Legal
Terms of Service
These Terms of Service ("Terms") govern Customer's use of the watchtower service.
1. The parties
Provider: Ampliosoft AB, a company organized under the laws of Sweden, reg. no. 559266-1309 ("Watchtower," "we," "us").
Customer: the organization that enters into this agreement ("Customer," "you").
These Terms, together with any signed order form, the Privacy Policy, and the Data Processing Agreement, form the complete agreement between the parties for the watchtower service.
2. The service
Watchtower is a security-posture monitoring service that connects to Customer's Microsoft 365 and Microsoft Entra tenants, evaluates them against published compliance benchmarks (CIS, CISA ScubaGear, and similar), and reports findings to designated Customer users.
Specifically, watchtower:
- Polls Customer's tenants on a documented cadence (5-minute drift sweeps) using Customer-provided credentials.
- Stores collected configuration data and computed findings.
- Generates signed evidence packs for download.
- Maintains an append-only audit chain of significant events.
What watchtower does NOT do:
- It does not read mailbox contents, file contents, chat contents, or any user-generated payload outside the configuration scope.
- It does not modify Customer tenant state except via explicit, audited "restore" operations the Customer initiates.
- It does not aggregate Customer data with other customers'.
The technical surface is described in the product documentation at https://docs.watchtower.nu. Watchtower commits to keeping that documentation honest as an auditor-facing artefact; the docs themselves are a contractual artefact of these Terms.
3. Customer obligations
Customer is responsible for:
- Providing accurate tenant credentials and maintaining their validity. Watchtower does not rotate Customer-provided credentials; it surfaces credential failure to the Customer's designated administrators.
- Designating authorized users and managing their access within watchtower's role-based permissions (scope-based access).
- Compliance with Customer's own contractual and regulatory obligations with respect to data Customer chooses to surface in watchtower.
- Acting on findings and not treating watchtower's evaluations as a substitute for an enterprise security program.
4. Acceptable use
Customer may use the service only:
- For Customer's own legitimate security-posture monitoring purposes.
- Within the per-plan limits (number of tenants, scan rate, evidence pack retention) documented in the order form.
Customer MUST NOT:
- Use the service to monitor tenants Customer is not authorized to monitor.
- Resell, sublicense, or expose the service to Customer's own customers without an explicit Multi-Tenant Service Provider ("MSP") add-on.
- Probe, attack, or attempt to bypass watchtower's security controls. Responsible disclosure of vulnerabilities is invited and welcomed (see Privacy Policy section on security).
- Use the service to violate law or third-party rights.
Watchtower may suspend access immediately on a good-faith belief that this section is being violated and shall promptly notify Customer.
5. Beta and design-partner phase
If Customer is in the watchtower design-partner phase or is otherwise using a pre-1.0 release, the following apply IN ADDITION TO and IN PRECEDENCE OVER the rest of these Terms:
- The service is provided "AS IS" with no warranty of fitness or uptime.
- Watchtower may make breaking changes with reasonable notice.
- Watchtower will not pursue commercial damages against Customer for testing-related issues, and reciprocally Customer agrees to not pursue commercial damages against watchtower for service issues.
- This phase has a fixed end date stated in the order form; before that date the parties shall negotiate the transition to the General-Availability terms or wind down the engagement.
6. Fees and billing
Per the order form. Where the order form is silent:
- Fees are stated in EUR exclusive of VAT.
- Invoices are due within 30 days of issue.
- Late payment past 30 days accrues interest at the lower of 1.5% per month or the maximum permitted by law.
- Watchtower may suspend the service for accounts overdue more than 60 days, with at least 10 days' advance notice.
7. Service levels (production phase)
Watchtower commits to the following Service Level Objectives once Customer transitions to General Availability:
- Web app monthly uptime: 99.5% measured from the watchtower status page external probes (status.watchtower.nu).
- Drift sweep cadence: at least one successful sweep per 30-minute window for healthy tenants.
- Recovery objective for an outage that triggers backup restoration: RPO 7 days, RTO 48 hours.
Service credits for missed SLOs are calculated per the order form. Service credits are the sole remedy for missed SLOs.
