Acceptable Use Policy
Last updated June 13, 2026
The short version
Use Dosanjh Labs products lawfully, only on systems and accounts you own or are authorized to assess, and don't abuse the service or harm others. Security tools like Perimeter (attack-surface scanning) and Watchword (phishing simulation) are powerful — only point them at assets and people you are authorized to test. Break these rules and we may suspend or terminate your access. This policy is part of our Terms of Service.
1. Scope
This Acceptable Use Policy ("AUP") applies to everyone who accesses or uses any Dosanjh Labs product or service (the "Service"), including Sightline, Bastion, Ward, Charter, Covenant, Watchword, Passage, Perimeter, Klaxon, Lookout, and Cairn. It is incorporated into, and is part of, our Terms of Service. You are responsible for ensuring your users, employees, contractors, and managed clients comply with this AUP.
2. Authorization — Only Test What You're Allowed To
Several products interact with live systems, networks, identities, or people. You represent and warrant that, for every such use, you have full authority and lawful authorization to do so. Specifically:
- Perimeter — only scan domains, IP ranges, and assets that you own or are expressly authorized in writing to assess. Unauthorized scanning, probing, or vulnerability testing of third-party systems may violate law (including computer-misuse statutes) and is strictly prohibited.
- Watchword — only run phishing simulations and awareness campaigns against your own workforce or a managed client's workforce with that organization's authorization. Do not target individuals who have not consented through their organization, and do not use simulated phishing to harvest real credentials for any improper purpose.
- Sightline, Passage, Cairn, Lookout, Covenant — only connect to, provision, deprovision, monitor, or inventory systems, identities, vendors, and credentials that you are authorized to administer.
- Klaxon — breach-notification letters, regulator contacts, and timelines are templates; do not send notifications to regulators, individuals, or media as though they are final or legally vetted without attorney review (see the Disclaimer).
3. Prohibited Conduct
You agree not to, and not to permit anyone to:
- use the Service in violation of any applicable law, regulation, sanctions/export-control rule, or third-party right;
- access, scan, probe, attack, or test any system, network, account, or person without authorization;
- reverse engineer, decompile, or attempt to derive source code of any non-open-source product, or circumvent license terms, usage limits, rate limits, or security controls;
- resell, sublicense, white-label (except where a plan expressly permits it), or provide the Service to third parties beyond what your plan allows;
- upload, transmit, or store malware, ransomware, or malicious code, or use the Service to develop, host, or deliver an actual attack against any party;
- attempt to gain unauthorized access to the Service, other customers' data, or our infrastructure, or disrupt, overload, or degrade the Service (including denial-of-service);
- use the Service to store or transmit content that is unlawful, infringing, defamatory, harassing, or otherwise harmful;
- submit Protected Health Information (PHI) to any product unless that product explicitly supports it and any required Business Associate Agreement is in place — see Section 4;
- misrepresent any output (for example, presenting a Bastion self-assessment as an official CMMC certification, a Sightline meter as an audit, or a Charter draft as attorney-approved); or
- use the Service in any way that creates a risk of harm, loss, or liability to Dosanjh Labs or others.
4. Regulated Data (PHI, CUI)
- PHI / HIPAA. Do not submit PHI to any product that does not support it. Ward is designed to be local-first so PHI stays on your machine; if you use any optional cloud feature with regulated data, you must have any required Business Associate Agreement (BAA) in place first. Dosanjh Labs is not a covered entity or business associate by default, and no BAA is implied by use of the Service.
- CUI. Bastion processes Controlled Unclassified Information locally in your browser; do not attempt to route CUI through features or channels not designed to keep it local.
- You remain responsible for the lawfulness of any regulated, sensitive, or personal data you process using the Service.
5. Fair Use of Resources
You may not use automated means to place unreasonable load on the Service, exceed plan limits (such as per-server, per-user, per-domain, or per-client counts), or share a single subscription across organizations beyond what your plan permits. We may apply rate limits and other technical safeguards.
6. Enforcement
We may investigate suspected violations and may, in our discretion and to protect the Service or others, suspend, limit, or terminate access — with or without notice — and remove offending content. We may cooperate with law enforcement where appropriate. Suspension or termination for a violation does not entitle you to a refund.
7. Reporting Abuse
To report a vulnerability, abuse, or a violation of this AUP, contact us through our contact form — our sole support, security, and abuse contact channel.
8. Changes
We may update this AUP from time to time. We will update the "Last updated" date above and, for material changes, take reasonable steps to notify you. Continued use after changes take effect constitutes acceptance.