standards, and contracts
c) Managing existing and anticipated business continuity processes, risks, and threat environment
d) To ensure the continuity of all assets and processes within the scope of PICUS' BCMS, especially information assets and processes.

While PICUS meets business continuity requirements, it has planned, implemented, and regularly controlled the processes necessary to carry out activities that address risks and opportunities. It implements determined plans and exercises to achieve these goals. It retains written information to the point where it is certain that these processes are carried out as planned, reviews the results of undesired changes by controlling the testing and exercises processes, as well as planned changes, and can take new actions if necessary to mitigate negative effects.

Based on the business impact analysis and risk assessment outputs, PICUS has defined business continuity strategies that consider all options before, during and after the disruption and has created the necessary process for implementing the solutions and resource requirements that can select the appropriate ones. In this context, processes, business continuity plans and recovery methods have been established to provide timely warnings to the parties, ensure communication, and provide management and guidance during a disruption. Regular and scheduled exercises and controls are also provided for the approval, verification, testing and updating of business continuity and plans.

PICUS's risk management framework covers the identification, assessment and improvement of business continuity risks. The risk assessment and risk improvement plan define how business continuity risks are controlled along with information security risks. The Information Security Committee is responsible for the management and realization of this plan.

The business continuity policy is reviewed at regular intervals or when significant changes occur by Senior Management in order to measure the operability of the system and is updated as needed to ensure continuous suitability, accuracy, and effectiveness.

This policy is intended to be accessible and understandable to all employees and the target audience, including relevant external parties. All employees and external parties defined in the BCMS are obliged to comply with this policy and the processes supporting this policy.

Last update: 14.10.2024

PICUS, business processes, and customer services are in full compliance with the IT Service Management principle and policy. It is a leading company in its sector, operating effectively against its Stakeholders, Customers, and Employees.

The Service Management Policy has been established to operate, manage, measure, and continuously improve the information technology service management system within PICUS and has been approved by the highest level of management. With this policy, PICUS will provide the following basic requirements to manage its service management purposes and achieve the determined business objectives:

a) Supporting business strategy and corporate goals
b) To comply with laws, standards, and contracts
c) To manage the objectives, processes, and risks of current and anticipated service management,
d) Keeping information technology services operational, managing changes, and using information technology services according to business needs
e) To ensure the success, performance, and quality of all services and processes within the scope of PICUS's IT SMS, in line with the targets
f) Ensuring that all services determined by service catalogs within the scope of IT SMS are provided in accordance with the Service Level Agreements (SLA), their performance is measured and reported; To increase customer satisfaction by providing continuous improvement in line with technological changes and business requirements
g) To manage accessibility and capacity by making the necessary monitoring and to reduce costs by making the right financial and resource management.

The service management policy is reviewed at regular intervals or when significant changes occur in order to measure the operability of the system and services, in order to ensure continuous suitability, accuracy, and effectiveness, and is approved by the Senior Management.

Last Update: 14.10.2024

The purpose of this policy is to explain the basics of use necessary to ensure that all employees pay due attention and care to PICUS Information Security policies and procedures in the processes of using all kinds of communication and information networks and services within the scope of the Management System.

PICUS communication and information systems, including software, enterprise applications, processes, information assets, and hardware such as Internet, e-mail, telephone, pagers, fax, computers, mobile devices, IoT, video-conferencing and mobile phones are intended exclusively for company-related activities. Any use of these systems that is illegal, causes disruption or inconvenience to other users, violates Picus policies, standards, or rules, or harms the company, its stakeholders, or customers, constitutes a violation of this policy.