The watchtower status page is the canonical source for uptime reporting. Disputes about uptime are resolved by reference to the status page's incident record.
During the design-partner phase (section 5) the SLOs in this section are aspirational targets, not commitments.
8. Intellectual property
Customer retains all rights to Customer Data. Customer grants watchtower a non-exclusive, worldwide, royalty-free license to process Customer Data solely to provide the service.
Watchtower retains all rights to the watchtower software, the benchmark catalog, the audit-chain design, and the evidence-pack format.
Feedback Customer provides about the service is freely usable by watchtower without obligation. Customer is not required to provide feedback.
9. Confidentiality
Each party shall treat the other's non-public information shared in the course of this agreement as confidential. Each party may use that information only to perform under this agreement. Each party shall apply at least the same standard of care to the other's confidential information as to its own confidential information of similar sensitivity, but not less than reasonable care.
Confidentiality survives termination for 5 years, indefinitely for trade secrets.
10. Data processing and privacy
The collection, processing, and disclosure of personal data is governed by the Privacy Policy and the Data Processing Agreement (DPA), each of which is incorporated by reference. To the extent of any conflict, the DPA controls.
11. Limitation of liability
Neither party is liable to the other for indirect, incidental, consequential, or punitive damages, including lost profits, even if advised of the possibility.
Each party's aggregate liability for direct damages is capped at the greater of (a) EUR 10,000 or (b) the fees Customer paid in the 12 months preceding the claim.
The cap and exclusion do NOT apply to:
- Watchtower's intentional misuse of Customer Data.
- Either party's indemnity obligations.
- Customer's payment obligations.
- Either party's gross negligence or willful misconduct.
12. Indemnity
Watchtower shall defend Customer against any third-party claim that watchtower's service, as provided, infringes that third party's intellectual property rights, and shall pay damages and reasonable costs finally awarded, provided Customer notifies watchtower promptly and gives watchtower control of the defense.
Customer shall defend watchtower against any third-party claim arising from Customer's use of the service in violation of these Terms, or from data Customer chose to load into the service in violation of law or third-party rights.
Neither party indemnifies the other for the other's own breach of law.
13. Term and termination
These Terms run for the term stated in the order form (default: 12 months) and auto-renew for like periods unless either party gives notice of non-renewal at least 30 days before the end of a term.
Either party may terminate for cause if the other materially breaches and fails to cure within 30 days of written notice (or 10 days for non-payment).
On termination:
- Customer access ends immediately.
- For 30 days post-termination, watchtower retains Customer Data and permits export via the documented export mechanism under our data-lifecycle policy.
- After 30 days, watchtower permanently deletes Customer Data EXCEPT the immutable audit chain entries, which are retained for the legally-required minimum and then purged on a schedule documented in our data-lifecycle policy and in the Privacy Policy.
14. Governing law and disputes
These Terms are governed by the laws of Sweden without regard to its conflict-of-laws rules.
The parties first attempt to resolve disputes informally for 30 days after written notice. Unresolved disputes are submitted to binding arbitration in Stockholm, Sweden under the Rules of the Arbitration Institute of the Stockholm Chamber of Commerce (SCC). Either party may seek injunctive relief in any court of competent jurisdiction to protect its intellectual property or confidentiality.
Each party waives any right to participate in a class action.
15. General
Notice. Notices to watchtower go to legal@watchtower.nu; notices to Customer go to the contact in the order form. Notice is effective on receipt.
Assignment. Neither party may assign this agreement without the other's written consent, except to a successor in a merger, acquisition, or sale of substantially all assets. Watchtower shall notify Customer of a permitted assignment.
Force majeure. Neither party is liable for delay or failure due to causes beyond reasonable control (natural disaster, war, sustained provider outage, lawful government action) provided the affected party notifies the other promptly and resumes performance as soon as practicable.
No third-party beneficiaries. This agreement is for the parties' benefit only.
Severability. If any provision is unenforceable, the rest stays in effect.
Entire agreement. These Terms, the order form, the Privacy Policy, and the DPA are the complete agreement. They supersede prior oral or written communications.