PTAAS EXCHANGE
If you missed the PtaaS Exchange in person, join us virtually to learn how to improve your security program in 2023.

Terms & Conditions

  • General

    Last Updated on April 29, 2022

    Introduction

    PLEASE NOTE: These Terms of Use (together with the Policies, as further defined, named in Section 1, the “Agreement”) form a binding contract between Us and You; by using the Services, You are agreeing to enter into a legal contract with Us, and to comply with the terms and conditions described here, which govern any use of the Services.

    If You do not agree to the terms presented in this Agreement, or if You do not meet the eligibility requirements described in Section 1 of this Agreement, You have no right to use the Services, and should terminate Your access, including use of the Cobalt website, immediately.

    Please be aware that Cobalt reserves the right, at its sole discretion, to change this Agreement (and the Services, including any fees), at any time and without giving advance notice. If We change this Agreement, the Privacy Policy, the Terms for Running a Security Program and/or the Terms for Engaging in a test, We will post the change on the Site or Services or provide You with notice of the change. We will also update the "Last Updated Date" at the top of this Agreement. By continuing to access or use the Site or Services after We have posted such a change, or have provided You with notice of it, You are agreeing to be bound by the Agreement as updated. If the Agreement as updated is not acceptable to You, You should stop using the Services, as the new terms will govern regardless.

    Please also be aware that disputes arising hereunder will be resolved by binding arbitration, and BY ACCEPTING THIS AGREEMENT, YOU AND COBALT ARE EACH WAIVING THE RIGHT TO A TRIAL BY JURY OR TO PARTICIPATE IN A CLASS ACTION. YOU AGREE TO GIVE UP YOUR RIGHT TO GO TO COURT to assert or defend Your rights under this contract (except for matters that may be taken to small claims court). Your rights will be determined by a NEUTRAL ARBITRATOR and NOT a judge or jury and Your claims cannot be brought as a class action. Please review the Arbitration Agreement in Section 9 below for the details regarding Your agreement to arbitrate any disputes with Cobalt.

     

    1. Parties and Scope of Agreement

    Parties, Authority, and Eligibility

    “You” or “Your” or “Customer” refers to you as an end user of the Services, and, if you are accessing the Services on behalf of a legal organization, that legal organization; You agree that You have the authority to enter into this Agreement and to bind that legal organization to the terms of this Agreement. You further agree that You are 18 years of age or older (if You want to use the Services but You are under 18 years of age, please contact info@cobalt.io).

    “Us”, “We”, “Our” or “Cobalt” means Cobalt Labs, Inc., a Delaware Corporation.

    Scope of this Agreement, Other Agreements, and Definitions.

    This Agreement makes reference to a number of other agreements which You may also be agreeing to by agreeing to this Agreement, and which You can find here (the “Policies”):

    In the event that the terms of this Agreement conflict with the terms of any other agreement named here, the terms of this Agreement will govern (except with respect to a mutually executed Sales Order, in which case the terms of that Sales Order will govern in the event of conflict).

    Finally, please note that, where not defined throughout this Agreement, capitalized terms having the meaning ascribed to the Definitions Section.

     

    2. Feedback, Credits, Tiers, Reports, and Security Pentesters

    Feedback
    We welcome and encourage You to provide feedback, comments and suggestions for improvements to the Services ("Feedback"). You may submit Feedback by emailing Us at info@cobalt.io or through the about section of the Site. By submitting Feedback, you irrevocably transfer all ownership in such Feedback to Cobalt, and waive any and all rights, including intellectual property rights to the extent such attach to the Feedback under applicable law, in favor of Cobalt. 

    Credits

    Upon purchase, your Cobalt Account will be updated to reflect the amount of Credits purchased.  Cobalt will scope Services based on projected level of effort as expressed in Credits. The level of Services associated with each Credit will vary depending on the applicable Tier to which a Customer has subscribed. The price and other applicable details associated with a purchased Credit will be set forth on your Cobalt Sales Order. Please note that the Services for which Credits may be used excludes certain professional services offerings (such as, without limitation, red team services, IOT/device testing, etc.), unless otherwise expressly agreed to by Cobalt (and subject to such additional terms and conditions as Cobalt may require relative to performing professional services). Credits may only be consumed within the service period on an applicable Sales Order, of up to one calendar year, and may not be extended beyond said service period(i.e. “rolled over”) unless otherwise mutually agreed in writing, or unless the Tier of Services you have purchased provides for some degree of Credit roll over.

    Tiers

    Access to Cobalt’s Services is provisioned across tiers that define the features and functionality associated with your Cobalt Account (“Tiers”). The Tiers offered by Cobalt are Standard, Premium, and Enterprise. The features and functionality associated with each Tier is more fully set out here. The Tier associated with your Cobalt Account will be selected by you at the time you engage Cobalt to provide Services, and will be reflected on the applicable Sales Order. A Customer may only be affiliated with one Tier at a time during their subscription. Tiers may be upgraded, but not downgraded, prior to the end of your subscription period. Cobalt reserves the right, at its sole discretion, to modify, enhance, or remove features of the Tiers, at any time upon prior notice (electronically via the Site), provided that such modifications do not materially diminish the functionality of the Tier associated with Customer’s Cobalt Account.

    Vulnerability Report

    Cobalt will produce a Vulnerability Report detailing findings uncovered during performance of the Services. The contents and format of the Vulnerability Report will be determined by Cobalt at its discretion, and Vulnerability Reports are not customizable, except where the Tier you purchased includes customizable Vulnerability Reports. By using Cobalt’s Services, you are acknowledging that Cobalt acts as a third-party assessor and possesses a degree of independence in formulating its findings (as articulated via a Vulnerability Report) and as such, Cobalt will not remove or minimize findings in a Vulnerability Report at a Customer’s request without a sufficient factual basis for so doing. Customer may remove Cobalt’s logo and any other marks from a Vulnerability Report and use the Vulnerability Report for Customer’s own, non-commercial, business purposes.

    Security Pentesters

    Customer understands and agrees that the Security Pentesters are independent third parties who are retained by Cobalt to assist in providing Services. .  The Security Pentesters’ use of the Site and their performance of any testing at Customer’s request is governed by the General Terms found at https://www.cobalt.io/terms, including the “Supplemental Terms for Engaging in a Test.” These terms must be accepted and agreed to by a Security Pentester prior to engaging in any testing activities on an Application/Network or providing a Vulnerability Report.

    Pentest Regions

    Security Pentesters are globally distributed. Cobalt cannot guarantee that a particular Service will leverage only Security Pentesters from a specific country, region, or other geographic specification, except where the Tier that you purchased provides you with choice in Security Pentester region selection. Please be aware that, if you have Security Pentester region selection available per your Cobalt Tier features, Cobalt may require additional time to initiate a test beyond the period articulated in “Security Program Time Period.”

    Customer acknowledges that Security Pentesters are not contingent workers engaged directly by the Customer. Security Pentesters provide Services through Cobalt and as such, do not and shall not enter into contracts directly with Customer. Cobalt will not facilitate the exchange of, or execution of, any agreements directly between a Security Pentester and Customer, including without limitation, any non-disclosure agreement or similar document. 

    Professional Services

    The Services provided via the Site exclude Professional Services provided pursuant to an SOW. Cobalt Professional Services are not delivered via the Site or via work performed by Security Pentesters. Any provision of Professional Services will be scoped on a per engagement basis via SOW and shall be subject to additional terms set forth in the Cobalt Professional Services Addendum

    Pentesting Types

    Cobalt offers its Services through two distinct penetration testing types: (1) Comprehensive testing, constituting a traditional pentest (subject to the conditions and restrictions established herein and in related documentation ), and (2) Agile testing, which consists of a more limited pentest. Agile testing is designed for (a) feature changes or new features added to an asset that has previously been tested by Cobalt, or (b) where the asset sought to be tested has not previously been tested by Cobalt, a narrowly targeted test of an asset of limited size where specific context or knowledge of environment is not required to undertake the test. Cobalt has the discretion to determine whether a particular asset or test scope is appropriate for Agile testing or Comprehensive testing. Agile test Vulnerability Reports are automated and not subject to customization opportunities, even at Premium or Enterprise Tiers. Cobalt requires a three-credit minimum to obtain an Agile test and a five-credit minimum to obtain a Comprehensive test.

    Customer Pentester Requests

    At the Enterprise Tier, Cobalt will accommodate special requests regarding the pentesters performing Services for the Customer. This includes requests that Cobalt (a) staff a test with pentesters from a specific region or time zone, or (b) ensure that pentesters communicate with customer and/or perform testing at specified times. Other requests may be facilitated on a case-by-case basis. All custom requests are subject to Cobalt availability. Cobalt may not be able to accommodate more than one such request per test. Customers should check with their Cobalt-assigned CSM to determine whether a particular request may be accommodated.

    3. Sales Orders, Invoicing and Payment.  

    Sales Orders
    If Customer wishes to order the Services, the parties shall enter into one or more Sales Orders, each of which shall be deemed to be incorporated herein by reference.  Each Sales Order shall specify, as applicable, the particular Services ordered (including a description thereof), the quantity of Service(s) ordered, the fees for the Service(s) and the term of the Sales Order (“Order Term”).  A Customer Affiliate may enter into a Sales Order pursuant to this Agreement and, in such case, by entering into the Sales Order, the Affiliate agrees to be bound by the terms and conditions of this Agreement with respect to such Sales Order and such Affiliate shall be considered to be the Customer, as such term is used herein, with respect to such Sales Order. The Customer entity signing the Sales Order shall be responsible for any of its Affiliates’ who use the Services compliance with the terms and conditions of this Agreement. 

    Invoicing and Payment

    Cobalt will invoice in accordance with the invoicing schedule set forth in the Sales Order. Customer will pay all fees within thirty (30) days of the date of the invoice unless otherwise set forth in the Sales Order.  All fees are stated as exclusive of taxes and Customer shall be responsible for the payment of all use, services, withholding or similar taxes on the use or sale of the Services. Any overdue invoices will accrue late interest at the rate of 1.5% of the outstanding balance per month or the greatest amount allowed by applicable laws, whichever is lower, plus all expenses of collection.

    Price Changes

    Customer acknowledges that future renewals of Services purchased under any particular Sales Order will occur at the then-current per-Credit price applicable at the time of such renewal. Cobalt reserves the right to change its per-Credit pricing at its discretion, such that future renewals of Services purchased under any particular Sales Order may reflect per-Credit price increases.

    4. Account & Use

    Creating an Account

    In order to access certain features of the Services, You must register as a User on the Site and create a  Customer account and profile page ("Cobalt Account"). You may do so directly via the Site or as described in this section.

    You can also register on the Site by logging into your Cobalt Account using certain third party social networking sites for which log-in support has been provided by Cobalt, including, but not limited to, Google (each a, “Third Party Service Provider”); each such account, a "Third Party Account", via the Site, as described below. As part of the functionality of the Site and Services, Customer can link a Cobalt Account with Third Party Accounts, by either: (i) providing the applicable Third Party Account login information to Cobalt through the Site or Services; or (ii) allowing Cobalt to access Customer’s Third Party Account, as is permitted under the applicable terms and conditions that govern the use of such Third Party Accounts. Customer represent that it is entitled to disclose Third Party Account login information to Cobalt and/or grant Cobalt access to such Third Party Accounts (including, but not limited to, for use for the purposes described herein), without breach of any of the terms and conditions that govern use of the applicable Third Party Accounts and without obligating Cobalt to pay any fees or making Cobalt subject to any terms and conditions imposed by such Third Party Service Providers. By granting Cobalt access to any Third Party Accounts, Customer understand that Cobalt may access, make available and store (if applicable) any Content that Customer has provided to and stored in such Third Party Accounts ("Third Party Content") so that it is available on and through the Site and Services via Customer’s Cobalt Account and Cobalt Account profile page. Unless otherwise specified in this Agreement, all Third Party Content, if any, will be considered to be Customer Data for the purposes of this Agreement. Depending on the Third Party Accounts Customer chooses, and subject to the privacy settings that Customer has set within such Third Party Accounts, personally identifiable information that Customer posts to such Third Party Accounts may be available on and through Customer’s Cobalt Account on the Site. If a Third Party Account or associated service becomes unavailable or Cobalt’s access to such Third Party Account is terminated by the Third Party Service Provider, then Third Party Content will no longer be available on and through the Site and Services. Customer has the ability to disable the connection between Customer’s Cobalt Account and any such Third Party Accounts, at any time, by accessing the "Settings" section of the Site.  CUSTOMER’S RELATIONSHIP WITH THE THIRD PARTY SERVICE PROVIDERS ASSOCIATED WITH THIRD PARTY ACCOUNTS IS GOVERNED SOLELY BY CUSTOMER’S AGREEMENT(S) WITH SUCH THIRD PARTY SERVICE PROVIDERS. Cobalt makes no effort to review any Third Party Content for any purpose, including but not limited to, for accuracy, legality or non-infringement and Cobalt is not responsible for any Third Party Content and is not responsible or liable for the acts or omissions of such Third Party Service Providers.

    User Eligibility

    Customer represents and warrants that each User is not: (a) a resident or national of any country subject to a United States embargo or other similar United States export restrictions; (b) on the United States Treasury Department’s list of Specifically Designated Nationals as defined under Applicable Laws; (c) on the United States Department of Commerce’s Denied Persons List or Entity List as defined under Applicable Laws; or (d) identified by the United States government as a prohibited end user of United States export controlled items or otherwise subject to sanctions or similar laws, regulations, or executive orders.

    Suspension of Cobalt Services

    Cobalt may, in its sole discretion, immediately suspend or terminate Customer’s Cobalt Account and/or access to or use of the Cobalt Services by Customer generally or as to any specific User if, in Cobalt’s reasonable judgment: (i) any information provided during the registration process or thereafter proves to be materially inaccurate, to the detriment of Cobalt; (ii)  the Cobalt Services or any component thereof may suffer a significant threat to security or functionality caused by continued access to or use of the Cobalt Services by Customer; or (iii) continued provision of the Services may have a deleterious effect on Cobalt or any other Customer. In the event Services are suspended pursuant to this paragraph, Cobalt shall endeavor to provide notice of the suspension and of the cause underlying the suspension as soon as practicable.  Cobalt shall use reasonable efforts to re-establish the affected Cobalt Services promptly after Cobalt determines, in its reasonable discretion, that the situation giving rise to the suspension has been cured. Where the cause underlying suspension of Services is a subject that Customer or a third party reasonably within the control of Customer is able to rectify, Cobalt may permanently terminate the Cobalt Services under a Sales Order if any of the foregoing causes of suspension is not cured within thirty (30) days after Cobalt’s initial notice to Customer thereof and such failure shall be deemed a material breach by Customer. Any suspension or termination by Cobalt under this Section will not excuse or release Customer from its obligation to make payment(s) under any Sales Orders in effect at the time of termination.

    Security Program

    Customer shall comply with the terms and obligations set forth in the Supplemental Terms “Running a Security Program.

    If for any reason the Security Program is not capable of running as planned, including infection by computer virus, bugs, tampering, unauthorized intervention, fraud, technical failures, or any other causes which corrupt or affect the administration, security, fairness, integrity, or proper conduct of the Security Program, Cobalt reserves the right at its sole discretion to cancel, terminate, modify or suspend the Security Program. Cobalt further reserves the right to disqualify any User who tampers with the submission process or any other part of the Security Program or Site. Any attempt by a User to deliberately damage any web site, including the Site, or undermine the legitimate operation of the Security Program is a violation of criminal and civil laws and should such an attempt be made, Cobalt reserves the right to seek damages from you to the fullest extent under Applicable law.

    Acceptable Use

    Prohibited Use. In connection with Your use of our Services, You agree that You will not:

    • violate any Applicable Laws, including, without limitation, privacy laws;
    • use manual or automated software, devices, scripts robots, other means or processes to access, "scrape," "crawl" or "spider" any web pages or other services contained in the Site, Services or Content;
    • use the Services or Cobalt Content on behalf of for the benefit of any third party, including in a service bureau, time sharing or other arrangement, except where expressly authorized in writing by Cobalt, including without limitation, where undertaken pursuant to a valid Cobalt reseller agreement or similar agreement;
    • copy, store, modify, prepare derivative works based upon, distribute, license, sell, transfer, publicly display, publicly perform, transmit, broadcast or otherwise exploit any software forming a part of the Site r the Cobalt Content except as expressly permitted under this Agreement or attempt to expose the source code of or attempt to recreate any software which forms a part of the Site;
    • infringe the rights of any person or entity, including without limitation, their intellectual property, privacy, publicity or contractual rights;
    • interfere with or damage Cobalt’s Site or Services, including, without limitation, through the use of viruses, cancel bots, Trojan horses, harmful code, flood pings, denial-of-service attacks, packet or IP spoofing, forged routing or electronic mail address information or similar methods or technology;
    • contact a Security Pentester for any purpose other than communication related to a Security Program;
    • attempt to probe, scan, or test the vulnerability of any Cobalt system or network or breach any security or authentication measures;
    • avoid, bypass, remove, deactivate, impair, descramble, or otherwise circumvent any technological measure implemented by Cobalt or any of Cobalt’s providers or any other third party (including another User) to protect the Site, Services or Collective Content;
    • forge any TCP/IP packet header or any part of the header information in any email or newsgroup posting, or in any way use the Site, Services or Collective Content to send altered, deceptive or false source-identifying information;(b) attempt to decipher, decompile, disassemble or reverse engineer any of the software used to provide the Services or Collective Content; (c) attempt to expose the software or use the software used to provide the Services to recreate such software; or advocate, encourage, or assist any third party in doing any of the foregoing;
    • use the Site or Services in any way not contemplated by this Agreement.

     

    A violation of any of the use restrictions and obligations set forth in this Section 3 shall constitute a material breach of this Agreement.  Customer acknowledges and agrees that Cobalt has no obligation to monitor Customer’s access to or use of the Services or Collective Content or to review or edit any Customer Data. Cobalt reserves the right, at any time and without prior notice, to remove or disable access to any Customer Data that Cobalt, at its sole discretion, considers to be objectionable, in violation of this Agreement or otherwise harmful to the Services.

     

    Affirmative Obligations. In connection with Your use of the Services, You agree that:

    • You are solely responsible for compliance with any and all Applicable Laws, rules, regulations, and tax obligations that may apply to Your use of the Site, Services and Content.
    • You will provide accurate, current accurate, current and complete information during the registration process and to update such information to keep it accurate, current and complete.
    • You are responsible for safeguarding Your password and other sensitive credentials and Content; You also agree that You will not disclose Your password to any third party and that You will take sole responsibility for any activities or actions under Your Cobalt Account, whether or not You have authorized such activities or actions.
    • You are responsible for only using those Third Party Accounts that You deem to be secure for usage in connection with the Services, and You assume the risk of any privacy or security violations arising thereto.
    • You are responsible for managing security permissions, and for deleting sensitive data in a timely fashion to mitigate the risk of security breaches.
    • You will immediately notify Cobalt of any unauthorized use of Your Cobalt Account.
    • If You interact with anyone who You feel is acting or has acted inappropriately, including but not limited to, anyone who (i) engages in offensive, violent or sexually inappropriate behavior, (ii) You suspect of stealing from You, or (iii) engages in any other disturbing conduct, You should immediately report such person to the appropriate authorities and then to Cobalt by contacting Us with Your police station and report number at info@cobalt.io; provided that Your report will not obligate Us to take any action beyond that required by law (if any) or cause Us to incur any liability to You.
    Remedial Action

    We may, in Our sole discretion and at any time, with or without cause, and with or without prior notice: (a) terminate or modify this Agreement, (b) terminate, modify or restrict Your access to the Services, (c) deactivate or cancel Your Cobalt Account, and (d) take other actions as We see fit in our sole discretion (collectively, such actions being “Remedial Actions”). In the event of Remedial Actions, You will remain liable for all amounts due hereunder, or under an applicable Sales Order.

    Notwithstanding the foregoing, We will not cancel Your account if there is an active Sales Order in effect unless such termination is for Cause. Unless otherwise specified in the Sales Order, “Cause” shall mean (a) a material breach by You of this Agreement, including but not limited to any breach of the restrictions described herein, (b) a material breach of a Sales Order, where such breach is not cured within 30 days following Your receipt of e-mail or other notice of such breach, and (c) violation of any third party right or of Applicable Law, as determined in Our sole discretion.

    Cancellation

    You may cancel Your Cobalt Account at any time via the "Cancel Account" feature of the Services or by sending an email to info@cobalt.io, provided that any such cancellation by You shall not affect any obligations by You under an active Sales Order including any payment obligations unless otherwise expressly agreed by the parties in the Sales Order. Please note that if Your Cobalt Account is canceled, We do not have an obligation to delete or return to You any Customer DataYou have posted to the Services, including, but not limited to, any reviews or Feedback unless explicitly agreed in a Sales Order.

    5. Privacy 

    See Cobalt’s Privacy Policy, which is hereby incorporated by reference, and to which You agree to be bound.

    6. Confidentiality

    Definition

    During the Term the parties may need to exchange or make available confidential and proprietary information to the other party in connection with this Agreement, whether disclosed in written, oral, electronic or visual form, which is identified as confidential at the time of disclosure or should reasonably be understood to be confidential given the nature of the information or the circumstances surrounding the disclosure, including without limitation business, operations, finances, technologies, products and services, pricing, personnel, customers and suppliers (“Confidential Information”). Without limiting the foregoing, (i) Cobalt Confidential Information shall include Cobalt Property; and (ii) Customer Confidential Information shall include Customer Data and the Applications/Networks except to the extent Customer posts Customer Data on the Site for the purpose of making it available to Cobalt, Security Pentesters, or any other User.

    Non-Use

    During the Term, and continuing after expiration or termination of the Agreement, each party shall retain in confidence, and not use (except for the purposes described in this Agreement), the Confidential Information of the other party. The receiving party will use the same degree of care and discretion (but not less than reasonable care) to avoid disclosure, publication or dissemination of the disclosing party’s Confidential Information as it uses with its own confidential or proprietary information of a similar nature.  Except as authorized in this Agreement or a Sales Order, the receiving party will not disclose the Confidential Information of the disclosing party to a third party other than to its or its Affiliates’ employees, contractors, agents or advisors in connection with its performance of this Agreement who are bound by terms no less protective of a disclosing party’s rights as those set forth in this Agreement and the receiving party shall be liable to the disclosing party for any violation of this Agreement by such persons. 

    Exclusions

    Confidential Information shall not include information that (a) is publicly known at the time of disclosure, (b) is lawfully received from a third party not bound in a confidential relationship with the disclosing party, (c) is published or otherwise made known to the public by the disclosing party, or (d) was or is generated independently without use of the disclosing party’s Confidential Information.  The receiving party may disclose Confidential Information as required to comply with orders of governmental entities that have jurisdiction over it or as otherwise required by law, provided that the receiving party (i) gives the disclosing party reasonable advance written notice to allow the disclosing party to seek a protective order or other appropriate remedy (except to the extent that compliance with the foregoing would cause it to violate an order of the governmental entity or other legal requirement), (ii) discloses only that portion of the Confidential Information as is required, and (iii) cooperates with the disclosing party to obtain confidential treatment for any Confidential Information so disclosed.  Notwithstanding anything herein to the contrary, provided that Cobalt does not use or disclose Customer Confidential Information, Cobalt shall be free to use, exploit and disclose its general skills, concepts, ideas, know-how, and expertise gained or learned during the course of this Agreement, and Cobalt shall not be restricted from creating output for other Customers which is similar to that provided to Customer.

     

    Remedies

    Due to the unique nature of Confidential Information gained through the Services, the Parties acknowledge that the breach of this Section 6 could cause irreparable harm, which monetary damages would be insufficient to remedy. Accordingly, the Parties agree and acknowledge that any such violation or threatened violation may cause irreparable injury to Us, Security Pentesters, or to third parties, and that, in addition to any other remedies available at law, such other Parties shall be entitled to seek injunctive relief against the threatened or continuing breach of this Agreement.

     

    7. Intellectual Property

     

    Cobalt Rights, Licenses

    The Services, and Collective Content are protected by copyright, trademark, and other laws of the United States of America and foreign countries.

    Cobalt Property Ownership: You acknowledge and agree that Cobalt and/or its licensors own all right, title and interest to the Site, Services and Cobalt Content, including without limitation any techniques, ideas, concepts, methods, processes, software, utilities, data, documents, directories, designs, user interfaces, know-how, graphics, video content or other data or information acquired, created, developed or licensed by Cobalt prior to or outside the scope of the Services and all modifications, improvements and derivative works thereof and all associated Intellectual Property Rights (collectively as “Cobalt Property”).

    Cobalt License. Subject to Your compliance with the terms and conditions of this Agreement, Cobalt grants You a limited, world-wide, non-exclusive, non-transferable, non-sublicensable right and license, during the subscription term specified in a Sales Order, to (i) access and use the Site and Services in accordance with the terms of this Agreement; and (ii) access and view any Cobalt Content contained on the Site solely for Your internal use in connection with Your use of the Services. Except as provided herein, You shall have no right to make the Site, Services or Cobalt Content available to, use the Site, Services or Cobalt Content on behalf of, or for the benefit of any third party without Cobalt’s express written authorization.  Except for the rights expressly licensed to You hereunder, Cobalt and its licensors reserve and retain all right, title and interest to the Site, Services and Cobalt Content. You shall not (i) remove or alter any proprietary notices included on the Services(s) and/or Cobalt Content; or (ii) modify or attempt to expose the source code of or attempt to recreate any software which forms a part of the Site. 

    No title, licenses, or other rights or interests are granted to You by implication or otherwise under any intellectual property rights owned or controlled by Cobalt or its licensors, except for the licenses and rights expressly granted in this Agreement.

     

    Customer Rights, Licenses

    The parties acknowledge and agree that You and/or Your licensors own all right, title and interest to the Applications/Networks and any Customer Data made available by the You through the Site or Services and any findings contained in the Vulnerability Reports created specifically and uniquely for the You, but excluding Security Pentester Property (as defined below) and any Intellectual Property Rights therein.

    Customer License Grants

    Statistical Data

    You acknowledge and agree that (i) Cobalt has the right to  collect and create high level, generic, anonymous, statistical and/or benchmarking data derived from Customer’s use of the Site and the Services  that is aggregated with other findings, results and information (the “Statistical Data”), (ii) all such Statistical Data is the sole and exclusive intellectual property of Cobalt, except to the extent such Statistical Data includes Customer Data, and (iii) to the extent such Statistical Data includes any Customer Data, Customer hereby grants to Cobalt a perpetual, worldwide, irrevocable license to use, reproduce, store, modify, create derivative works of, exploit, publish, license and transmit such Customer Data; provided, that Cobalt shall in all cases refrain from publishing any Statistical Data, Customer Data, or any insights or work derived therefrom in a manner that reveals or   allows to be inferred the identity of identify any specific person, Customer’s name, Customer Data, Application, Customer Confidential Information or Network.  Except as expressly licensed herein, Customer shall retain all right, title and/or interest to the Customer Data and Customer Confidential Information and all intellectual property rights therein, and except as expressly licensed herein, Cobalt shall obtain no right or license thereto.

     

    You understand and agree that Cobalt shall have the right to share Customer contact details with third party partners and service providers in connection with the delivery of the Services and enabling such partners to offer other software and/or services as related to the Services.

    Customer Data License Grant

    You grant to Cobalt a worldwide, non-exclusive, non-transferable (except by assignment or as otherwise expressly permitted under this Agreement), royalty-free license and right to, during the Order Term, (i) use, access, view, copy, display, transmit and store Customer Data on, through or by means of the Site and Services solely to the extent necessary to operate, maintain, perform, and provide the Site and Services, (ii) use, access, view, copy,  and display, information relating to the Applications/Networks solely to the extent necessary to engage in testing and/or create the Vulnerability Reports or otherwise perform tasks in connection with the Security Program; and (iiii) create, view, display, transmit and store Vulnerability Reports relating to the Applications/Networks. You acknowledge that this license grant extends, to the extent necessary to facilitate performance of the Services, to Cobalt’s personnel and Security Pentesters. Except as expressly licensed herein, You shall retain all right, title and/or interest to the Applications/Network and all intellectual property rights therein, and except as expressly licensed herein, Cobalt shall obtain no right or license thereto.

    Pentester Rights, Licenses

    The parties acknowledge and agree that as between the parties, the Security Pentesters and/or their licensors reserve all right, title and interest to any techniques, methods, processes, or technical information contained in any Customer Data acquired, created, developed or licensed by the Security Pentester prior to, independently of, and outside the scope of of Your specific Security Program and Vulnerability Report(s) thereto, and any intellectual property rights therein (“Security Pentester Property”), except as described in this Agreement.

     

    All Parties

    We may, in our sole discretion, permit Users to post, upload, publish, submit or transmit Customer Data, including Security Program(s). This License grant section covers the license grant for Customer Data.

    Subject to the license rights and restrictions otherwise expressly provided for in this Agreement and the Cobalt Privacy Policy, by making available any Customer Data on or through the Services, You hereby grant to Cobalt a worldwide, irrevocable, perpetual, non-exclusive, transferable, royalty-free license, with the right to sublicense, to use, view, copy, adapt, modify, distribute, license, sell, transfer, publicly display, publicly perform, transmit, stream, broadcast, access, view, and otherwise exploit such Customer Data on, through, or by means of the Services, for the purpose of providing or enjoying the Services and pursuant to the terms of this Agreement.

    Except as provided for in this Agreement, Cobalt does not claim any ownership rights in any such Customer Data and nothing in this Agreement will be deemed to restrict any rights that You may have to use and exploit any such Customer Data that You are otherwise entitled to use and exploit.