This policy requires that:

  • Background verification checks on all candidates for employment and contractor roles should be carried out in accordance with relevant laws, regulations, and ethical standards. These checks should be proportional to the business requirements, the classification of the information being accessed, and the associated risk.
  • Employees, contractors, and third-party users must agree to and sign the terms and conditions of their employment contract, and comply with acceptable use policies.
  • Employees will undergo an onboarding process that familiarizes them with the environments, systems, security requirements, and procedures PICUS has in place. Additionally, employees will receive ongoing security awareness training, which will be audited regularly.
  • The offboarding process will include reiterating any responsibilities that remain valid after termination, ensuring all access to Picus systems is revoked, and confirming that all company-owned assets are returned.
  • PICUS and its employees will take reasonable measures to ensure no corporate data is transmitted via digital communications such as email or posted on social media outlets.
  • PICUS will maintain a list of prohibited activities that will be part of onboarding procedures and have training available if/when the list of those activities changes.
  • A fair disciplinary process will be utilized for employees that are suspected of committing breaches of security. Multiple factors will be considered when deciding the response, such as whether or not this was a first offense, training, business contracts, etc. PICUS reserves the right to terminate employees in serious cases of misconduct.

PICUS requires all workforce members to comply with the following general acceptable usage requirements and procedures, such that:

  • All workforce members are primarily considered as remote users and therefore must follow all system access controls and procedures for remote access.
  • The use of PICUS computing systems is subject to monitoring by PICUS Security teams.
  • Employees may not leave computing devices (including laptops and smart devices) used for business purposes, including company-provided and BYOD devices, unattended in public.
  • Device encryption must be enabled for all mobile devices accessing company data, such as whole-disk encryption for all laptops.
  • All email messages containing sensitive or confidential data will be encrypted.
  • Employees may not post any sensitive or confidential data in public forums, social media, or chat rooms. If a posting is needed to obtain technical support, data must be sanitized to remove any sensitive or confidential information prior to posting.
  • All data storage devices and media must be managed according to the PICUS Data Classification specifications and Data Handling procedures.
  • Employees may only use photocopiers and other reproduction technology for authorized use.
  • Media containing sensitive/classified information should be removed from printers immediately.
  • The PIN code function will be used on printers with such capability, so that the originators are the only ones who can get their print-outs and only when physically present at the printer.

The processes within the scope of this policy are followed by the Information Security Director with the support of the relevant process owners. It is reviewed annually by the Information Security Committee, and necessary updates are made and announced to the employees.

Last update: 14.06.2024

The Personal Data Management Policy has been established to define the personal data collection, processing, protection, storage, and destruction rules, management, and practices approved by the Senior Management, and to announce to the employees and relevant external parties.

Protection of personal data is extremely important for PICUS, which provides services to many companies and organizations both locally and around the globe, specializing in security services in the field of information technologies.

PICUS has set itself the goal of acting in accordance with other legal practices, both locally and internationally, regarding the protection of personal data. This policy covers the general conditions regarding how and for what purpose PICUS processes, protects, and for how long the personal data of its customers, suppliers, business partners, and their employees and officials, as well as third parties whose personal data are processed in accordance with business processes while maintaining business relations prepared for the determination. PICUS takes the confidentiality and integrity of its customer data very seriously and strives to assure data is protected from unauthorized access and is available when needed.

Processing of Personal Data

All personal data processed by PICUS are processed in accordance with national and international law. Personal data is processed by PICUS;

  • With the purchase of PICUS products and/or services;
  • When products or services are offered to PICUS;
  • When communicating with PICUS by any means;
  • When it is requested or preferred to receive commercial electronic messages sent for marketing;
  • When applying for a job at PICUS and/or starting to work at PICUS;
  • Production systems that create, receive, store, or transmit PICUS customer data;
  • Participating in events and organizations organized by PICUS and
  • When visiting the website www.picussecurity.com

PICUS complies with the rules specified within the scope of personal data, within the framework of the following basic principles:

