Terms of Service
Last updated June 13, 2026
The short version
Dosanjh Labs makes software tools — Sightline, Bastion, Ward, Charter, Covenant, Watchword, Passage, Perimeter, Klaxon, Lookout, and the free open-source Cairn. These tools help you do your own security, compliance, and IT work — they are not a guarantee of compliance, an official certification, an audit, or legal, medical, or other professional advice (see our Disclaimer). Use them lawfully and only on systems you're authorized to assess (see our Acceptable Use Policy). You pay through Stripe; subscriptions auto-renew until you cancel; refunds follow our Refund & Cancellation Policy. The service is provided "as is," our liability is hard-capped, and disputes are resolved by binding arbitration in Washington State (you may opt out within 30 days). You stay responsible for your own data — including any CUI or PHI. Read the full terms below.
1. Acceptance & Eligibility
These Terms of Service ("Terms") are a binding agreement between you ("you," "Customer," or "your organization") and Dosanjh Labs, a sole proprietorship operated by Jasvant Dosanjh and based in Washington State, USA ("Dosanjh Labs," "we," "us," or "our"). By creating an account, completing checkout, or using any product or service we offer (the "Service"), you agree to these Terms and to our Privacy Policy, Disclaimer, Acceptable Use Policy, and Refund & Cancellation Policy, each incorporated by reference.
You represent that you are at least 18 years old and that, if you are using the Service on behalf of a company, agency, or other organization, you have the authority to bind that organization to these Terms. If you do not agree, do not use the Service.
2. Description of the Service — Tools, Not Guarantees
Dosanjh Labs offers a suite of subscription software products. Each is a tool and aid that supports your own security, compliance, and IT work. It is your responsibility to interpret and act on what the tools tell you. In particular:
- Sightline connects to tools you already operate and reports your posture across security and compliance frameworks. Its outputs are informational only — not legal advice, not an audit, not an attestation, and not a guarantee that you are or will become compliant with any framework, law, or contract.
- Bastion is a self-assessment preparation aid for CMMC / NIST SP 800-171. It helps you organize your assessment and generate working documents (such as an SSP and POA&M). It is not an official CMMC certification, not a C3PAO assessment, and not an attestation to the DoD or any other party. Your SPRS score and certification status are determined by you and the official assessment process, not by Bastion. Controlled Unclassified Information ("CUI") you enter into Bastion is handled locally in your own browser and does not reach Dosanjh Labs.
- Ward is a HIPAA compliance aid: a guided Security Risk Assessment (SRA), risk register, policy and BAA management, training records, and a Security Rule readiness gap report. It is local-first — PHI is designed to stay on your machine (with optional cloud sync). Its SRA, scores, and gap reports are informational starting points, not medical advice, not a legal determination of HIPAA compliance, and not a guarantee of any audit outcome (see the Disclaimer and Section 14).
- Charter generates security policies and procedures and provides a version-controlled policy library and attestation workflow. Generated policies are drafts you must review, customize, and approve; framework mappings are organizational aids, not legal opinions.
- Covenant tracks vendor / third-party risk and Business Associate Agreements. Its risk scores and expiry trackers are management aids, not legal opinions on any agreement or vendor.
- Watchword runs phishing simulations and security-awareness training. You may only target your own (or an authorized managed client's) workforce — see the Acceptable Use Policy.
- Passage automates IT onboarding/offboarding across your connected apps. It is an automation aid and does not guarantee that all access is provisioned or revoked correctly.
- Perimeter scans your external attack surface and known vulnerabilities. You may only scan assets you own or are authorized to assess; it does not guarantee that every exposure will be discovered.
- Klaxon provides incident-response and breach-notification playbooks, templates, and jurisdiction-aware timelines. Its letters, contacts, and timelines are informational templates, not legal advice, and must not be sent without review by a licensed attorney (see the Disclaimer).
- Lookout runs outbound-only agents that report server health metrics. It is a monitoring aid; it does not guarantee that issues will be detected, that alerts will be delivered, or that downtime will be prevented.
- Cairn is free and open-source software licensed under AGPL-3.0 and runs in your own environment (see Section 7).
We may add, change, or discontinue products and features at any time. Products not yet launched are described as roadmap items and are not part of the Service until launched and separately offered.
