These Terms of Service ("Terms") govern (a) your access to and use of the Sudory website(s) (the "Website"), and (b) any subscription access to Sudory's platform, including related applications, APIs, connectors, and documentation (the "Service").
If you are entering into these Terms on behalf of a company or other legal entity, you represent that you have authority to bind that entity ("Customer", "you").
Company details
Sudory is built and operated by Luit Italianer (Noordwijk, Netherlands) and Aleksej Dix (Männedorf, Switzerland).
Customer contracts are signed with Italianer Consultancy (eenmanszaak, Luit Italianer), KVK 72768924, registered in Noordwijk, Netherlands. IT services for the Service are provided by Dix Consulting (Einzelunternehmen, Lidia Dix), CHE-397.600.688, registered in Männedorf, Switzerland, listed as a subprocessor under §10.
Support: support@sudory.com. Privacy: privacy@sudory.com.
1. Structure and order of precedence
1.1 Order of precedence. If you purchase the Service, these Terms apply together with (i) an order form or statement of work (each an "Order Form"), and (ii) the Data Processing Addendum ("DPA"), available on request by email to legal@sudory.com. In case of conflict: Order Form, then DPA, then Terms.
1.2 Business use only. The Service is intended for business and professional use. You confirm you are not using the Service as a consumer.
2. Definitions (high-level)
"Authorized Users" means personnel and contractors you permit to use the Service.
"Customer Data" means data and content you (or Authorized Users) submit to the Service or make available via connected systems, including configuration, evidence, metadata, and logs.
"Connected Systems" means third-party services you connect (for example identity providers, cloud/SaaS apps, ticketing, code repositories, logging tools).
"Documentation" means Sudory's published docs and guidelines.
3. The Service (what it does)
3.1 Core workflow. The Service is designed to help Customer:
- Connect to identity and business systems to discover apps, vendors, data flows, and access paths
- Normalize evidence and security/compliance-relevant information into structured records
- Monitor changes (for example access/permissions, posture signals, inventory changes) over time
- Generate outputs such as reports, dashboards, evidence snapshots, and customer or audit-ready exports
3.2 Tool-only notice. The Service provides operational support and information. Customer remains solely responsible for its compliance program, legal or regulatory obligations, and audit outcomes. Sudory does not act as your auditor, certification body, or legal advisor.
4. Website use
4.1 Permitted use. You may browse the Website for lawful purposes.
4.2 Restrictions. You must not: scrape or harvest content at scale, attempt unauthorized access, interfere with the Website, or use the Website to transmit malware or unlawful material.
4.3 External links. The Website may link to third-party sites. Sudory is not responsible for third-party content or practices.
5. Accounts, access, and Authorized Users
5.1 Account security. You are responsible for maintaining the confidentiality of credentials and for all activity under your accounts.
5.2 Authorized Users. You are responsible for ensuring Authorized Users comply with these Terms.
5.3 Administrative controls. Certain actions (connecting systems, managing access, exporting data) require admin privileges. You will ensure only appropriate personnel have such privileges.
6. Acceptable use (summary)
6.1 Use of the Service must comply with the Acceptable Use Policy in Appendix A (and any referenced policies).
6.2 Sudory may suspend or restrict access as described in Section 12 (Suspension) if necessary to protect the Service, Customer Data, or other customers.
7. Customer Data and permissions
7.1 Customer Data ownership. As between the parties, Customer retains all rights in Customer Data.
7.2 License to operate the Service. Customer grants Sudory a limited, non-exclusive right to host, process, transmit, and display Customer Data only as needed to provide, secure, maintain, and improve the Service and as otherwise permitted in the DPA and Privacy Notice.
7.3 Customer responsibilities. Customer is responsible for: (i) the legality of Customer Data, (ii) having the necessary rights and permissions to connect systems and provide Customer Data, and (iii) configuring the Service appropriately for its needs.
8. AI features and outputs
8.1 The Service may include AI-assisted features (for example summarization, mapping, suggested controls, risk explanations).
8.2 No reliance without review. AI outputs may be incomplete or inaccurate. You must apply human review and professional judgment before acting on AI outputs.
