Trust Center

Security

At Cobalt, security is our absolute highest priority. Therefore, we take myriad of security measures to ensure the data of our customers and pentesters is secure and safe. In the spirit of openness and transparency, here are some of the security measures we take to protect and defend the Cobalt platform. Please contact a member of our team to learn more about our security measures.

Cobalt’s Certifications

 

SOC 2 Type II

Cobalt undergoes annual SOC 2 Type II audits to demonstrate the operating effectiveness of its security controls related to the Security, Availability and Confidentiality of the Trust Services Criteria.

ISO 27001

Cobalt is officially certified for ISO 27001, demonstrating that its ISMS is aligned with international security best practices. Robust processes and procedures to handle information assets demonstrate the company’s commitment to the highest level of internal compliance and security.

CREST

Cobalt has earned the CREST Penetration Testing Service accreditation, given to members working with highly competent and professional pentesters, and with robust processes for scoping, quality control, and customer data protection.

PGP

Below is the PGP public key to contact security@cobalt.io. You can use this key to encrypt and secure our messages. To start using it, you'll need to install an OpenPGP software on your computer. Below you'll find a list of possible solutions for your operating system:

macOS | Linux | Windows | iOS | Android

Please import the public key into your local OpenPGP Key-Manager. Updated on 10/3/22.

Click here to download PGP Public Key Block

Vulnerability Reporting(Bug Bounty)

security@cobalt.io

Since launching Cobalt, we’ve invited anyone on the internet to notify us of issues they might find in our application to further strengthen and secure our platform. All vulnerability report submissions are read within hours of receipt, and we aim to respond to all submissions within 48 hours.  Triage can take up to 72 hours for the team to review the issue and determine applicability.  Completed resolution is between 24 hours and 60 days depending upon the severity and nature of the vulnerability.  

Emergency

In the event of a security breach, we have created procedures for resolute reactions, including turning off access to the web application, mass password reset and certificate rotations. If our platform is maliciously attacked, we will communicate this information to all of our users as quickly and openly as possible.

GDPR

How we comply with GDPR

At Cobalt, we remain steadfast in our commitment to the principles of the General Data Protection Regulation (GDPR). Trust is the cornerstone of our business. We have built a comprehensive data privacy framework across our company which satisfies and complies with data protection laws, and empowers us to safeguard and protect the personal data we process, and process for our customers. 

We are continually developing our approach to data privacy, seeking opportunities to enhance, streamline or align our approach with expanding data privacy expectations. Some of our privacy controls include:

• Continually reviewing and monitoring our data processing activities to ensure ongoing compliance with data protection laws and regulations;
• Developing a record consistent with Article 30 GDPR, allowing us to fully understand important factors including the categories of personal data, the source of the data, the purpose and means of processing and the recipients of personal data;
• Consistently giving consideration to how our products, services and strategies are impacted by data protection rules; 
• A dedicated privacy team responsible for developing and bolstering our data privacy framework and upholding compliance with expanding laws and regulations, in collaboration with key stakeholders; 
• Implementation of a robust security infrastructure across our business, centered around organizational and contractual measures, combined with technological controls. Protection of our and our customers' data is of vital importance to us. For more information on our security posture and certification, visit our Security page;
• Regularly reviewing and adapting our Data Processing Agreement and Privacy Policy, ensuring our terms accurately reflect our business, and that our contracts continue to satisfy the requirements of Article 28 GDPR; 
• Promoting transparency and choice in our products, services and website, empowering our customers and visitors to make informed decisions about how their data is processed, including cookie management and a variety of other tools to assist individuals in exercising their data subject rights under GDPR. 
• Implementation of a privacy management platform whereby data subject rights requests can be fulfilled in a timely manner and with ease. For more information on how to exercise your data subject rights, please see our Privacy Policy; 
• Continually reviewing our data retention policies and schedules to ensure alignment with the data minimisation and storage limitation principles of GDPR. 
• Privacy by Design and Default is at the core of everything we do. We ensure that data privacy impacts of a new initiative, third party vendor or product are considered at the forefront of that project lifecycle. 
• Promoting a security-first culture – our people recognize the importance of data privacy. Our dedicated privacy and security teams work hard to align our people, policies, procedures and technology to protect our data and systems.
• Performing thorough diligence reviews of the third party vendors we work with who may process personal data as a data processor, or subprocessor. Cobalt has a stringent ‘Vendor Management Process’, meaning key stakeholders assess vendor suitability before approval is granted to onboard. We enter into Data Processing Agreements which satisfy at least the requirements of Article 28 GDPR and offer adequate protection for personal data processed by Cobalt and our customers. 
• Implementing a robust Security Incident and Data Breach Reporting policy and procedure to allow for efficient and transparent breach notification to both data protection authorities and/or data subjects when Cobalt is data controller, or to impacted customers when Cobalt is a data processor. Cobalt has appointed a ‘Rapid Response Team’, consisting of key stakeholders from across our business, responsible for the handling of a data breach and/or security incident.