    Other Third Party Rights, Licenses

    Links. The Services may contain links to third-party websites or resources. You acknowledge and agree that Cobalt is not responsible or liable for: (i) the availability or accuracy of such websites or resources; or (ii) the content, products, or services on or available from such websites or resources. Links to such websites or resources do not imply any endorsement by Cobalt of such websites or resources or the content, products, or services available from such websites or resources. You acknowledge sole responsibility for and assume all risk arising from Your use of any such websites or resources or the Content, products or services on or available from such websites or resources.

    Proprietary Rights Notice. All trademarks, service marks, logos, trade names and any other proprietary designations of Cobalt used herein are trademarks or registered trademarks of Cobalt. Any other trademarks, service marks, logos, trade names and any other proprietary designations are the trademarks or registered trademarks of their respective parties.

    Digital Millennium Copyright Act. If You believe that Your copyrighted work has been copied in a way that constitutes copyright infringement and is accessible via the Services, please notify our copyright agent, as set forth in the Digital Millennium Copyright Act of 1998 ("DMCA"). For Your complaint to be valid under the DMCA, You must provide the following information in writing to info@cobalt.io:

    • An electronic or physical signature of a person authorized to act on behalf of the copyright owner;
    • Identification of the copyrighted work that You claim has been infringed;
    • Identification of the material that is claimed to be infringing and where it is located on the Service;
    • Information reasonably sufficient to permit Us to contact You, such as Your address, telephone number, and, e-mail address;
    • A statement that You have a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or law; and
    • A statement, made under penalty of perjury, that the above information is accurate, and that You are the copyright owner or are authorized to act on behalf of the owner.

    Use of Customer Name and Logo.  Cobalt may use Customer's name and logo to identify Customer as a customer of Cobalt, unless you object in writing to Cobalt's use thereof.  Cobalt's use of the name and logo does not create any ownership right therein and all rights not granted to Cobalt are preserved by Customer.

    8. Representations & Warranties

    Warranty

    Your Warranty. You acknowledge and agree that You are solely responsible for (a) all activity occurring through Your Cobalt Account, whether authorized or not, and (b) all Customer Data that You make available through the Services. Accordingly, You represent and warrant that: (i) You either are the sole and exclusive owner of all Customer Data that You make available through the Services or You have all necessary legal rights, licenses, consents and releases to grant to Cobalt its Security Pentesters the rights in such Customer Data, as contemplated under this Agreement, and that You have a process to manage alleged infringements of third party rights thereto, including processes to ensure compliance with the DMCA; and (ii) neither the Customer Data nor Your posting, uploading, publication, sublicensing, submission or transmittal of the Customer Data or Cobalt’s or Security Pentester’s use of the Customer Data(or any portion thereof) on, through or by means of the Site and the Services will infringe, misappropriate or violate any third party patent, copyright, trademark, trade secret, moral rights or other proprietary or intellectual property rights, or rights of publicity or privacy, or result in the violation of any Applicable Law. 

    Cobalt Warranty

    Cobalt represents and Warrants that: (i) Cobalt either is the sole and exclusive owner of all Cobalt Content and the Site or Cobalt has obtained all necessary legal rights, licenses, consents, permissions, approvals and releases to grant You the right to such Cobalt Content and the Site, as contemplated under this Agreement; and (ii) Cobalt shall comply with all applicable laws relating to its performance under this Agreement.

    Express Waivers of Warranties

    YOU ACKNOWLEDGE AND AGREE THAT EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE SERVICES ARE PROVIDED "AS IS", WITHOUT ANY REPRESENTATIONS OR WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. WITHOUT LIMITING THE FOREGOING, COBALT EXPLICITLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE. COBALT MAKES NO WARRANTY THAT THE SERVICES, INCLUDING, BUT NOT LIMITED TO, THE SECURITY PROGRAMS OR ANY VULNERABILITY REPORTS WILL MEET YOUR REQUIREMENTS, BE EXHAUSTIVE IN DOCUMENTING SECURITY RISKS, OR BE AVAILABLE ON AN UNINTERRUPTED, SECURE, OR ERROR-FREE BASIS. COBALT MAKES NO WARRANTY REGARDING THE QUALITY OF ANY SECURITY PROGRAMS AND VULNERABILITY REPORTS, THE SERVICES, OR THE ACCURACY, TIMELINESS, TRUTHFULNESS, COMPLETENESS OR RELIABILITY OF ANY SECURITY PROGRAMS, VULNERABILITY REPORTS OR OTHER COLLECTIVE CONTENT OBTAINED THROUGH THE SITE OR SERVICES.

    NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED FROM COBALT OR THROUGH THE SITE, SERVICES OR COLLECTIVE CONTENT, WILL CREATE ANY WARRANTY NOT EXPRESSLY MADE HEREIN.

    COBALT MAKES NO GUARANTEE AGAINST ANY MALFUNCTION OF THE ENTIRE SECURITY PROGRAM SITE OR ANY LATE, LOST, DAMAGED, MISDIRECTED, INCOMPLETE, ILLEGIBLE, UNDELIVERABLE, OR DESTROYED VULNERABILITY REPORT SUBMISSIONS DUE TO SYSTEM ERRORS, FAILED, INCOMPLETE OR DISTORTED COMPUTER OR OTHER TELECOMMUNICATION TRANSMISSION MALFUNCTIONS, HARDWARE OR SOFTWARE FAILURES OF ANY KIND, LOST OR UNAVAILABLE NETWORK CONNECTIONS, TYPOGRAPHICAL OR SYSTEM/HUMAN ERRORS AND FAILURES, TECHNICAL MALFUNCTION(S) OF ANY TELEPHONE NETWORK OR LINES, CABLE CONNECTIONS, SATELLITE TRANSMISSIONS, SERVERS OR PROVIDERS, OR COMPUTER EQUIPMENT, TRAFFIC CONGESTION ON THE INTERNET OR AT THE SITE, OR ANY COMBINATION THEREOF, INCLUDING OTHER TELECOMMUNICATION, CABLE, DIGITAL OR SATELLITE MALFUNCTIONS WHICH MAY LIMIT THE PERIOD A PROGRAM IS LISTED ON THE SITE.

    YOU ARE SOLELY RESPONSIBLE FOR ALL OF YOUR COMMUNICATIONS AND INTERACTIONS WITH OTHER USERS OF THE SERVICES, WITH OTHER PERSONS WITH WHOM YOU COMMUNICATE OR INTERACT AS A RESULT OF YOUR USE OF THE SITE OR SERVICES. YOU UNDERSTAND THAT COBALT DOES NOT MAKE ANY ATTEMPT TO VERIFY THE STATEMENTS OF USERS OF THE SITE OR SERVICES OR TO VERIFY ANY SECURITY PROGRAMS OR VULNERABILITY REPORTS, OR THE SECURITY OF ANY THIRD PARTY ACCOUNT USAGE. YOU AGREE TO TAKE REASONABLE PRECAUTIONS IN ALL COMMUNICATIONS AND INTERACTIONS WITH OTHER USERS OF THE SITE OR SERVICES AND WITH OTHER PERSONS WITH WHOM YOU COMMUNICATE OR INTERACT AS A RESULT OF YOUR USE OF THE SITE OR SERVICES, INCLUDING, BUT NOT LIMITED TO, SECURITY PENTESTERS.

    YOU UNDERSTAND AND AGREE THAT THE NATURE OF PENETRATION TESTING MAY CAUSE SIGNIFICANT HARM OR DISRUPTION TO PROGRAM(S) AND YOUR BUSINESS, AND YOU ASSUME SUCH RISK, TOGETHER WITH THE RISK OF AN INCOMPLETE OR UNRELIABLE VULNERABILITY REPORT.

    Limited Warranties

    Cobalt represents and warrants that (i) it shall provide the Services in a professional manner and will provide a standard of care consistent with that used by service providers similar to Cobalt; and (ii) that the Security Pentesters have the general skills and expertise necessary to perform the Services. In order to state a claim for breach of the foregoing warranty, You must provide notice of such non-compliance within the thirty (30) day period following the delivery of a Vulnerability Report, specifying the details of such noncompliance. If You provides Cobalt with the required notice, as Your sole and exclusive remedy and Cobalt’s sole and exclusive liability for breach of warranty, Cobalt shall, at the Your request and option, either extend the period of testing to perform additional testing or provide a reperform the Services using a different Security Pentester. This warranty shall not apply during any trial license period. 

    9. Indemnification

    You agree to release, indemnify, and hold Cobalt and its affiliates and subsidiaries, and their officers, directors, employees and agents, harmless from and against any third party claims, liabilities, damages, losses, and expenses, including, without limitation, reasonable legal and accounting fees, arising out of or in any way connected with (i) Your access to or use of the Site or Services; (ii) Customer Data, including without limitation Customer Data that violates third party rights, including intellectual property rights; (iii) Your breach of representations, warranties and/or obligations under this Agreement (iv) Your improper or unlawful interaction with any other persons who access the Site; (v) Your misrepresentation, negligence, or willful misconduct in connection with the performance of this Agreement and (vi) Your violation of Applicable law (collectively the “Indemnified Claims”).

    10. Limitation of Liability

    Except as otherwise expressly provided in this Agreement, by using the Services, You agree that any legal remedy or liability that You seek to obtain for any acts or omissions of, any individuals or other third parties will be limited to a claim against the particular individuals or other third parties who caused You harm and You agree not to attempt to impose any liability on, or seek any legal remedy from Cobalt with respect to the acts or omissions of other individuals or third parties.

    YOU ACKNOWLEDGE AND AGREE THAT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER COBALT NOR ITS LICENSORS, SUPPLIERS, OR CONTRACTORS WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, LOSS OF DATA OR LOSS OF GOODWILL, SERVICE INTERRUPTION, COMPUTER DAMAGE OR SYSTEM FAILURE OR THE COST OF SUBSTITUTE PRODUCTS OR SERVICES, OR FOR ANY DAMAGES FOR PERSONAL OR BODILY INJURY OR EMOTIONAL DISTRESS ARISING OUT OF OR IN CONNECTION WITH THE TERMS, THE USE OF OR INABILITY TO USE THE SITE, SERVICES OR COLLECTIVE CONTENT, FROM ANY COMMUNICATIONS OR INTERACTIONS WITH OTHER USERS OF THE SITE OR SERVICES, WHETHER BASED ON WARRANTY, CONTRACT, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR ANY OTHER LEGAL THEORY, AND WHETHER OR NOT COBALT HAS BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGE, EVEN IF A LIMITED REMEDY SET FORTH HEREIN IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE.

    TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NO EVENT WILL COBALT’S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO WITH THE TERMS AND YOUR USE OF THE SITE AND SERVICES INCLUDING, BUT NOT LIMITED TO, FROM YOUR LISTING OF YOUR SECURITY PROGRAM OR VULNERABILITY REPORT VIA THE SERVICES EXCEED THE TOTAL OF THE AMOUNTS YOU HAVE PAID IN RELATION TO A SPECIFIC SECURITY PROGRAM VIA THE SERVICES AS A CUSTOMER DURING THE TWELVE (12) MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE LIABILITY OCCURRED, OR IF YOU ARE A SECURITY PENTESTER, THE AMOUNTS PAID BY COBALT TO YOU IN THE TWELVE (12) MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE LIABILITY, OR ONE HUNDRED DOLLARS ($100) IF NO SUCH PAYMENTS HAVE BEEN MADE OR ARE OWED, AS APPLICABLE. **THE LIMITATIONS OF DAMAGES SET FORTH ABOVE ARE FUNDAMENTAL ELEMENTS OF THE BASIS OF THE BARGAIN BETWEEN COBALT AND YOU. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE LIMITATION MAY NOT FULLY APPLY TO YOU, IN WHICH CASE YOU AGREE THIS PROVISION SHOULD BE APPLIED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

    YOU UNDERSTAND AND AGREE THAT THE NATURE OF PENTESTING MAY CAUSE HARM OR DISRUPTION TO PROGRAM(S) AND THAT NEITHER COBALT NOR ANY SECURITY PENTESTER SHALL HAVE ANY LIABILITY OF ANY KIND ARISING OUT OF SUCH TESTING ACTIVITIES, UNLESS THE SECURITY PENTESTER HAS COMMITTED GROSS NEGLIGENCE OR COMMITTED WILLFUL MISCONDUCT IN THE PERFORMANCE OF SUCH TESTING.

    11. Miscellaneous

    Test Drive

    PLEASE NOTE: By signing up for a Test Drive (as defined herein) of the Cobalt platform, You are agreeing to the following terms and conditions, which will govern Your Test Drive. Except where expressly contradicted by the following, the applicable provisions of this Agreement remain fully effective.

    (a) If You sign up for a Test Drive, Cobalt will make certain features of the Cobalt platform available to you on a trial basis only, free of charge, until the earlier of (a) ten days following You signing up for the Test Drive, (b) the start date of any Services subscription purchased by You, or (c) termination of the Test Drive by Cobalt in its sole discretion (the "Trial Period"). A Trial Period may be extended upon mutual agreement between You and Cobalt. Notwithstanding anything to the contrary in this Agreement, a Test Drive is provided "AS IS." Cobalt makes no commitment to maintain the availability of a particular feature or functionality of the Cobalt platform for the duration of a Test Drive. COBALT MAKES NO REPRESENTATION OR WARRANTY AND SHALL HAVE NO INDEMNIFICATION OBLIGATIONS WITH RESPECT TO ANY Test Drive. COBALT SHALL HAVE NO LIABILITY OF ANY TYPE WITH RESPECT TO A Test Drive, UNLESS SUCH EXCLUSION OF LIABILITY IS NOT ENFORCEABLE UNDER APPLICABLE LAW IN WHICH CASE COBALT'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO ANY Test Drive IS $100.00. BY PARTICIPATING IN A COBALT Test Drive, YOU AGREE TO REFRAIN FROM USING THE Test Drive IN A MANNER THAT VIOLATES APPLICABLE LAW AND YOU WILL BE FULLY LIABLE FOR ANY DAMAGES CAUSED BY YOUR USE OF A Test Drive.

    (b) You acknowledge that, at the end of the Trial Period, Your access to the Test Drive will be automatically terminated, with or without notice, unless You agree to purchase a paid subscription to the Services pursuant to the applicable provisions of this Agreement. Any data entered by You into the Cobalt platform in connection with Your Test Drive may be permanently lost upon termination of the Test Drive unless you subscribe to the Services.

    (c) "Test Drive" means access to the certain features of the Cobalt Platform that are made available to a prospective customer to facilitate the evaluation of potentially purchasing the Services, which is provided to You at no additional charge, and which is designated as a "Trial," "Test Drive," or similar description. A Test Drive does not include performance of a penetration test or other cybersecurity services, the identification of any security vulnerabilities, the provision of a report relative to Your security vulnerabilities or other aspects of Your security posture, or any other part of the Services offered by Cobalt other than access to the specific platform features that Cobalt, in its sole discretion, chooses to include in the Test Drive. You acknowledge and agree that a Test Drive is for Your internal business purposes only.

    Assignment

    You may not assign, transfer, delegate or subcontract this Agreement or any of Your rights or obligations under this Agreement, in whole or in part, by sale of assets, merger, operation of law or otherwise, without Cobalt’s prior written consent. Any attempt by You to assign, transfer, delegate or subcontract this Agreement or any of Your rights or obligations under this Agreement, without such consent, will be null and of no effect and in such event, and Cobalt shall have the right to immediately terminate Your rights under this Agreement and seek any remedies available to it at law or in equity. Cobalt may assign or transfer this Agreement, at its sole discretion, without restriction. Cobalt has the right to use subcontractors in connection with providing the Services. Subject to the foregoing, this Agreement will bind and inure to the benefit of the parties, their successors and permitted assigns.

    Notices

    Any notices or other communications permitted or required hereunder, including those regarding modifications to this Agreement, will be in writing and given by Cobalt (i) via email (in each case to the address that You provide) or (ii) by posting to the Site. Notices to Cobalt shall be sent to info@cobalt.io. For notices made by e-mail, the date of receipt will be deemed the date on which such notice is transmitted.

    Force Majeure

    If the performance of any obligation hereunder is interfered with by reason of any circumstances beyond a party’s reasonable control, including but not limited to acts of God, labor strikes and other labor disturbances, power surges or failures, or the act or omission of any third party, the party shall be excused from such performance to the extent necessary during the term of any force majeure event, provided the party shall use reasonable efforts to remove such causes of nonperformance.  If an event of force majeure prevents either party from performing its responsibilities under this Agreement for a period of more than thirty (30) days, the other party may terminate this Agreement and any outstanding Sales Order immediately upon written notice.

     

    Controlling Law and Jurisdiction

    This Agreement will be interpreted in accordance with the laws of the State of California and the United States of America, without regard to its conflict-of-law provisions. You and We agree to submit to the personal jurisdiction of a state court or arbitrator located in San Francisco County, San Francisco, California or a United States District Court, Northern District of California located in San Francisco, California for any actions for which the parties retain the right to seek injunctive or other equitable relief in a court of competent jurisdiction to prevent the actual or threatened infringement, misappropriation or violation of a party’s copyrights, trademarks, trade secrets, patents, or other intellectual property rights, as set forth in the Dispute Resolution provision below.

    Arbitration & Dispute Resolution

    You and Cobalt agree that any dispute, claim or controversy arising out of or relating to this Agreement or the breach, termination, enforcement, interpretation or validity thereof, or to the use of the Services or use of the Site (collectively, "Disputes") will be settled by binding arbitration, except that each party retains the right to seek injunctive or other equitable relief in a court of competent jurisdiction to prevent the actual or threatened infringement, misappropriation or violation of a party’s copyrights, trademarks, trade secrets, patents, or other intellectual property rights. You acknowledge and agree that You and Cobalt are each waiving the right to a trial by jury or to participate as a plaintiff or class member in any purported class action or representative proceeding. Further, unless both You and Cobalt otherwise agree in writing, the arbitrator may not consolidate more than one person's claims, and may not otherwise preside over any form of any class or representative proceeding. If this specific paragraph is held unenforceable, then the entirety of this "Dispute Resolution" section will be deemed void. Except as provided in the preceding sentence, this "Dispute Resolution" section will survive any termination of this Agreement.

    Arbitration Rules and Governing Law**.** The arbitration will be administered by the American Arbitration Association ("AAA") in accordance with the Commercial Arbitration Rules and the Supplementary Procedures for Consumer Related Disputes (the "AAA Rules") then in effect, except as modified by this "Dispute Resolution" section. (The AAA Rules are available at http://www.adr.org/arb_med or by calling the AAA at 1-800-778-7879.) The Federal Arbitration Act will govern the interpretation and enforcement of this section.

    Arbitration Process**.** A party who desires to initiate arbitration must provide the other party with a written Demand for Arbitration as specified in the AAA Rules. (The AAA provides a form Demand for Arbitration at http://www.adr.org/aaa/ShowPDF?doc=ADRSTG_004175 and a separate form for California residents at http://adr.org/aaa/ShowPDF?doc=ADRSTG_004314.) The arbitrator will be either a retired judge or an attorney licensed to practice law in the state of California and will be selected by the parties from the AAA’s roster of consumer dispute arbitrators. If the parties are unable to agree upon an arbitrator within seven (7) days of delivery of the Demand for Arbitration, then the AAA will appoint the arbitrator in accordance with the AAA Rules.

    Arbitration Procedure**.** If Your claim does not exceed $10,000, then the arbitration will be conducted solely on the basis of documents You and Cobalt submit to the arbitrator, unless You request a hearing or the arbitrator determines that a hearing is necessary. If Your claim exceeds $10,000, Your right to a hearing will be determined by the AAA Rules. Subject to the AAA Rules, the arbitrator will have the discretion to direct a reasonable exchange of information by the parties, consistent with the expedited nature of the arbitration.

    Arbitrator’s Decision. The arbitrator will render an award within the time frame specified in the AAA Rules. The arbitrator’s decision will include the essential findings and conclusions upon which the arbitrator based the award. Judgment on the arbitration award may be entered in any court having jurisdiction thereof. The arbitrator’s award damages must be consistent with the terms of the "Limitation of Liability" section above as to the types and the amounts of damages for which a party may be held liable. The arbitrator may award declaratory or injunctive relief only in favor of the claimant and only to the extent necessary to provide relief warranted by the claimant’s individual claim. If You prevail in arbitration You will be entitled to an award of attorneys’ fees and expenses, to the extent provided under Applicable Law. Cobalt will not seek, and hereby waives all rights it may have under Applicable Law to recover, attorneys’ fees and expenses if it prevails in arbitration.

    Fees. Your responsibility to pay any AAA filing, administrative and arbitrator fees will be solely as set forth in the AAA Rules. However, if Your claim for damages does not exceed $75,000, Cobalt will pay all such fees unless the arbitrator finds that either the substance of Your claim or the relief sought in Your Demand for Arbitration was frivolous or was brought for an improper purpose (as measured by the standards set forth in Federal Rule of Civil Procedure 11(b)).

    Changes**.** Notwithstanding the provisions of the "Modification" section above, if Cobalt changes this "Dispute Resolution" section after the date You first accepted this Agreement (or accepted any subsequent changes to this Agreement), You may reject any such change by sending Us written notice (including by email to info@cobalt.io) within 30 days of the date such change became effective, as indicated in the "Last Updated Date" above or in the date of Cobalt’s email to You notifying You of such change. By rejecting any change, You are agreeing that You will arbitrate any Dispute between You and Cobalt in accordance with the provisions of this "Dispute Resolution" section as of the date You first accepted this Agreement (or accepted any subsequent changes to this Agreement).

    Independent Parties

    The relationship of the parties is that of independent contracting parties and Cobalt shall not be construed to be an employee, partner or agent of Customer. 

    Entire Agreement and Amendment

    The terms and conditions of this Agreement (including any applicable schedules, referenced documents, or Sales Orders entered into pursuant hereto) provide the complete understanding of the parties with regard to the subject matter hereof and supersede all previous communications, agreements, proposals or representations related to the subject matter hereof.  Except as otherwise expressly provided for herein, any waiver, amendment, or modification of any right or remedy, in whole or in part under this Agreement, or any additional or different terms in, acknowledgments or other documents, will not be effective unless expressly agreed to in writing and signed by the authorized representatives the parties.  Unless the Sales Order expressly amends this Agreement and except as otherwise expressly provided herein, the terms and conditions of this Agreement shall take precedence over any conflicting terms in a Sales Order.  It is expressly agreed that no additional terms and conditions contained in Your purchase order, internet procurement portal or other non-Cobalt document shall apply to the Services ordered.

    Waiver

    The failure of Cobalt to enforce any right or provision of this Agreement will not constitute a waiver of future enforcement of that right or provision. The waiver of any such right or provision will be effective only if in writing and signed by a duly authorized representative of Cobalt. Except as expressly set forth in this Agreement, the exercise by either party of any of its remedies under this Agreement will be without prejudice to its other remedies under this Agreement or otherwise. If for any reason an arbitrator or a court of competent jurisdiction finds any provision of this Agreement invalid or unenforceable, that provision will be enforced to the maximum extent permissible and the other provisions of this Agreement will remain in full force and effect.

    Definitions

    Affiliate - Any entity controlled by, controlling, or under common control with a party to this Agreement during the period such control exists.  For the purposes hereof “control” means the power to direct the operation, policies and management of an entity through the ownership of more than fifty percent (50%) of the voting securities of such entity, by contract, or otherwise.

    Applicable Law(s) - Any statute, law, ordinance, regulation, rule, code, order, constitution, treaty, directive, common law, judgment, decree or other requirement or rule of any federal, state, local or foreign government or political subdivision thereof, or any arbitrator, court or tribunal of competent jurisdiction applicable to a party’s performance of its obligations or the exercise of its rights under this Agreement.

    Application(s) - A software application (including a web enabled application, desktop, or mobile application), involved directly or indirectly (through a test system) in a Security Program.

    Cobalt Content - Means all Content that Cobalt makes available through the Services, and includes without limitation any data, documents, screens, templates, and forms of reports.  Cobalt Content expressly excludes Customer Content.

    Collective Content - Customer Data and Cobalt Content.

    Content - Text, graphics, images, music, software, audio, video, information or other materials.

    Credit - The prepaid unit purchased by Customer which can be exchanged for Cobalt Services. Each Credit corresponds to a particular level of effort by one Security Pentester.

    Customer Data - Any Content or information relating to the Applications/Networks, the Applications/Networks and any other data, documents, information or content provided by or made accessible by Customer to Cobalt in connection with Customer’s use of the Services.

    Intellectual Property Rights - Any and all registered and unregistered rights granted, applied for or otherwise now or hereafter in existence under or related to any patent, copyright, trademark, trade secret, database protection or other intellectual property rights laws, and all similar or equivalent rights or forms of protection, in any part of the world.

    Network(s) - Interconnected computers, servers, mainframes, network devices, peripherals, or other devices that share software and hardware resources between many users.

    Personal Information - Any information relating to an identified or identifiable natural person or otherwise defined to be personal information under Applicable Law, including without limitation, “personal data” as used under the EU’s General Data Protection Regulation.

    Professional Services - Cybersecurity services provided by Cobalt to Customer pursuant to a separately executed statement of work (“SOW”) or similar document, excluding penetration testing services provided via the Services and Site. Professional Services are subject to the Cobalt Professional Services Addendum.

    Sales Order - A transactional document (either an order form or statement of work) referencing this Agreement, which has been mutually agreed to by the parties either (i) in a mutually signed writing on Cobalt’s template Sales Order form  or (ii) by a Customer issued purchase order expressly referencing a Cobalt provided Sales Order form (either electronically or in writing as provided above); provided that if Customer purchases the Services through a Cobalt reseller, the Sales Order shall be the transactional document entered into between Cobalt and the Cobalt reseller for Customer’s use.

    Security Pentester - An individual who offers by signing up and/or is invited to be a Security Pentester on the Site in order to engage in testing of an Application/Network within the scope of a Security Program and to submit a Vulnerability Report confidentially to Customer via the Site.

    Security Program - The scope of Services listed on the Site for Customer’s Application(s)/Network(s) to be completed by Security Pentester(s).

    Services - The Cobalt online platform accessible via the Site (including the Site and all Cobalt Content on the Site) connecting Customers with Security Pentesters for Applications/Network testing, and the ensuing cybersecurity testing performed leveraging the Site and the Security Pentesters. The Services specifically exclude all Applications/Network(s) and Customer Data.

    Site - The Cobalt websites where the Services are made available located at cobalt.io.

    User - An employee or contractor of Customer who is authorized by Customer to use the Services via Customer’s Cobalt Account by provisioning access to the Site via the assignable roles associated with use of the Services.

    Vulnerability Report - A confidential report submitted and listed by a Security Pentester containing security vulnerabilities found during the testing of the Application(s)/Network(s) in scope for a given Security Program. 

  • Running a Security Program

    Last update on 29th of April, 2022


    IMPORTANT - READ BEFORE USING THE SITE OR SERVICES FOR RUNNING A SECURITY PROGRAM.

    BY CLICKING TO SIGN IN ON-LINE TO USE THE COBALT SITE AND SERVICES AND BY USING THE SITE AND SERVICES FOR RUNNING A SECURITY PROGRAM, YOU (OR “CUSTOMER”) AGREE TO COMPLY WITH AND BE LEGALLY BOUND BY THESE SUPPLEMENTAL TERMS (“SUPPLEMENTAL TERMS”). THESE SUPPLEMENTAL TERMS ARE INCORPORATED INTO AND FORM A PART OF THE GENERAL TERMS FOUND AT COBALT.IO/TERMS (“AGREEMENT” or  “GENERAL TERMS”) AND GOVERN YOUR ACCESS TO AND USE OF THE SITE TO RUN A SECURITY PROGRAM AND CONSTITUTE A BINDING LEGAL AGREEMENT BETWEEN YOU, COBALT AND THE SECURITY PENTESTER. IF YOU DO NOT AGREE TO THESE SUPPLEMENTAL TERMS, YOU HAVE NO RIGHT TO USE THE SITE OR SERVICE TO RUN A SECURITY PROGRAM.

    These Supplemental Terms form a part of the General Terms and you agree that you are a User of the Site and Services and you therefore have already agreed to and accepted the General Terms and Privacy Policy for being a User on the Site and Services. Terms not otherwise defined herein, shall have the meaning set forth in the General Terms.

    Eligibility

    To submit a Security Program, you must either be must be the owner of the Application(s)/Network(s) you list as in scope of the test or have obtained all necessary legal permissions and licenses from the owner to list them and have them tested. You also need to ensure that you have obtained all necessary legal permissions and licenses from any third party service providers applicable to the scope that may be tested pursuant to the terms and conditions of an agreement with such third party, including, but not limited to, a hosting agreement. If you are acting within the scope of your employment, as an employee, contractor, or agent of another party, you warrant that such party has full knowledge of your actions and has consented thereto, including the cost of the activities and that you have the authority to bind such entity to these Supplemental Terms. You further warrant that your actions do not violate your employer’s or company’s policies and procedures.

    Security Program Time Period

    The Security Program initiates when it is listed on the Cobalt Security Program list on the Site and Services and has the status Live.

    The Security Program will run until a written deadline agreed between You  and Cobalt. This deadline will be listed on the Security Program.

    It is important to note that

    • Security Pentesters can only engage in testing on programs that are in status Live and the Security Pentesters have been invited to.
    • When a program is past the test deadline, Security Pentesters are not allowed to engage in test activities other than re-testing / Patch verification specifically requested by You.

    The date on which your test will start may depend on the Tier associated with your account. Each Tier permits test start dates within a defined minimum advance notice, measured in days. For purposes of calculating the applicable period associated with your Tier, a “day” is equal to 24 hours excluding holidays and weekends, falling within Cobalt business hours. Cobalt business hours are: for Customers in EMEA, 8 AM - 5 PM Central European Standard Time; for Customers in the Americas, 8 AM - 5 PM Pacific Standard Time.  A Customer must first have their test assigned to “Planned” state within the Cobalt platform in order to select a start date, such that Cobalt’s commitment to initiate a testing within a certain period only begins when a test is listed as “Planned” and a start date is selected. In all circumstances, a start date for Services must be scheduled to be completed before the expiration of the one-year period associated with the applicable Credit(s).  When Services that are scheduled to begin within fourteen days of the expiration of the one-year period associated with the applicable Credit(s), test coverage may be reduced and retesting may be precluded due to time and resource constraints.