  • Legal and Integrity Processing: PICUS acts in accordance with the principles introduced by legal regulations and the general rule of trust and honesty in the processing of personal data. In this context, PICUS takes into account the proportionality requirements in the processing of personal data and does not use personal data other than as required for the purpose.
  • Ensuring Personal Data Are Accurate and Up-to-Date: PICUS ensures that the personal data it processes is accurate and up-to-date, taking into account the fundamental rights of the persons concerned and their own legitimate interests.
  • Processing for Specific, Explicit, and Legitimate Purposes: PICUS clearly and precisely determines the legitimate and lawful purpose of processing personal data. Picus processes personal data as much as necessary and in connection with the products and services it offers.
  • Being Related to the Purpose for which they are Processed, Limited and Measured: PICUS processes personal data in a way that is suitable for the realization of the determined purposes and avoids the processing of personal data that is not related to the realization of the purpose or is not needed.
  • Retaining Personal Data for the Period Envisioned in the Relevant Legislation or Required for the Purpose of Processing: PICUS retains personal data only for the period specified in the relevant legislation or required for the purpose for which they are processed. In this context, PICUS first determines whether a period is foreseen for the storage of personal data in the relevant legislation, if a period is determined, it acts in accordance with this period. Personal data is deleted, destroyed, or anonymized by Picus in the event that the period expires or the reasons for its processing disappear.
  • Data must be handled and protected according to its classification requirements and following approved encryption standards, if applicable.
  • Whenever possible, store data of the same classification in a given data repository and avoid mixing sensitive and non-sensitive data in the same repository. Security controls, including authentication, authorization, data encryption, and auditing, should be applied according to the highest classification of data in a given repository.
  • Employees shall not have direct administrative access to production data during normal business operations. Exceptions include emergency operations such as forensic analysis and manual disaster recovery.
  • All access to Production Systems must be logged.
  • All Production Systems must have security monitoring enabled, including activity and file integrity monitoring, vulnerability scanning, and/or malware detection, as applicable.

Personal Data Processing Purposes and Legal Reasons

The purposes and processes of processing personal data processed by PICUS vary according to the category of the person concerned and the type of personal data.

The purposes of processing personal data processed by PICUS are as follows:

  • Establishment and management of customer relations 
  • Management of contract processes with our suppliers and business partners
  • Execution of direct marketing processes
  • Compliance with legal obligations
  • Protection and security of company interests
  • Within the scope of marketing activities
  • Cookies
  • Visitors and closed-circuit camera system (CCTV)
  • Employee candidates

Data Protection Implementation and Processes

Customer Data Protection: PICUS products are securely hosted on AWS by default, with data replication across multiple availability zones for redundancy and disaster recovery.  On PICUS products, only customer email addresses and Customer attack simulation results are kept and all customer data at rest and in motion are encrypted. Picus only analyzes system usage data anonymously to monitor and improve the quality of the threat library.

Access: PICUS employee access to production is guarded by an approval process and by default is disabled. When access is approved, temporary access is granted that allows access to production. Production access is reviewed by the DevOps team on a case-by-case basis.

Separation: Customer data is logically separated at the database/datastore level using a unique identifier for the customer. All database/datastore queries then include the account identifier.

Monitoring: PICUS uses AWS tools to monitor the entire cloud service operation. If a system failure and alarm is triggered, key personnel are notified by text, chat, and/or email message in order to take appropriate corrective action.

Confidentiality/Non-Disclosure Agreement (NDA): PICUS uses confidentiality or non-disclosure agreements to protect confidential information using legally enforceable terms. NDAs are applicable to both internal and external parties.

Data At Rest: All databases, data stores, and file systems are encrypted according to PICUS’s Encryption Policy.

Data In Transit: Data will only be transferred where strictly necessary for effective business processes. To ensure the safety of data in transit:

  • All external data transmission must be encrypted end-to-end using encryption keys managed by PICUS. This includes, but is not limited to, cloud infrastructure and third-party vendors and applications.
  • All internet and intranet connections are encrypted and authenticated using a strong protocol, a strong key exchange, and a strong cipher.

Security of Personal Data

PICUS implements necessary administrative and technical measures to safeguard personal data, aligning with the Personal Data Security Guide published by the Personal Data Protection Authority, as well as GDPR requirements. In this context, PICUS has established robust procedures and policies in compliance with ISO 27001 and ISO 27701 standards. 

Additionally, necessary privacy notices and explicit consent forms are prepared, and regular audits and monitoring are conducted to ensure ongoing compliance and data protection. 

The personal data management policy is reviewed at regular intervals or when significant changes occur and is approved by the Senior Management.

Last update:  14.06.2024

The purpose of this policy is to reveal PICUS's approaches to environmental and energy issues and its management perspective.

As a company that is aware of its responsibility towards environmental values, PICUS believes that it is necessary to leave a livable world to future generations. In order to minimize the consumption of natural resources and to prevent environmental pollution, it takes care to work by setting targets within the framework of continuous improvement.