3. Accounts & Security
Accounts are passwordless and managed through our authentication provider (Clerk) using magic-link sign-in, passkeys, multi-factor authentication, and/or single sign-on (SSO). We collect your email address at checkout to provision your account.
You are responsible for:
- maintaining control of the email accounts, passkeys, devices, and identity providers (including any SSO or Okta connection) used to access the Service;
- all activity that occurs under your account; and
- promptly notifying us through the contact form if you believe your account has been compromised.
We are not responsible for losses arising from your failure to safeguard your access methods or from misconfiguration of your own identity provider or SSO.
4. Acceptable Use
You agree not to, and not to permit anyone to:
- use the Service in violation of any applicable law, regulation, or third-party right;
- reverse engineer, decompile, or attempt to derive source code of any non-open-source product, or circumvent usage limits, license terms, or security controls;
- resell, sublicense, or provide the Service to third parties except as expressly permitted;
- upload malware, attempt to gain unauthorized access, probe or disrupt the Service or its infrastructure, or interfere with other customers;
- use the Service to store or transmit unlawful, infringing, or harmful content; or
- misrepresent the outputs of any tool (for example, presenting a Bastion self-assessment as an official certification).
We may suspend or terminate access for violations of this Section, with or without notice, to protect the Service or other customers.
5. Subscriptions, Billing, Auto-Renewal & Taxes
- Pricing & currency. Fees are in U.S. Dollars (USD) and are charged through our payment processor, Stripe. Stripe stores and processes your card data; we do not store full card numbers.
- Billing terms. You may choose monthly or annual billing. Annual plans receive a 15% discount versus twelve monthly payments. When 3 or more paid products are in your subscription, an additional 5% suite discount applies. Per-server products (Lookout) are billed by the number of servers you monitor.
- Auto-renewal. Subscriptions automatically renew at the end of each billing period (monthly or annual) at the then-current rate, using your payment method on file, until you cancel. By subscribing, you authorize these recurring charges.
- Price changes. We may change prices; changes apply on your next renewal after reasonable notice (for annual plans, before the renewal date).
- Taxes. Fees are exclusive of taxes. You are responsible for any sales, use, VAT, or similar taxes, which may be calculated and collected at checkout.
- Cancellation. You may cancel at any time through the contact form. See Section 6 and the Refund & Cancellation Policy.
6. Refunds & Cancellation
Our refund terms are set out in full in the Refund & Cancellation Policy and summarized here:
- Monthly plans are non-refundable.
- Annual plans include a 30-day money-back window from the date of the charge; after 30 days they are non-refundable.
- You may cancel anytime, and your access continues until the end of the period you have already paid for. We do not pro-rate or refund partial periods except as required by law or as expressly stated in the Refund Policy.
- Free / open-source products (Cairn) involve no charge and are excluded from refunds.
7. Intellectual Property & License Grant
Except for open-source components, the Service, software, documentation, trademarks, and all related intellectual property are owned by Dosanjh Labs or its licensors. Subject to these Terms and your payment of fees, we grant you a limited, non-exclusive, non-transferable, revocable license to access and use the paid Service for your organization's internal business purposes during your subscription. You retain ownership of your own data.
Cairn is licensed separately under the GNU Affero General Public License, version 3.0 (AGPL-3.0). Your use of Cairn is governed by that license, not by the proprietary license in this Section. Nothing in these Terms limits any rights granted to you under AGPL-3.0 for Cairn.
We may use aggregated, de-identified data (which does not identify you, your organization, or any individual) to operate and improve the Service.
8. Third-Party Services & Bring-Your-Own Keys
The Service relies on third-party providers, including Stripe (payments), Clerk (authentication), Cloudflare (hosting and delivery), and Resend (transactional email). Sightline and other products may also connect to tools you operate (identity, device, cloud, ticketing, and similar systems). Your use of those third-party services is governed by their own terms and policies. We do not control and are not responsible for any third-party service, its availability, security, accuracy, pricing, or acts and omissions, and you are responsible for your own connected tools and the credentials you provide to connect them.
Bring-your-own AI keys. Where a product lets you supply your own AI provider key (for example, an OpenAI, Anthropic, or other model-provider API key), that key and your requests are configured client-side and sent directly from your browser to the provider you chose; they are not routed through, intercepted by, or stored by Dosanjh Labs. Your use of any such AI provider is governed by that provider's own terms, and you are solely responsible for your key, your usage, the costs the provider charges you, and the provider's outputs. Dosanjh Labs disclaims all responsibility and liability for any third-party AI provider and its output.