    Third Party Integrations

    Services may be configured to facilitate integration with certain third party software products or services leveraged by Cobalt Yous. The availability of such integrations is dependent on the specific Tier assigned to a Customer.

    While Cobalt is constantly investigating new opportunities of third party integrations, a current list of third party integrations can be found on the Tiers FAQ. Notwithstanding the foregoing, Cobalt reserves the right to deprecate any particular third party integration at its discretion.

    By accessing or using Cobalt’s third party integrations, Customer (i) agrees to all applicable terms in this Agreement as well as the specific integration terms applicable to the software or solution to which such integration applies, and (ii) represents and warrants that it has obtained all necessary licenses, credentials, or other rights to facilitate Cobalt’s access to and integration with such software or solution.

    If there is a conflict between the integration terms in this Agreement and the specific integration terms of a third party integration, the specific integration terms will control for that conflict.

    Before using any of the Cobalt third party integrations, Customer is encouraged to (i) review the terms and conditions of the relevant third party provider (“Third Party Terms”) and (ii) review personal and technical security of the third party integration. Cobalt’s provision of third party integrations relies on Customer having conducted the review in accordance with this section and Cobalt hereby disclaims any and all obligations relative to such third party’s privacy or security posture.

    By utilizing any of the third party integrations supported by Cobalt, Customer acknowledges that (i) Cobalt has no control over the service or product that is integrated, (ii) Customer has read and understand the terms of the relevant third party providing the integration, (iii) Customer consents that Cobalt shall transfer the data collected as a result of providing Customer with the Services to the third party, (iv) Customer uses the third party integration at its own risk.

    Cobalt shall not be held liable and shall not accept any liability, obligation, or responsibility for any loss or damage in connection with any third party integration. Cobalt has no control over such third parties and we are not responsible for the content of their services. Cobalt provides Yous with third party integrations only for our Yous’ convenience. This does not imply any endorsement or association with such third parties. Any concern regarding the third party services should be directed to the responsible third party.

    Customer agrees to release, indemnify, and hold Cobalt and its affiliates and subsidiaries, and their officers, directors, employees and agents, harmless from and against any third party claims, liabilities, damages, losses, and expenses, including, without limitation, reasonable legal and accounting fees, arising out of or in any way connected with (i) Customer’s misuse of third party integrations or (ii) violations of the Third Party Terms.

    By using any third party integration, Customer acknowledges that Cobalt does not warrant that the use of the third party integration will be uninterrupted or error free. Customer accepts and understands this risk and waives all rights to hold Cobalt responsible in any qya, financially or otherwise, for such errors and results.

    By using any third party integration, Customer acknowledges that Cobalt does not make any specific promises about the third party integrations. For example, Cobalt does not make any commitments about the content of third party integrations, their specific functions and reliability, availability, or the ability to meet Customer’s needs.

    Cobalt shall retain all rights ( (including but not limited to all patent rights, trademark rights, copyright, trade secrets and any other intellectual property rights) that Cobalt has or may have in connection with the third party integrations.

    Any use of the Cobalt API is subject to the terms and specifications found at https://docs.cobalt.io.

    Retesting

    Cobalt may offer retesting of vulnerabilities, depending on the Tier you purchased. Please see the Tiers FAQ to determine whether you qualify for retesting. Retesting consists of Cobalt Pentesters re-engaging via the same or similar methodologies in testing of specified vulnerabilities that were originally identified in a Cobalt Vulnerability Report. Retesting is applicable only to those vulnerabilities that you have taken steps to remediate and the intent of retesting is to validate the efficacy of your remediation efforts. Timing for retesting is at Cobalt's sole discretion. Only Cobalt Customers with active subscriptions at the time a retest is requested are eligible for retesting. Retesting is subject to all terms and conditions otherwise applicable to the provision of Services by Cobalt.

    Security Program Responsibilities and Liabilities

    • You agree that (i) your creation of the Security Program will not breach any agreements you have entered into with any third parties, (ii) you have all of the necessary right, title and interest to grant the license rights provided by you pursuant to the General Terms and Supplemental Terms, and (iii) you are and will remain in compliance with all Applicable Laws, Tax requirements, and rules and regulations.
    • You agree that you authorize Cobalt to list your program on the Site and Services.
    • You agree that you authorize invited Security Pentesters to perform tests on the Application(s)/Network(s) mentioned in scope in the Security Program.
    • You agree to take the full liability and responsibility if you invite pentesters who are not Security Pentesters to see your Security Program and/or Engage in testing of the scope of the Security Program.
    • You agree that the scope, rules and all other information on the Security Program combined with our Supplemental Terms for Engaging in Testing is the entire scope, rules and information which you expect the Security Pentesters to follow if engaging in activities related to your Security Program.
    • You agree that Cobalt only provides a best practice set of rules as an example and that you as a User are fully responsible and liable for the coverage of the scope and the rules written in the Security Program.
    • You agree that you are responsible for contacting and getting, if needed, acceptance from any and all related third parties who potentially will be impacted by the activities related to the Security Program. This includes but is not limited to hosting providers.
    • You agree that you understand when you initiate the Security Program you will start receiving Vulnerability Report Submissions on the Site and Services. This means that Cobalt will store these Vulnerability Reports on the Site and Services, any vulnerability/Bug submitted against your Security Program will only be visible to You, , the Security Pentesters participating in the Program and Authorized staff at Cobalt.
    • In the event your program has responsible disclosure you agree that you are responsible for informing the Security Pentesters on when he/she can disclose a given vulnerability to the public.
    • As Aligned with the General terms Limitation of Liability section You understand and agree that the nature of penetration testing may cause harm or disruption to Application and/or networks and that neither Cobalt and that neither Cobalt nor the Security Pentesters shall have any liability of any kind arising out of such testing activities unless the Security Pentester has committed gross negligence or committed willful misconduct in performance of such testing.

    Intellectual Property Rights

    See the General Terms for information around Ownership and License grants.

    Privacy

    You agree and understand that personal data entered during the registration, including name, mailing address, phone number, and email address may be processed, stored, shared and otherwise used solely for the purposes and within the context of the Security Program. This data will also be transferred into the United States. By entering, entrants agree to the transmission, processing, sharing and storage of this personal data in the United States. You also understand this data may be used by Cobalt in order to verify your identity and telephone number in the event of a submission. You have the right to access, review, rectify or cancel any personal data held by Cobalt in connection with the Security Program by writing to Cobalt at privacy@cobalt.io. If you do not provide the data required at registration, your submission will be ineligible. Otherwise, all personal information that is collected from you is subject to Cobalt’s Privacy Policy.

    For residents of the EU: pursuant to EU law pertaining to data collection and processing, you are informed that:

    • the data controller is Cobalt and the data processor is Cobalt
    • your data is collected for purposes of administration of the promotion and for marketing purposes
    • you have a right of access to and withdrawal of your personal data. You also have a right of opposition to the data collection, under certain circumstances. To exercise such right, you may write to Cobalt at privacy@cobalt.io
    • your personal data will be transferred to the U.S.

    Warranty and Indemnification

    You represent and warrant that you own or have all necessary right, title and interest in the Application(s)/Network(s) in scope for the Security Program and that the Security Program material and Application(s)/Network(s) submitted by you or on your behalf do not infringe upon or violate any third party proprietary rights, intellectual property rights, industrial property rights, personal or moral rights or any other rights, including without limitation, copyright, trademark, patent, trade secret, privacy, publicity or confidentiality obligations, defame any person or violate their rights of publicity or privacy or otherwise violate any Applicable Law.

    To the maximum extent permitted by law, you hereby agree to indemnify and hold harmless Cobalt at all times from and against any liability, claims, demands, losses, damages, costs and expenses (including reasonable attorney’s fees) arising out of or relating to (i) your improper or unlawful use of the Site or Services; (ii) your failure to properly perform your obligations under the Terms; (iii) your negligence or willful misconduct; (iv) your breach of your representations and warranties set forth in the Terms or; (v) your violation of Applicable Law; (vi) any misrepresentation made by you in connection with the Site and Services; (vii) any error made by you in the collection, processing, or retention of submission information or in the printing, offering or announcement of any reward or winners; and (viii) your breach, default or violation of the General Terms, Supplemental Terms or Security Program (collectively as “Indemnified Claims”). You hereby agree to defend Cobalt, at your expense, from and against any and all claims, actions, suits or proceedings brought by a third party arising out or relating to the Indemnified Claims.

    Elimination

    Any false information provided within the context of the Security Program by your concerning identity, mailing address, telephone number, email address, ownership of right or non-compliance with these terms and conditions or the like may result in the immediate elimination of the Security Program.

    Network Malfunction

    Cobalt does not give a guarantee against any malfunction of the entire Security Program Site or any late, lost, damaged, misdirected, incomplete, illegible, undeliverable, or destroyed Vulnerability Report submissions due to system errors, failed, incomplete or distorted computer or other telecommunication transmission malfunctions, hardware or software failures of any kind, lost or unavailable network connections, typographical or system/human errors and failures, technical malfunction(s) of any telephone network or lines, cable connections, satellite transmissions, servers or providers, or computer equipment, traffic congestion on the Internet or at the Program Site, or any combination thereof, including other telecommunication, cable, digital or satellite malfunctions which may limit the period a program is listed on the Site.

    Recommendation

    Cobalt recommends that you obtain appropriate insurance and backup for your Application(s)/Network(s) and its content. Please review any insurance policy that you may have for your Application(s)/Network(s) and its content carefully, and in particular please make sure that you are familiar with and understand any exclusions to, and any deductibles that may apply for, such insurance policy.

    Complete Agreement and Order of Precedence

    All of the terms set forth in the General Terms shall apply to these Supplemental Terms including without limitation confidentiality, liability, controlling law and jurisdiction, dispute resolution and arbitration and costs. In the event of a conflict between the General Terms and these Supplemental Terms, the Supplemental Terms shall apply.

  • Engaging in Testing

    Last update on 9th of January, 2019

    IMPORTANT - READ BEFORE USING THE SITE OR SERVICES TO ENGAGE IN A TEST AS A PENTESTER.

    BY CLICKING TO SIGN IN ONLINE TO USE THE COBALT SITE AND SERVICES AND USING THE SITE AND SERVICES TO ENGAGE IN A TEST AND/OR SUBMIT A VULNERABILITY REPORT, PENTESTER (“YOU” OR “YOUR”) AGREE TO COMPLY WITH AND BE LEGALLY BOUND BY THESE SUPPLEMENTAL TERMS (“SUPPLEMENTAL TERMS”). THESE SUPPLEMENTAL TERMS ARE INCORPORATED INTO AND FORM A PART OF THE GENERAL TERMS FOUND AT COBALT.IO/TERMS/GENERAL (“GENERAL TERMS”) AND GOVERN YOUR ACCESS TO AND USE OF THE SITE TO ENGAGE IN A TEST AND CONSTITUTE A BINDING LEGAL AGREEMENT BETWEEN YOU, COBALT AND THE PROGRAM OWNER. IF YOU DO NOT AGREE TO THESE SUPPLEMENTAL TERMS, YOU HAVE NO RIGHT TO ENGAGE IN ANY TEST ACTIVITY ON THE APPLICATION(S)/NETWORK(S) IN SCOPE FOR THE SECURITY PROGRAM OR SUBMIT A VULNERABILITY REPORT TO THE SECURITY PROGRAM.

    These Supplemental Terms form a part of the General Terms and you agree that you are a Member of the Site and Services pursuant to the General Terms and that you have already agreed to and have accepted the General Terms and Privacy Policy for being a Member on the Site and a user of the Services. Terms not otherwise defined herein, shall have the meaning set forth in the General Terms found at cobalt.io/terms/general.

    Eligibility

    In order to engage in test activities as a Pentester related to the Security Program you must adhere to the rules for who can participate as set by the Program Owner in the Program Rules. If you are acting within the scope of your employment, as an employee, contractor, or agent (each a “Representative”) of another party, and you are entering into the Terms on behalf of such contracting party, you warrant that such party has full knowledge of your actions and has consented thereto, including your potential receipt of payment, and that you have the authority to bind such entity to these Supplemental Terms. You acknowledge and agree that each Representative of the contracting party who will act as Pentester must register individually as a Member of the Service and submit to the required Background Checks (as defined in the General Terms) and other required vetting requirements as determined by Cobalt in its sole discretion. You further warrant that your actions do not violate your employer’s or company’s policies and procedures.

    Payments are not given to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.

    Security Program Time Period

    The Security Program initiates when it is listed on the Cobalt Security Program list on the Site and Services and has the status Live.

    The Security Program will be open for testing on Cobalt until a deadline agreed between the Program Owner and Cobalt. This deadline will be listed on the Security Program.

    It is important to note that

    • When a program is past the test deadline, pentesters are not allowed to engage in test activities other than re-testing / Patch verification specifically requested by the Program Owner and/or Program Collaborators.

    How to Engage in a Test for a Security Program

    Go to the Security Program details. Read the instructions, questionnaire and Program Rules for engaging in the test and for submitting a Vulnerability Report.

    Responsibilities and Liabilities

    • You agree that, unless explicitly approved in writing by the Program Owner and Cobalt, you are only allowed to participate in a Security Program if you are a Cobalt Core Pentester who have gone through background checks, signed the Cobalt NDA and been invited to a particular Security Program.
    • You agree that you are responsible for reading and complying with the scope, rules and all other information on the Security Program.
    • You agree to take professional precautions when Engaging in a test and that you may not perform testing that can result in disruption of an Application/Network (Such as DDoS) unless explicitly approved as part of the Security Program Rules.
    • You agree that you are liable and responsible for your negligent, wrongful or improper conduct in connection with your use of the Site and/or Service or the performance of testing activities as further described in the indemnity section of these Supplemental Terms.
    • You understand that Cobalt only provides a best practice set of rules as an example and that it is the Program Owner who is fully responsible and liable for the coverage of the scope and compliance with the Program Rules written in the Security Program.
    • You agree that the Vulnerability Report submission must meet the criteria set by the Program Owner in the Program Rules listed on the Security Program site on the Site and Services.
    • You agree that finding vulnerabilities using any of the following type of methods are not allowed under any circumstance
      • Spam-based
      • Social Engineering

    Payment Management

    As part of engaging in a test you will receive a payment from Cobalt. You will be informed about the size of this payment as well as the related work expected for the given payment before the test begins and you will not receive additional payment other than the stated amount unless Cobalt agrees to it. Payments will be paid within a period (Determined by Cobalt) after the test has been completed.

    Taxes

    You agree that you are solely responsible for determining your applicable Tax reporting requirements in consultation with your tax advisors. Cobalt cannot and does not offer Tax-related advice to any Members of the Site and Services. Additionally, note that each Pentester is responsible for determining local indirect Taxes. Where applicable, or based upon request from a Pentester, Cobalt may issue a valid VAT invoice to such Pentester.

    General Conditions

    You shall comply with all Applicable Laws in connection with the performance of testing activities. Cobalt reserves the right to disqualify you from the Program if, in Cobalt’s sole discretion, it reasonably believe that you have attempted to undermine the legitimate operation of the Program by cheating, deception, or other unfair practices or annoy, abuse, threaten or harass any other users, Cobalt, or the Program Owner.

    Intellectual Property Rights

    See the General Terms for terms around Ownership and License grants related to Vulnerability Reports and Related Methods and Techniques.

    Privacy

    You agree and understand that personal data entered during the registration, including name, mailing address, phone number, and email address may be processed, stored, shared and otherwise used solely for the purposes of and within the context of the Security Program. This data will also be transferred into the United States. By entering the site, you agree to the transmission, processing, sharing and storage of this personal data in the United States. You also understand this data may be used by Cobalt in order to verify your identity and telephone number in the event of a submission. You have the right to access, review, rectify or cancel any personal data held by Cobalt in connection with the Security Program by writing to Cobalt at privacy@cobalt.io. If you do not provide the data required at registration, your submission will be ineligible. Otherwise, all personal information that is collected from you is subject to Cobalt’s Privacy Policy.

    For residents of the EU: pursuant to EU law pertaining to data collection and processing, you are informed that:

    • the data controller is Cobalt and the data recipients is Cobalt
    • your data is collected for purposes of administration of the promotion and for marketing purposes
    • you have a right of access to and withdrawal of your personal data. You also have a right of opposition to the data collection, under certain circumstances. To exercise such right, you may write to Cobalt at privacy@cobalt.io
    • your personal data will be transferred to the U.S.

    Publicity

    By participating in a Security Program, you agree to Cobalt and the Program Owner's use of your name and Vulnerability Report for advertising and promotional purposes without additional compensation, unless prohibited by law.

    Warranty and Indemnification

    You represent and warrant that (i) the Vulnerability Reports you submit are your own original work and you are the sole and exclusive owner and holder of all right, title and interest to the submitted Vulnerability Report; (ii) you have the right to submit the Vulnerability Report in the Security Program and grant all required licenses provided for in the General Terms and these Supplemental Terms; and (iii) the Vulnerability Report submitted by you does not infringe upon or violate any third party proprietary rights, intellectual property rights, industrial property rights, personal or moral rights or any other rights, including without limitation, copyright, trademark, patent, trade secret, privacy, publicity or confidentiality obligations otherwise violate the Applicable Law.

    To the maximum extent permitted by law, you hereby agree to indemnify and hold harmless Cobalt at all times from and against any liability, claims, demands, losses, damages, costs and expenses (including reasonable attorneys’ fees) arising out of or relating to (i) your improper or unlawful use of the Site or Services; (ii) your failure to properly perform your obligations under the Terms; (iii) your fraudulent, negligent or willful misconduct in connection with your use of the Site or Services or the performance of your testing activities or other obligations under the Terms; (iv) your breach of your representations and warranties under the Terms; (v) your failure to properly perform your obligations under the Terms; (vi) your violation of Applicable Law; (vii) any misrepresentation made by you in connection with the Site and Services; (viii) any error made by you in the collection, processing, or retention of submission information through the Site or Service including as may be contained in a Vulnerability Report; and (ix) your default, breach or violation of the General Terms, Supplemental Terms or Security Program Rules (collectively as “Indemnified Claims”) .

    You hereby agree to defend Cobalt, at your expense, from and against any and all claims, actions, suits or proceedings brought by a third party or a Program Owner arising out of or relating to the Indemnified Claims.

    Elimination

    Any false information provided within the context of the Security Program by you concerning identity, mailing address, telephone number, email address, ownership of right or non-compliance with these terms or the like may result in the immediate elimination from the Security Program and in such event you shall not be entitled to any payment for any services rendered.

    Network

    Cobalt and the Program Owners are not responsible for any malfunction of the entire Site and Services or any late, lost, damaged, misdirected, incomplete, illegible, undeliverable, or destroyed vulnerability reports due to system errors, failed, incomplete or distorted computer or other telecommunication transmission malfunctions, hardware or software failures of any kind, lost or unavailable network connections, typographical or system/human errors and failures, technical malfunction(s) of any telephone network or lines, cable connections, satellite transmissions, servers or providers, or computer equipment, traffic congestion on the Internet or at the Program Site, or any combination thereof, including other telecommunication, cable, digital or satellite malfunctions which may limit your ability to participate.

    Right to Cancel, Modify or Disqualify

    If for any reason the Security Program is not capable of running as planned, including infection by computer virus, bugs, tampering, unauthorized intervention, fraud, technical failures, or any other causes which corrupt or affect the administration, security, fairness, integrity, or proper conduct of the Security Program, Cobalt reserves the right at its sole discretion to cancel, terminate, modify or suspend the Security Program. Cobalt further reserves the right to disqualify any entrant who tampers with the submission process or any other part of the Security Program or the Site and Services. Any attempt by you to deliberately damage the Site and Services or undermine the legitimate operation of the Security Program is a violation of criminal and civil laws and should such an attempt be made, Cobalt reserves the right to seek damages from you to the fullest extent under applicable law.

    Not an offer or contract of employment

    Under no circumstances shall the invitation to a test, or anything in these Supplemental Terms be construed as an offer or contract of employment with either Cobalt, or the Program Owner. You acknowledge that you have engaged in testing voluntarily and not in confidence or in trust. You acknowledge that no confidential, fiduciary, agency or other relationship or implied-in-fact contract now exists between you and Cobalt or the Program Owners and that no such relationship is established by your submission of a vulnerability report under these Supplemental Terms.

    Complete Agreement and Order of Precedence

    All of the terms set forth in the General Terms shall apply to these Supplemental Terms including without limitation confidentiality, liability, controlling law and jurisdiction, dispute resolution and arbitration and costs. In the event of a conflict between the General Terms and these Supplemental Terms, the Supplemental Terms shall apply.

  • Professional Services Addendum

    BY CLICKING TO SIGN IN ON-LINE TO USE THE COBALT SITE AND SERVICES AND BY USING THE SITE AND SERVICES FOR PROFESSIONAL SERVICES, YOU (OR “CUSTOMER”) AGREE TO COMPLY WITH AND BE LEGALLY BOUND BY THESE SUPPLEMENTAL TERMS (“SUPPLEMENTAL TERMS”). THESE SUPPLEMENTAL TERMS ARE INCORPORATED INTO AND FORM A PART OF THE GENERAL TERMS FOUND AT COBALT.IO/TERMS (“AGREEMENT” or  “GENERAL TERMS”) AND GOVERN YOUR ACCESS TO AND USE OF THE SITE, SERVICES, AND PROFESSIONAL SERVICES AND CONSTITUTE A BINDING LEGAL AGREEMENT BETWEEN YOU, COBALT AND THE SECURITY PENTESTER. IF YOU DO NOT AGREE TO THESE SUPPLEMENTAL TERMS, YOU HAVE NO RIGHT TO USE THE SITE, SERVICES, OR PROFESSIONAL SERVICES.

    1. PROFESSIONAL SERVICES ​

    “Professional Services” shall include certain security testing, consulting, training, and other similar services, inclusive of any deliverable associated therewith, performed by Cobalt as identified with specificity under the terms of a Cobalt Sales Order or SOW, with such services to be undertaken by Cobalt personnel or contractors. “Professional Services” excludes the offering of penetration testing Services delivered via the Cobalt Site (app.cobalt.io)

    2. SCOPE

    a. Scope. Cobalt will perform the Professional Services and deliver the software and/or documents specified as deliverables in the applicable Sales Order or SOW for Professional Services (the “Deliverables”) in accordance with the requirements in the Sales Order or SOW. Any specific scope or limits to the provision of Professional Services shall be set forth in the Sales Order or SOW, in the absence of which Cobalt shall have the discretion to establish the scope and limits of any such Professional Services. Where specific networks, code, systems, devices or objects are the subject of Professional Services, the such networks, code, systems, devices or objects will be identified by Customer in the Sales Order or SOW with specificity. Cobalt shall have the discretion to select applicable methodologies for conducting Professional Services.

    b. Changes. At any time prior to completion of the Professional Services under a Sales Order or SOW, Customer may request or Cobalt may recommend modifications to the Sales Order or SOW. Cobalt will advise Customer of the likely impact of any such change, including any effect on the fees and time for completion of the Professional Services. The parties will respond in writing or will meet to discuss any such proposed changes as soon as practicable, but (subject to Section 2.4) neither party will be obligated to agree to any such change, and until such time as any change is agreed to in a writing specifying, inter alia, any change to the fees, time for completion or completion criteria, Cobalt will continue to provide the Professional Services as if such change had not been requested or recommended.

    c. Resources. Cobalt will provide appropriately qualified personnel to perform the Professional Services and will use commercially reasonable efforts to minimize changes in such personnel. Cobalt reserves the right to engage independent contractors to perform some or all of the Professional Services, provided that Cobalt remains responsible for the performance of the Professional Services in accordance with this Professional Services Addendum. 

    d. Schedule. Cobalt and Customer shall mutually agree to a schedule for provision of Professional Services, which shall be identified in the Sales Order or SOW. In the absence of a particular schedule, Cobalt shall have discretion to determine the time and place of any Professional Services hereunder. Any delay in meeting the applicable Professional Services schedule caused by Customer may require execution of a change order or revision and payment of additional fees at Cobalt's sole discretion. 

    3. CUSTOMER’S OBLIGATIONS ​

    a. Access. For any Professional Services where access to Customer’s systems, office sites, devices or other objects, or third party systems is necessary, Customer will take all steps necessary to ensure that Cobalt obtains all required credentials or permissions.Where Professional Services concern a particular device or object, such device or object will be delivered to Cobalt at a location to be determined by the parties via courier or similar delivery service, with Customer to retain liability over the condition of such device or object until its delivery to Cobalt.

    b. On-Site. Where Professional Services provided hereunder require Cobalt to be physically present at Customer’s location, Customer shall be responsible for ensuring Cobalt is provided with sufficient space and resources to perform the Professional Services. Customer will be responsible for providing a safe environment where Cobalt personnel and/or contractors are present, and shall obtain adequate insurance to protect Cobalt and its personnel against any physical injury occurring on Customer’s premises.

    c. Customer Personnel. Where Professional Services require engagement of Customer’s personnel, Customer will take all necessary steps to provide Cobalt with reasonable access to such personnel, whether in person or via standard communications tools (i.e. email, Zoom, teleconference, etc.).

    d. Failure to Fulfill Obligations. Failure of Customer to timely fulfill the obligations set forth in this Section 3 may preclude timely provision of Professional Services and may require an adjustment of the Professional Services schedule under Section 2.4 and/or suspension of performance by Cobalt.

    4. ​PAYMENT

    a. Fees In consideration for the Professional Services and Deliverables, Customer will pay Cobalt the fees specified in the applicable Sales Order or SOW.

    b. Expenses. Customer will reimburse Cobalt for all reasonable expenses incurred by Cobalt in performing the Professional Services, including travel, lodging, per-diem and out of pocket expenses, subject to Customer’s pre-approval. In general, expenses will only be incurred for provision of the Professional Services at locations other than Cobalt’s offices, unless otherwise specified in the appliCable Sales Order or SOW.

    c. Invoices. Cobalt shall submit invoices on a monthly basis for all fees, charges and expenses relating to the performance of the Professional Services under the applicable Sales Order or SOW. Payments shall be made in U.S. Dollars, or, if different, the applicable currency as set forth in the Sales Order or SOW, within thirty (30) days of receipt of invoice. Unless otherwise specified in the applicable Sales Order or SOW, the payment terms and conditions shall be as set forth in the payment terms provision of the Agreement.

    5. ​SECURITY AND PRIVACY.

    The parties agree that Cobalt will not be provided access to any production data processed by the Customer through the provision of Professional Services (“PS Customer Data”), whether by way of transfer of PS Customer Data to Cobalt’s systems, access to Customer’s systems or exposure to PS Customer Data through shared screens, screen shots, etc., other than sample, hashed or anonymized data used for development and testing purposes. If and to the extent it is agreed by the parties that Customer will grant Cobalt access to PS Customer Data, Cobalt shall employ and maintain commercially reasonable safeguards to protect the security and confidentiality of PS Customer Data. Those safeguards will include, but will not be limited to, measures for preventing unauthorized access to or disclosure of PS Customer Data. Cobalt will not use or disclose PS Customer Data except (a) as required to provide Professional Services, (b) as required by law, or (c) as Customer expressly permits Cobalt in writing. Customer shall be solely responsible for ensuring that granting Cobalt access to PS Customer Data as set forth in this Section 5 does not violate applicable laws governing the use of PS Customer Data, including but not limited to the rights of data subjects whose information is included in the PS Customer Data. If required, Customer shall be responsible for removing or redacting data subject to security restrictions or anonymizing personally identifiable information. 

    6. OWNERSHIP

    a. Deliverables. All Deliverables and all intellectual property rights in the Deliverables will be the sole and exclusive property of Cobalt, whether or not specifically recognized or perfected under the laws of the jurisdiction in which the Professional Services are used or licensed. No work product of Cobalt shall be construed as or deemed to be a “work made for hire”. Accordingly, Customer acknowledges that Cobalt retains sole and exclusive ownership of all right, title and interest to all Deliverables. Cobalt shall own all rights in any copy, translation, modification, adaptation or derivation of the Deliverables, including any improvement or development thereof. At no time will Customer dispute or contest Cobalt’s exclusive ownership rights in any Deliverables. Notwithstanding the above, Cobalt grants to Customer a perpetual, worldwide, non-exclusive license in the Deliverables for Customer’s internal use only. Cobalt shall have no obligation to provide support services or otherwise maintain any Deliverables delivered hereunder.

    b. Materials. Cobalt may furnish Customer with reports, analyses or other such materials (the "Materials"). Customer understands and agrees that any such Materials will be furnished solely for its internal use and may not be furnished in whole or in part to any other person other than its directors, officers, employees or advisors without the prior written consent of Cobalt. Cobalt grants to Customer a perpetual, irrevocable, nontransferable, paid-up right and license to use and copy such Materials and prepare derivative works based on such Materials for its internal use, subject to the terms of this Section. All other rights in such Materials, excluding any Confidential Information of Customer, remain in and/or are assigned to Cobalt.

    c. Cooperation. The parties will cooperate with each other and execute such other documents as may be appropriate to achieve the objectives of this Section.

