CloudDefense.AI Security Disclosure

Relating to the use of CloudDefense's Security Disclosure
Last updated: January 17, 2021

Please read these terms and conditions carefully before using Our Service.

Interpretation and Definitions

Interpretation

The words of which the initial letter is capitalized have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or in plural.

Definitions

For the purposes of these Terms and Conditions:
  • Affiliate means an entity that controls, is controlled by or is under common control with a party, where "control" means ownership of 50% or more of the shares, equity interest or other securities entitled to vote for election of directors or other managing authority.
  • Country refers to: California, United States
  • Company (referred to as either "the Company", "We", "Us" or "Our" in this Agreement) refers to Cloud Defense AI, 579 University Ave, Palo Alto, CA 94301.
  • Device means any device that can access the Service such as a computer, a cellphone or a digital tablet.
  • Service refers to the Website.
  • Terms and Conditions (also referred to as "Terms") mean these Terms and Conditions that form the entire agreement between You and the Company regarding the use of the Service.
  • Third-party Social Media Service means any services or content (including data, information, products or services) provided by a third-party that may be displayed, included or made available by the Service.
  • Website refers to CloudDefense.ai, accessible from https://www.clouddefense.ai
  • You means the individual accessing or using the Service, or the company, or other legal entity on behalf of which such individual is accessing or using the Service, as applicable.

Acknowledgment

These are the Terms and Conditions governing the use of this Service and the agreement that operates between You and the Company. These Terms and Conditions set out the rights and obligations of all users regarding the use of the Service.

Your access to and use of the Service is conditioned on Your acceptance of and compliance with these Terms and Conditions. These Terms and Conditions apply to all visitors, users and others who access or use the Service.

By accessing or using the Service You agree to be bound by these Terms and Conditions. If You disagree with any part of these Terms and Conditions then You may not access the Service.

You represent that you are over the age of 18. The Company does not permit those under 18 to use the Service.

Your access to and use of the Service is also conditioned on Your acceptance of and compliance with the Privacy Policy of the Company. Our Privacy Policy describes Our policies and procedures on the collection, use and disclosure of Your personal information when You use the Application or the Website and tells You about Your privacy rights and how the law protects You. Please read Our Privacy Policy carefully before using Our Service.

Links to Other Websites

Our Service may contain links to third-party web sites or services that are not owned or controlled by the Company.

The Company has no control over, and assumes no responsibility for, the content, privacy policies, or practices of any third party web sites or services. You further acknowledge and agree that the Company shall not be responsible or liable, directly or indirectly, for any damage or loss caused or alleged to be caused by or in connection with the use of or reliance on any such content, goods or services available on or through any such web sites or services.

We strongly advise You to read the terms and conditions and privacy policies of any third-party web sites or services that You visit.

Termination

We may terminate or suspend Your access immediately, without prior notice or liability, for any reason whatsoever, including without limitation if You breach these Terms and Conditions.

Upon termination, Your right to use the Service will cease immediately.

Limitation of Liability

Notwithstanding any damages that You might incur, the entire liability of the Company and any of its suppliers under any provision of these Terms and Your exclusive remedy for all of the foregoing shall be limited to the amount actually paid by You through the Service or 100 USD if You haven't purchased anything through the Service.

To the maximum extent permitted by applicable law, in no event shall the Company or its suppliers be liable for any special, incidental, indirect, or consequential damages whatsoever (including, but not limited to, damages for loss of profits, loss of data or other information, for business interruption, for personal injury, loss of privacy arising out of or in any way related to the use of or inability to use the Service, third-party software and/or third-party hardware used with the Service, or otherwise in connection with any provision of these Terms), even if the Company or any supplier has been advised of the possibility of such damages and even if the remedy fails of its essential purpose.

Some states do not allow the exclusion of implied warranties or limitation of liability for incidental or consequential damages, which means that some of the above limitations may not apply. In these states, each party's liability will be limited to the greatest extent permitted by law.