8.3 Your policies. You are responsible for deciding how (and whether) to use AI outputs in your organization and for complying with your internal and external requirements.
9. Security and incident notification
9.1 Safeguards. Sudory maintains administrative, physical, and technical safeguards designed to protect the confidentiality, integrity, and availability of the Service and Customer Data.
9.2 Security incidents. If Sudory becomes aware of a confirmed security incident affecting Customer Data, Sudory will notify Customer without undue delay and, where feasible, within 48 hours, unless legally prohibited. Sudory will provide information reasonably necessary to help Customer meet its obligations and will take reasonable steps to mitigate and remediate.
9.3 Customer security. Customer is responsible for securing its own environments and Connected Systems, including identity, endpoints, and access controls.
10. Subprocessors and third parties
10.1 Sudory may use subprocessors and infrastructure providers to deliver the Service (hosting, monitoring, support tooling). Subprocessors will be bound by confidentiality and data-protection obligations consistent with the DPA. The current list of subprocessors is available on request.
IT services for the Service are provided by Dix Consulting (Einzelunternehmen, CHE-397.600.688, Männedorf, Switzerland), operating under this Agreement as a subprocessor.
10.2 Customer's relationship with Connected Systems is governed by Customer's agreements with those providers. Sudory is not responsible for third-party services outside the Service.
11. Fees, billing, and taxes
11.1 Fees. Fees, term, and billing schedule are set out in the Order Form.
11.2 Payment terms. Unless otherwise stated, invoices are due 30 days from invoice date. Late payments may incur statutory interest and reasonable collection costs.
11.3 Taxes. Fees exclude applicable taxes (VAT, sales or use taxes). Customer is responsible for taxes other than Sudory's net income taxes.
12. Suspension
12.1 Sudory may suspend or limit access to the Service (in whole or in part) if:
- (a) Customer is in material breach (including AUP violations)
- (b) Customer's use poses a security risk to the Service or others
- (c) required by law
- (d) payment is overdue and not disputed in good faith
12.2 Where reasonable, Sudory will provide notice and an opportunity to cure before suspension.
13. Term, renewal, and termination
13.1 Term. The subscription term is defined in the Order Form ("Subscription Term").
13.2 Renewal. Unless stated otherwise, subscriptions renew automatically for successive periods equal to the initial Subscription Term, unless either party gives written notice of non-renewal at least 30 days before the end of the then-current term.
13.3 Termination for cause. Either party may terminate if the other party materially breaches and fails to cure within 30 days of written notice (or immediately for non-curable breaches).
13.4 Effect of termination. Upon termination or expiration:
- Customer's access ends
- Sudory will make Customer Data available for export for 30 days (unless legally prohibited or a security risk)
- After the export window, Sudory will delete Customer Data in accordance with the DPA and retention practices, except where retention is required by law
14. Professional Services (if applicable)
14.1 If Sudory provides onboarding, configuration, training, or other professional services ("Professional Services"), the scope, fees, and deliverables will be defined in an Order Form or statement of work.
14.2 Unless explicitly stated, Professional Services do not constitute legal advice, audit opinions, certification, or guarantees of compliance outcomes.
15. Intellectual property
15.1 Sudory IP. Sudory and its licensors retain all rights in the Service, Documentation, and underlying technology, including improvements and feedback implementations.
15.2 Customer IP. Customer retains all rights in Customer Data and Customer trademarks.
15.3 Feedback. If you provide feedback, you grant Sudory a perpetual, worldwide right to use it without restriction or obligation.
16. Confidentiality
16.1 Each party may receive confidential information ("Confidential Information"). The receiving party will protect it using reasonable care and only use it to perform under these Terms.
16.2 Confidentiality obligations do not apply to information that is publicly available without breach, independently developed, or rightfully obtained from a third party.
16.3 This section survives termination. Trade secrets remain protected as long as they remain trade secrets.
17. Warranties and disclaimers
17.1 Performance warranty. Sudory warrants it will provide the Service in a professional manner consistent with generally accepted industry practices.
17.2 Disclaimer. Except as expressly stated, the Service and Website are provided "as is" and "as available." Sudory disclaims all implied warranties (merchantability, fitness, non-infringement) to the maximum extent permitted by law.