    7. WARRANTY​
    a. Warranty. Cobalt warrants that it shall use commercially reasonable efforts in performing the Professional Services. Cobalt further warrants that any Deliverable provided through the Professional Services shall substantially conform to the specification for such Deliverable as set out in the applicable Sales Order or SOW. If Customer notifies Cobalt that Professional Services or any Deliverable fails to conform to the aforestated warranties within thirty (30) days of the acceptance of the Deliverable, Cobalt shall (as Customer’s sole and exclusive remedy), re-perform the Professional Services and/or correct any defects with the Deliverable in question. 

    b. Disclaimer. COBALT’S OBLIGATION UNDER THE ABOVE WARRANTY SHALL BE ITS SOLE LIABILITY AND IT SHALL HAVE NO OTHER LIABILITY WHATSOEVER WITH RESPECT TO THE QUALITY, FITNESS FOR A PARTICULAR PURPOSE OR MERCHANTABILITY OF THE PROFESSIONAL SERVICES OR ANY DELIVERABLES AND ALL OTHER REPRESENTATIONS, STATUTORY OR OTHERWISE ARE EXCLUDED. 
  • Pentest Management Platform Pilot

    These terms and conditions (the “Pilot T&Cs”) constitute the sole and entire agreement of Cobalt Labs, Inc (“Cobalt”). and its customer (the “Customer”) concerning the use of and evaluation of the Cobalt Pentest Management Platform (“PMP”), and supersede all prior or contemporaneous understandings, agreements, negotiations, representations and warranties, and communications, both written and oral.  These Pilot T&Cs prevail over any terms or conditions contained in any other documentation. To the extent not directly contradictory herewith, all other Cobalt Terms and Conditions (including without limitation, the Cobalt Privacy Policy) continue to apply with full force and effect.

    Access to Platform.  During the Pilot Term,  Cobalt will provide the Customer access to and use of the PMP, in accordance with these Pilot T&Cs. All use of the PMP will be for the purpose of Customer managing and administering pentests for Customer’s benefit alone. By using the PMP, Customer represents that it has obtained all rights and/or licenses necessary to undertake any and all pentests for which PMP is leveraged. Customer is prohibited from using the PMP in any way that violates applicable law, regulation, contract, or in any way injures the rights of any third party.

    Pilot Term. The period for which Customer may access the PMP (the “Pilot Term”) shall be determined by and between Cobalt and each Customer.  Cobalt reserves the right to terminate the Pilot at any time and for any reason, with notice to Customer.  Cobalt will delete or return, at Customer’s discretion, all data created and stored on the PMP after the conclusion of the PMP; provided, that in the Cobalt has (at such time as the Pilot Term ends) developed a paid version of PMP and Customer desires to transition to such paid version, Cobalt and Customer may provide for continued access to, use of and storage of Customer PMP data on terms and conditions to be agreed upon by and between Cobalt and Customer at such time.

    Restrictions on Use. Customer shall not (a) demonstrate, copy, sell, rent, lease, lend, sublicense, distribute, or otherwise transfer or provide access to the PMP to any third party; (b) publish or otherwise disclose information relating to the performance, quality, or capability of PMP to any third party; (c) modify, reuse, disassemble, decompile, reverse engineer or otherwise translate any software contained within the PMP or any portion thereof; or (d) create derivative works based on the PMP.

    Legal Compliance.  Customer and Cobalt shall each comply with all applicable laws and regulations with respect to the use of the PMP.  Cobalt may suspend Customer’s access to the PMP, in its sole discretion, for: (i) use of the PMP in a way that violates applicable laws and regulations or these Pilot T&Cs, or (ii) any instance of posting or uploading material that infringes or is alleged to infringe on the copyright or trademark rights of any person or entity.

    Intellectual Property.  Cobalt owns and shall retain all right, title and interest in and to all intellectual property rights embodied in and appertaining to the PMP, including, without limitation, all such rights in the software and content, together with all improvements, enhancements, developments, derivative works, and other modifications thereto.  As between Customer and PMP,  Customer will own and retain all rights to its own materials and previously existing intellectual property, including confidential and proprietary information and data.

    Feedback. Customer may give feedback on the performance and utility of the PMP. Customer hereby grants to Cobalt a perpetual, irrevocable, worldwide license to such feedback, and Customer expressly acknowledges that any product modifications, upgrades, features or functionality made by Cobalt that incorporate such feedback are the sole intellectual property of Cobalt.

    Disclaimer.  EXCEPT AS SPECIFICALLY SET FORTH HEREIN, COBALT PROVIDES THE PMP “AS IS” WITHOUT WARRANTY OF ANY KIND.  COBALT MAKES NO OTHER WARRANTY, EXPRESS OR IMPLIED, WITH RESPECT TO THE PMP, AND ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, ARE HEREBY DISCLAIMED, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

    Limitations on Liability.  To the extent permitted by law, in no event shall either Cobalt or Customer be liable for any indirect, punitive, or consequential damages, including lost profits or business opportunities.

  • Hak5 Pineapple Bundle Terms

    If you are purchasing a pentest through the Hak5/Cobalt bundle offer, these terms supplement the Cobalt Terms of Use. All applicable terms of the Cobalt Terms of Use remain effective except, where contradictory, the terms of this Hak5 Pineapple Test Supplement govern in lieu of such other terms.

    Services Description

    The Hak5/Cobalt bundle includes a limited, four-credit pentest of your Hak5 Pineapple device (a “Hak5 Pentest”). The Hak5 Pentest is non-customizable. Cobalt has sole discretion to determine the appropriate scope of a Hak5 Pentest. While findings derived from a Hak5 Pentest will be delivered via the Cobalt Platform, no report will be provided.  Cobalt will notify you when your Hak5 Pentest has concluded.

    Device

    By purchasing the Hak5 Pentest, you acknowledge that Cobalt does not manufacture, design, or deliver Hak5 devices.  Failure to select an appropriate or compatible device, failure of a Hak5 device to operate per specifications, or non-delivery of a Hak5 device you may have purchased, may interfere with your ability to receive a Hak5 Pentest. Cobalt does not make any representation or warranty concerning the quality, fitness, compatibility, or deliverability of the Hak5 device you have purchased.

    Timing

    Cobalt’s obligation to undertake a Hak5 Pentest is contingent upon your successful installation and configuration of the applicable Hak5 device.  After completion of device installation and configuration, your Hak5 Pentest may take up to two (2) weeks to schedule.

    Staffing

    Cobalt reserves the right to staff your Hak5 Pentest with personnel from (a) the Core Community, or (b) other qualified professionals, including but not limited to Cobalt employees and/or contractors.

    Methodology

    Hak5 Pentests will follow a standard methodology based on the Penetration and Testing Execution Standard (PTES) and National Institute of Standards and Technology (NIST) Technical Guide to Information Security Testing and Assessment (NIST 800-115).

    Pricing and Tier

    The price and Cobalt Tier associated with a Hak5 Pentest will be determined by whether the Customer is a new or existing Cobalt Customer, as follows: (a) for new Cobalt Customers, the price associated with each Cobalt Credit is itemized on the Hak5 page where you purchased the Hak5/Cobalt bundle, and the Tier associated with your Hak5 Pentest is “Standard,” and (b) for existing Cobalt Customers, the price associated with each Cobalt Credit is the per-Credit price to which you have previously agreed, and the Tier associated with your Hak5 Pentest is the Tier associated with your existing Cobalt subscription.” Notwithstanding Cobalt Tier offerings, Hak5 Pentests exclude the following features (a) the selection of pentesters based on location, (b) retesting, and (c) customer attestation.

  • Privacy Policy

    Effective Date: March 31, 2023

    1. INTRODUCTION

    This Privacy Policy is intended for all Cobalt products and services, including our website (www.cobalt.io); our applications; and our marketing and promotional content (collectively, the “Services”). 

    We are Cobalt Labs, Inc., a Delaware corporation, doing business at 575 Market St, 4th Floor, San Francisco, CA 94105-USA, together with our affiliates (referred to herein as “Cobalt”, “us”, “our” or “we”). 

    For the purposes of EU GDPR, Cobalt acts as a Data Controller for the data we process for our own business purposes. If you have any questions relating to this Privacy Policy, please contact us by email at privacy@cobalt.io.

    2. PURPOSE OF THIS POLICY 

    At Cobalt, we are committed to safeguarding and maintaining your personal data, in line with all applicable data protection laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states (“EU GDPR”), Switzerland, the United Kingdom (Data Protection Act 2018 (“UK GDPR”)) and the United States federal and/or state data protection or privacy statutes including but not limited to the California Consumer Protection Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”).

    This policy aims to promote transparency and facilitate you in making informed decisions about your personal data. In some circumstances, where we process personal data for a new purpose not contained herein, we may provide additional or revised privacy policies so that you fully understand the reason for and purpose of the new activity. 

    Cobalt maintains this policy on a regular basis and updates it where necessary. You are encouraged to check back regularly, however, if we make a substantial amendment to the current version, we will keep you informed and where you are our customer, we may notify you by email.

    3. WHAT DATA DO WE COLLECT

    Cobalt’s products and services are designed and intended for use by businesses and their representatives. We do not provide services or products that are aimed at individuals or consumers in a personal capacity.

    When we refer to ‘personal information’ or ‘personal data’ in this Privacy Policy, we mean information that identifies or which could be reasonably used to identify any individual. We process different categories of personal data and this will depend on our relationship with you or your organization.

    Information you provide to us

    Contact Data: Any personal data you share when you contact us, for example, by sending us an email, by attending or engaging with us at an event, or through our website using live chat, contact forms or downloading content and can include any information shared by you.

    Account Data: If you have a Cobalt account or where you are our prospective or actual customer, we collect first name, last name, job title/function, work email address, work phone number, user identifier and password.

    Marketing Data: Your instructions as to whether you wish to receive email marketing, newsletters and other promotional material from Cobalt, including your marketing permissions and opt-in status. 

    Transactional Data: Where you are our Customer, or one of our vendors, or otherwise establish a relationship with us that involves financial transactions, we collect information relating to those transactions. This may include data like credit/debit card information, account and authentication information, tax identifiers and other billing, delivery and invoice details. For automated/digital transactions, we may outsource this activity to one of our selected third-party payment card processors, all of which maintain PCI-DSS compliance.

    Organizational Data: When you engage with us on our website, or are our customer, we may collect non-personal data relating to your organization, including but not limited to number of employees, industry type, company name and size, growth trends, registered business address, location (city, state, country).

    Information we collect automatically

    Technical and Analytical Data: 
    - Information about how you use our services, such as, content downloaded or requested, intent data, Cobalt services or products searched, viewed or used, page response times, website performance analytics, download errors, timestamp of visit or interaction, length of visits or sessions, referral site or source, email activity (opens/clicks), page interaction information (such as scrolling, clicks, and mouse-overs); and

    - Information about your device, such as, IP address, browser version, browser language, operating system and version, unique device identifiers, geo-location (city, state/province, country), operating system and platform, marketing cookie permissions.

    Where accepted by you - we use cookies and similar tracking technologies to collect some of the information listed above; for more information, please see the Cookies and Tracking Technologies section below. 

    Data from other sources: We combine data that you provide to us (and that we may collect across our services) with information that we receive from third parties, including but not limited to B2B lead generation and professional Linkedin profiles. We may use demographic information about you in your professional capacity, such as your job title or function (that Cobalt obtains from sources like Linked-in) which is used for segmenting and profiling for B2B marketing purposes. You can opt-out of having your data used in this way at any time.   

    Please note that if you provide Personal Information to us about any individual other than yourself, you represent and warrant that you are legally authorized to provide such Personal Information to us for our use and disclosure as described in this Policy.

    4. THE SOURCE OF THE PERSONAL DATA

    If the personal data we process about you has not been given to us directly by you, Cobalt may obtain it from the following sources:

    • From your organization, on your behalf;
    • From yourself directly;
    • From publicly available sources, such as public websites, the internet;
    • From social media platforms such as Linkedin.
    • From organizations we work with who are specialists in B2B lead generation, B2B intent data, who have obtained your permission to share some of your organization's data with us, such as B2B data clearinghouses. 
    • From website analytical data that is collected automatically by cookies and other similar technologies when you use our services.

    5. THE PURPOSE OF OUR DATA PROCESSING

    Cobalt is permitted to process personal data only where we have identified a lawful basis for doing so. The main lawful bases upon which Cobalt relies are: 

    Legitimate interests: the processing is necessary for the purpose of the legitimate interest pursued by us or our third parties. For example, we may have a legitimate interest in processing Personal Information to send B2B marketing communications and promote our business.

    Consent: Where the data subject (you) has freely given your consent to the processing taking place. If you've provided us with your express consent for our processing of your Personal Information, we may process your Personal Information based on such consent, until such time where that processing is no longer necessary or your consent is withdrawn.

    Legal Obligation: Where the processing is necessary for us to comply with a legal obligation to which we are subject as data controller. For example, if you have purchased our services and we are required by applicable law to process Personal Information to meet certain tax obligations, we may process your Personal Information to comply with such legal obligations;

    Contract: Where the processing is necessary for the performance of a contract to which we are a party. For example, when you purchase our services, you enter into a contract with us and in such circumstances, we process your Personal Information in order to perform this contact or to take required measures prior to entering into the contract

    We process personal data for the following purposes and rely on the following legal bases:

    Processing purpose
    Lawful Basis 
    Category of personal data

    To manage or establish a relationship with you, such as:

    • Respond to any enquiry, comment or request submitted by you;

    • To provide you with alerts and services messages, notifying you about material changes to our services and our terms, policies and notices.

    • Provide downloadable content to you, as requested on our website.

    • Where you engage with us at an event where we are participating.
    • Performance of a contract (including negotiation)

    • Legal obligation (updates to terms and policies)

    • Legitimate Interests (networking at events, provide downloadable content)
    • Contact Data
    • Account Data
    • Organizational Data

    Creating and maintaining your Cobalt account and providing services as requested, including:

    • Administering services access

    • Processing order forms and contractual agreements

    • Facilitating integrations, as requested

    • Password and 2FA management

    • Personalize our online services at your selection
    • Performance of a contract (including negotiation)
    • Contact Data
    • Account Data
    • Technical and Analytical data
    • Subscription Data
    • Organizational Data

    To review, monitor and protect the performance of our services, including:

    • Troubleshooting and error management
    • System maintenance
    • Security monitoring and reporting
    • System performance analysis
    • Analyzing trends and usage
    • Legitimate Interests

    • Legal Obligation (system security)
    • Contact Data
    • Technical and Analytical data
    • Account Data
    • Organizational Data

    Where we have a financial relationship with you, to process payments for services and settle invoices payable.
    • Performance of a contract
    • Contact Data
    • Account Data
    • Subscription Data
    • Organizational Data

    To maintain our existing relationship with established customers and to promote our products and services and identify new-customer opportunities. 


    We may use public information about you, in combination with other personal information we may have about you, to identify products and services that we believe may be of interest to your business.

    You may opt-out of receiving these emails at any time by clicking “unsubscribe” found in the emails we send you or by clicking here. 
    • Legitimate Interests 
    • Contact Data
    • Account Data
    • Marketing Data
    • Technical and Analytical data
    • Data from other sources
    • Organizational Data

    Cobalt uses a combination of firmographic data to perform segmentation on the organizations of our customers based on various factors for sales and promotional purposes.

    To identify organizations who may be interested in working with Cobalt, including: 

    • Using firmographic information about prospective organizations, such as, industry specialism, size of company, location of country. Please see ‘Non-personal data’ above. 
    • Using firmographic data to identify organizations who are in our target market and who we believe may be interested in Cobalt products and services.
    • Legitimate Interests
    • Contact Data
    • Account Data
    • Marketing Data
    • Technical and Analytical Data
    • Organizational Data

    To share data with third party organizations who process data on our behalf as a data processor or subprocessor, and enable us to provide our services. For example, data hosting providers, CRMs, payment card processors and vendors who deliver technical services to us. 
    • Performance of a contract

    • Legitimate Interests
    • Contact Data
    • Account Data
    • Marketing Data
    • Technical and Analytical data
    • Data from other sources
    • Organizational Data

     

    6. RECIPIENTS OF PERSONAL DATA

    We will share data with and receive data through Cobalt’s Partners who lead in the cybersecurity space. For example, Cobalt may assist them in providing their services or Partners may assist Cobalt in generating new business opportunities.

    Cobalt engages third party service providers to assist us in providing our services and conducting our business, which means any service provider may process personal data on our behalf, depending on the nature of the services supplied. These organizations deliver to us specific functionality on which we rely to do business.  We require every organization that processes personal data on our behalf to ensure its security, adhere to confidentiality requirements equal to those herein, and only in accordance with our strict instructions. These organizations may be located or have servers which are located outside of the EU, and Cobalt has entered into strict data protection agreements to safeguard personal data when transferred out of the EU or EEA. 

    You or your organization may choose to add new integrations or change the functionality of the services by using third party apps within the services.  This means giving third-party apps access to your account and information like your name, email address, and any content you elect or are required to provide in connection with those apps. 

    To third parties providing services to us or on our behalf who require access to personal information (e.g., our professional advisors, including but not limited to auditors, insurers, legal counsel) to protect our business interests. 

    In the event we are involved in a merger, reorganization, acquisition or other fundamental corporate change, or if all or part of our assets are acquired by a third party, we may be required to share your personal data with relevant third parties involved in the transaction. We will endeavor to notify you of any transfer of personal data in this event and the recipient will be informed of the requirement to protect your personal data as per the terms of this Policy. 

    7. INTERNATIONAL DATA TRANSFERS

    Cobalt is a global organization. This means that when you engage with us, your personal data may be transferred to or stored in countries that may not have equivalent privacy and data protection laws to the country where you are based. Cobalt hosts all data in the United States. Third-party vendors and service providers Cobalt works with may also be based in countries outside of the European Economic Area, including but not limited to the US. 

    Cobalt makes use of Standard Contractual Clauses, approved by the European Commission (and the equivalent Standard Contractual Clauses for the UK, where applicable) to safeguard restricted transfers made to countries without an adequacy decision. 

    8. HOW WE KEEP YOUR DATA SECURE

    Cobalt is a security-centric company. This means that the security and integrity of your personal data is our paramount concern. We have heavily invested in our security infrastructure to ensure that we have appropriate technical and organizational measures to protect the personal data we process, and keep it from being accidentally lost, used or accessed, altered or disclosed in an unauthorized way.

    For more information on how Cobalt keeps data secure, please see our security practices and certifications here

    9. HOW LONG DO WE STORE YOUR DATA

    As part of our commitment to purpose limitation, Cobalt only retains personal data for as long as it is required for the purpose in which it was originally collected. For example, if you are an active customer of ours, we will retain your personal data, in connection with the services, for the duration of our agreement or relationship with you. 

    Cobalt has incorporated retention policies and schedules into our business to ensure that the data we retain is relevant to its purpose and is limited to only the data necessary to achieve said purpose. 

    You may request the deletion of some or all of your personal data by contacting privacy@cobalt.io or by clicking here. However, please note that this is not an absolute right and only where certain circumstances are satisfied, and we may need to retain certain information for record keeping purposes, to complete transactions or to comply with a legal obligation.

    10. MARKETING

    To promote our business to new and existing customers and promote services that we believe may be of interest to your organization, we occasionally share marketing communications and promotional material with our B2B customers. For example, when you engage with us on our website by completing a form or downloading content, or where you have told us you would like to receive it.

    You have the right to opt-out of receiving marketing communications at any time by clicking the ‘unsubscribe’ link in the footer of any promotional email from us. Alternatively, you can request this by email at privacy@cobalt.io.

    Please note that this will not affect Services Messages which we are required to communicate to you, for example when we update our terms and conditions, or where we make material changes to our existing services that impact functionality or user experience. 

    11. CHILDREN UNDER 13

    Our site and services are not directed to or intended to be used by individuals under the age of 13 and we do not knowingly collect Personal Information from children under 13. If you become aware or reasonably suspect that we have collected Personal Information from any child under the age of 13, please contact us at privacy@cobalt.io and we will seek to delete such Personal Information as soon as possible.

    12. COOKIES AND TRACKING TECHNOLOGIES

    Cobalt relies on cookies, web beacons and other similar tracking technologies to customize and improve our websites and services, personalize and enhance user experience, to understand the usage and performance levels of our services, determine what content is being engaged with and the levels of engagement. We also use cookies and other tracking technologies to determine things about our website visitor’s interests, based on things like browsing activity, interactions and preferences.

    You have the right to reject the use of cookies on our Website for marketing purposes, however functional and essential cookies are used to make our website function or offer our services. These cookies cannot be switched off. You will be served with a prompt to accept, reject or configure cookies when you visit our website on a desktop or mobile. You can also reject marketing cookies at any time by clicking ‘My Privacy Settings’ on our website’s footer.

    Cookies

    Web Beacons

    Device recognition technology

    Like many websites, we use cookies on a user's hard drive to collect information. A cookie is a small piece of information that is placed on your device when you visit the site and other websites. We use cookies to identify your authenticated interaction with the site, to enable certain features of the site, to better understand how you interact with the site, and to monitor aggregate usage by site users and web traffic routing on the site. you can instruct your browser to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. However, if you do not accept cookies, that may limit your use of certain features of the site.

    Our site may contain electronic images known as Web beacons (sometimes called single-pixel gifs) and are used along with cookies to compile aggregated statistics to analyze how our site is used and may be used in some of our emails to let us know which emails and links have been opened by recipients. This allows us to gauge the effectiveness of our customer communications and marketing campaigns. As with cookies, you may disable web beacons by changing your browser settings or the settings in your email services/program.

    Device detection technology recognizes the devices being used to access a website, app, or mobile network, using the User-Agent or other HTTP request headers. These headers include detailed information across hundreds of categories, including device model, operating system, processing power, browser type, screen resolution, 


    Websites and apps enhanced with device detection can make smarter decisions (in real-time) about what content to send to a given device.

     

    13. LINKS TO OTHER SITES

    Our site may include links to third party websites. We do not endorse or recommend such third party websites or the content therein and we are not responsible for the privacy practices of the operators of such websites. Please be aware that when you access links on our site to a third party website, you are bound by the privacy policies and practices of that third party. We encourage you to read the privacy policies governing your use of any third party website.

    14. YOUR RIGHTS UNDER GDPR

    As defined under the EU GDPR, included as retained by the UK (“UK GDPR”) individuals are granted eight (8) individual rights over the personal data:

    • Right to be informed: you have the right to be informed about the collection and use of your personal data. you also have the right to be provided with certain information including: our purposes for processing your personal data, our retention periods for that personal data, and who we will share with.

    • Right of Access: you have the right to request confirmation that data about you is being processed, and receive a copy of some or all of the personal data processed about you from a Data Controller. 

    • Right to Rectification: you have the right to request the rectification of any personal data that is inaccurate or incomplete;

    • Right to Erasure (or the ‘right to be forgotten’): you have the right to request the erasure of your personal data from the Data Controller’s records, including back-ups. This is not an absolute right and can only be fulfilled if one of the grounds under Article 17(1) GDPR apply;

    • Right to Restriction of Processing: you have the right to request the restriction of processing of your personal data. This is not an absolute right, and can only be fulfilled if one of the grounds under Article 18(1) GDPR apply; 

    • Right to Data Portability: you have the right to receive the personal data concerning you, as provided to the Data Controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the first controller.

    • Right to Object: you have the right to object to an organization processing (using) your personal data at any time. This effectively means that you can stop or prevent the organization from using your data. An objection may be in relation to some or all of the personal data. The right to object only applies in certain circumstances outlined by Article 21 GDPR, including where processing is based exclusively on your consent, or processed for the purposes of direct marketing.

    • Automated decision making and profiling: you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similar effects on you. Automated individual decision-making is a decision made by automated means without any human involvement. Cobalt does not use, in connection with our services, automated decision-making in a way that produces legal effects concerning you or that significantly affect you.

    You have the right to make any of the above requests at any time. To do so, please complete our Privacy Request Form or contact us at privacy@cobalt.io. Upon receiving your request, we will confirm receipt and aim to action your request without undue delay and no later than one month from the date we receive your request.

    Please note that in order to fulfill your request, we may need to request identification from you (or your appointed representative) to confirm your identity or their authorization to make the request. We will inform you of any necessary identification checks after we receive your request. If for any reason we are unable to fulfill your request, we will inform you of our decision in writing and any further rights available to you. 

    15. YOUR RIGHTS UNDER CCPA

    The California Consumer Privacy Act ("CCPA") provides certain rights to individuals who reside in California ("Consumers"). Below is a description of Consumers' rights concerning their Personal Information and Cobalt's practices regarding the collection, use, disclosure and sale of Personal Information about Consumers.

    Consumers have the right to request that we disclose what Personal Information we collect, use, disclose and sell. A Consumer may exercise the following rights:

    • Right to Know: Consumers may request that businesses disclose what personal information they have collected, used, shared, or sold about you in the last 12 months, and why they collected, used, shared, or sold that information. Specifically, you may request:
      - The categories of personal information collected;
      - Specific pieces of personal information collected
      - The categories of sources from which the business collected personal information
      - The purposes for which the business uses the personal information
      - The categories of third parties with whom the business shares the personal information
      - The categories of information that the business sells or discloses to third parties

    • Right to Delete: Consumers have the right to request the deletion of personal information that a business holds on the consumer. However, this right does not apply where the business needs to retain the personal information in order to do any of the following:
      - Provide goods or services to the consumer
      - Detect or resolve issues security or functionality-related issues
      - Comply with the law
      - Conduct research in the public interest
      - Safeguard the right to free speech

    • Right to opt-out: Consumers have the right to opt out of their personal information being sold by a Company. you can do so by emailing privacy@cobalt.io, or by clicking do not sell my info.

    The right to non-discrimination: Consumers have the right not to be discriminated against for having exercised their rights under the CCPA.

    As of January 2023, Consumers are granted the following additional rights under the California Privacy Rights Act (“CPRA”):

    • The right to request that inaccurate personal information be corrected by the Company responsible. This type of request should be fulfilled within 45 days however, where necessary, an additional 45 days may be necessary. If the deadline changes to 90 days, we will inform you without delay and explain our reasoning.
    • The right to limit the use and disclosure of sensitive personal information collected about them. This means you can direct businesses to only use your sensitive personal information (for example, your social security number, financial account information, your precise geolocation data, or your genetic data) for limited purposes, such as providing you with the services you requested. Please note that Cobalt does not process sensitive personal data about you for any purpose.

    You may exercise your Consumer Rights at any time by emailing privacy@cobalt.io or clicking here.

    We will confirm receipt of any consumer rights request within 10 days, and move to action your request within 45 days following initial receipt (except when the deadline has been properly extended, in which case the timeframe is 90 days).

    Please note that we will need to verify your identity or your Authorized Agent’s (which may be a person or a business entity registered with the California Secretary of State) permission to submit the request on your behalf. We will inform you of additional information we require (if any) to verify your identity after we have received your request. If for any reason we are unable to fulfill your request, we will inform you of our decision in writing. 

    In no event will Cobalt discriminate against any Consumer for exercising their CCPA rights.

    Sale, collection & use of Personal Information about Consumers

    Please be advised that Cobalt engages in limited data transfers to third parties that may be considered a data sale under applicable law. Such transfers occur only in the context of presentations, panels, and other events arranged or sponsored by Cobalt, that may be presented or co-sponsored with other third parties. In such cases, event attendees will be prompted to provide certain identifying information to register for the event in question.
    Such information will be shared for marketing purposes with all parties presenting or sponsoring the event, including third parties with whom the attendee may not have a pre-existing relationship. Such third parties will be identified in materials accompanying any prompt to provide information. 

    You have the right to opt out of your data being shared in this manner. you can do so by emailing privacy@cobalt.io, or by clicking here: do not sell my info.

    CCPA: Descriptions of processing

    The table below includes information on the categories of Consumers' Personal Information we collected within the last twelve (12) months, categories of sources from which such Personal Information was collected and the business or commercial purpose for which the Personal Information was collected:

    Category of Personal Information we Collected

    Category of Source from which Personal Information was Collected

    Business or Commercial Purpose for which Personal Information was Collected

    Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, etc.

    • the Consumer directly;

    • data analytics providers;

    • operating systems and platforms;

    • social networks; and

    • data brokers

    Performing services for the Consumer, including maintaining or servicing accounts, providing customer services and verifying customer information and fulfilling orders and transactions

    Commercial information, such as records of services purchased

    • the Consumer directly

    Processing payments; fulfilling orders and transactions; providing financial documents

    Internet or other electronic network activity information, including information regarding a Consumer’s interaction with our site

    • the Consumer directly;

    • data analytics providers;

    • operating systems and platforms;

    • social networks; and

    • data brokers

    Providing advertising or marketing services; for analytics activities

     

    The table below describes the categories of Personal Information about Consumers we have disclosed to third parties for a business purpose and the corresponding categories of third parties to whom such Personal Information was disclosed within the last twelve (12) months:

    Category of Personal Information we Disclosed for a Business Purpose

    Category of Third Party to whom Personal Information was Disclosed

    Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, etc.

    Cobalt's vendors who assist us in providing our products and services, including access to the services

    Commercial information, such as records of services purchased

    Cobalt’s vendors who assist us in providing our products and services, including completing transactions and for accounting purposes. 

    Internet or other electronic network activity information, including information regarding a Consumer's interaction with our site

    Cobalt’s vendors who assist us in providing our products and services, including promotion and marketing activities. 

     

    16. CHANGES TO THIS POLICY

    Cobalt reserves the right to update and amend this Policy from time to time, in order to reflect any changes to our data processing activities or advancements in laws and regulations. Any changes we may make to our Policy in the future will be published on this page. Please review this page frequently to check for any updates or changes to our Policy.

    17. CONTACT US

    If you have any questions, comments or feedback about this privacy policy, or the ways in which we collect and process your personal information, or wish to exercise your rights under GDPR or CCPA please do not hesitate to contact us at privacy@cobalt.io.

    Last updated: March 2023

  • Licenses

     

    Name License Homepage
    The OWASP Foundation License Homepage
    Bugcrowd VRT License Homepage
    CWE Common Weakness Enumeration License Homepage

     

General

Last Updated on April 29, 2022

Introduction

PLEASE NOTE: These Terms of Use (together with the Policies, as further defined, named in Section 1, the “Agreement”) form a binding contract between Us and You; by using the Services, You are agreeing to enter into a legal contract with Us, and to comply with the terms and conditions described here, which govern any use of the Services.