“AS IS” and “AS AVAILABLE” Disclaimer

The Service is provided to You "AS IS" and "AS AVAILABLE" and with all faults and defects without warranty of any kind. To the maximum extent permitted under applicable law, the Company, on its own behalf and on behalf of its Affiliates and its and their respective licensors and service providers, expressly disclaims all warranties, whether express, implied, statutory or otherwise, with respect to the Service, including all implied warranties of merchantability, fitness for a particular purpose, title and non-infringement, and warranties that may arise out of course of dealing, course of performance, usage or trade practice. Without limitation to the foregoing, the Company provides no warranty or undertaking, and makes no representation of any kind that the Service will meet Your requirements, achieve any intended results, be compatible or work with any other software, applications, systems or services, operate without interruption, meet any performance or reliability standards or be error free or that any errors or defects can or will be corrected.

Without limiting the foregoing, neither the Company nor any of the Company's providers makes any representation or warranty of any kind, express or implied: (i) as to the operation or availability of the Service, or the information, content, and materials or products included thereon; (ii) that the Service will be uninterrupted or error-free; (iii) as to the accuracy, reliability, or currency of any information or content provided through the Service; or (iv) that the Service, its servers, the content, or e-mails sent from or on behalf of the Company are free of viruses, scripts, trojan horses, worms, malware, timebombs or other harmful components.

Some jurisdictions do not allow the exclusion of certain types of warranties or limitations on applicable statutory rights of a consumer, so some or all of the above exclusions and limitations may not apply to You. But in such a case the exclusions and limitations set forth in this section shall be applied to the greatest extent enforceable under applicable law.

Governing Law

The laws of the Country, excluding its conflicts of law rules, shall govern these Terms and Your use of the Service. Your use of the Application may also be subject to other local, state, national, or international laws.

Disputes Resolution

If You have any concern or dispute about the Service, You agree to first try to resolve the dispute informally by contacting the Company.

For European Union (EU) Users

If You are a European Union consumer, You will benefit from any mandatory provisions of the law of the country in which You are resident.

United States Legal Compliance

You represent and warrant that (i) You are not located in a country that is subject to the United States government embargo, or that has been designated by the United States government as a "terrorist supporting" country, and (ii) You are not listed on any United States government list of prohibited or restricted parties.

Severability and Waiver

Severability

If any provision of these Terms is held to be unenforceable or invalid, such provision will be changed and interpreted to accomplish the objectives of such provision to the greatest extent possible under applicable law and the remaining provisions will continue in full force and effect.

Waiver

Except as provided herein, the failure to exercise a right or to require performance of an obligation under these Terms shall not affect a party's ability to exercise such right or require such performance at any time thereafter, nor shall the waiver of a breach constitute a waiver of any subsequent breach.

Translation Interpretation

These Terms and Conditions may have been translated if We have made them available to You on our Service. You agree that the original English text shall prevail in the case of a dispute.

Changes to These Terms and Conditions

We reserve the right, at Our sole discretion, to modify or replace these Terms at any time. If a revision is material We will make reasonable efforts to provide at least 30 days' notice prior to any new terms taking effect. What constitutes a material change will be determined at Our sole discretion.

By continuing to access or use Our Service after those revisions become effective, You agree to be bound by the revised terms. If You do not agree to the new terms, in whole or in part, please stop using the website and the Service.

Contact Us

If you have any questions about these Terms and Conditions, You can contact us:

By email: sales@clouddefense.ai

Best practices to follow

On CloudDefense, your privacy and safety have always been our top priorities. We have compiled a short checklist of security measures to take as a precaution and to ensure the highest level of safety:
  • Never, under any circumstances, whether via phone, text, or email, reveal sensitive security information about your company's finances.
  • You can rest assured that we will never ask for any of the above-mentioned private information.
  • We will not contact you over the phone to request access to your computer via TeamViewer, AnyDesk, etc. in order to obtain sensitive information.
  • Do not engage in any communication with the sender of such messages.

Privacy Practices

Without your approval, we do not sell or disclose your personal information to unaffiliated third parties for their own advertising or marketing purposes. Consult our Privacy Policy for additional details.

Cloud Infrastructure

CloudDefense is a unified security platform built on DevSecOps infrastructure that delivers convenient, scalable and robust next-generation application security, from development to build to deployment to cloud.