Cobalt is a remote-first business, based in California, US, with offices (and people) in Germany and the United Kingdom. Our pool of dedicated Pentesters, our Cobalt Core, are based in various locations across the world. Our trusted third-party data processors are based and operate in the US, too. As a business with a global customer base, Cobalt is respectful of the laws and regulations regarding international data transfers. When Cobalt transfers personal data outside of the European Economic Area to the United States, we enter into the EU Commission's Standard Contractual Clauses (2021/914) as an appropriate safeguard for that restricted transfer, as defined in EU GDPR. For transfers originating from the United Kingdom, Cobalt has incorporated the ICO’s UK Approved Addendum into the EU SCCs to safeguard that data.

Cobalt’s business model is aimed at corporate customers, not individuals. To promote our products and services, we share B2B (business-to-business) direct marketing with prospective and existing customers and their representatives to promote new and exciting services that we believe may be of interest. Individuals have the right to opt-out of receiving direct marketing at any time, for any reason. The footer of any marketing email sent from Cobalt includes a link to unsubscribe from receiving marketing or this can be requested by emailing privacy@cobalt.io. 

If you have any questions relating to Cobalts approach to compliance with GDPR, please see our Privacy Policy or you can contact our dedicated privacy team at privacy@cobalt.io. 

CCPA

The California Consumer Privacy Act of 2018, Cal Civ Code §1798.100 et seq. (CCPA) provides California consumers with more control over the personal information that businesses collect about them, and offers privacy rights which consumers can exercise at any time, including:

• The right to know about the personal information a business collects about them, how it is used and who it is shared with during the past 12 months;
• The right to delete personal information collected about them, with some exceptions;
• The right to opt-out of the sale or sharing of their personal information, as defined by the CCPA; and
• The right to non-discrimination for exercising their CCPA rights.

In November of 2020, the California Privacy Rights Act (CPRA), was approved and came into force on January 1, 2023, which amends the CCPA and adds additional privacy rights and protections that began. California consumers have the following rights in addition to those above:

• The right to correct inaccurate personal information that a business holds about them; and;
• The right to limit the use and disclosure of sensitive personal information collected about them.

Cobalt is headquartered in California, meaning we have centered our approach to data privacy around the laws and regulations contained within the CCPA, as amended. Cobalt is a “Service Provider”, as defined by the Act, meaning we process data belonging to our customers under their instruction, who are defined as “Businesses” under CCPA. For more information on how we comply with the CCPA, please read our Privacy Policy. 

Cobalt takes a proactive approach to complying with CCPA rules. Some of our controls include: 

• Continually reviewing and monitoring our data processing activities to ensure ongoing compliance with data protection laws and regulations;
• Implementing a privacy management platform across our business to assist us in identifying, verifying and fulfilling privacy rights requests from California consumers. Cobalt’s privacy request interface helps consumers exercise their rights with ease. The same functionality can be used to assist our Customers in fulfilling their obligations to respond to requests;
• Offering two ways to submit consumer rights requests and to opt-out of the ‘sale’ and ‘sharing’ of your personal information, either by submitting a Do-Not-Sell form or by emailing your request to us at privacy@cobalt.io. Privacy rights requests can be submitted by completing a Privacy Request Form or by emailing us;
• Our policy management process makes sure that our Privacy Policy remains in alignment with the data privacy laws of the CCPA. Our policy has dedicated sections to CCPA and the rights available to consumers;
• Implementation of a robust security infrastructure across our business, centered around organizational and contractual measures, combined with technological controls. Protection of our and our customers' data is of vital importance to us. For more information on our security posture and certification, visit our Security page;
• A dedicated privacy team responsible for developing and bolstering our data privacy framework and upholding compliance with expanding laws, in collaboration with key stakeholders across the business. 
  