If You do not agree to the terms presented in this Agreement, or if You do not meet the eligibility requirements described in Section 1 of this Agreement, You have no right to use the Services, and should terminate Your access, including use of the Cobalt website, immediately.

Please be aware that Cobalt reserves the right, at its sole discretion, to change this Agreement (and the Services, including any fees), at any time and without giving advance notice. If We change this Agreement, the Privacy Policy, the Terms for Running a Security Program and/or the Terms for Engaging in a test, We will post the change on the Site or Services or provide You with notice of the change. We will also update the "Last Updated Date" at the top of this Agreement. By continuing to access or use the Site or Services after We have posted such a change, or have provided You with notice of it, You are agreeing to be bound by the Agreement as updated. If the Agreement as updated is not acceptable to You, You should stop using the Services, as the new terms will govern regardless.

Please also be aware that disputes arising hereunder will be resolved by binding arbitration, and BY ACCEPTING THIS AGREEMENT, YOU AND COBALT ARE EACH WAIVING THE RIGHT TO A TRIAL BY JURY OR TO PARTICIPATE IN A CLASS ACTION. YOU AGREE TO GIVE UP YOUR RIGHT TO GO TO COURT to assert or defend Your rights under this contract (except for matters that may be taken to small claims court). Your rights will be determined by a NEUTRAL ARBITRATOR and NOT a judge or jury and Your claims cannot be brought as a class action. Please review the Arbitration Agreement in Section 9 below for the details regarding Your agreement to arbitrate any disputes with Cobalt.

 

1. Parties and Scope of Agreement

Parties, Authority, and Eligibility

“You” or “Your” or “Customer” refers to you as an end user of the Services, and, if you are accessing the Services on behalf of a legal organization, that legal organization; You agree that You have the authority to enter into this Agreement and to bind that legal organization to the terms of this Agreement. You further agree that You are 18 years of age or older (if You want to use the Services but You are under 18 years of age, please contact info@cobalt.io).

“Us”, “We”, “Our” or “Cobalt” means Cobalt Labs, Inc., a Delaware Corporation.

Scope of this Agreement, Other Agreements, and Definitions.

This Agreement makes reference to a number of other agreements which You may also be agreeing to by agreeing to this Agreement, and which You can find here (the “Policies”):

In the event that the terms of this Agreement conflict with the terms of any other agreement named here, the terms of this Agreement will govern (except with respect to a mutually executed Sales Order, in which case the terms of that Sales Order will govern in the event of conflict).

Finally, please note that, where not defined throughout this Agreement, capitalized terms having the meaning ascribed to the Definitions Section.

 

2. Feedback, Credits, Tiers, Reports, and Security Pentesters

Feedback
We welcome and encourage You to provide feedback, comments and suggestions for improvements to the Services ("Feedback"). You may submit Feedback by emailing Us at info@cobalt.io or through the about section of the Site. By submitting Feedback, you irrevocably transfer all ownership in such Feedback to Cobalt, and waive any and all rights, including intellectual property rights to the extent such attach to the Feedback under applicable law, in favor of Cobalt. 

Credits

Upon purchase, your Cobalt Account will be updated to reflect the amount of Credits purchased.  Cobalt will scope Services based on projected level of effort as expressed in Credits. The level of Services associated with each Credit will vary depending on the applicable Tier to which a Customer has subscribed. The price and other applicable details associated with a purchased Credit will be set forth on your Cobalt Sales Order. Please note that the Services for which Credits may be used excludes certain professional services offerings (such as, without limitation, red team services, IOT/device testing, etc.), unless otherwise expressly agreed to by Cobalt (and subject to such additional terms and conditions as Cobalt may require relative to performing professional services). Credits may only be consumed within the service period on an applicable Sales Order, of up to one calendar year, and may not be extended beyond said service period(i.e. “rolled over”) unless otherwise mutually agreed in writing, or unless the Tier of Services you have purchased provides for some degree of Credit roll over.

Tiers

Access to Cobalt’s Services is provisioned across tiers that define the features and functionality associated with your Cobalt Account (“Tiers”). The Tiers offered by Cobalt are Standard, Premium, and Enterprise. The features and functionality associated with each Tier is more fully set out here. The Tier associated with your Cobalt Account will be selected by you at the time you engage Cobalt to provide Services, and will be reflected on the applicable Sales Order. A Customer may only be affiliated with one Tier at a time during their subscription. Tiers may be upgraded, but not downgraded, prior to the end of your subscription period. Cobalt reserves the right, at its sole discretion, to modify, enhance, or remove features of the Tiers, at any time upon prior notice (electronically via the Site), provided that such modifications do not materially diminish the functionality of the Tier associated with Customer’s Cobalt Account.

Vulnerability Report

Cobalt will produce a Vulnerability Report detailing findings uncovered during performance of the Services. The contents and format of the Vulnerability Report will be determined by Cobalt at its discretion, and Vulnerability Reports are not customizable, except where the Tier you purchased includes customizable Vulnerability Reports. By using Cobalt’s Services, you are acknowledging that Cobalt acts as a third-party assessor and possesses a degree of independence in formulating its findings (as articulated via a Vulnerability Report) and as such, Cobalt will not remove or minimize findings in a Vulnerability Report at a Customer’s request without a sufficient factual basis for so doing. Customer may remove Cobalt’s logo and any other marks from a Vulnerability Report and use the Vulnerability Report for Customer’s own, non-commercial, business purposes.

Security Pentesters

Customer understands and agrees that the Security Pentesters are independent third parties who are retained by Cobalt to assist in providing Services. .  The Security Pentesters’ use of the Site and their performance of any testing at Customer’s request is governed by the General Terms found at https://www.cobalt.io/terms, including the “Supplemental Terms for Engaging in a Test.” These terms must be accepted and agreed to by a Security Pentester prior to engaging in any testing activities on an Application/Network or providing a Vulnerability Report.

Pentest Regions

Security Pentesters are globally distributed. Cobalt cannot guarantee that a particular Service will leverage only Security Pentesters from a specific country, region, or other geographic specification, except where the Tier that you purchased provides you with choice in Security Pentester region selection. Please be aware that, if you have Security Pentester region selection available per your Cobalt Tier features, Cobalt may require additional time to initiate a test beyond the period articulated in “Security Program Time Period.”

Customer acknowledges that Security Pentesters are not contingent workers engaged directly by the Customer. Security Pentesters provide Services through Cobalt and as such, do not and shall not enter into contracts directly with Customer. Cobalt will not facilitate the exchange of, or execution of, any agreements directly between a Security Pentester and Customer, including without limitation, any non-disclosure agreement or similar document. 

Professional Services

The Services provided via the Site exclude Professional Services provided pursuant to an SOW. Cobalt Professional Services are not delivered via the Site or via work performed by Security Pentesters. Any provision of Professional Services will be scoped on a per engagement basis via SOW and shall be subject to additional terms set forth in the Cobalt Professional Services Addendum

Pentesting Types

Cobalt offers its Services through two distinct penetration testing types: (1) Comprehensive testing, constituting a traditional pentest (subject to the conditions and restrictions established herein and in related documentation ), and (2) Agile testing, which consists of a more limited pentest. Agile testing is designed for (a) feature changes or new features added to an asset that has previously been tested by Cobalt, or (b) where the asset sought to be tested has not previously been tested by Cobalt, a narrowly targeted test of an asset of limited size where specific context or knowledge of environment is not required to undertake the test. Cobalt has the discretion to determine whether a particular asset or test scope is appropriate for Agile testing or Comprehensive testing. Agile test Vulnerability Reports are automated and not subject to customization opportunities, even at Premium or Enterprise Tiers. Cobalt requires a three-credit minimum to obtain an Agile test and a five-credit minimum to obtain a Comprehensive test.

Customer Pentester Requests

At the Enterprise Tier, Cobalt will accommodate special requests regarding the pentesters performing Services for the Customer. This includes requests that Cobalt (a) staff a test with pentesters from a specific region or time zone, or (b) ensure that pentesters communicate with customer and/or perform testing at specified times. Other requests may be facilitated on a case-by-case basis. All custom requests are subject to Cobalt availability. Cobalt may not be able to accommodate more than one such request per test. Customers should check with their Cobalt-assigned CSM to determine whether a particular request may be accommodated.

3. Sales Orders, Invoicing and Payment.  

Sales Orders
If Customer wishes to order the Services, the parties shall enter into one or more Sales Orders, each of which shall be deemed to be incorporated herein by reference.  Each Sales Order shall specify, as applicable, the particular Services ordered (including a description thereof), the quantity of Service(s) ordered, the fees for the Service(s) and the term of the Sales Order (“Order Term”).  A Customer Affiliate may enter into a Sales Order pursuant to this Agreement and, in such case, by entering into the Sales Order, the Affiliate agrees to be bound by the terms and conditions of this Agreement with respect to such Sales Order and such Affiliate shall be considered to be the Customer, as such term is used herein, with respect to such Sales Order. The Customer entity signing the Sales Order shall be responsible for any of its Affiliates’ who use the Services compliance with the terms and conditions of this Agreement. 

Invoicing and Payment

Cobalt will invoice in accordance with the invoicing schedule set forth in the Sales Order. Customer will pay all fees within thirty (30) days of the date of the invoice unless otherwise set forth in the Sales Order.  All fees are stated as exclusive of taxes and Customer shall be responsible for the payment of all use, services, withholding or similar taxes on the use or sale of the Services. Any overdue invoices will accrue late interest at the rate of 1.5% of the outstanding balance per month or the greatest amount allowed by applicable laws, whichever is lower, plus all expenses of collection.

Price Changes

Customer acknowledges that future renewals of Services purchased under any particular Sales Order will occur at the then-current per-Credit price applicable at the time of such renewal. Cobalt reserves the right to change its per-Credit pricing at its discretion, such that future renewals of Services purchased under any particular Sales Order may reflect per-Credit price increases.

4. Account & Use

Creating an Account

In order to access certain features of the Services, You must register as a User on the Site and create a  Customer account and profile page ("Cobalt Account"). You may do so directly via the Site or as described in this section.

You can also register on the Site by logging into your Cobalt Account using certain third party social networking sites for which log-in support has been provided by Cobalt, including, but not limited to, Google (each a, “Third Party Service Provider”); each such account, a "Third Party Account", via the Site, as described below. As part of the functionality of the Site and Services, Customer can link a Cobalt Account with Third Party Accounts, by either: (i) providing the applicable Third Party Account login information to Cobalt through the Site or Services; or (ii) allowing Cobalt to access Customer’s Third Party Account, as is permitted under the applicable terms and conditions that govern the use of such Third Party Accounts. Customer represent that it is entitled to disclose Third Party Account login information to Cobalt and/or grant Cobalt access to such Third Party Accounts (including, but not limited to, for use for the purposes described herein), without breach of any of the terms and conditions that govern use of the applicable Third Party Accounts and without obligating Cobalt to pay any fees or making Cobalt subject to any terms and conditions imposed by such Third Party Service Providers. By granting Cobalt access to any Third Party Accounts, Customer understand that Cobalt may access, make available and store (if applicable) any Content that Customer has provided to and stored in such Third Party Accounts ("Third Party Content") so that it is available on and through the Site and Services via Customer’s Cobalt Account and Cobalt Account profile page. Unless otherwise specified in this Agreement, all Third Party Content, if any, will be considered to be Customer Data for the purposes of this Agreement. Depending on the Third Party Accounts Customer chooses, and subject to the privacy settings that Customer has set within such Third Party Accounts, personally identifiable information that Customer posts to such Third Party Accounts may be available on and through Customer’s Cobalt Account on the Site. If a Third Party Account or associated service becomes unavailable or Cobalt’s access to such Third Party Account is terminated by the Third Party Service Provider, then Third Party Content will no longer be available on and through the Site and Services. Customer has the ability to disable the connection between Customer’s Cobalt Account and any such Third Party Accounts, at any time, by accessing the "Settings" section of the Site.  CUSTOMER’S RELATIONSHIP WITH THE THIRD PARTY SERVICE PROVIDERS ASSOCIATED WITH THIRD PARTY ACCOUNTS IS GOVERNED SOLELY BY CUSTOMER’S AGREEMENT(S) WITH SUCH THIRD PARTY SERVICE PROVIDERS. Cobalt makes no effort to review any Third Party Content for any purpose, including but not limited to, for accuracy, legality or non-infringement and Cobalt is not responsible for any Third Party Content and is not responsible or liable for the acts or omissions of such Third Party Service Providers.

User Eligibility

Customer represents and warrants that each User is not: (a) a resident or national of any country subject to a United States embargo or other similar United States export restrictions; (b) on the United States Treasury Department’s list of Specifically Designated Nationals as defined under Applicable Laws; (c) on the United States Department of Commerce’s Denied Persons List or Entity List as defined under Applicable Laws; or (d) identified by the United States government as a prohibited end user of United States export controlled items or otherwise subject to sanctions or similar laws, regulations, or executive orders.

Suspension of Cobalt Services

Cobalt may, in its sole discretion, immediately suspend or terminate Customer’s Cobalt Account and/or access to or use of the Cobalt Services by Customer generally or as to any specific User if, in Cobalt’s reasonable judgment: (i) any information provided during the registration process or thereafter proves to be materially inaccurate, to the detriment of Cobalt; (ii)  the Cobalt Services or any component thereof may suffer a significant threat to security or functionality caused by continued access to or use of the Cobalt Services by Customer; or (iii) continued provision of the Services may have a deleterious effect on Cobalt or any other Customer. In the event Services are suspended pursuant to this paragraph, Cobalt shall endeavor to provide notice of the suspension and of the cause underlying the suspension as soon as practicable.  Cobalt shall use reasonable efforts to re-establish the affected Cobalt Services promptly after Cobalt determines, in its reasonable discretion, that the situation giving rise to the suspension has been cured. Where the cause underlying suspension of Services is a subject that Customer or a third party reasonably within the control of Customer is able to rectify, Cobalt may permanently terminate the Cobalt Services under a Sales Order if any of the foregoing causes of suspension is not cured within thirty (30) days after Cobalt’s initial notice to Customer thereof and such failure shall be deemed a material breach by Customer. Any suspension or termination by Cobalt under this Section will not excuse or release Customer from its obligation to make payment(s) under any Sales Orders in effect at the time of termination.

Security Program

Customer shall comply with the terms and obligations set forth in the Supplemental Terms “Running a Security Program.

If for any reason the Security Program is not capable of running as planned, including infection by computer virus, bugs, tampering, unauthorized intervention, fraud, technical failures, or any other causes which corrupt or affect the administration, security, fairness, integrity, or proper conduct of the Security Program, Cobalt reserves the right at its sole discretion to cancel, terminate, modify or suspend the Security Program. Cobalt further reserves the right to disqualify any User who tampers with the submission process or any other part of the Security Program or Site. Any attempt by a User to deliberately damage any web site, including the Site, or undermine the legitimate operation of the Security Program is a violation of criminal and civil laws and should such an attempt be made, Cobalt reserves the right to seek damages from you to the fullest extent under Applicable law.

Acceptable Use

Prohibited Use. In connection with Your use of our Services, You agree that You will not:

  • violate any Applicable Laws, including, without limitation, privacy laws;
  • use manual or automated software, devices, scripts robots, other means or processes to access, "scrape," "crawl" or "spider" any web pages or other services contained in the Site, Services or Content;
  • use the Services or Cobalt Content on behalf of for the benefit of any third party, including in a service bureau, time sharing or other arrangement, except where expressly authorized in writing by Cobalt, including without limitation, where undertaken pursuant to a valid Cobalt reseller agreement or similar agreement;
  • copy, store, modify, prepare derivative works based upon, distribute, license, sell, transfer, publicly display, publicly perform, transmit, broadcast or otherwise exploit any software forming a part of the Site r the Cobalt Content except as expressly permitted under this Agreement or attempt to expose the source code of or attempt to recreate any software which forms a part of the Site;
  • infringe the rights of any person or entity, including without limitation, their intellectual property, privacy, publicity or contractual rights;
  • interfere with or damage Cobalt’s Site or Services, including, without limitation, through the use of viruses, cancel bots, Trojan horses, harmful code, flood pings, denial-of-service attacks, packet or IP spoofing, forged routing or electronic mail address information or similar methods or technology;
  • contact a Security Pentester for any purpose other than communication related to a Security Program;
  • attempt to probe, scan, or test the vulnerability of any Cobalt system or network or breach any security or authentication measures;
  • avoid, bypass, remove, deactivate, impair, descramble, or otherwise circumvent any technological measure implemented by Cobalt or any of Cobalt’s providers or any other third party (including another User) to protect the Site, Services or Collective Content;
  • forge any TCP/IP packet header or any part of the header information in any email or newsgroup posting, or in any way use the Site, Services or Collective Content to send altered, deceptive or false source-identifying information;(b) attempt to decipher, decompile, disassemble or reverse engineer any of the software used to provide the Services or Collective Content; (c) attempt to expose the software or use the software used to provide the Services to recreate such software; or advocate, encourage, or assist any third party in doing any of the foregoing;
  • use the Site or Services in any way not contemplated by this Agreement.

 

A violation of any of the use restrictions and obligations set forth in this Section 3 shall constitute a material breach of this Agreement.  Customer acknowledges and agrees that Cobalt has no obligation to monitor Customer’s access to or use of the Services or Collective Content or to review or edit any Customer Data. Cobalt reserves the right, at any time and without prior notice, to remove or disable access to any Customer Data that Cobalt, at its sole discretion, considers to be objectionable, in violation of this Agreement or otherwise harmful to the Services.

 

Affirmative Obligations. In connection with Your use of the Services, You agree that:

  • You are solely responsible for compliance with any and all Applicable Laws, rules, regulations, and tax obligations that may apply to Your use of the Site, Services and Content.
  • You will provide accurate, current accurate, current and complete information during the registration process and to update such information to keep it accurate, current and complete.
  • You are responsible for safeguarding Your password and other sensitive credentials and Content; You also agree that You will not disclose Your password to any third party and that You will take sole responsibility for any activities or actions under Your Cobalt Account, whether or not You have authorized such activities or actions.
  • You are responsible for only using those Third Party Accounts that You deem to be secure for usage in connection with the Services, and You assume the risk of any privacy or security violations arising thereto.
  • You are responsible for managing security permissions, and for deleting sensitive data in a timely fashion to mitigate the risk of security breaches.
  • You will immediately notify Cobalt of any unauthorized use of Your Cobalt Account.
  • If You interact with anyone who You feel is acting or has acted inappropriately, including but not limited to, anyone who (i) engages in offensive, violent or sexually inappropriate behavior, (ii) You suspect of stealing from You, or (iii) engages in any other disturbing conduct, You should immediately report such person to the appropriate authorities and then to Cobalt by contacting Us with Your police station and report number at info@cobalt.io; provided that Your report will not obligate Us to take any action beyond that required by law (if any) or cause Us to incur any liability to You.
Remedial Action

We may, in Our sole discretion and at any time, with or without cause, and with or without prior notice: (a) terminate or modify this Agreement, (b) terminate, modify or restrict Your access to the Services, (c) deactivate or cancel Your Cobalt Account, and (d) take other actions as We see fit in our sole discretion (collectively, such actions being “Remedial Actions”). In the event of Remedial Actions, You will remain liable for all amounts due hereunder, or under an applicable Sales Order.

Notwithstanding the foregoing, We will not cancel Your account if there is an active Sales Order in effect unless such termination is for Cause. Unless otherwise specified in the Sales Order, “Cause” shall mean (a) a material breach by You of this Agreement, including but not limited to any breach of the restrictions described herein, (b) a material breach of a Sales Order, where such breach is not cured within 30 days following Your receipt of e-mail or other notice of such breach, and (c) violation of any third party right or of Applicable Law, as determined in Our sole discretion.

Cancellation

You may cancel Your Cobalt Account at any time via the "Cancel Account" feature of the Services or by sending an email to info@cobalt.io, provided that any such cancellation by You shall not affect any obligations by You under an active Sales Order including any payment obligations unless otherwise expressly agreed by the parties in the Sales Order. Please note that if Your Cobalt Account is canceled, We do not have an obligation to delete or return to You any Customer DataYou have posted to the Services, including, but not limited to, any reviews or Feedback unless explicitly agreed in a Sales Order.

5. Privacy 

See Cobalt’s Privacy Policy, which is hereby incorporated by reference, and to which You agree to be bound.

6. Confidentiality

Definition

During the Term the parties may need to exchange or make available confidential and proprietary information to the other party in connection with this Agreement, whether disclosed in written, oral, electronic or visual form, which is identified as confidential at the time of disclosure or should reasonably be understood to be confidential given the nature of the information or the circumstances surrounding the disclosure, including without limitation business, operations, finances, technologies, products and services, pricing, personnel, customers and suppliers (“Confidential Information”). Without limiting the foregoing, (i) Cobalt Confidential Information shall include Cobalt Property; and (ii) Customer Confidential Information shall include Customer Data and the Applications/Networks except to the extent Customer posts Customer Data on the Site for the purpose of making it available to Cobalt, Security Pentesters, or any other User.

Non-Use

During the Term, and continuing after expiration or termination of the Agreement, each party shall retain in confidence, and not use (except for the purposes described in this Agreement), the Confidential Information of the other party. The receiving party will use the same degree of care and discretion (but not less than reasonable care) to avoid disclosure, publication or dissemination of the disclosing party’s Confidential Information as it uses with its own confidential or proprietary information of a similar nature.  Except as authorized in this Agreement or a Sales Order, the receiving party will not disclose the Confidential Information of the disclosing party to a third party other than to its or its Affiliates’ employees, contractors, agents or advisors in connection with its performance of this Agreement who are bound by terms no less protective of a disclosing party’s rights as those set forth in this Agreement and the receiving party shall be liable to the disclosing party for any violation of this Agreement by such persons. 

Exclusions

Confidential Information shall not include information that (a) is publicly known at the time of disclosure, (b) is lawfully received from a third party not bound in a confidential relationship with the disclosing party, (c) is published or otherwise made known to the public by the disclosing party, or (d) was or is generated independently without use of the disclosing party’s Confidential Information.  The receiving party may disclose Confidential Information as required to comply with orders of governmental entities that have jurisdiction over it or as otherwise required by law, provided that the receiving party (i) gives the disclosing party reasonable advance written notice to allow the disclosing party to seek a protective order or other appropriate remedy (except to the extent that compliance with the foregoing would cause it to violate an order of the governmental entity or other legal requirement), (ii) discloses only that portion of the Confidential Information as is required, and (iii) cooperates with the disclosing party to obtain confidential treatment for any Confidential Information so disclosed.  Notwithstanding anything herein to the contrary, provided that Cobalt does not use or disclose Customer Confidential Information, Cobalt shall be free to use, exploit and disclose its general skills, concepts, ideas, know-how, and expertise gained or learned during the course of this Agreement, and Cobalt shall not be restricted from creating output for other Customers which is similar to that provided to Customer.

 

Remedies

Due to the unique nature of Confidential Information gained through the Services, the Parties acknowledge that the breach of this Section 6 could cause irreparable harm, which monetary damages would be insufficient to remedy. Accordingly, the Parties agree and acknowledge that any such violation or threatened violation may cause irreparable injury to Us, Security Pentesters, or to third parties, and that, in addition to any other remedies available at law, such other Parties shall be entitled to seek injunctive relief against the threatened or continuing breach of this Agreement.

 

7. Intellectual Property

 

Cobalt Rights, Licenses

The Services, and Collective Content are protected by copyright, trademark, and other laws of the United States of America and foreign countries.

Cobalt Property Ownership: You acknowledge and agree that Cobalt and/or its licensors own all right, title and interest to the Site, Services and Cobalt Content, including without limitation any techniques, ideas, concepts, methods, processes, software, utilities, data, documents, directories, designs, user interfaces, know-how, graphics, video content or other data or information acquired, created, developed or licensed by Cobalt prior to or outside the scope of the Services and all modifications, improvements and derivative works thereof and all associated Intellectual Property Rights (collectively as “Cobalt Property”).

Cobalt License. Subject to Your compliance with the terms and conditions of this Agreement, Cobalt grants You a limited, world-wide, non-exclusive, non-transferable, non-sublicensable right and license, during the subscription term specified in a Sales Order, to (i) access and use the Site and Services in accordance with the terms of this Agreement; and (ii) access and view any Cobalt Content contained on the Site solely for Your internal use in connection with Your use of the Services. Except as provided herein, You shall have no right to make the Site, Services or Cobalt Content available to, use the Site, Services or Cobalt Content on behalf of, or for the benefit of any third party without Cobalt’s express written authorization.  Except for the rights expressly licensed to You hereunder, Cobalt and its licensors reserve and retain all right, title and interest to the Site, Services and Cobalt Content. You shall not (i) remove or alter any proprietary notices included on the Services(s) and/or Cobalt Content; or (ii) modify or attempt to expose the source code of or attempt to recreate any software which forms a part of the Site. 

No title, licenses, or other rights or interests are granted to You by implication or otherwise under any intellectual property rights owned or controlled by Cobalt or its licensors, except for the licenses and rights expressly granted in this Agreement.

 

Customer Rights, Licenses

The parties acknowledge and agree that You and/or Your licensors own all right, title and interest to the Applications/Networks and any Customer Data made available by the You through the Site or Services and any findings contained in the Vulnerability Reports created specifically and uniquely for the You, but excluding Security Pentester Property (as defined below) and any Intellectual Property Rights therein.

Customer License Grants

Statistical Data

You acknowledge and agree that (i) Cobalt has the right to  collect and create high level, generic, anonymous, statistical and/or benchmarking data derived from Customer’s use of the Site and the Services  that is aggregated with other findings, results and information (the “Statistical Data”), (ii) all such Statistical Data is the sole and exclusive intellectual property of Cobalt, except to the extent such Statistical Data includes Customer Data, and (iii) to the extent such Statistical Data includes any Customer Data, Customer hereby grants to Cobalt a perpetual, worldwide, irrevocable license to use, reproduce, store, modify, create derivative works of, exploit, publish, license and transmit such Customer Data; provided, that Cobalt shall in all cases refrain from publishing any Statistical Data, Customer Data, or any insights or work derived therefrom in a manner that reveals or   allows to be inferred the identity of identify any specific person, Customer’s name, Customer Data, Application, Customer Confidential Information or Network.  Except as expressly licensed herein, Customer shall retain all right, title and/or interest to the Customer Data and Customer Confidential Information and all intellectual property rights therein, and except as expressly licensed herein, Cobalt shall obtain no right or license thereto.

 

You understand and agree that Cobalt shall have the right to share Customer contact details with third party partners and service providers in connection with the delivery of the Services and enabling such partners to offer other software and/or services as related to the Services.

Customer Data License Grant

You grant to Cobalt a worldwide, non-exclusive, non-transferable (except by assignment or as otherwise expressly permitted under this Agreement), royalty-free license and right to, during the Order Term, (i) use, access, view, copy, display, transmit and store Customer Data on, through or by means of the Site and Services solely to the extent necessary to operate, maintain, perform, and provide the Site and Services, (ii) use, access, view, copy,  and display, information relating to the Applications/Networks solely to the extent necessary to engage in testing and/or create the Vulnerability Reports or otherwise perform tasks in connection with the Security Program; and (iiii) create, view, display, transmit and store Vulnerability Reports relating to the Applications/Networks. You acknowledge that this license grant extends, to the extent necessary to facilitate performance of the Services, to Cobalt’s personnel and Security Pentesters. Except as expressly licensed herein, You shall retain all right, title and/or interest to the Applications/Network and all intellectual property rights therein, and except as expressly licensed herein, Cobalt shall obtain no right or license thereto.

Pentester Rights, Licenses

The parties acknowledge and agree that as between the parties, the Security Pentesters and/or their licensors reserve all right, title and interest to any techniques, methods, processes, or technical information contained in any Customer Data acquired, created, developed or licensed by the Security Pentester prior to, independently of, and outside the scope of of Your specific Security Program and Vulnerability Report(s) thereto, and any intellectual property rights therein (“Security Pentester Property”), except as described in this Agreement.

 

All Parties

We may, in our sole discretion, permit Users to post, upload, publish, submit or transmit Customer Data, including Security Program(s). This License grant section covers the license grant for Customer Data.

Subject to the license rights and restrictions otherwise expressly provided for in this Agreement and the Cobalt Privacy Policy, by making available any Customer Data on or through the Services, You hereby grant to Cobalt a worldwide, irrevocable, perpetual, non-exclusive, transferable, royalty-free license, with the right to sublicense, to use, view, copy, adapt, modify, distribute, license, sell, transfer, publicly display, publicly perform, transmit, stream, broadcast, access, view, and otherwise exploit such Customer Data on, through, or by means of the Services, for the purpose of providing or enjoying the Services and pursuant to the terms of this Agreement.

Except as provided for in this Agreement, Cobalt does not claim any ownership rights in any such Customer Data and nothing in this Agreement will be deemed to restrict any rights that You may have to use and exploit any such Customer Data that You are otherwise entitled to use and exploit.

Other Third Party Rights, Licenses

Links. The Services may contain links to third-party websites or resources. You acknowledge and agree that Cobalt is not responsible or liable for: (i) the availability or accuracy of such websites or resources; or (ii) the content, products, or services on or available from such websites or resources. Links to such websites or resources do not imply any endorsement by Cobalt of such websites or resources or the content, products, or services available from such websites or resources. You acknowledge sole responsibility for and assume all risk arising from Your use of any such websites or resources or the Content, products or services on or available from such websites or resources.

Proprietary Rights Notice. All trademarks, service marks, logos, trade names and any other proprietary designations of Cobalt used herein are trademarks or registered trademarks of Cobalt. Any other trademarks, service marks, logos, trade names and any other proprietary designations are the trademarks or registered trademarks of their respective parties.