Perimeter Security

CloudDefense protects cloud infrastructure from external threats and incorrect permissions, protects the supply chain, and provides security teams with quick and thorough insights into application assets and risks. This gives security teams the information they need to manage risks and enable innovation in their organizations.

We use discovery, posture and entitlement engines to protect every path through which users can find undiscovered web assets. With the help of our built-in DevSecOps platform, users can generate an SBOM for application code and OSS packages and catch and fix code, OSS and IaC vulnerabilities and misconfigurations early in the development lifecycle.

Host Security

We developed an open-source platform that delivers industry-leading anti-virus, anti-malware, intrusion prevention systems, intrusion detection systems, file integrity monitoring, application control, application and audit log aggregation, and automated patching solutions.

Legal Basis for our processing personal data

Data Security

Access is granted on a documented, authorized, need-to-know basis: we use environment separation and segregation of duties, as well as strict role-based access control. We use key management services to limit data access. Encryption at rest protects stored data, and application-level encryption additionally protects sensitive data.

Incident and Change Management

We have implemented mature Change Management processes that allow us to release thoroughly tested features in a reliable and secure manner, so you can enjoy the CloudDefense experience with maximum assurance. We take an aggressive approach to Incident Management in terms of both system downtime and security, and we have an Information Security Management System in place to quickly respond to, remediate or escalate any Incidents arising from planned or unplanned changes.

Vulnerability Assessment and Penetration Testing

Our internal network security team builds industry-driven systems to perform automated VA/PT tasks using state-of-the-art tools. We use static application security testing (SAST) as well as dynamic application security testing (DAST) in our continuous integration / continuous deployment pipeline. We also engage certified auditors and information security engineers to perform external security testing and audits on a regular basis.

Standards and Certifications

Responsible Disclosure

We at CloudDefense are devoted to protecting our customers' data and privacy.

We use cutting-edge technology to secure our systems at multiple stages. Our data and privacy security design protects against low-hanging fruit and complex threats. We encourage security enthusiasts and researchers to responsibly report CloudDefense security vulnerabilities.

Send a bug report with steps to reproduce the issue to support@clouddefense.ai. Please allow us time to investigate and resolve legitimate issues.

Out of scope tests

The following are out of scope:
- Reports from vulnerability scanners and other automated tools
- Disclosure of non-sensitive information, such as product version
- Disclosure of public user information, such as nickname / screen name
- Reports based on product/protocol version without demonstration that a real vulnerability is present
- Reports of a missing protection mechanism / best current practice (e.g. no CSRF token, no framing/clickjacking protection) without demonstration of real security impact for the user or system
- Reports regarding published and non-published SPF and DMARC policies
- Logout CSRF
- Vulnerabilities in partner products or services if Clouddefense.ai users / accounts are not directly affected
- Missing SSL or other BCPs for products beyond the main scope
- Security of rooted, jailbroken or otherwise modified devices and applications
- Ability to reverse-engineer an application, lack of binary protection
- Open redirections, unless a security impact (e.g. the ability to steal an authentication token) is identified
- Plain text, sound, image or video injection into the server's reply outside of the UI (e.g. in JSON data or an error message) if it does not lead to UI spoofing, UI behavior modification or another negative impact
- Same-site scripting, reflected file download and similar attacks with questionable impact
- CSP-related reports for domains without CSP, and domain policies with unsafe-eval and/or unsafe-inline
- IDN homograph attacks
- XSPA (IP/port scanning of external networks)
- Excel CSV formula injection, scripting within PDF documents
- Attacks that require full access to the local account or browser profile
- Attacks whose scenario requires a vulnerability in a third-party site or application as a prerequisite, where that vulnerability is not demonstrated
- Theoretical attacks without proof of exploitability
- Denial of Service vulnerabilities
- Ability to send a large number of messages
- Ability to send spam or malware files
- Information disclosure via external references outside of Clouddefense.ai's control (e.g. search dorks to private robots.txt-protected areas)
- Disclosure of unused or properly restricted JS API keys (e.g. an API key for an external map service)
- Ability to perform an action unavailable via the user interface without an identified security risk