17.3 No guarantee. Sudory does not guarantee that the Service will detect every risk, prevent incidents, or achieve any certification or audit result.
18. Indemnification
18.1 IP indemnity by Sudory. Sudory will defend Customer against third-party claims alleging the Service infringes intellectual-property rights and will pay finally awarded damages or approved settlements, provided Customer promptly notifies Sudory and allows Sudory control of the defense.
18.2 Exclusions. Sudory has no obligation to the extent a claim arises from: (i) Customer Data, (ii) Customer's configuration or misuse, (iii) use with non-Sudory products where the claim would not exist otherwise, or (iv) modifications not made by Sudory.
18.3 Indemnity by Customer. Customer will defend and indemnify Sudory against third-party claims arising from Customer Data or Customer's violation of the AUP or applicable law.
19. Limitation of liability
19.1 No indirect damages. Neither party is liable for lost profits, lost revenue, loss of goodwill, business interruption, or indirect, consequential, or punitive damages.
19.2 Liability cap. Each party's total aggregate liability arising out of these Terms will not exceed the fees paid (or payable) by Customer for the Service in the 12 months before the event giving rise to the claim (the "Cap").
19.3 Carve-outs. The Cap does not apply to: (i) Customer's payment obligations, (ii) a party's fraud or wilful misconduct, or (iii) liability that cannot be limited under applicable law.
19.4 Basis of bargain. The parties agree these limitations reflect risk allocation and form an essential basis of the agreement.
20. Publicity
Sudory may not use Customer's name or logo without Customer's prior written consent, except where explicitly permitted in an Order Form.
21. Compliance, export, and sanctions
Customer will comply with applicable laws, including export control and sanctions laws, in its use of the Service.
22. Force majeure
Neither party is liable for failure to perform due to events beyond reasonable control (for example natural disasters, war, widespread internet outages), provided it mitigates and resumes performance as soon as practicable.
23. Assignment
Either party may assign these Terms in connection with a merger, acquisition, reorganization, or sale of substantially all assets, provided the assignee agrees to be bound. Any other assignment requires prior written consent (not unreasonably withheld).
24. Notices
Notices must be in writing and delivered to the addresses in the Order Form or to:
- Legal notices to Sudory: legal@sudory.com
- Operational notices may be sent via the Service or email
25. Governing law and venue
These Terms are governed by the laws of The Netherlands, excluding conflict-of-law rules. The courts of Amsterdam have exclusive jurisdiction, unless mandatory law provides otherwise.
26. Miscellaneous
26.1 Entire agreement. These Terms, Order Forms, and the DPA constitute the entire agreement.
26.2 Severability. If a provision is invalid, the rest remains in effect.
26.3 No waiver. Failure to enforce is not a waiver.
26.4 Updates. Sudory may update these Terms from time to time. Material changes apply from the effective date stated and, for paying customers, will not retroactively reduce rights for the then-current Subscription Term.
Appendix A: Acceptable Use Policy (AUP)
Last updated: 2026-04-20
You must not (and must not allow others to):
- Unlawful or harmful activity. Use the Service to violate laws, infringe rights, or facilitate wrongdoing.
- Security abuse. Probe, scan, or test vulnerabilities of the Service; bypass access controls; introduce malware; or interfere with integrity or availability.
- Misuse of data. Upload or process Customer Data you do not have rights to use; process special-category data unless strictly necessary and permitted under your DPA setup; or attempt to re-identify anonymized outputs.
- High-risk operations without authorization. Use the Service to make automated decisions with legal or similarly significant effects on individuals without appropriate safeguards and lawful basis.
- Reverse engineering. Copy, modify, translate, decompile, reverse engineer, or attempt to derive source code, except where this restriction is prohibited by law (in which case you will first notify Sudory).
- Benchmarking. Publish benchmarks or competitive analyses of the Service without Sudory's prior written consent.
- Abusive usage. Make excessive API calls or engage in behavior that materially degrades the Service for others.
- Misrepresentation. Impersonate others, misrepresent authority, or submit false evidence intended to mislead audits or procurement.
Enforcement. Violations may lead to suspension or termination under the Terms.