Digital Millennium Copyright Act. If You believe that Your copyrighted work has been copied in a way that constitutes copyright infringement and is accessible via the Services, please notify our copyright agent, as set forth in the Digital Millennium Copyright Act of 1998 ("DMCA"). For Your complaint to be valid under the DMCA, You must provide the following information in writing to info@cobalt.io:

  • An electronic or physical signature of a person authorized to act on behalf of the copyright owner;
  • Identification of the copyrighted work that You claim has been infringed;
  • Identification of the material that is claimed to be infringing and where it is located on the Service;
  • Information reasonably sufficient to permit Us to contact You, such as Your address, telephone number, and, e-mail address;
  • A statement that You have a good faith belief that use of the material in the manner complained of is not authorized by the copyright owner, its agent, or law; and
  • A statement, made under penalty of perjury, that the above information is accurate, and that You are the copyright owner or are authorized to act on behalf of the owner.

Use of Customer Name and Logo.  Cobalt may use Customer's name and logo to identify Customer as a customer of Cobalt, unless you object in writing to Cobalt's use thereof.  Cobalt's use of the name and logo does not create any ownership right therein and all rights not granted to Cobalt are preserved by Customer.

8. Representations & Warranties

Warranty

Your Warranty. You acknowledge and agree that You are solely responsible for (a) all activity occurring through Your Cobalt Account, whether authorized or not, and (b) all Customer Data that You make available through the Services. Accordingly, You represent and warrant that: (i) You either are the sole and exclusive owner of all Customer Data that You make available through the Services or You have all necessary legal rights, licenses, consents and releases to grant to Cobalt its Security Pentesters the rights in such Customer Data, as contemplated under this Agreement, and that You have a process to manage alleged infringements of third party rights thereto, including processes to ensure compliance with the DMCA; and (ii) neither the Customer Data nor Your posting, uploading, publication, sublicensing, submission or transmittal of the Customer Data or Cobalt’s or Security Pentester’s use of the Customer Data(or any portion thereof) on, through or by means of the Site and the Services will infringe, misappropriate or violate any third party patent, copyright, trademark, trade secret, moral rights or other proprietary or intellectual property rights, or rights of publicity or privacy, or result in the violation of any Applicable Law. 

Cobalt Warranty

Cobalt represents and Warrants that: (i) Cobalt either is the sole and exclusive owner of all Cobalt Content and the Site or Cobalt has obtained all necessary legal rights, licenses, consents, permissions, approvals and releases to grant You the right to such Cobalt Content and the Site, as contemplated under this Agreement; and (ii) Cobalt shall comply with all applicable laws relating to its performance under this Agreement.

Express Waivers of Warranties

YOU ACKNOWLEDGE AND AGREE THAT EXCEPT AS EXPRESSLY SET FORTH IN THIS AGREEMENT, THE SERVICES ARE PROVIDED "AS IS", WITHOUT ANY REPRESENTATIONS OR WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. WITHOUT LIMITING THE FOREGOING, COBALT EXPLICITLY DISCLAIMS ANY WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT, AND ANY WARRANTIES ARISING OUT OF COURSE OF DEALING OR USAGE OF TRADE. COBALT MAKES NO WARRANTY THAT THE SERVICES, INCLUDING, BUT NOT LIMITED TO, THE SECURITY PROGRAMS OR ANY VULNERABILITY REPORTS WILL MEET YOUR REQUIREMENTS, BE EXHAUSTIVE IN DOCUMENTING SECURITY RISKS, OR BE AVAILABLE ON AN UNINTERRUPTED, SECURE, OR ERROR-FREE BASIS. COBALT MAKES NO WARRANTY REGARDING THE QUALITY OF ANY SECURITY PROGRAMS AND VULNERABILITY REPORTS, THE SERVICES, OR THE ACCURACY, TIMELINESS, TRUTHFULNESS, COMPLETENESS OR RELIABILITY OF ANY SECURITY PROGRAMS, VULNERABILITY REPORTS OR OTHER COLLECTIVE CONTENT OBTAINED THROUGH THE SITE OR SERVICES.

NO ADVICE OR INFORMATION, WHETHER ORAL OR WRITTEN, OBTAINED FROM COBALT OR THROUGH THE SITE, SERVICES OR COLLECTIVE CONTENT, WILL CREATE ANY WARRANTY NOT EXPRESSLY MADE HEREIN.

COBALT MAKES NO GUARANTEE AGAINST ANY MALFUNCTION OF THE ENTIRE SECURITY PROGRAM SITE OR ANY LATE, LOST, DAMAGED, MISDIRECTED, INCOMPLETE, ILLEGIBLE, UNDELIVERABLE, OR DESTROYED VULNERABILITY REPORT SUBMISSIONS DUE TO SYSTEM ERRORS, FAILED, INCOMPLETE OR DISTORTED COMPUTER OR OTHER TELECOMMUNICATION TRANSMISSION MALFUNCTIONS, HARDWARE OR SOFTWARE FAILURES OF ANY KIND, LOST OR UNAVAILABLE NETWORK CONNECTIONS, TYPOGRAPHICAL OR SYSTEM/HUMAN ERRORS AND FAILURES, TECHNICAL MALFUNCTION(S) OF ANY TELEPHONE NETWORK OR LINES, CABLE CONNECTIONS, SATELLITE TRANSMISSIONS, SERVERS OR PROVIDERS, OR COMPUTER EQUIPMENT, TRAFFIC CONGESTION ON THE INTERNET OR AT THE SITE, OR ANY COMBINATION THEREOF, INCLUDING OTHER TELECOMMUNICATION, CABLE, DIGITAL OR SATELLITE MALFUNCTIONS WHICH MAY LIMIT THE PERIOD A PROGRAM IS LISTED ON THE SITE.

YOU ARE SOLELY RESPONSIBLE FOR ALL OF YOUR COMMUNICATIONS AND INTERACTIONS WITH OTHER USERS OF THE SERVICES, WITH OTHER PERSONS WITH WHOM YOU COMMUNICATE OR INTERACT AS A RESULT OF YOUR USE OF THE SITE OR SERVICES. YOU UNDERSTAND THAT COBALT DOES NOT MAKE ANY ATTEMPT TO VERIFY THE STATEMENTS OF USERS OF THE SITE OR SERVICES OR TO VERIFY ANY SECURITY PROGRAMS OR VULNERABILITY REPORTS, OR THE SECURITY OF ANY THIRD PARTY ACCOUNT USAGE. YOU AGREE TO TAKE REASONABLE PRECAUTIONS IN ALL COMMUNICATIONS AND INTERACTIONS WITH OTHER USERS OF THE SITE OR SERVICES AND WITH OTHER PERSONS WITH WHOM YOU COMMUNICATE OR INTERACT AS A RESULT OF YOUR USE OF THE SITE OR SERVICES, INCLUDING, BUT NOT LIMITED TO, SECURITY PENTESTERS.

YOU UNDERSTAND AND AGREE THAT THE NATURE OF PENETRATION TESTING MAY CAUSE SIGNIFICANT HARM OR DISRUPTION TO PROGRAM(S) AND YOUR BUSINESS, AND YOU ASSUME SUCH RISK, TOGETHER WITH THE RISK OF AN INCOMPLETE OR UNRELIABLE VULNERABILITY REPORT.

Limited Warranties

Cobalt represents and warrants that (i) it shall provide the Services in a professional manner and will provide a standard of care consistent with that used by service providers similar to Cobalt; and (ii) that the Security Pentesters have the general skills and expertise necessary to perform the Services. In order to state a claim for breach of the foregoing warranty, You must provide notice of such non-compliance within the thirty (30) day period following the delivery of a Vulnerability Report, specifying the details of such noncompliance. If You provides Cobalt with the required notice, as Your sole and exclusive remedy and Cobalt’s sole and exclusive liability for breach of warranty, Cobalt shall, at the Your request and option, either extend the period of testing to perform additional testing or provide a reperform the Services using a different Security Pentester. This warranty shall not apply during any trial license period. 

9. Indemnification

You agree to release, indemnify, and hold Cobalt and its affiliates and subsidiaries, and their officers, directors, employees and agents, harmless from and against any third party claims, liabilities, damages, losses, and expenses, including, without limitation, reasonable legal and accounting fees, arising out of or in any way connected with (i) Your access to or use of the Site or Services; (ii) Customer Data, including without limitation Customer Data that violates third party rights, including intellectual property rights; (iii) Your breach of representations, warranties and/or obligations under this Agreement (iv) Your improper or unlawful interaction with any other persons who access the Site; (v) Your misrepresentation, negligence, or willful misconduct in connection with the performance of this Agreement and (vi) Your violation of Applicable law (collectively the “Indemnified Claims”).

10. Limitation of Liability

Except as otherwise expressly provided in this Agreement, by using the Services, You agree that any legal remedy or liability that You seek to obtain for any acts or omissions of, any individuals or other third parties will be limited to a claim against the particular individuals or other third parties who caused You harm and You agree not to attempt to impose any liability on, or seek any legal remedy from Cobalt with respect to the acts or omissions of other individuals or third parties.

YOU ACKNOWLEDGE AND AGREE THAT, TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NEITHER COBALT NOR ITS LICENSORS, SUPPLIERS, OR CONTRACTORS WILL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, PUNITIVE, OR CONSEQUENTIAL DAMAGES, INCLUDING LOST PROFITS, LOSS OF DATA OR LOSS OF GOODWILL, SERVICE INTERRUPTION, COMPUTER DAMAGE OR SYSTEM FAILURE OR THE COST OF SUBSTITUTE PRODUCTS OR SERVICES, OR FOR ANY DAMAGES FOR PERSONAL OR BODILY INJURY OR EMOTIONAL DISTRESS ARISING OUT OF OR IN CONNECTION WITH THE TERMS, THE USE OF OR INABILITY TO USE THE SITE, SERVICES OR COLLECTIVE CONTENT, FROM ANY COMMUNICATIONS OR INTERACTIONS WITH OTHER USERS OF THE SITE OR SERVICES, WHETHER BASED ON WARRANTY, CONTRACT, TORT (INCLUDING NEGLIGENCE), PRODUCT LIABILITY OR ANY OTHER LEGAL THEORY, AND WHETHER OR NOT COBALT HAS BEEN INFORMED OF THE POSSIBILITY OF SUCH DAMAGE, EVEN IF A LIMITED REMEDY SET FORTH HEREIN IS FOUND TO HAVE FAILED OF ITS ESSENTIAL PURPOSE.

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, NO EVENT WILL COBALT’S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO WITH THE TERMS AND YOUR USE OF THE SITE AND SERVICES INCLUDING, BUT NOT LIMITED TO, FROM YOUR LISTING OF YOUR SECURITY PROGRAM OR VULNERABILITY REPORT VIA THE SERVICES EXCEED THE TOTAL OF THE AMOUNTS YOU HAVE PAID IN RELATION TO A SPECIFIC SECURITY PROGRAM VIA THE SERVICES AS A CUSTOMER DURING THE TWELVE (12) MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE LIABILITY OCCURRED, OR IF YOU ARE A SECURITY PENTESTER, THE AMOUNTS PAID BY COBALT TO YOU IN THE TWELVE (12) MONTH PERIOD PRECEDING THE EVENT GIVING RISE TO THE LIABILITY, OR ONE HUNDRED DOLLARS ($100) IF NO SUCH PAYMENTS HAVE BEEN MADE OR ARE OWED, AS APPLICABLE. **THE LIMITATIONS OF DAMAGES SET FORTH ABOVE ARE FUNDAMENTAL ELEMENTS OF THE BASIS OF THE BARGAIN BETWEEN COBALT AND YOU. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES, SO THE ABOVE LIMITATION MAY NOT FULLY APPLY TO YOU, IN WHICH CASE YOU AGREE THIS PROVISION SHOULD BE APPLIED TO THE MAXIMUM EXTENT PERMITTED BY LAW.

YOU UNDERSTAND AND AGREE THAT THE NATURE OF PENTESTING MAY CAUSE HARM OR DISRUPTION TO PROGRAM(S) AND THAT NEITHER COBALT NOR ANY SECURITY PENTESTER SHALL HAVE ANY LIABILITY OF ANY KIND ARISING OUT OF SUCH TESTING ACTIVITIES, UNLESS THE SECURITY PENTESTER HAS COMMITTED GROSS NEGLIGENCE OR COMMITTED WILLFUL MISCONDUCT IN THE PERFORMANCE OF SUCH TESTING.

11. Miscellaneous

Test Drive

PLEASE NOTE: By signing up for a Test Drive (as defined herein) of the Cobalt platform, You are agreeing to the following terms and conditions, which will govern Your Test Drive. Except where expressly contradicted by the following, the applicable provisions of this Agreement remain fully effective.

(a) If You sign up for a Test Drive, Cobalt will make certain features of the Cobalt platform available to you on a trial basis only, free of charge, until the earlier of (a) ten days following You signing up for the Test Drive, (b) the start date of any Services subscription purchased by You, or (c) termination of the Test Drive by Cobalt in its sole discretion (the "Trial Period"). A Trial Period may be extended upon mutual agreement between You and Cobalt. Notwithstanding anything to the contrary in this Agreement, a Test Drive is provided "AS IS." Cobalt makes no commitment to maintain the availability of a particular feature or functionality of the Cobalt platform for the duration of a Test Drive. COBALT MAKES NO REPRESENTATION OR WARRANTY AND SHALL HAVE NO INDEMNIFICATION OBLIGATIONS WITH RESPECT TO ANY Test Drive. COBALT SHALL HAVE NO LIABILITY OF ANY TYPE WITH RESPECT TO A Test Drive, UNLESS SUCH EXCLUSION OF LIABILITY IS NOT ENFORCEABLE UNDER APPLICABLE LAW IN WHICH CASE COBALT'S TOTAL AGGREGATE LIABILITY ARISING OUT OF OR RELATING TO ANY Test Drive IS $100.00. BY PARTICIPATING IN A COBALT Test Drive, YOU AGREE TO REFRAIN FROM USING THE Test Drive IN A MANNER THAT VIOLATES APPLICABLE LAW AND YOU WILL BE FULLY LIABLE FOR ANY DAMAGES CAUSED BY YOUR USE OF A Test Drive.

(b) You acknowledge that, at the end of the Trial Period, Your access to the Test Drive will be automatically terminated, with or without notice, unless You agree to purchase a paid subscription to the Services pursuant to the applicable provisions of this Agreement. Any data entered by You into the Cobalt platform in connection with Your Test Drive may be permanently lost upon termination of the Test Drive unless you subscribe to the Services.

(c) "Test Drive" means access to the certain features of the Cobalt Platform that are made available to a prospective customer to facilitate the evaluation of potentially purchasing the Services, which is provided to You at no additional charge, and which is designated as a "Trial," "Test Drive," or similar description. A Test Drive does not include performance of a penetration test or other cybersecurity services, the identification of any security vulnerabilities, the provision of a report relative to Your security vulnerabilities or other aspects of Your security posture, or any other part of the Services offered by Cobalt other than access to the specific platform features that Cobalt, in its sole discretion, chooses to include in the Test Drive. You acknowledge and agree that a Test Drive is for Your internal business purposes only.

Assignment

You may not assign, transfer, delegate or subcontract this Agreement or any of Your rights or obligations under this Agreement, in whole or in part, by sale of assets, merger, operation of law or otherwise, without Cobalt’s prior written consent. Any attempt by You to assign, transfer, delegate or subcontract this Agreement or any of Your rights or obligations under this Agreement, without such consent, will be null and of no effect and in such event, and Cobalt shall have the right to immediately terminate Your rights under this Agreement and seek any remedies available to it at law or in equity. Cobalt may assign or transfer this Agreement, at its sole discretion, without restriction. Cobalt has the right to use subcontractors in connection with providing the Services. Subject to the foregoing, this Agreement will bind and inure to the benefit of the parties, their successors and permitted assigns.

Notices

Any notices or other communications permitted or required hereunder, including those regarding modifications to this Agreement, will be in writing and given by Cobalt (i) via email (in each case to the address that You provide) or (ii) by posting to the Site. Notices to Cobalt shall be sent to info@cobalt.io. For notices made by e-mail, the date of receipt will be deemed the date on which such notice is transmitted.

Force Majeure

If the performance of any obligation hereunder is interfered with by reason of any circumstances beyond a party’s reasonable control, including but not limited to acts of God, labor strikes and other labor disturbances, power surges or failures, or the act or omission of any third party, the party shall be excused from such performance to the extent necessary during the term of any force majeure event, provided the party shall use reasonable efforts to remove such causes of nonperformance.  If an event of force majeure prevents either party from performing its responsibilities under this Agreement for a period of more than thirty (30) days, the other party may terminate this Agreement and any outstanding Sales Order immediately upon written notice.

 

Controlling Law and Jurisdiction

This Agreement will be interpreted in accordance with the laws of the State of California and the United States of America, without regard to its conflict-of-law provisions. You and We agree to submit to the personal jurisdiction of a state court or arbitrator located in San Francisco County, San Francisco, California or a United States District Court, Northern District of California located in San Francisco, California for any actions for which the parties retain the right to seek injunctive or other equitable relief in a court of competent jurisdiction to prevent the actual or threatened infringement, misappropriation or violation of a party’s copyrights, trademarks, trade secrets, patents, or other intellectual property rights, as set forth in the Dispute Resolution provision below.

Arbitration & Dispute Resolution

You and Cobalt agree that any dispute, claim or controversy arising out of or relating to this Agreement or the breach, termination, enforcement, interpretation or validity thereof, or to the use of the Services or use of the Site (collectively, "Disputes") will be settled by binding arbitration, except that each party retains the right to seek injunctive or other equitable relief in a court of competent jurisdiction to prevent the actual or threatened infringement, misappropriation or violation of a party’s copyrights, trademarks, trade secrets, patents, or other intellectual property rights. You acknowledge and agree that You and Cobalt are each waiving the right to a trial by jury or to participate as a plaintiff or class member in any purported class action or representative proceeding. Further, unless both You and Cobalt otherwise agree in writing, the arbitrator may not consolidate more than one person's claims, and may not otherwise preside over any form of any class or representative proceeding. If this specific paragraph is held unenforceable, then the entirety of this "Dispute Resolution" section will be deemed void. Except as provided in the preceding sentence, this "Dispute Resolution" section will survive any termination of this Agreement.

Arbitration Rules and Governing Law**.** The arbitration will be administered by the American Arbitration Association ("AAA") in accordance with the Commercial Arbitration Rules and the Supplementary Procedures for Consumer Related Disputes (the "AAA Rules") then in effect, except as modified by this "Dispute Resolution" section. (The AAA Rules are available at http://www.adr.org/arb_med or by calling the AAA at 1-800-778-7879.) The Federal Arbitration Act will govern the interpretation and enforcement of this section.

Arbitration Process**.** A party who desires to initiate arbitration must provide the other party with a written Demand for Arbitration as specified in the AAA Rules. (The AAA provides a form Demand for Arbitration at http://www.adr.org/aaa/ShowPDF?doc=ADRSTG_004175 and a separate form for California residents at http://adr.org/aaa/ShowPDF?doc=ADRSTG_004314.) The arbitrator will be either a retired judge or an attorney licensed to practice law in the state of California and will be selected by the parties from the AAA’s roster of consumer dispute arbitrators. If the parties are unable to agree upon an arbitrator within seven (7) days of delivery of the Demand for Arbitration, then the AAA will appoint the arbitrator in accordance with the AAA Rules.

Arbitration Procedure**.** If Your claim does not exceed $10,000, then the arbitration will be conducted solely on the basis of documents You and Cobalt submit to the arbitrator, unless You request a hearing or the arbitrator determines that a hearing is necessary. If Your claim exceeds $10,000, Your right to a hearing will be determined by the AAA Rules. Subject to the AAA Rules, the arbitrator will have the discretion to direct a reasonable exchange of information by the parties, consistent with the expedited nature of the arbitration.

Arbitrator’s Decision. The arbitrator will render an award within the time frame specified in the AAA Rules. The arbitrator’s decision will include the essential findings and conclusions upon which the arbitrator based the award. Judgment on the arbitration award may be entered in any court having jurisdiction thereof. The arbitrator’s award damages must be consistent with the terms of the "Limitation of Liability" section above as to the types and the amounts of damages for which a party may be held liable. The arbitrator may award declaratory or injunctive relief only in favor of the claimant and only to the extent necessary to provide relief warranted by the claimant’s individual claim. If You prevail in arbitration You will be entitled to an award of attorneys’ fees and expenses, to the extent provided under Applicable Law. Cobalt will not seek, and hereby waives all rights it may have under Applicable Law to recover, attorneys’ fees and expenses if it prevails in arbitration.

Fees. Your responsibility to pay any AAA filing, administrative and arbitrator fees will be solely as set forth in the AAA Rules. However, if Your claim for damages does not exceed $75,000, Cobalt will pay all such fees unless the arbitrator finds that either the substance of Your claim or the relief sought in Your Demand for Arbitration was frivolous or was brought for an improper purpose (as measured by the standards set forth in Federal Rule of Civil Procedure 11(b)).

Changes**.** Notwithstanding the provisions of the "Modification" section above, if Cobalt changes this "Dispute Resolution" section after the date You first accepted this Agreement (or accepted any subsequent changes to this Agreement), You may reject any such change by sending Us written notice (including by email to info@cobalt.io) within 30 days of the date such change became effective, as indicated in the "Last Updated Date" above or in the date of Cobalt’s email to You notifying You of such change. By rejecting any change, You are agreeing that You will arbitrate any Dispute between You and Cobalt in accordance with the provisions of this "Dispute Resolution" section as of the date You first accepted this Agreement (or accepted any subsequent changes to this Agreement).

Independent Parties

The relationship of the parties is that of independent contracting parties and Cobalt shall not be construed to be an employee, partner or agent of Customer. 

Entire Agreement and Amendment

The terms and conditions of this Agreement (including any applicable schedules, referenced documents, or Sales Orders entered into pursuant hereto) provide the complete understanding of the parties with regard to the subject matter hereof and supersede all previous communications, agreements, proposals or representations related to the subject matter hereof.  Except as otherwise expressly provided for herein, any waiver, amendment, or modification of any right or remedy, in whole or in part under this Agreement, or any additional or different terms in, acknowledgments or other documents, will not be effective unless expressly agreed to in writing and signed by the authorized representatives the parties.  Unless the Sales Order expressly amends this Agreement and except as otherwise expressly provided herein, the terms and conditions of this Agreement shall take precedence over any conflicting terms in a Sales Order.  It is expressly agreed that no additional terms and conditions contained in Your purchase order, internet procurement portal or other non-Cobalt document shall apply to the Services ordered.

Waiver

The failure of Cobalt to enforce any right or provision of this Agreement will not constitute a waiver of future enforcement of that right or provision. The waiver of any such right or provision will be effective only if in writing and signed by a duly authorized representative of Cobalt. Except as expressly set forth in this Agreement, the exercise by either party of any of its remedies under this Agreement will be without prejudice to its other remedies under this Agreement or otherwise. If for any reason an arbitrator or a court of competent jurisdiction finds any provision of this Agreement invalid or unenforceable, that provision will be enforced to the maximum extent permissible and the other provisions of this Agreement will remain in full force and effect.

Definitions

Affiliate - Any entity controlled by, controlling, or under common control with a party to this Agreement during the period such control exists.  For the purposes hereof “control” means the power to direct the operation, policies and management of an entity through the ownership of more than fifty percent (50%) of the voting securities of such entity, by contract, or otherwise.

Applicable Law(s) - Any statute, law, ordinance, regulation, rule, code, order, constitution, treaty, directive, common law, judgment, decree or other requirement or rule of any federal, state, local or foreign government or political subdivision thereof, or any arbitrator, court or tribunal of competent jurisdiction applicable to a party’s performance of its obligations or the exercise of its rights under this Agreement.

Application(s) - A software application (including a web enabled application, desktop, or mobile application), involved directly or indirectly (through a test system) in a Security Program.

Cobalt Content - Means all Content that Cobalt makes available through the Services, and includes without limitation any data, documents, screens, templates, and forms of reports.  Cobalt Content expressly excludes Customer Content.

Collective Content - Customer Data and Cobalt Content.

Content - Text, graphics, images, music, software, audio, video, information or other materials.

Credit - The prepaid unit purchased by Customer which can be exchanged for Cobalt Services. Each Credit corresponds to a particular level of effort by one Security Pentester.

Customer Data - Any Content or information relating to the Applications/Networks, the Applications/Networks and any other data, documents, information or content provided by or made accessible by Customer to Cobalt in connection with Customer’s use of the Services.

Intellectual Property Rights - Any and all registered and unregistered rights granted, applied for or otherwise now or hereafter in existence under or related to any patent, copyright, trademark, trade secret, database protection or other intellectual property rights laws, and all similar or equivalent rights or forms of protection, in any part of the world.

Network(s) - Interconnected computers, servers, mainframes, network devices, peripherals, or other devices that share software and hardware resources between many users.

Personal Information - Any information relating to an identified or identifiable natural person or otherwise defined to be personal information under Applicable Law, including without limitation, “personal data” as used under the EU’s General Data Protection Regulation.

Professional Services - Cybersecurity services provided by Cobalt to Customer pursuant to a separately executed statement of work (“SOW”) or similar document, excluding penetration testing services provided via the Services and Site. Professional Services are subject to the Cobalt Professional Services Addendum.

Sales Order - A transactional document (either an order form or statement of work) referencing this Agreement, which has been mutually agreed to by the parties either (i) in a mutually signed writing on Cobalt’s template Sales Order form  or (ii) by a Customer issued purchase order expressly referencing a Cobalt provided Sales Order form (either electronically or in writing as provided above); provided that if Customer purchases the Services through a Cobalt reseller, the Sales Order shall be the transactional document entered into between Cobalt and the Cobalt reseller for Customer’s use.

Security Pentester - An individual who offers by signing up and/or is invited to be a Security Pentester on the Site in order to engage in testing of an Application/Network within the scope of a Security Program and to submit a Vulnerability Report confidentially to Customer via the Site.

Security Program - The scope of Services listed on the Site for Customer’s Application(s)/Network(s) to be completed by Security Pentester(s).

Services - The Cobalt online platform accessible via the Site (including the Site and all Cobalt Content on the Site) connecting Customers with Security Pentesters for Applications/Network testing, and the ensuing cybersecurity testing performed leveraging the Site and the Security Pentesters. The Services specifically exclude all Applications/Network(s) and Customer Data.

Site - The Cobalt websites where the Services are made available located at cobalt.io.

User - An employee or contractor of Customer who is authorized by Customer to use the Services via Customer’s Cobalt Account by provisioning access to the Site via the assignable roles associated with use of the Services.

Vulnerability Report - A confidential report submitted and listed by a Security Pentester containing security vulnerabilities found during the testing of the Application(s)/Network(s) in scope for a given Security Program. 

Running a Security Program

Last update on 29th of April, 2022


IMPORTANT - READ BEFORE USING THE SITE OR SERVICES FOR RUNNING A SECURITY PROGRAM.

BY CLICKING TO SIGN IN ON-LINE TO USE THE COBALT SITE AND SERVICES AND BY USING THE SITE AND SERVICES FOR RUNNING A SECURITY PROGRAM, YOU (OR “CUSTOMER”) AGREE TO COMPLY WITH AND BE LEGALLY BOUND BY THESE SUPPLEMENTAL TERMS (“SUPPLEMENTAL TERMS”). THESE SUPPLEMENTAL TERMS ARE INCORPORATED INTO AND FORM A PART OF THE GENERAL TERMS FOUND AT COBALT.IO/TERMS (“AGREEMENT” or  “GENERAL TERMS”) AND GOVERN YOUR ACCESS TO AND USE OF THE SITE TO RUN A SECURITY PROGRAM AND CONSTITUTE A BINDING LEGAL AGREEMENT BETWEEN YOU, COBALT AND THE SECURITY PENTESTER. IF YOU DO NOT AGREE TO THESE SUPPLEMENTAL TERMS, YOU HAVE NO RIGHT TO USE THE SITE OR SERVICE TO RUN A SECURITY PROGRAM.

These Supplemental Terms form a part of the General Terms and you agree that you are a User of the Site and Services and you therefore have already agreed to and accepted the General Terms and Privacy Policy for being a User on the Site and Services. Terms not otherwise defined herein, shall have the meaning set forth in the General Terms.

Eligibility

To submit a Security Program, you must either be must be the owner of the Application(s)/Network(s) you list as in scope of the test or have obtained all necessary legal permissions and licenses from the owner to list them and have them tested. You also need to ensure that you have obtained all necessary legal permissions and licenses from any third party service providers applicable to the scope that may be tested pursuant to the terms and conditions of an agreement with such third party, including, but not limited to, a hosting agreement. If you are acting within the scope of your employment, as an employee, contractor, or agent of another party, you warrant that such party has full knowledge of your actions and has consented thereto, including the cost of the activities and that you have the authority to bind such entity to these Supplemental Terms. You further warrant that your actions do not violate your employer’s or company’s policies and procedures.

Security Program Time Period

The Security Program initiates when it is listed on the Cobalt Security Program list on the Site and Services and has the status Live.

The Security Program will run until a written deadline agreed between You  and Cobalt. This deadline will be listed on the Security Program.

It is important to note that

  • Security Pentesters can only engage in testing on programs that are in status Live and the Security Pentesters have been invited to.
  • When a program is past the test deadline, Security Pentesters are not allowed to engage in test activities other than re-testing / Patch verification specifically requested by You.