9. Disclaimer of Warranties
The Service is provided "as is" and "as available," with all faults and without warranties of any kind. To the maximum extent permitted by law, Dosanjh Labs disclaims all warranties, whether express, implied, statutory, or otherwise, including any implied warranties of merchantability, fitness for a particular purpose, title, and non-infringement, and any warranties arising from course of dealing or usage of trade.
Dosanjh Labs does not warrant that the Service will be uninterrupted, secure, error-free, or free of harmful components, that any data will be accurate or preserved, or that the Service will detect every issue or result in compliance with, or certification under, any framework, law, contract, or standard. You assume full responsibility for your use of the Service and any decisions made based on its outputs. Some jurisdictions do not allow certain warranty exclusions, so some of the above may not apply to you.
10. No Professional Advice; No Reliance
Every output of the Service is informational only. The tools, readiness meters, scores, posture reports, SPRS calculations, SSPs and POA&Ms, Security Risk Assessments, gap reports, generated policies and procedures, framework mappings, vendor and BAA risk scores, breach-notification letters, regulator contacts, timelines, scan results, and every other document, number, or recommendation the Service produces are informational outputs that you alone are responsible for reviewing, validating, and deciding whether and how to use. They are not legal, medical, audit, accounting, tax, insurance, or other professional advice, and using the Service creates no professional, advisory, fiduciary, attorney–client, or other special relationship between you and Dosanjh Labs.
You agree that you will not rely on any output as a substitute for your own judgment or the advice of a qualified, licensed professional, and that you will independently verify any output before you adopt, send, sign, publish, file, or otherwise act on it. Dosanjh Labs makes no representation, warranty, or guarantee that use of the Service will result in compliance with, or certification under, HIPAA, CMMC, NIST SP 800-171, SOC 2, ISO 27001, PCI DSS, FERPA, GDPR, any state breach-notification law, or any other law, regulation, framework, standard, or contract, or that you will pass any audit, assessment, examination, or enforcement review, or avoid any breach, fine, penalty, or claim. This Section is reinforced by, and incorporates, the Disclaimer.
11. Assumption of Risk
You knowingly and voluntarily assume all risk arising from your use of the Service and its outputs, including any decision you make or refrain from making in reliance on them, any reliance on a score, meter, or generated document, any sending of a Klaxon notification, any Watchword phishing simulation, any Perimeter scan, any handling of CUI, PHI, or other regulated data, and any compliance, audit, security, legal, or financial result. You acknowledge that security and compliance involve inherent uncertainty and that no tool can guarantee any outcome.
12. Limitation of Liability
To the maximum extent permitted by law, in no event will Dosanjh Labs be liable for any indirect, incidental, special, consequential, exemplary, or punitive damages, or for any loss of profits, revenue, data, goodwill, or business, arising out of or relating to the Service or these Terms, even if advised of the possibility of such damages and even if a remedy fails of its essential purpose.
Dosanjh Labs' total aggregate liability arising out of or relating to the Service or these Terms, for all claims combined, will not exceed the greater of (a) the total fees you actually paid to Dosanjh Labs in the twelve (12) months immediately preceding the event giving rise to the claim, or (b) one hundred U.S. dollars (US $100). For free or open-source products (such as Cairn) for which you paid no fees, the cap is US $100.
Nothing in these Terms limits or excludes any liability that cannot be limited or excluded under applicable Washington State law, including liability for fraud, gross negligence, or willful misconduct.
13. Indemnification
You agree to defend, indemnify, and hold harmless Dosanjh Labs and Jasvant Dosanjh from and against any claims, liabilities, damages, losses, and expenses (including reasonable attorneys' fees) arising out of or related to: (a) your use or misuse of the Service; (b) your data and any content you submit, including any CUI, PHI, or other regulated data; (c) your violation of these Terms, any law, or any third-party right; and (d) your connected tools and identity providers.
14. Regulated Data (CUI, PHI & Similar)
- You are the controller / covered entity. For any regulated data you process using the Service, you remain the data controller and, where applicable, the covered entity or business associate. You are responsible for ensuring your use of the Service is lawful for that data.
- CUI stays local in Bastion. Bastion is designed so that CUI you enter is processed locally in your browser and is not transmitted to or stored by Dosanjh Labs.