The PICUS working ecosystem and environment do not require a large infrastructure and energy consumption. Our employees generally work remotely and independently of the location. Within the framework of our activities, processes with waste generation and environmental impact are at a very low level. There is no fixed server room within the PICUS campus and all business activities are carried out through cloud systems. For these reasons, the working environment of PICUS has low energy consumption and very low environmental impacts.

As PICUS, we base all of our activities on reducing waste at its source and recycling as much as possible. In this context, there are separate boxes for the separation of all wastes in the office areas, providing an important gain for our strategy to prevent pollution at its source. These wastes are collected by Hacettepe Teknokent management and processed with the same sensitivity.

All energy-consuming devices and equipment used in the PICUS campus are selected from types and models that comply with the principles of low consumption and energy efficiency and are regularly monitored.

Training and informing our employees about environmental and energy issues is also part of our awareness activities. We expect and encourage all of our employees to act with this awareness on the company campus and in the environments where they work.

With the same approach, PICUS asks its suppliers and service providers to meet their sensitivities in environmental and energy issues. In this context, we adopt as a principle to work with third parties with the lowest environmental impact and closest to green energy principles.

Within the scope of our sustainability strategies, we consider the protection of natural resources and the realization of our activities with minimum environmental impact as one of our main responsibilities. We evaluate our services from a life-long perspective and manage the positive or negative effects we create. All related processes, including this policy, are regularly updated annually and monitored by the senior management.

Last update: 14.08.2024

The Anti-Bribery and Corruption Policy has been established to define the anti-bribery and corruption management, and practices approved by the Senior Management, and to announce to the employees and relevant external parties.

This policy applies to all PICUS employees (full and part-time) and temporary workers (such as consultants or contractors) (together referred to as “employees” in this document) across the company no matter where they are located or what they do. Every person concerned can send their complaints and notifications directly to the Board about the issues covered by the policy.

This policy also provides additional specific information about the anti-corruption laws in Turkey and provides general guidance to compliance with anti-corruption laws in other jurisdictions in which we carry on business.

The People & Culture Unit has primary and day-to-day responsibility for implementing this policy, monitoring its use and effectiveness, dealing with any queries about it, and auditing internal control systems and procedures to ensure they are effective in countering bribery and corruption. In addition, the Operations Unit is responsible for monitoring this policy and updating it at least once a year.

Scope and Implementation

In PICUS, all forms of bribery and corruption are prohibited. Bribery is prohibited when dealing with any person whether they are in the public or private sector and the provisions of this policy are of general application. However, many countries have specific controls regarding dealing with public officials and this policy includes specific requirements in these circumstances.

In summary, it is essential to act in accordance with the actions listed in the following:

  • Facilitation Payments and Kickbacks: Facilitation payments are any payments, no matter how small, given to an official to increase the speed at which they do their job. You must avoid any activity that might lead to a facilitation payment or kickback being made or accepted by PICUS or on our behalf, or that might suggest that such a payment will be made or accepted. If you have any suspicions, concerns, or queries regarding a payment, you should raise these with the Legal and Compliance Executive. 
  • Gifts, Hospitality, and Expenses: PICUS and its employees, as well as third parties acting on its behalf to any external party, are prohibited from accepting and proportioning gifts and hospitality, as well as intangibles (e.g. job offers, investment opportunities, and favors) directly or through another party. The giving and accepting of gifts is allowed if the following requirements are met:
      • It is not made with the intention of influencing a third party to obtain or retain business or a business advantage, or to reward the provision or retention of business or a business advantage, or in explicit or implicit exchange for favors or benefits;
      • It is given in the company name, not in your name;
      • It does not include cash or a cash equivalent (such as gift certificates or vouchers);
      • It is appropriate in the circumstances, taking account of the reason for the gift, its timing, and value. For example, giving small gifts to celebrate important days is appropriate.
      • It complies with any applicable local law.
  • Record-Keeping: All payments and commissions to third parties must:
      • be made via bank transfer through the accounts payable system and be fully accounted for;
      • keep financial records and have appropriate internal controls in place which will evidence the business reason for making payments to third parties; and
      • must be made in accordance with the terms of the contract with the person or company providing the services.
  • Distributors and Channel Partners: All third parties should be made aware of the terms of the PICUS Code of Conduct and of their obligations to comply with it. All arrangements with third parties should be subject to clear contractual terms including specific provisions requiring them to comply with minimum standards and procedures in relation to bribery and corruption.