The date on which your test will start may depend on the Tier associated with your account. Each Tier permits test start dates within a defined minimum advance notice, measured in days. For purposes of calculating the applicable period associated with your Tier, a “day” is equal to 24 hours excluding holidays and weekends, falling within Cobalt business hours. Cobalt business hours are: for Customers in EMEA, 8 AM - 5 PM Central European Standard Time; for Customers in the Americas, 8 AM - 5 PM Pacific Standard Time.  A Customer must first have their test assigned to “Planned” state within the Cobalt platform in order to select a start date, such that Cobalt’s commitment to initiate a testing within a certain period only begins when a test is listed as “Planned” and a start date is selected. In all circumstances, a start date for Services must be scheduled to be completed before the expiration of the one-year period associated with the applicable Credit(s).  When Services that are scheduled to begin within fourteen days of the expiration of the one-year period associated with the applicable Credit(s), test coverage may be reduced and retesting may be precluded due to time and resource constraints.

Third Party Integrations

Services may be configured to facilitate integration with certain third party software products or services leveraged by Cobalt Yous. The availability of such integrations is dependent on the specific Tier assigned to a Customer.

While Cobalt is constantly investigating new opportunities of third party integrations, a current list of third party integrations can be found on the Tiers FAQ. Notwithstanding the foregoing, Cobalt reserves the right to deprecate any particular third party integration at its discretion.

By accessing or using Cobalt’s third party integrations, Customer (i) agrees to all applicable terms in this Agreement as well as the specific integration terms applicable to the software or solution to which such integration applies, and (ii) represents and warrants that it has obtained all necessary licenses, credentials, or other rights to facilitate Cobalt’s access to and integration with such software or solution.

If there is a conflict between the integration terms in this Agreement and the specific integration terms of a third party integration, the specific integration terms will control for that conflict.

Before using any of the Cobalt third party integrations, Customer is encouraged to (i) review the terms and conditions of the relevant third party provider (“Third Party Terms”) and (ii) review personal and technical security of the third party integration. Cobalt’s provision of third party integrations relies on Customer having conducted the review in accordance with this section and Cobalt hereby disclaims any and all obligations relative to such third party’s privacy or security posture.

By utilizing any of the third party integrations supported by Cobalt, Customer acknowledges that (i) Cobalt has no control over the service or product that is integrated, (ii) Customer has read and understand the terms of the relevant third party providing the integration, (iii) Customer consents that Cobalt shall transfer the data collected as a result of providing Customer with the Services to the third party, (iv) Customer uses the third party integration at its own risk.

Cobalt shall not be held liable and shall not accept any liability, obligation, or responsibility for any loss or damage in connection with any third party integration. Cobalt has no control over such third parties and we are not responsible for the content of their services. Cobalt provides Yous with third party integrations only for our Yous’ convenience. This does not imply any endorsement or association with such third parties. Any concern regarding the third party services should be directed to the responsible third party.

Customer agrees to release, indemnify, and hold Cobalt and its affiliates and subsidiaries, and their officers, directors, employees and agents, harmless from and against any third party claims, liabilities, damages, losses, and expenses, including, without limitation, reasonable legal and accounting fees, arising out of or in any way connected with (i) Customer’s misuse of third party integrations or (ii) violations of the Third Party Terms.

By using any third party integration, Customer acknowledges that Cobalt does not warrant that the use of the third party integration will be uninterrupted or error free. Customer accepts and understands this risk and waives all rights to hold Cobalt responsible in any qya, financially or otherwise, for such errors and results.

By using any third party integration, Customer acknowledges that Cobalt does not make any specific promises about the third party integrations. For example, Cobalt does not make any commitments about the content of third party integrations, their specific functions and reliability, availability, or the ability to meet Customer’s needs.

Cobalt shall retain all rights ( (including but not limited to all patent rights, trademark rights, copyright, trade secrets and any other intellectual property rights) that Cobalt has or may have in connection with the third party integrations.

Any use of the Cobalt API is subject to the terms and specifications found at https://docs.cobalt.io.

Retesting

Cobalt may offer retesting of vulnerabilities, depending on the Tier you purchased. Please see the Tiers FAQ to determine whether you qualify for retesting. Retesting consists of Cobalt Pentesters re-engaging via the same or similar methodologies in testing of specified vulnerabilities that were originally identified in a Cobalt Vulnerability Report. Retesting is applicable only to those vulnerabilities that you have taken steps to remediate and the intent of retesting is to validate the efficacy of your remediation efforts. Timing for retesting is at Cobalt's sole discretion. Only Cobalt Customers with active subscriptions at the time a retest is requested are eligible for retesting. Retesting is subject to all terms and conditions otherwise applicable to the provision of Services by Cobalt.

Security Program Responsibilities and Liabilities

  • You agree that (i) your creation of the Security Program will not breach any agreements you have entered into with any third parties, (ii) you have all of the necessary right, title and interest to grant the license rights provided by you pursuant to the General Terms and Supplemental Terms, and (iii) you are and will remain in compliance with all Applicable Laws, Tax requirements, and rules and regulations.
  • You agree that you authorize Cobalt to list your program on the Site and Services.
  • You agree that you authorize invited Security Pentesters to perform tests on the Application(s)/Network(s) mentioned in scope in the Security Program.
  • You agree to take the full liability and responsibility if you invite pentesters who are not Security Pentesters to see your Security Program and/or Engage in testing of the scope of the Security Program.
  • You agree that the scope, rules and all other information on the Security Program combined with our Supplemental Terms for Engaging in Testing is the entire scope, rules and information which you expect the Security Pentesters to follow if engaging in activities related to your Security Program.
  • You agree that Cobalt only provides a best practice set of rules as an example and that you as a User are fully responsible and liable for the coverage of the scope and the rules written in the Security Program.
  • You agree that you are responsible for contacting and getting, if needed, acceptance from any and all related third parties who potentially will be impacted by the activities related to the Security Program. This includes but is not limited to hosting providers.
  • You agree that you understand when you initiate the Security Program you will start receiving Vulnerability Report Submissions on the Site and Services. This means that Cobalt will store these Vulnerability Reports on the Site and Services, any vulnerability/Bug submitted against your Security Program will only be visible to You, , the Security Pentesters participating in the Program and Authorized staff at Cobalt.
  • In the event your program has responsible disclosure you agree that you are responsible for informing the Security Pentesters on when he/she can disclose a given vulnerability to the public.
  • As Aligned with the General terms Limitation of Liability section You understand and agree that the nature of penetration testing may cause harm or disruption to Application and/or networks and that neither Cobalt and that neither Cobalt nor the Security Pentesters shall have any liability of any kind arising out of such testing activities unless the Security Pentester has committed gross negligence or committed willful misconduct in performance of such testing.

Intellectual Property Rights

See the General Terms for information around Ownership and License grants.

Privacy

You agree and understand that personal data entered during the registration, including name, mailing address, phone number, and email address may be processed, stored, shared and otherwise used solely for the purposes and within the context of the Security Program. This data will also be transferred into the United States. By entering, entrants agree to the transmission, processing, sharing and storage of this personal data in the United States. You also understand this data may be used by Cobalt in order to verify your identity and telephone number in the event of a submission. You have the right to access, review, rectify or cancel any personal data held by Cobalt in connection with the Security Program by writing to Cobalt at privacy@cobalt.io. If you do not provide the data required at registration, your submission will be ineligible. Otherwise, all personal information that is collected from you is subject to Cobalt’s Privacy Policy.

For residents of the EU: pursuant to EU law pertaining to data collection and processing, you are informed that:

  • the data controller is Cobalt and the data processor is Cobalt
  • your data is collected for purposes of administration of the promotion and for marketing purposes
  • you have a right of access to and withdrawal of your personal data. You also have a right of opposition to the data collection, under certain circumstances. To exercise such right, you may write to Cobalt at privacy@cobalt.io
  • your personal data will be transferred to the U.S.

Warranty and Indemnification

You represent and warrant that you own or have all necessary right, title and interest in the Application(s)/Network(s) in scope for the Security Program and that the Security Program material and Application(s)/Network(s) submitted by you or on your behalf do not infringe upon or violate any third party proprietary rights, intellectual property rights, industrial property rights, personal or moral rights or any other rights, including without limitation, copyright, trademark, patent, trade secret, privacy, publicity or confidentiality obligations, defame any person or violate their rights of publicity or privacy or otherwise violate any Applicable Law.

To the maximum extent permitted by law, you hereby agree to indemnify and hold harmless Cobalt at all times from and against any liability, claims, demands, losses, damages, costs and expenses (including reasonable attorney’s fees) arising out of or relating to (i) your improper or unlawful use of the Site or Services; (ii) your failure to properly perform your obligations under the Terms; (iii) your negligence or willful misconduct; (iv) your breach of your representations and warranties set forth in the Terms or; (v) your violation of Applicable Law; (vi) any misrepresentation made by you in connection with the Site and Services; (vii) any error made by you in the collection, processing, or retention of submission information or in the printing, offering or announcement of any reward or winners; and (viii) your breach, default or violation of the General Terms, Supplemental Terms or Security Program (collectively as “Indemnified Claims”). You hereby agree to defend Cobalt, at your expense, from and against any and all claims, actions, suits or proceedings brought by a third party arising out or relating to the Indemnified Claims.

Elimination

Any false information provided within the context of the Security Program by your concerning identity, mailing address, telephone number, email address, ownership of right or non-compliance with these terms and conditions or the like may result in the immediate elimination of the Security Program.

Network Malfunction

Cobalt does not give a guarantee against any malfunction of the entire Security Program Site or any late, lost, damaged, misdirected, incomplete, illegible, undeliverable, or destroyed Vulnerability Report submissions due to system errors, failed, incomplete or distorted computer or other telecommunication transmission malfunctions, hardware or software failures of any kind, lost or unavailable network connections, typographical or system/human errors and failures, technical malfunction(s) of any telephone network or lines, cable connections, satellite transmissions, servers or providers, or computer equipment, traffic congestion on the Internet or at the Program Site, or any combination thereof, including other telecommunication, cable, digital or satellite malfunctions which may limit the period a program is listed on the Site.

Recommendation

Cobalt recommends that you obtain appropriate insurance and backup for your Application(s)/Network(s) and its content. Please review any insurance policy that you may have for your Application(s)/Network(s) and its content carefully, and in particular please make sure that you are familiar with and understand any exclusions to, and any deductibles that may apply for, such insurance policy.

Complete Agreement and Order of Precedence

All of the terms set forth in the General Terms shall apply to these Supplemental Terms including without limitation confidentiality, liability, controlling law and jurisdiction, dispute resolution and arbitration and costs. In the event of a conflict between the General Terms and these Supplemental Terms, the Supplemental Terms shall apply.

Engaging in Testing

Last update on 9th of January, 2019

IMPORTANT - READ BEFORE USING THE SITE OR SERVICES TO ENGAGE IN A TEST AS A PENTESTER.

BY CLICKING TO SIGN IN ONLINE TO USE THE COBALT SITE AND SERVICES AND USING THE SITE AND SERVICES TO ENGAGE IN A TEST AND/OR SUBMIT A VULNERABILITY REPORT, PENTESTER (“YOU” OR “YOUR”) AGREE TO COMPLY WITH AND BE LEGALLY BOUND BY THESE SUPPLEMENTAL TERMS (“SUPPLEMENTAL TERMS”). THESE SUPPLEMENTAL TERMS ARE INCORPORATED INTO AND FORM A PART OF THE GENERAL TERMS FOUND AT COBALT.IO/TERMS/GENERAL (“GENERAL TERMS”) AND GOVERN YOUR ACCESS TO AND USE OF THE SITE TO ENGAGE IN A TEST AND CONSTITUTE A BINDING LEGAL AGREEMENT BETWEEN YOU, COBALT AND THE PROGRAM OWNER. IF YOU DO NOT AGREE TO THESE SUPPLEMENTAL TERMS, YOU HAVE NO RIGHT TO ENGAGE IN ANY TEST ACTIVITY ON THE APPLICATION(S)/NETWORK(S) IN SCOPE FOR THE SECURITY PROGRAM OR SUBMIT A VULNERABILITY REPORT TO THE SECURITY PROGRAM.

These Supplemental Terms form a part of the General Terms and you agree that you are a Member of the Site and Services pursuant to the General Terms and that you have already agreed to and have accepted the General Terms and Privacy Policy for being a Member on the Site and a user of the Services. Terms not otherwise defined herein, shall have the meaning set forth in the General Terms found at cobalt.io/terms/general.

Eligibility

In order to engage in test activities as a Pentester related to the Security Program you must adhere to the rules for who can participate as set by the Program Owner in the Program Rules. If you are acting within the scope of your employment, as an employee, contractor, or agent (each a “Representative”) of another party, and you are entering into the Terms on behalf of such contracting party, you warrant that such party has full knowledge of your actions and has consented thereto, including your potential receipt of payment, and that you have the authority to bind such entity to these Supplemental Terms. You acknowledge and agree that each Representative of the contracting party who will act as Pentester must register individually as a Member of the Service and submit to the required Background Checks (as defined in the General Terms) and other required vetting requirements as determined by Cobalt in its sole discretion. You further warrant that your actions do not violate your employer’s or company’s policies and procedures.

Payments are not given to individuals who are on sanctions lists, or who are in countries (e.g. Cuba, Iran, North Korea, Sudan and Syria) on sanctions lists.

Security Program Time Period

The Security Program initiates when it is listed on the Cobalt Security Program list on the Site and Services and has the status Live.

The Security Program will be open for testing on Cobalt until a deadline agreed between the Program Owner and Cobalt. This deadline will be listed on the Security Program.

It is important to note that

  • When a program is past the test deadline, pentesters are not allowed to engage in test activities other than re-testing / Patch verification specifically requested by the Program Owner and/or Program Collaborators.

How to Engage in a Test for a Security Program

Go to the Security Program details. Read the instructions, questionnaire and Program Rules for engaging in the test and for submitting a Vulnerability Report.

Responsibilities and Liabilities

  • You agree that, unless explicitly approved in writing by the Program Owner and Cobalt, you are only allowed to participate in a Security Program if you are a Cobalt Core Pentester who have gone through background checks, signed the Cobalt NDA and been invited to a particular Security Program.
  • You agree that you are responsible for reading and complying with the scope, rules and all other information on the Security Program.
  • You agree to take professional precautions when Engaging in a test and that you may not perform testing that can result in disruption of an Application/Network (Such as DDoS) unless explicitly approved as part of the Security Program Rules.
  • You agree that you are liable and responsible for your negligent, wrongful or improper conduct in connection with your use of the Site and/or Service or the performance of testing activities as further described in the indemnity section of these Supplemental Terms.
  • You understand that Cobalt only provides a best practice set of rules as an example and that it is the Program Owner who is fully responsible and liable for the coverage of the scope and compliance with the Program Rules written in the Security Program.
  • You agree that the Vulnerability Report submission must meet the criteria set by the Program Owner in the Program Rules listed on the Security Program site on the Site and Services.
  • You agree that finding vulnerabilities using any of the following type of methods are not allowed under any circumstance
    • Spam-based
    • Social Engineering

Payment Management

As part of engaging in a test you will receive a payment from Cobalt. You will be informed about the size of this payment as well as the related work expected for the given payment before the test begins and you will not receive additional payment other than the stated amount unless Cobalt agrees to it. Payments will be paid within a period (Determined by Cobalt) after the test has been completed.

Taxes

You agree that you are solely responsible for determining your applicable Tax reporting requirements in consultation with your tax advisors. Cobalt cannot and does not offer Tax-related advice to any Members of the Site and Services. Additionally, note that each Pentester is responsible for determining local indirect Taxes. Where applicable, or based upon request from a Pentester, Cobalt may issue a valid VAT invoice to such Pentester.

General Conditions

You shall comply with all Applicable Laws in connection with the performance of testing activities. Cobalt reserves the right to disqualify you from the Program if, in Cobalt’s sole discretion, it reasonably believe that you have attempted to undermine the legitimate operation of the Program by cheating, deception, or other unfair practices or annoy, abuse, threaten or harass any other users, Cobalt, or the Program Owner.

Intellectual Property Rights

See the General Terms for terms around Ownership and License grants related to Vulnerability Reports and Related Methods and Techniques.

Privacy

You agree and understand that personal data entered during the registration, including name, mailing address, phone number, and email address may be processed, stored, shared and otherwise used solely for the purposes of and within the context of the Security Program. This data will also be transferred into the United States. By entering the site, you agree to the transmission, processing, sharing and storage of this personal data in the United States. You also understand this data may be used by Cobalt in order to verify your identity and telephone number in the event of a submission. You have the right to access, review, rectify or cancel any personal data held by Cobalt in connection with the Security Program by writing to Cobalt at privacy@cobalt.io. If you do not provide the data required at registration, your submission will be ineligible. Otherwise, all personal information that is collected from you is subject to Cobalt’s Privacy Policy.

For residents of the EU: pursuant to EU law pertaining to data collection and processing, you are informed that:

  • the data controller is Cobalt and the data recipients is Cobalt
  • your data is collected for purposes of administration of the promotion and for marketing purposes
  • you have a right of access to and withdrawal of your personal data. You also have a right of opposition to the data collection, under certain circumstances. To exercise such right, you may write to Cobalt at privacy@cobalt.io
  • your personal data will be transferred to the U.S.

Publicity

By participating in a Security Program, you agree to Cobalt and the Program Owner's use of your name and Vulnerability Report for advertising and promotional purposes without additional compensation, unless prohibited by law.

Warranty and Indemnification

You represent and warrant that (i) the Vulnerability Reports you submit are your own original work and you are the sole and exclusive owner and holder of all right, title and interest to the submitted Vulnerability Report; (ii) you have the right to submit the Vulnerability Report in the Security Program and grant all required licenses provided for in the General Terms and these Supplemental Terms; and (iii) the Vulnerability Report submitted by you does not infringe upon or violate any third party proprietary rights, intellectual property rights, industrial property rights, personal or moral rights or any other rights, including without limitation, copyright, trademark, patent, trade secret, privacy, publicity or confidentiality obligations otherwise violate the Applicable Law.

To the maximum extent permitted by law, you hereby agree to indemnify and hold harmless Cobalt at all times from and against any liability, claims, demands, losses, damages, costs and expenses (including reasonable attorneys’ fees) arising out of or relating to (i) your improper or unlawful use of the Site or Services; (ii) your failure to properly perform your obligations under the Terms; (iii) your fraudulent, negligent or willful misconduct in connection with your use of the Site or Services or the performance of your testing activities or other obligations under the Terms; (iv) your breach of your representations and warranties under the Terms; (v) your failure to properly perform your obligations under the Terms; (vi) your violation of Applicable Law; (vii) any misrepresentation made by you in connection with the Site and Services; (viii) any error made by you in the collection, processing, or retention of submission information through the Site or Service including as may be contained in a Vulnerability Report; and (ix) your default, breach or violation of the General Terms, Supplemental Terms or Security Program Rules (collectively as “Indemnified Claims”) .

You hereby agree to defend Cobalt, at your expense, from and against any and all claims, actions, suits or proceedings brought by a third party or a Program Owner arising out of or relating to the Indemnified Claims.

Elimination

Any false information provided within the context of the Security Program by you concerning identity, mailing address, telephone number, email address, ownership of right or non-compliance with these terms or the like may result in the immediate elimination from the Security Program and in such event you shall not be entitled to any payment for any services rendered.

Network

Cobalt and the Program Owners are not responsible for any malfunction of the entire Site and Services or any late, lost, damaged, misdirected, incomplete, illegible, undeliverable, or destroyed vulnerability reports due to system errors, failed, incomplete or distorted computer or other telecommunication transmission malfunctions, hardware or software failures of any kind, lost or unavailable network connections, typographical or system/human errors and failures, technical malfunction(s) of any telephone network or lines, cable connections, satellite transmissions, servers or providers, or computer equipment, traffic congestion on the Internet or at the Program Site, or any combination thereof, including other telecommunication, cable, digital or satellite malfunctions which may limit your ability to participate.

Right to Cancel, Modify or Disqualify

If for any reason the Security Program is not capable of running as planned, including infection by computer virus, bugs, tampering, unauthorized intervention, fraud, technical failures, or any other causes which corrupt or affect the administration, security, fairness, integrity, or proper conduct of the Security Program, Cobalt reserves the right at its sole discretion to cancel, terminate, modify or suspend the Security Program. Cobalt further reserves the right to disqualify any entrant who tampers with the submission process or any other part of the Security Program or the Site and Services. Any attempt by you to deliberately damage the Site and Services or undermine the legitimate operation of the Security Program is a violation of criminal and civil laws and should such an attempt be made, Cobalt reserves the right to seek damages from you to the fullest extent under applicable law.

Not an offer or contract of employment

Under no circumstances shall the invitation to a test, or anything in these Supplemental Terms be construed as an offer or contract of employment with either Cobalt, or the Program Owner. You acknowledge that you have engaged in testing voluntarily and not in confidence or in trust. You acknowledge that no confidential, fiduciary, agency or other relationship or implied-in-fact contract now exists between you and Cobalt or the Program Owners and that no such relationship is established by your submission of a vulnerability report under these Supplemental Terms.

Complete Agreement and Order of Precedence

All of the terms set forth in the General Terms shall apply to these Supplemental Terms including without limitation confidentiality, liability, controlling law and jurisdiction, dispute resolution and arbitration and costs. In the event of a conflict between the General Terms and these Supplemental Terms, the Supplemental Terms shall apply.

Professional Services Addendum

BY CLICKING TO SIGN IN ON-LINE TO USE THE COBALT SITE AND SERVICES AND BY USING THE SITE AND SERVICES FOR PROFESSIONAL SERVICES, YOU (OR “CUSTOMER”) AGREE TO COMPLY WITH AND BE LEGALLY BOUND BY THESE SUPPLEMENTAL TERMS (“SUPPLEMENTAL TERMS”). THESE SUPPLEMENTAL TERMS ARE INCORPORATED INTO AND FORM A PART OF THE GENERAL TERMS FOUND AT COBALT.IO/TERMS (“AGREEMENT” or  “GENERAL TERMS”) AND GOVERN YOUR ACCESS TO AND USE OF THE SITE, SERVICES, AND PROFESSIONAL SERVICES AND CONSTITUTE A BINDING LEGAL AGREEMENT BETWEEN YOU, COBALT AND THE SECURITY PENTESTER. IF YOU DO NOT AGREE TO THESE SUPPLEMENTAL TERMS, YOU HAVE NO RIGHT TO USE THE SITE, SERVICES, OR PROFESSIONAL SERVICES.

1. PROFESSIONAL SERVICES ​

“Professional Services” shall include certain security testing, consulting, training, and other similar services, inclusive of any deliverable associated therewith, performed by Cobalt as identified with specificity under the terms of a Cobalt Sales Order or SOW, with such services to be undertaken by Cobalt personnel or contractors. “Professional Services” excludes the offering of penetration testing Services delivered via the Cobalt Site (app.cobalt.io)

2. SCOPE

a. Scope. Cobalt will perform the Professional Services and deliver the software and/or documents specified as deliverables in the applicable Sales Order or SOW for Professional Services (the “Deliverables”) in accordance with the requirements in the Sales Order or SOW. Any specific scope or limits to the provision of Professional Services shall be set forth in the Sales Order or SOW, in the absence of which Cobalt shall have the discretion to establish the scope and limits of any such Professional Services. Where specific networks, code, systems, devices or objects are the subject of Professional Services, the such networks, code, systems, devices or objects will be identified by Customer in the Sales Order or SOW with specificity. Cobalt shall have the discretion to select applicable methodologies for conducting Professional Services.

b. Changes. At any time prior to completion of the Professional Services under a Sales Order or SOW, Customer may request or Cobalt may recommend modifications to the Sales Order or SOW. Cobalt will advise Customer of the likely impact of any such change, including any effect on the fees and time for completion of the Professional Services. The parties will respond in writing or will meet to discuss any such proposed changes as soon as practicable, but (subject to Section 2.4) neither party will be obligated to agree to any such change, and until such time as any change is agreed to in a writing specifying, inter alia, any change to the fees, time for completion or completion criteria, Cobalt will continue to provide the Professional Services as if such change had not been requested or recommended.

c. Resources. Cobalt will provide appropriately qualified personnel to perform the Professional Services and will use commercially reasonable efforts to minimize changes in such personnel. Cobalt reserves the right to engage independent contractors to perform some or all of the Professional Services, provided that Cobalt remains responsible for the performance of the Professional Services in accordance with this Professional Services Addendum. 

d. Schedule. Cobalt and Customer shall mutually agree to a schedule for provision of Professional Services, which shall be identified in the Sales Order or SOW. In the absence of a particular schedule, Cobalt shall have discretion to determine the time and place of any Professional Services hereunder. Any delay in meeting the applicable Professional Services schedule caused by Customer may require execution of a change order or revision and payment of additional fees at Cobalt's sole discretion. 

3. CUSTOMER’S OBLIGATIONS ​

a. Access. For any Professional Services where access to Customer’s systems, office sites, devices or other objects, or third party systems is necessary, Customer will take all steps necessary to ensure that Cobalt obtains all required credentials or permissions.Where Professional Services concern a particular device or object, such device or object will be delivered to Cobalt at a location to be determined by the parties via courier or similar delivery service, with Customer to retain liability over the condition of such device or object until its delivery to Cobalt.

b. On-Site. Where Professional Services provided hereunder require Cobalt to be physically present at Customer’s location, Customer shall be responsible for ensuring Cobalt is provided with sufficient space and resources to perform the Professional Services. Customer will be responsible for providing a safe environment where Cobalt personnel and/or contractors are present, and shall obtain adequate insurance to protect Cobalt and its personnel against any physical injury occurring on Customer’s premises.

c. Customer Personnel. Where Professional Services require engagement of Customer’s personnel, Customer will take all necessary steps to provide Cobalt with reasonable access to such personnel, whether in person or via standard communications tools (i.e. email, Zoom, teleconference, etc.).

d. Failure to Fulfill Obligations. Failure of Customer to timely fulfill the obligations set forth in this Section 3 may preclude timely provision of Professional Services and may require an adjustment of the Professional Services schedule under Section 2.4 and/or suspension of performance by Cobalt.

4. ​PAYMENT

a. Fees In consideration for the Professional Services and Deliverables, Customer will pay Cobalt the fees specified in the applicable Sales Order or SOW.

b. Expenses. Customer will reimburse Cobalt for all reasonable expenses incurred by Cobalt in performing the Professional Services, including travel, lodging, per-diem and out of pocket expenses, subject to Customer’s pre-approval. In general, expenses will only be incurred for provision of the Professional Services at locations other than Cobalt’s offices, unless otherwise specified in the appliCable Sales Order or SOW.

c. Invoices. Cobalt shall submit invoices on a monthly basis for all fees, charges and expenses relating to the performance of the Professional Services under the applicable Sales Order or SOW. Payments shall be made in U.S. Dollars, or, if different, the applicable currency as set forth in the Sales Order or SOW, within thirty (30) days of receipt of invoice. Unless otherwise specified in the applicable Sales Order or SOW, the payment terms and conditions shall be as set forth in the payment terms provision of the Agreement.

5. ​SECURITY AND PRIVACY.

The parties agree that Cobalt will not be provided access to any production data processed by the Customer through the provision of Professional Services (“PS Customer Data”), whether by way of transfer of PS Customer Data to Cobalt’s systems, access to Customer’s systems or exposure to PS Customer Data through shared screens, screen shots, etc., other than sample, hashed or anonymized data used for development and testing purposes. If and to the extent it is agreed by the parties that Customer will grant Cobalt access to PS Customer Data, Cobalt shall employ and maintain commercially reasonable safeguards to protect the security and confidentiality of PS Customer Data. Those safeguards will include, but will not be limited to, measures for preventing unauthorized access to or disclosure of PS Customer Data. Cobalt will not use or disclose PS Customer Data except (a) as required to provide Professional Services, (b) as required by law, or (c) as Customer expressly permits Cobalt in writing. Customer shall be solely responsible for ensuring that granting Cobalt access to PS Customer Data as set forth in this Section 5 does not violate applicable laws governing the use of PS Customer Data, including but not limited to the rights of data subjects whose information is included in the PS Customer Data. If required, Customer shall be responsible for removing or redacting data subject to security restrictions or anonymizing personally identifiable information. 

6. OWNERSHIP

a. Deliverables. All Deliverables and all intellectual property rights in the Deliverables will be the sole and exclusive property of Cobalt, whether or not specifically recognized or perfected under the laws of the jurisdiction in which the Professional Services are used or licensed. No work product of Cobalt shall be construed as or deemed to be a “work made for hire”. Accordingly, Customer acknowledges that Cobalt retains sole and exclusive ownership of all right, title and interest to all Deliverables. Cobalt shall own all rights in any copy, translation, modification, adaptation or derivation of the Deliverables, including any improvement or development thereof. At no time will Customer dispute or contest Cobalt’s exclusive ownership rights in any Deliverables. Notwithstanding the above, Cobalt grants to Customer a perpetual, worldwide, non-exclusive license in the Deliverables for Customer’s internal use only. Cobalt shall have no obligation to provide support services or otherwise maintain any Deliverables delivered hereunder.

b. Materials. Cobalt may furnish Customer with reports, analyses or other such materials (the "Materials"). Customer understands and agrees that any such Materials will be furnished solely for its internal use and may not be furnished in whole or in part to any other person other than its directors, officers, employees or advisors without the prior written consent of Cobalt. Cobalt grants to Customer a perpetual, irrevocable, nontransferable, paid-up right and license to use and copy such Materials and prepare derivative works based on such Materials for its internal use, subject to the terms of this Section. All other rights in such Materials, excluding any Confidential Information of Customer, remain in and/or are assigned to Cobalt.

c. Cooperation. The parties will cooperate with each other and execute such other documents as may be appropriate to achieve the objectives of this Section.