- PHI stays local in Ward. Ward is local-first and designed so that Protected Health Information ("PHI") you enter stays on your own machine and is not transmitted to or stored by Dosanjh Labs. If you enable any optional cloud feature with regulated data, you are responsible for ensuring a required BAA is in place first.
- No BAA implied. Dosanjh Labs is not a HIPAA covered entity or business associate by default, and no Business Associate Agreement ("BAA") is created by these Terms or by your use of the Service. You must not route PHI through any product feature or channel that is not designed to keep it local unless a separate, signed BAA is in place.
15. Binding Arbitration; Class-Action & Jury-Trial Waiver
Please read this section carefully — it affects your legal rights.
- Binding arbitration. Except as provided below, any dispute, claim, or controversy arising out of or relating to the Service or these Terms will be resolved by final and binding arbitration, rather than in court, administered by a recognized arbitration provider under its commercial rules. The arbitration will be seated in Washington State, and judgment on the award may be entered in any court of competent jurisdiction.
- Class-action waiver. All claims must be brought in your individual capacity, and not as a plaintiff or class member in any purported class, collective, consolidated, or representative proceeding.
- Jury-trial waiver. To the extent any dispute proceeds in court rather than arbitration, you and Dosanjh Labs each waive any right to a jury trial.
- 30-day opt-out. You may opt out of this arbitration agreement by notifying us through the contact form within 30 days of first accepting these Terms, stating your name and intent to opt out. If you opt out, the arbitration/class-waiver provisions do not apply to you, but the remainder of these Terms (including the governing-law and venue provisions) still do.
- Small-claims carve-out. Either party may bring an individual claim in small-claims court if it qualifies. Claims for injunctive relief to protect intellectual property may also be brought in court.
16. Limitation of Claims Period
Any claim or cause of action arising out of or relating to the Service or these Terms must be commenced within one (1) year after the claim or cause of action accrues, or it is permanently barred, except where applicable law prohibits shortening the limitations period, in which case the shortest period permitted by law applies.
17. Export Controls & Sanctions
You must comply with all applicable export-control, import, and economic-sanctions laws and regulations, including those of the United States. You represent that you are not located in, organized under the laws of, or ordinarily resident in any country or territory subject to comprehensive sanctions, and that you are not on any government restricted-party, denied-party, or sanctions list. You will not use, export, re-export, or provide access to the Service in violation of any such law, and you will not use the Service for any prohibited end use.
18. Governing Law & Venue
These Terms are governed by the laws of the State of Washington, USA, without regard to its conflict-of-laws rules. Subject to the arbitration provision above, you and Dosanjh Labs agree to the exclusive jurisdiction and venue of the state and federal courts located in Washington State for any matter not subject to arbitration.
19. Changes to the Terms or Service
We may update these Terms from time to time. When we do, we will update the "Last updated" date above and, for material changes, take reasonable steps to notify you. Your continued use of the Service after changes take effect constitutes acceptance. We may also modify, suspend, or discontinue any part of the Service.
20. Termination & Suspension
You may stop using the Service and cancel at any time. We may suspend, limit, or terminate your access, in whole or in part, with or without notice, if you breach these Terms or the Acceptable Use Policy, fail to pay, present a security or legal risk, or use the Service in a way that risks harm to us, other customers, or any third party. We may also suspend the Service to protect its integrity or to comply with law. On termination, your license ends, your right to use the Service ceases, and the survival provisions below continue to apply. Termination or suspension for cause does not entitle you to a refund.
21. Force Majeure
We are not liable for any failure or delay caused by events beyond our reasonable control, including acts of God, natural disasters, war, terrorism, civil unrest, labor disputes, internet or utility failures, third-party service outages, or government action.
22. Severability
If any provision of these Terms is held unenforceable, that provision will be limited or removed to the minimum extent necessary, and the remaining provisions will remain in full force and effect.
23. Entire Agreement & Survival
These Terms, together with the Privacy Policy, Disclaimer, Acceptable Use Policy, and Refund & Cancellation Policy, are the entire agreement between you and Dosanjh Labs regarding the Service and supersede any prior agreements. The provisions that by their nature should survive termination — including Sections 7, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 22, and 23 — survive.
24. Contact
Questions about these Terms? Reach us through our contact form — our sole support, legal, and privacy contact channel.