Risk management and Information Security Controls

Risk assessments specific to bribery and corruption shall be conducted as part of PICUS's Information Security Management System (ISMS) and Privacy Information Management System (PIMS) framework. In accordance with the assessment, appropriate controls and measures shall be implemented to mitigate identified bribery and corruption risks.

In addition, access to sensitive information related to bribery investigations and anti-corruption measures shall be strictly controlled and limited to authorized personnel only, in accordance with the principles of least privilege.

Disciplinary Action

PICUS personnel who fail to comply with this policy are subject to disciplinary action and may also be subject to legal punishments if they commit an offense under the law according to the Disciplinary Ordinance.

Last update:  14.06.2024

The purpose of this policy is to define the export control and sanctions compliance, its management and practices approved by the Senior Management, and to announce to the employees and relevant external parties.

This policy applies to all PICUS employees (full and part-time) and temporary workers (such as consultants or contractors) (together referred to as “employees” in this document) across the company no matter where they are located or what they do. Every person concerned can send their complaints and notifications directly to the Board by e-mail to notification@picussecurity.com about the issues covered by the policy.

A sanction is to be seen as a commercial and financial penalty applied by one or more countries against a targeted country, group, or individual. The main difference between an embargo and a sanction is that whereas an embargo completely restricts trade, some degree of trade is still possible with a sanctioned country, as long as we comply with the sanction laws. Picus software products and services are subject to the export control and sanctions laws of various countries, including without limitation, the laws of the United States of America, and Türkiye.

To accomplish applicable foreign policy and national security goals, the applicable governmental authority (such as the Department of the Treasury’s Office of Foreign Assets Controls (OFAC) in the USA) administers economic sanctions programs and embargoes for several countries. Certain destinations, organizations, and individuals are subject to trade sanctions, embargoes, and restrictions under applicable law. These sanctions are subject to change, usually involve financial components, and can range from narrow restrictions to broad sanctions and embargoes. It's important that before initiating any transaction with a third party, the relevant website is checked and guidance from the legal department is received.

Scope and Implementation

At PICUS, we do not do business with restricted destinations, and we apply end-user restrictions.

Destination Restrictions

To accomplish its obligations under export rules, the first step is to apply the principle of “Know Your Customer” by identifying business partners and their sales to the end user. When we know the business partner and end-user, we can validate its country and its purpose of usage. Our second step is to determine whether there are any red flags. Red flags are any abnormal circumstances in a transaction that indicate that the export may be destined for an inappropriate end-user or destination. Examples of red flags include orders for items that are inconsistent with the needs of the purchaser, and a customer's declining installation and testing when included in the sales price.

Taking into account overall business risks, Picus Security products and services are not available for export, reexport, transfer, and/or use in the following sanction countries/regions (subject to change without notice): Cuba, Iran, North Korea, Syria, Crimea Region, so-called Donetsk People’s Republic (DNR) / People’s Republic of Luhansk (LNR) regions of Ukraine.

Additionally, transactions with or related to certain destinations that pose an elevated export control or sanctions risk for Picus Security are subject to enhanced due diligence requirements, which may include authorization from the competent authorities.

End-User Restrictions

Picus Security products and services are not available to entities and individuals with whom transactions are prohibited under applicable export control and sanctions laws, including those listed on any applicable sanctioned party lists (e.g., European Union Sanctions List, U.S. Specially Designated National (SDN) lists, U.S. Denied Persons List, BIS Entity List, United Nations Security Council Sanctions).

To determine such information and usage purposes, we collect information from the Business Partner and End-User. After all the necessary information regarding the sale is collected, suspicious entities and users are screened through OFAC and other platforms, and Picus products are not supplied to companies or organizations that have any sanctions on them.