7. WARRANTY​
a. Warranty. Cobalt warrants that it shall use commercially reasonable efforts in performing the Professional Services. Cobalt further warrants that any Deliverable provided through the Professional Services shall substantially conform to the specification for such Deliverable as set out in the applicable Sales Order or SOW. If Customer notifies Cobalt that Professional Services or any Deliverable fails to conform to the aforestated warranties within thirty (30) days of the acceptance of the Deliverable, Cobalt shall (as Customer’s sole and exclusive remedy), re-perform the Professional Services and/or correct any defects with the Deliverable in question. 

b. Disclaimer. COBALT’S OBLIGATION UNDER THE ABOVE WARRANTY SHALL BE ITS SOLE LIABILITY AND IT SHALL HAVE NO OTHER LIABILITY WHATSOEVER WITH RESPECT TO THE QUALITY, FITNESS FOR A PARTICULAR PURPOSE OR MERCHANTABILITY OF THE PROFESSIONAL SERVICES OR ANY DELIVERABLES AND ALL OTHER REPRESENTATIONS, STATUTORY OR OTHERWISE ARE EXCLUDED. 
Pentest Management Platform Pilot

These terms and conditions (the “Pilot T&Cs”) constitute the sole and entire agreement of Cobalt Labs, Inc (“Cobalt”). and its customer (the “Customer”) concerning the use of and evaluation of the Cobalt Pentest Management Platform (“PMP”), and supersede all prior or contemporaneous understandings, agreements, negotiations, representations and warranties, and communications, both written and oral.  These Pilot T&Cs prevail over any terms or conditions contained in any other documentation. To the extent not directly contradictory herewith, all other Cobalt Terms and Conditions (including without limitation, the Cobalt Privacy Policy) continue to apply with full force and effect.

Access to Platform.  During the Pilot Term,  Cobalt will provide the Customer access to and use of the PMP, in accordance with these Pilot T&Cs. All use of the PMP will be for the purpose of Customer managing and administering pentests for Customer’s benefit alone. By using the PMP, Customer represents that it has obtained all rights and/or licenses necessary to undertake any and all pentests for which PMP is leveraged. Customer is prohibited from using the PMP in any way that violates applicable law, regulation, contract, or in any way injures the rights of any third party.

Pilot Term. The period for which Customer may access the PMP (the “Pilot Term”) shall be determined by and between Cobalt and each Customer.  Cobalt reserves the right to terminate the Pilot at any time and for any reason, with notice to Customer.  Cobalt will delete or return, at Customer’s discretion, all data created and stored on the PMP after the conclusion of the PMP; provided, that in the Cobalt has (at such time as the Pilot Term ends) developed a paid version of PMP and Customer desires to transition to such paid version, Cobalt and Customer may provide for continued access to, use of and storage of Customer PMP data on terms and conditions to be agreed upon by and between Cobalt and Customer at such time.

Restrictions on Use. Customer shall not (a) demonstrate, copy, sell, rent, lease, lend, sublicense, distribute, or otherwise transfer or provide access to the PMP to any third party; (b) publish or otherwise disclose information relating to the performance, quality, or capability of PMP to any third party; (c) modify, reuse, disassemble, decompile, reverse engineer or otherwise translate any software contained within the PMP or any portion thereof; or (d) create derivative works based on the PMP.

Legal Compliance.  Customer and Cobalt shall each comply with all applicable laws and regulations with respect to the use of the PMP.  Cobalt may suspend Customer’s access to the PMP, in its sole discretion, for: (i) use of the PMP in a way that violates applicable laws and regulations or these Pilot T&Cs, or (ii) any instance of posting or uploading material that infringes or is alleged to infringe on the copyright or trademark rights of any person or entity.

Intellectual Property.  Cobalt owns and shall retain all right, title and interest in and to all intellectual property rights embodied in and appertaining to the PMP, including, without limitation, all such rights in the software and content, together with all improvements, enhancements, developments, derivative works, and other modifications thereto.  As between Customer and PMP,  Customer will own and retain all rights to its own materials and previously existing intellectual property, including confidential and proprietary information and data.

Feedback. Customer may give feedback on the performance and utility of the PMP. Customer hereby grants to Cobalt a perpetual, irrevocable, worldwide license to such feedback, and Customer expressly acknowledges that any product modifications, upgrades, features or functionality made by Cobalt that incorporate such feedback are the sole intellectual property of Cobalt.

Disclaimer.  EXCEPT AS SPECIFICALLY SET FORTH HEREIN, COBALT PROVIDES THE PMP “AS IS” WITHOUT WARRANTY OF ANY KIND.  COBALT MAKES NO OTHER WARRANTY, EXPRESS OR IMPLIED, WITH RESPECT TO THE PMP, AND ALL OTHER WARRANTIES, WHETHER EXPRESS OR IMPLIED, ARE HEREBY DISCLAIMED, INCLUDING, WITHOUT LIMITATION, ANY IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Limitations on Liability.  To the extent permitted by law, in no event shall either Cobalt or Customer be liable for any indirect, punitive, or consequential damages, including lost profits or business opportunities.

Hak5 Pineapple Bundle Terms

If you are purchasing a pentest through the Hak5/Cobalt bundle offer, these terms supplement the Cobalt Terms of Use. All applicable terms of the Cobalt Terms of Use remain effective except, where contradictory, the terms of this Hak5 Pineapple Test Supplement govern in lieu of such other terms.

Services Description

The Hak5/Cobalt bundle includes a limited, four-credit pentest of your Hak5 Pineapple device (a “Hak5 Pentest”). The Hak5 Pentest is non-customizable. Cobalt has sole discretion to determine the appropriate scope of a Hak5 Pentest. While findings derived from a Hak5 Pentest will be delivered via the Cobalt Platform, no report will be provided.  Cobalt will notify you when your Hak5 Pentest has concluded.

Device

By purchasing the Hak5 Pentest, you acknowledge that Cobalt does not manufacture, design, or deliver Hak5 devices.  Failure to select an appropriate or compatible device, failure of a Hak5 device to operate per specifications, or non-delivery of a Hak5 device you may have purchased, may interfere with your ability to receive a Hak5 Pentest. Cobalt does not make any representation or warranty concerning the quality, fitness, compatibility, or deliverability of the Hak5 device you have purchased.

Timing

Cobalt’s obligation to undertake a Hak5 Pentest is contingent upon your successful installation and configuration of the applicable Hak5 device.  After completion of device installation and configuration, your Hak5 Pentest may take up to two (2) weeks to schedule.

Staffing

Cobalt reserves the right to staff your Hak5 Pentest with personnel from (a) the Core Community, or (b) other qualified professionals, including but not limited to Cobalt employees and/or contractors.

Methodology

Hak5 Pentests will follow a standard methodology based on the Penetration and Testing Execution Standard (PTES) and National Institute of Standards and Technology (NIST) Technical Guide to Information Security Testing and Assessment (NIST 800-115).

Pricing and Tier

The price and Cobalt Tier associated with a Hak5 Pentest will be determined by whether the Customer is a new or existing Cobalt Customer, as follows: (a) for new Cobalt Customers, the price associated with each Cobalt Credit is itemized on the Hak5 page where you purchased the Hak5/Cobalt bundle, and the Tier associated with your Hak5 Pentest is “Standard,” and (b) for existing Cobalt Customers, the price associated with each Cobalt Credit is the per-Credit price to which you have previously agreed, and the Tier associated with your Hak5 Pentest is the Tier associated with your existing Cobalt subscription.” Notwithstanding Cobalt Tier offerings, Hak5 Pentests exclude the following features (a) the selection of pentesters based on location, (b) retesting, and (c) customer attestation.

Privacy Policy

Effective Date: March 31, 2023

1. INTRODUCTION

This Privacy Policy is intended for all Cobalt products and services, including our website (www.cobalt.io); our applications; and our marketing and promotional content (collectively, the “Services”). 

We are Cobalt Labs, Inc., a Delaware corporation, doing business at 575 Market St, 4th Floor, San Francisco, CA 94105-USA, together with our affiliates (referred to herein as “Cobalt”, “us”, “our” or “we”). 

For the purposes of EU GDPR, Cobalt acts as a Data Controller for the data we process for our own business purposes. If you have any questions relating to this Privacy Policy, please contact us by email at privacy@cobalt.io.

2. PURPOSE OF THIS POLICY 

At Cobalt, we are committed to safeguarding and maintaining your personal data, in line with all applicable data protection laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states (“EU GDPR”), Switzerland, the United Kingdom (Data Protection Act 2018 (“UK GDPR”)) and the United States federal and/or state data protection or privacy statutes including but not limited to the California Consumer Protection Act of 2018 (“CCPA”) and the California Privacy Rights Act of 2020 (“CPRA”).

This policy aims to promote transparency and facilitate you in making informed decisions about your personal data. In some circumstances, where we process personal data for a new purpose not contained herein, we may provide additional or revised privacy policies so that you fully understand the reason for and purpose of the new activity. 

Cobalt maintains this policy on a regular basis and updates it where necessary. You are encouraged to check back regularly, however, if we make a substantial amendment to the current version, we will keep you informed and where you are our customer, we may notify you by email.

3. WHAT DATA DO WE COLLECT

Cobalt’s products and services are designed and intended for use by businesses and their representatives. We do not provide services or products that are aimed at individuals or consumers in a personal capacity.

When we refer to ‘personal information’ or ‘personal data’ in this Privacy Policy, we mean information that identifies or which could be reasonably used to identify any individual. We process different categories of personal data and this will depend on our relationship with you or your organization.

Information you provide to us

Contact Data: Any personal data you share when you contact us, for example, by sending us an email, by attending or engaging with us at an event, or through our website using live chat, contact forms or downloading content and can include any information shared by you.

Account Data: If you have a Cobalt account or where you are our prospective or actual customer, we collect first name, last name, job title/function, work email address, work phone number, user identifier and password.

Marketing Data: Your instructions as to whether you wish to receive email marketing, newsletters and other promotional material from Cobalt, including your marketing permissions and opt-in status. 

Transactional Data: Where you are our Customer, or one of our vendors, or otherwise establish a relationship with us that involves financial transactions, we collect information relating to those transactions. This may include data like credit/debit card information, account and authentication information, tax identifiers and other billing, delivery and invoice details. For automated/digital transactions, we may outsource this activity to one of our selected third-party payment card processors, all of which maintain PCI-DSS compliance.

Organizational Data: When you engage with us on our website, or are our customer, we may collect non-personal data relating to your organization, including but not limited to number of employees, industry type, company name and size, growth trends, registered business address, location (city, state, country).

Information we collect automatically

Technical and Analytical Data: 
- Information about how you use our services, such as, content downloaded or requested, intent data, Cobalt services or products searched, viewed or used, page response times, website performance analytics, download errors, timestamp of visit or interaction, length of visits or sessions, referral site or source, email activity (opens/clicks), page interaction information (such as scrolling, clicks, and mouse-overs); and

- Information about your device, such as, IP address, browser version, browser language, operating system and version, unique device identifiers, geo-location (city, state/province, country), operating system and platform, marketing cookie permissions.

Where accepted by you - we use cookies and similar tracking technologies to collect some of the information listed above; for more information, please see the Cookies and Tracking Technologies section below. 

Data from other sources: We combine data that you provide to us (and that we may collect across our services) with information that we receive from third parties, including but not limited to B2B lead generation and professional Linkedin profiles. We may use demographic information about you in your professional capacity, such as your job title or function (that Cobalt obtains from sources like Linked-in) which is used for segmenting and profiling for B2B marketing purposes. You can opt-out of having your data used in this way at any time.   

Please note that if you provide Personal Information to us about any individual other than yourself, you represent and warrant that you are legally authorized to provide such Personal Information to us for our use and disclosure as described in this Policy.

4. THE SOURCE OF THE PERSONAL DATA

If the personal data we process about you has not been given to us directly by you, Cobalt may obtain it from the following sources:

  • From your organization, on your behalf;
  • From yourself directly;
  • From publicly available sources, such as public websites, the internet;
  • From social media platforms such as Linkedin.
  • From organizations we work with who are specialists in B2B lead generation, B2B intent data, who have obtained your permission to share some of your organization's data with us, such as B2B data clearinghouses. 
  • From website analytical data that is collected automatically by cookies and other similar technologies when you use our services.

5. THE PURPOSE OF OUR DATA PROCESSING

Cobalt is permitted to process personal data only where we have identified a lawful basis for doing so. The main lawful bases upon which Cobalt relies are: 

Legitimate interests: the processing is necessary for the purpose of the legitimate interest pursued by us or our third parties. For example, we may have a legitimate interest in processing Personal Information to send B2B marketing communications and promote our business.

Consent: Where the data subject (you) has freely given your consent to the processing taking place. If you've provided us with your express consent for our processing of your Personal Information, we may process your Personal Information based on such consent, until such time where that processing is no longer necessary or your consent is withdrawn.

Legal Obligation: Where the processing is necessary for us to comply with a legal obligation to which we are subject as data controller. For example, if you have purchased our services and we are required by applicable law to process Personal Information to meet certain tax obligations, we may process your Personal Information to comply with such legal obligations;

Contract: Where the processing is necessary for the performance of a contract to which we are a party. For example, when you purchase our services, you enter into a contract with us and in such circumstances, we process your Personal Information in order to perform this contact or to take required measures prior to entering into the contract

We process personal data for the following purposes and rely on the following legal bases:

Processing purpose
Lawful Basis 
Category of personal data

To manage or establish a relationship with you, such as:

  • Respond to any enquiry, comment or request submitted by you;

  • To provide you with alerts and services messages, notifying you about material changes to our services and our terms, policies and notices.

  • Provide downloadable content to you, as requested on our website.

  • Where you engage with us at an event where we are participating.
  • Performance of a contract (including negotiation)

  • Legal obligation (updates to terms and policies)

  • Legitimate Interests (networking at events, provide downloadable content)
  • Contact Data
  • Account Data
  • Organizational Data

Creating and maintaining your Cobalt account and providing services as requested, including:

  • Administering services access

  • Processing order forms and contractual agreements

  • Facilitating integrations, as requested

  • Password and 2FA management

  • Personalize our online services at your selection
  • Performance of a contract (including negotiation)
  • Contact Data
  • Account Data
  • Technical and Analytical data
  • Subscription Data
  • Organizational Data

To review, monitor and protect the performance of our services, including:

  • Troubleshooting and error management
  • System maintenance
  • Security monitoring and reporting
  • System performance analysis
  • Analyzing trends and usage
  • Legitimate Interests

  • Legal Obligation (system security)
  • Contact Data
  • Technical and Analytical data
  • Account Data
  • Organizational Data

Where we have a financial relationship with you, to process payments for services and settle invoices payable.
  • Performance of a contract
  • Contact Data
  • Account Data
  • Subscription Data
  • Organizational Data

To maintain our existing relationship with established customers and to promote our products and services and identify new-customer opportunities. 


We may use public information about you, in combination with other personal information we may have about you, to identify products and services that we believe may be of interest to your business.

You may opt-out of receiving these emails at any time by clicking “unsubscribe” found in the emails we send you or by clicking here. 
  • Legitimate Interests 
  • Contact Data
  • Account Data
  • Marketing Data
  • Technical and Analytical data
  • Data from other sources
  • Organizational Data

Cobalt uses a combination of firmographic data to perform segmentation on the organizations of our customers based on various factors for sales and promotional purposes.

To identify organizations who may be interested in working with Cobalt, including: 

  • Using firmographic information about prospective organizations, such as, industry specialism, size of company, location of country. Please see ‘Non-personal data’ above. 
  • Using firmographic data to identify organizations who are in our target market and who we believe may be interested in Cobalt products and services.
  • Legitimate Interests
  • Contact Data
  • Account Data
  • Marketing Data
  • Technical and Analytical Data
  • Organizational Data

To share data with third party organizations who process data on our behalf as a data processor or subprocessor, and enable us to provide our services. For example, data hosting providers, CRMs, payment card processors and vendors who deliver technical services to us. 
  • Performance of a contract

  • Legitimate Interests
  • Contact Data
  • Account Data
  • Marketing Data
  • Technical and Analytical data
  • Data from other sources
  • Organizational Data

 

6. RECIPIENTS OF PERSONAL DATA

We will share data with and receive data through Cobalt’s Partners who lead in the cybersecurity space. For example, Cobalt may assist them in providing their services or Partners may assist Cobalt in generating new business opportunities.

Cobalt engages third party service providers to assist us in providing our services and conducting our business, which means any service provider may process personal data on our behalf, depending on the nature of the services supplied. These organizations deliver to us specific functionality on which we rely to do business.  We require every organization that processes personal data on our behalf to ensure its security, adhere to confidentiality requirements equal to those herein, and only in accordance with our strict instructions. These organizations may be located or have servers which are located outside of the EU, and Cobalt has entered into strict data protection agreements to safeguard personal data when transferred out of the EU or EEA. 

You or your organization may choose to add new integrations or change the functionality of the services by using third party apps within the services.  This means giving third-party apps access to your account and information like your name, email address, and any content you elect or are required to provide in connection with those apps. 

To third parties providing services to us or on our behalf who require access to personal information (e.g., our professional advisors, including but not limited to auditors, insurers, legal counsel) to protect our business interests. 

In the event we are involved in a merger, reorganization, acquisition or other fundamental corporate change, or if all or part of our assets are acquired by a third party, we may be required to share your personal data with relevant third parties involved in the transaction. We will endeavor to notify you of any transfer of personal data in this event and the recipient will be informed of the requirement to protect your personal data as per the terms of this Policy. 

7. INTERNATIONAL DATA TRANSFERS

Cobalt is a global organization. This means that when you engage with us, your personal data may be transferred to or stored in countries that may not have equivalent privacy and data protection laws to the country where you are based. Cobalt hosts all data in the United States. Third-party vendors and service providers Cobalt works with may also be based in countries outside of the European Economic Area, including but not limited to the US. 

Cobalt makes use of Standard Contractual Clauses, approved by the European Commission (and the equivalent Standard Contractual Clauses for the UK, where applicable) to safeguard restricted transfers made to countries without an adequacy decision. 

8. HOW WE KEEP YOUR DATA SECURE

Cobalt is a security-centric company. This means that the security and integrity of your personal data is our paramount concern. We have heavily invested in our security infrastructure to ensure that we have appropriate technical and organizational measures to protect the personal data we process, and keep it from being accidentally lost, used or accessed, altered or disclosed in an unauthorized way.

For more information on how Cobalt keeps data secure, please see our security practices and certifications here

9. HOW LONG DO WE STORE YOUR DATA

As part of our commitment to purpose limitation, Cobalt only retains personal data for as long as it is required for the purpose in which it was originally collected. For example, if you are an active customer of ours, we will retain your personal data, in connection with the services, for the duration of our agreement or relationship with you. 

Cobalt has incorporated retention policies and schedules into our business to ensure that the data we retain is relevant to its purpose and is limited to only the data necessary to achieve said purpose. 

You may request the deletion of some or all of your personal data by contacting privacy@cobalt.io or by clicking here. However, please note that this is not an absolute right and only where certain circumstances are satisfied, and we may need to retain certain information for record keeping purposes, to complete transactions or to comply with a legal obligation.

10. MARKETING

To promote our business to new and existing customers and promote services that we believe may be of interest to your organization, we occasionally share marketing communications and promotional material with our B2B customers. For example, when you engage with us on our website by completing a form or downloading content, or where you have told us you would like to receive it.

You have the right to opt-out of receiving marketing communications at any time by clicking the ‘unsubscribe’ link in the footer of any promotional email from us. Alternatively, you can request this by email at privacy@cobalt.io.

Please note that this will not affect Services Messages which we are required to communicate to you, for example when we update our terms and conditions, or where we make material changes to our existing services that impact functionality or user experience. 

11. CHILDREN UNDER 13

Our site and services are not directed to or intended to be used by individuals under the age of 13 and we do not knowingly collect Personal Information from children under 13. If you become aware or reasonably suspect that we have collected Personal Information from any child under the age of 13, please contact us at privacy@cobalt.io and we will seek to delete such Personal Information as soon as possible.

12. COOKIES AND TRACKING TECHNOLOGIES

Cobalt relies on cookies, web beacons and other similar tracking technologies to customize and improve our websites and services, personalize and enhance user experience, to understand the usage and performance levels of our services, determine what content is being engaged with and the levels of engagement. We also use cookies and other tracking technologies to determine things about our website visitor’s interests, based on things like browsing activity, interactions and preferences.

You have the right to reject the use of cookies on our Website for marketing purposes, however functional and essential cookies are used to make our website function or offer our services. These cookies cannot be switched off. You will be served with a prompt to accept, reject or configure cookies when you visit our website on a desktop or mobile. You can also reject marketing cookies at any time by clicking ‘My Privacy Settings’ on our website’s footer.

Cookies

Web Beacons

Device recognition technology

Like many websites, we use cookies on a user's hard drive to collect information. A cookie is a small piece of information that is placed on your device when you visit the site and other websites. We use cookies to identify your authenticated interaction with the site, to enable certain features of the site, to better understand how you interact with the site, and to monitor aggregate usage by site users and web traffic routing on the site. you can instruct your browser to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. However, if you do not accept cookies, that may limit your use of certain features of the site.

Our site may contain electronic images known as Web beacons (sometimes called single-pixel gifs) and are used along with cookies to compile aggregated statistics to analyze how our site is used and may be used in some of our emails to let us know which emails and links have been opened by recipients. This allows us to gauge the effectiveness of our customer communications and marketing campaigns. As with cookies, you may disable web beacons by changing your browser settings or the settings in your email services/program.

Device detection technology recognizes the devices being used to access a website, app, or mobile network, using the User-Agent or other HTTP request headers. These headers include detailed information across hundreds of categories, including device model, operating system, processing power, browser type, screen resolution, 


Websites and apps enhanced with device detection can make smarter decisions (in real-time) about what content to send to a given device.

 

13. LINKS TO OTHER SITES

Our site may include links to third party websites. We do not endorse or recommend such third party websites or the content therein and we are not responsible for the privacy practices of the operators of such websites. Please be aware that when you access links on our site to a third party website, you are bound by the privacy policies and practices of that third party. We encourage you to read the privacy policies governing your use of any third party website.

14. YOUR RIGHTS UNDER GDPR

As defined under the EU GDPR, included as retained by the UK (“UK GDPR”) individuals are granted eight (8) individual rights over the personal data:

  • Right to be informed: you have the right to be informed about the collection and use of your personal data. you also have the right to be provided with certain information including: our purposes for processing your personal data, our retention periods for that personal data, and who we will share with.

  • Right of Access: you have the right to request confirmation that data about you is being processed, and receive a copy of some or all of the personal data processed about you from a Data Controller. 

  • Right to Rectification: you have the right to request the rectification of any personal data that is inaccurate or incomplete;

  • Right to Erasure (or the ‘right to be forgotten’): you have the right to request the erasure of your personal data from the Data Controller’s records, including back-ups. This is not an absolute right and can only be fulfilled if one of the grounds under Article 17(1) GDPR apply;

  • Right to Restriction of Processing: you have the right to request the restriction of processing of your personal data. This is not an absolute right, and can only be fulfilled if one of the grounds under Article 18(1) GDPR apply; 

  • Right to Data Portability: you have the right to receive the personal data concerning you, as provided to the Data Controller, in a structured, commonly used and machine-readable format, and have the right to transmit those data to another controller without hindrance from the first controller.

  • Right to Object: you have the right to object to an organization processing (using) your personal data at any time. This effectively means that you can stop or prevent the organization from using your data. An objection may be in relation to some or all of the personal data. The right to object only applies in certain circumstances outlined by Article 21 GDPR, including where processing is based exclusively on your consent, or processed for the purposes of direct marketing.

  • Automated decision making and profiling: you have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal or similar effects on you. Automated individual decision-making is a decision made by automated means without any human involvement. Cobalt does not use, in connection with our services, automated decision-making in a way that produces legal effects concerning you or that significantly affect you.

You have the right to make any of the above requests at any time. To do so, please complete our Privacy Request Form or contact us at privacy@cobalt.io. Upon receiving your request, we will confirm receipt and aim to action your request without undue delay and no later than one month from the date we receive your request.

Please note that in order to fulfill your request, we may need to request identification from you (or your appointed representative) to confirm your identity or their authorization to make the request. We will inform you of any necessary identification checks after we receive your request. If for any reason we are unable to fulfill your request, we will inform you of our decision in writing and any further rights available to you. 

15. YOUR RIGHTS UNDER CCPA

The California Consumer Privacy Act ("CCPA") provides certain rights to individuals who reside in California ("Consumers"). Below is a description of Consumers' rights concerning their Personal Information and Cobalt's practices regarding the collection, use, disclosure and sale of Personal Information about Consumers.

Consumers have the right to request that we disclose what Personal Information we collect, use, disclose and sell. A Consumer may exercise the following rights:

  • Right to Know: Consumers may request that businesses disclose what personal information they have collected, used, shared, or sold about you in the last 12 months, and why they collected, used, shared, or sold that information. Specifically, you may request:
    - The categories of personal information collected;
    - Specific pieces of personal information collected
    - The categories of sources from which the business collected personal information
    - The purposes for which the business uses the personal information
    - The categories of third parties with whom the business shares the personal information
    - The categories of information that the business sells or discloses to third parties

  • Right to Delete: Consumers have the right to request the deletion of personal information that a business holds on the consumer. However, this right does not apply where the business needs to retain the personal information in order to do any of the following:
    - Provide goods or services to the consumer
    - Detect or resolve issues security or functionality-related issues
    - Comply with the law
    - Conduct research in the public interest
    - Safeguard the right to free speech

  • Right to opt-out: Consumers have the right to opt out of their personal information being sold by a Company. you can do so by emailing privacy@cobalt.io, or by clicking do not sell my info.

The right to non-discrimination: Consumers have the right not to be discriminated against for having exercised their rights under the CCPA.

As of January 2023, Consumers are granted the following additional rights under the California Privacy Rights Act (“CPRA”):

  • The right to request that inaccurate personal information be corrected by the Company responsible. This type of request should be fulfilled within 45 days however, where necessary, an additional 45 days may be necessary. If the deadline changes to 90 days, we will inform you without delay and explain our reasoning.
  • The right to limit the use and disclosure of sensitive personal information collected about them. This means you can direct businesses to only use your sensitive personal information (for example, your social security number, financial account information, your precise geolocation data, or your genetic data) for limited purposes, such as providing you with the services you requested. Please note that Cobalt does not process sensitive personal data about you for any purpose.

You may exercise your Consumer Rights at any time by emailing privacy@cobalt.io or clicking here.

We will confirm receipt of any consumer rights request within 10 days, and move to action your request within 45 days following initial receipt (except when the deadline has been properly extended, in which case the timeframe is 90 days).

Please note that we will need to verify your identity or your Authorized Agent’s (which may be a person or a business entity registered with the California Secretary of State) permission to submit the request on your behalf. We will inform you of additional information we require (if any) to verify your identity after we have received your request. If for any reason we are unable to fulfill your request, we will inform you of our decision in writing. 

In no event will Cobalt discriminate against any Consumer for exercising their CCPA rights.

Sale, collection & use of Personal Information about Consumers

Please be advised that Cobalt engages in limited data transfers to third parties that may be considered a data sale under applicable law. Such transfers occur only in the context of presentations, panels, and other events arranged or sponsored by Cobalt, that may be presented or co-sponsored with other third parties. In such cases, event attendees will be prompted to provide certain identifying information to register for the event in question.
Such information will be shared for marketing purposes with all parties presenting or sponsoring the event, including third parties with whom the attendee may not have a pre-existing relationship. Such third parties will be identified in materials accompanying any prompt to provide information. 

You have the right to opt out of your data being shared in this manner. you can do so by emailing privacy@cobalt.io, or by clicking here: do not sell my info.

CCPA: Descriptions of processing

The table below includes information on the categories of Consumers' Personal Information we collected within the last twelve (12) months, categories of sources from which such Personal Information was collected and the business or commercial purpose for which the Personal Information was collected:

Category of Personal Information we Collected

Category of Source from which Personal Information was Collected

Business or Commercial Purpose for which Personal Information was Collected

Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, etc.

  • the Consumer directly;

  • data analytics providers;

  • operating systems and platforms;

  • social networks; and

  • data brokers

Performing services for the Consumer, including maintaining or servicing accounts, providing customer services and verifying customer information and fulfilling orders and transactions

Commercial information, such as records of services purchased

  • the Consumer directly

Processing payments; fulfilling orders and transactions; providing financial documents

Internet or other electronic network activity information, including information regarding a Consumer’s interaction with our site

  • the Consumer directly;

  • data analytics providers;

  • operating systems and platforms;

  • social networks; and

  • data brokers

Providing advertising or marketing services; for analytics activities

 

The table below describes the categories of Personal Information about Consumers we have disclosed to third parties for a business purpose and the corresponding categories of third parties to whom such Personal Information was disclosed within the last twelve (12) months:

Category of Personal Information we Disclosed for a Business Purpose

Category of Third Party to whom Personal Information was Disclosed

Identifiers such as real name, alias, postal address, unique personal identifier, online identifier, etc.

Cobalt's vendors who assist us in providing our products and services, including access to the services

Commercial information, such as records of services purchased

Cobalt’s vendors who assist us in providing our products and services, including completing transactions and for accounting purposes. 

Internet or other electronic network activity information, including information regarding a Consumer's interaction with our site

Cobalt’s vendors who assist us in providing our products and services, including promotion and marketing activities. 

 

16. CHANGES TO THIS POLICY

Cobalt reserves the right to update and amend this Policy from time to time, in order to reflect any changes to our data processing activities or advancements in laws and regulations. Any changes we may make to our Policy in the future will be published on this page. Please review this page frequently to check for any updates or changes to our Policy.

17. CONTACT US

If you have any questions, comments or feedback about this privacy policy, or the ways in which we collect and process your personal information, or wish to exercise your rights under GDPR or CCPA please do not hesitate to contact us at privacy@cobalt.io.

Last updated: March 2023

Licenses

 

Name License Homepage
The OWASP Foundation License Homepage
Bugcrowd VRT License Homepage
CWE Common Weakness Enumeration License Homepage

 

Flying Bug Image