Cobalt engages in limited data transfers to third parties that may be considered a data “sale” under CCPA, given that the definition of such is very broad. Such transfers occur only in the context of presentations, panels, and other events arranged or sponsored by Cobalt, that may be presented or co-sponsored with other third parties. In such cases, event attendees will be prompted to provide certain identifying information to register for the event in question.

Such information will be shared for marketing purposes with all parties presenting or sponsoring the event, including third parties with whom the attendee may not have a pre-existing relationship. Consumers have the right to opt out of their data being shared in this manner and can do so by emailing us at privacy@cobalt.io, or by clicking do not sell my info.

If you have any questions relating to Cobalts approach to compliance with the CCPA, please see our Privacy Policy or you can contact our dedicated privacy team at privacy@cobalt.io. 

Human Rights Policy

List of Subprocessors

List of Subprocessors

Last Updated: March 2023

Cobalt works with a variety of vendor types who assist us in delivering our products and services. When the nature of a vendor's services requires them to process personal data belonging to Cobalt or our customers, they are considered under GDPR to be a Data Processor where Cobalt is Data Controller, or  Subprocessor where the customer is Data Controller, and Cobalt is Data Processor. Our trusted third-party vendors are considered to be Service Providers under CCPA.

General authorization is sought from our customers and granted based on the approved list of Subprocessors, which is included below.

As our business expands, our relationships with and reliance on third-party subprocessors will change. We may add, remove, or replace a subprocessor if we determine that the services will enhance delivery of our products and services to our customers. Cobalt customers have the right to object to the use of new or replacement subprocessors. Customers are notified of new subprocessor appointments before data processing is due to commence and are given a chance to reasonably object. Any reasonable objections may be sent by email to privacy@cobalt.io, with a subject line of ‘Subprocessor Objection’, explaining the name of your organization and the grounds for reasonable objection. 

Our list of subprocessors includes the entity and trading name of each service provider, the location of data processing, the nature of the services performed by the Subprocessor and a link to each vendor’s Privacy Policy.

Subprocessors	Functions	Location of Processing
6sense	B2B Account Engagement Platform	USA
Amazon Web Services (S3)	Cloud Based Application Provider - Data Hosting	USA
Auth0 by Okta	Identify and access management (Selected Identity Provider “IdP”)	USA
BigQuery, by Google	Multi-cloud data warehousing	USA
Calendly	Appointment scheduling software	USA
ChurnZero	Customer success software	USA
Clozd	Win-loss analysis software	USA
DataDog	Application logging tool	USA
Datagrail	Privacy Management Software	USA
Gong.io, Inc.	Revenue Intelligence Software	USA
Google LLC (Google Cloud Platform)	Cloud Based Application Provider - Data Hosting	USA
Google Analytics	Web analytics service	USA
Hotjar	Product experience and website analytics tool	USA
HubSpot	Customer Marketing Database and service	USA
Jira by Atlassian	Project/ticket management tool, used for integrations with Customers if selected	USA
LeadIQ	B2B prospecting tool	USA
Linkedin Sales Navigator	Sales intelligence software	USA
Mailchimp by Intuit	Transactional email provider for Customer emails	USA
Miro	Team planning and collaboration tool	USA
Pandadoc	Cloud-based document management software	USA
Paypal	PCI-compliant payment processing service provider	USA
Pendo	Product Analytics tool	USA
Probely	Application vulnerability scanning tool	Ireland
Salesforce.com, Inc.	Customer Relationship Management software	USA
SalesLoft, Inc.	B2B Sales Prospecting Tool	USA
SEMrush, Inc.	Marketing insights tool	USA
Slack Technologies, Inc.	Cloud Based Application Software - Internal Comms tool	USA
Testimonial Hero	Video testimonial creation service	USA
Usercentrics	Consent management platform	USA
Usergems	ABM and Intent prospecting tool	USA
Buildscale, Inc dba. Vidyard	Online video platform for sales	USA
Workato, Inc.	Integration and workflow automation tool	USA
Zendesk	Customer service solution	USA
Zoom Video Communications, Inc dba. Zoom	Cloud based communications tool	USA
ZoomInfo	Sales intelligence software for business contact information	USA

 