Picus Platform Free Trial Procedure

To initiate a free trial period on the Picus platform, end-users need to complete registration. Registration includes agreeing to the terms of our Privacy Policy and EULA. We start with user verification via a few checklists; if a user fails verification, the account will be blacklisted. User verification consists of domain, competitor, suspicious domain, personal account, country, and region checks.

The companies to whom goods and services are sold and business partners must comply with the Policy principles and other relevant regulations. Relations with persons and institutions failing to comply with these conditions shall be terminated. 

Access to sensitive information related to sanctions and export restrictions investigations shall be strictly controlled and limited to authorized personnel only, following the principles of least privilege. Sensitive information on sanctions and export restrictions incidents and related investigations shall be protected in accordance with established ISMS and PIMS policies to prevent unauthorized access and disclosure.

The Legal and Information Security teams have primary and day-to-day responsibility for implementing this policy and monitoring its use and effectiveness. In addition, the Operation Unit is responsible for monitoring this policy and updating it at least once a year. We provide relevant compliance training to all employees (online and/or face to face) to expand their knowledge. Training is an important instrument for increasing awareness. Within this scope, the Legal Department designs training programs together with the Information Security team, and these programs are compulsory for all employees.

b) Corporate Security Practices

An Information Security Director (ISD) leads Picus’s information security and privacy program with a vision of continuous improvement, stronger cybersecurity resilience, broader compliance, and keeping up with the latest technologies. This role includes developing and maintaining security policies, aligning the security strategy with organizational goals, and overseeing incident management. The ISD is also responsible for managing Picus's efforts in information security, business continuity, risk management, auditing, and compliance.

All access requests are managed based on the principle of least privilege. Secure login procedures, including multi-factor authentication (MFA), are implemented. In addition, a stringent password security policy is enforced and a password manager solution is provided for all employees to ensure secure and efficient password management.

At Picus, we implement an effective suite of endpoint security solutions to protect our devices and data. This includes Mobile Device Management (MDM) to enforce security policies on mobile devices, Endpoint Protection Platform (EPP) for antivirus and anti-malware protection, and Endpoint Detection and Response (EDR) for advanced threat detection and incident response. All corporate laptops are encrypted to safeguard sensitive information, and regular updates and patches are applied to ensure systems remain secure. Additionally, we conduct continuous monitoring and logging to detect and respond to any suspicious activities on endpoints promptly.

In Picus systems and platforms, both data in transit and at rest are encrypted using industry-standard algorithms. In addition, special encryptions are used in the SSHv2 protocol to provide secure access to the company cloud servers, where Picus products and systems are hosted.

All systems related to Picus products are cloud-based and have High Availability Architecture in AWS United States, Europe and Middle East data centers. Picus uses redundant RDS instances to ensure full backup recovery of its database. Daily database backups are also taken automatically.

Picus uses a fully encrypted VPN solution as well as HTTPS to communicate with and access its network. All traffic within the network is redirected from HTTP to HTTPS.

Picus operates Secure Development Life Cycle (SDLC) rules based on agility, information security, and secure code development techniques for product and system development, drawing on best practices and well-known techniques.

Picus conducts a third-party risk management program and regularly evaluates its vendors through security reviews to minimize associated risks. This ensures that our vendors meet their contractual obligations and comply with applicable legal requirements.

Security and privacy training and awareness programs are conducted for all employees on an annual basis. In addition, regular training sessions as well as secure code training are delivered to Picus developers by field experts.

In addition to conducting internal penetration tests with our Lab teams, Picus also regularly engages third-party experts for external penetration tests. Recent reports shall only be provided under NDA. To request access to these reports, please reach us at security@picussecurity.com.

At Picus, our SIEM solution monitors and analyzes log data from various sources. This proactive approach helps us to quickly identify and respond to potential security threats, ensuring the integrity and confidentiality of our systems and data.

All new employees undergo background checks, including criminal, education, and employment history verification. Additionally, they are required to sign Non-Disclosure and Confidentiality agreements before employment.

Vulnerability Disclosure Program

At Picus, we believe that security should primarily be internalized in our company culture. Below, you can find some of our corporate documents and practices, among others, which help us build a strong and regularly validated security posture.