FAQ

1. How does Cobalt comply with GDPR?

At Cobalt, we are focussed to the security and privacy of your information.  We are committed to complying and helping our customers to comply with the General Data Protection Regulation (GDPR). Cobalt continues to adapt our products and services, operations and contractual arrangements to meet the evolving needs of the GDPR. Some of the measures we have taken include: 

• Continually investing and bolstering our security infrastructure and certifications.
• Our privacy framework is reviewed on an annual basis to ensure it aligns with regulatory obligations. 
• Protecting personal data when it is transferred internationally by executing Standard Contractual Clauses, or Model Clauses, and incorporating them into our data protection contracts. 
• Robust data protection terms within our contracts which satisfy the requirements of Article 28. 
• Automated process for the handling of Data Subject Rights requests, to ensure individuals can exercise their GDPR rights with ease.
• By promoting privacy-by-design and default across our business, data privacy and security is at the forefront of everything we do. 
• Our people understand the importance of data privacy and are committed to confidentiality. 
• We restrict access to personal data within our systems, with authorization granted only to individuals who strictly require it in order to provide, maintain or improve our services.

2. How does Cobalt comply with CCPA?

The California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (CCPA) is a US law which applies to residents of the State of California. Section 15 of our Privacy Policy has a dedicated section entitled ‘Your Rights under CCPA’ which also provides some necessary information that is required by the Act. On January 1, 2023, California passed new privacy provisions in the California Privacy Rights Act (CPRA), which offers additional rights for individuals residing in California.

Cobalt acts as a “Service Provider”, as such term is defined in the CCPA, with respect to our data processing activities. Cobalt customers are considered to be ‘Businesses’ under the CCPA.

Cobalt does not “sell” personal information as defined under the CCPA, however, because the definition of “sale” is significantly broad, some activities we undertake with personal information may be classed as such. For example, where we co-host an event or use a hosting partner, where the attendee list is shared. You have the right to opt-out of this activity at any time by clicking Do Not Sell My Data.

3. What personal data does Cobalt process?

First, let’s look at the definition Personal Data given in the GDPR:

“‘Personal Data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person”

Under CCPA, Personal Information is defined as:

“Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”

Generally, this can be split into two categories:
1. Personal Data or Personal Information, such as name, email address, social security number, IP address;
2. Special Category Data or Sensitive Personal Information, which is more high-risk in nature, such as political opinions, generic data, biometric and health data.

Cobalt does not process Special Category Data or Sensitive Personal Information about Customers. For information on the types of Personal Data that Cobalt processes for the purpose of providing our products and services, please see our Privacy Policy. 

4. Where do we store personal data?

As of today, Cobalt stores data in cloud-based data centers located in the United States. Cobalt is a remote-first business, meaning we have employees in the UK, the EU and the US. Our Cobalt Core pentesters are globally distributed, and our trusted third-party vendors may operate outside of the EEA.

 

5. Does Cobalt enter into Standard Contractual Clauses?

Cobalt has long utilized EU Standard Contractual Clauses (also known as ‘SCCs’ and ‘Model Clauses’) as a safeguard and transfer mechanism for personal data transferred outside of the European Economic Area. Cobalt is based and processes data in the US. The SCCs are a set of standard terms approved by the European Commission that can be used to transfer data to a country without an ‘adequacy decision’, like the United States, in a safe way. We embed EU SCCs (2021/914/EU) into our DPA, and assess their effectiveness for international transfers through the use of a Transfer Impact Assessment.

For personal data originating from the United Kingdom, Cobalt has incorporated the ICO’s UK Approved Addendum into the EU SCCs in our DPA which includes UK specific terms that meet onward transfer requirements under UK GDPR and the Data Protection Act 2018. 

6. How do we keep information secure?

Here at Cobalt, we pride ourselves on our security infrastructure. Not just because we’re a security-centric company, but because we genuinely care about protecting the data we handle and maintaining our customer’s trust. We have robust technical and organizational security measures designed to protect the integrity, availability, completeness and confidentiality of personal data.

For more information on our security framework and our certifications, please visit our dedicated Security page. 

7. Does Cobalt offer a DPA?

Yes we do! Cobalt’s Data Processing Agreement sets out the terms under which Cobalt will process personal data/PII as a data processor under GDPR and as a Service Provider under CCPA. If you are an entity based in the EU or California, or collect personal data from data subjects in the EU or consumers in California, you must enter into a Data Processing Agreement to ensure personal information is adequately protected. Our DPA is available upon request at privacy@cobalt.io. 

8. Does Cobalt use third-party subprocessors?

Yes we do. Our trusted third-party vendors provide us with products and tools that we rely on to offer our services. Not all of our vendors will process customer personal data, but those who will are called ‘subprocessors’ under GDPR, and Service Providers under CCPA . You can find a list of our current subprocessors/service providers here.

9. Can I opt out of B2B direct marketing?

Yes - you have the right to opt-out of receiving direct marketing at any time. You can do so by clicking the ‘unsubscribe’ link in the footer of any marketing email, or by requesting this by email at privacy@cobalt.io.

Please note that you may only opt-out of marketing-related correspondence. On occasion, we will send service-related messages to our active customers, for example, when we update our terms and conditions. You may not opt-out of receiving these as we are required by law to provide these notifications.

10. How can I exercise my rights?

GDPR offers individuals eight fundamental data subject rights. California Consumers have six privacy rights under the CCPA, as amended by CPRA. You can exercise your privacy rights at any time by completing our Privacy Request Form, or by emailing us at privacy@cobalt.io. We take all data subject rights requests very seriously. However, it is important to note that not every individual right is an absolute right, meaning in certain circumstances we may not be able to fulfill your request. For more information on your rights under GDPR and CCPA, please see the ‘Your rights under GDPR’ and ‘Your rights under CCPA’ sections of our privacy policy.

11. Who can I submit privacy questions to?

If you have any questions relating to Cobalt’s commitment to data privacy, our privacy policy, or anything else, please do not hesitate to contact our Privacy Team at privacy@cobalt.io. 

 

Privacy Rights

How can I exercise my rights?

GDPR offers individuals eight fundamental data subject rights. California Consumers have six privacy rights under the CCPA, as amended by CPRA. You can exercise your privacy rights at any time by completing our Privacy Request Form, or by emailing us at privacy@cobalt.io. We take all data subject rights requests very seriously. However, it is important to note that not every individual right is an absolute right, meaning in certain circumstances we may not be able to fulfill your request. For more information on your rights under GDPR and CCPA, please see the ‘Your rights under GDPR’ and ‘Your rights under CCPA’ sections of our privacy policy. 

Content Advisory Board

At Cobalt, we take great pride in delivering high-quality and trustworthy content to our valued audience. Recent advances with AI content creation have allowed our team of security researchers, marketers, and content contributors to explore the use of these tools in our workflows. 

We understand the importance of instilling trust, which is why our content goes through a rigorous review process, regardless of the use of AI. First and foremost, our expert editorial team meticulously evaluates each piece of content to ensure its accuracy, clarity, and overall quality.

Additionally, we take advantage of the expertise of subject matter experts who thoroughly review the content to ensure its accuracy, relevance and reliability to other information security professionals. 

We hold trustworthiness with our audience in the highest regard.

But we don't stop there. We believe in the power of collaboration, which is why we have established a Content Advisory Board consisting of subject matter experts who bring their extensive knowledge and experience to the table. These experts conduct thorough reviews, ensuring that our content remains relevant and reliable for security professionals like you.

We believe in transparency, and it is important to note that any content we create undergoes a thorough review by humans. This comprehensive process ensures that our audience can trust the information they find on our website, allowing them to make informed decisions with confidence.

Content Integrity Promise

As a cybersecurity company committed to delivering reliable and accurate content. Cobalt understands the significance of trust in the digital world and relaying accurate information. 

That's why our content always goes through a meticulous review process, ensuring the highest standards of integrity. Our expert editorial team takes great care in evaluating each piece of content, guaranteeing its accuracy, clarity, and overall quality.

This comprehensive process, combining the best of AI and human expertise, should instill confidence in our content, empowering readers to make informed decisions and navigate the complex world of cybersecurity more easily.

Cobalt's Content Integrity Promise is to provide you with the highest quality content that you can trust.

Input Information Promise

Another aspect of the advisory board is to ensure healthy and constructive data input requirements. 

Restricting what type of information is fed into AI systems and how the data inputs are used for crafting content are of a key concern related to trust in the digital world and ensuring sound digital privacy.

That’s why absolutely no PII or other sensitive data will be fed into the AI models to generate outputs. Despite the safeguards that can be put into place for this type of activity, the Cobalt team finds avoiding it all together is the safest and most responsible approach.

Cobalt’s Input Information Promise is a principle the team stands by and enforces actively throughout the content creation process.