The agreement
These Terms govern your use of Stonewrit — the audit-evidence API, dashboard, and related services operated by Stonewrit (“Stonewrit,” “we,” or “us”).
By creating an account, sending an event to our API, or otherwise using the service, the entity on whose behalf you are acting (“you” or “Customer”) agrees to these Terms. If you do not agree, do not use the service.
If you are signing up on behalf of an organization, you represent that you have authority to bind that organization.
The service
Stonewrit accepts normalized event payloads via POST /api/v1/events, canonicalizes them (RFC 8785), SHA-256 hashes them, and stores them in a tamper-evident hash chain. We map events to compliance controls, expose dashboards and verification endpoints, and let you export auditor-ready evidence bundles.
We may improve, update, and modify the service over time. We will notify you in advance of any change that materially reduces functionality you actively use. Documentation at stonewrit.com/docs is incorporated into these Terms by reference.
Accounts and API keys
You are responsible for your account and for any API key issued from it, including:
- keeping API keys secret and not embedding them in client code;
- promptly revoking any key suspected of compromise from the dashboard;
- limiting key scopes to the minimum required by each integration;
- providing accurate contact information for security and incident notifications.
Stonewrit will treat any request authenticated with a valid API key as authorised by you. You remain responsible for the events submitted under your keys, even if a key is compromised.
Acceptable use
You agree not to use Stonewrit to:
- violate any law or the rights of any person, or to enable others to do so;
- transmit malicious code, conduct denial-of-service attacks, or probe for vulnerabilities (except via a coordinated security disclosure to security@stonewrit.com);
- send events with falsified hashes, falsified timestamps, or otherwise attempt to defeat the integrity guarantees Stonewrit offers;
- submit content that you do not have the right to submit, including third-party personal data without lawful basis;
- resell, white-label, or repackage the service without a written agreement.
We may suspend service for violations of this section. We will attempt to notify you and give you an opportunity to cure where reasonable, but we may act immediately if doing so is necessary to protect the service or other customers.
Customer data and ownership
You own the event data you send to Stonewrit (“Customer Data”). You grant us the limited rights necessary to provide the service: to store, hash, chain, process, transmit, and present your Customer Data to you and to parties you authorise.
We do not use Customer Data to train any machine learning model. We do not sell Customer Data. We do not access Customer Data except where necessary to operate, secure, and support the service, or where required by law.
On termination, you may export your Customer Data via the API or dashboard for 30 days. After that, we delete it in accordance with our retention policies and applicable law.
Billing
Paid subscriptions are billed in advance on a monthly or annual cycle. Your operator is notified of usage in excess of soft caps, which may require a tier change; it is not automatically billed. Fees are non-refundable except where required by law.
You authorise us (and our billing processor, Stripe) to charge the payment method on file. If a charge fails, we will notify you and may suspend non-essential features until payment is resolved. Core evidence integrity and verification access are not disabled for short payment delinquency.
Either party may terminate a paid subscription at the end of the current term. You may cancel at any time from the dashboard.
Availability and integrity
We aim for high availability and publish a status page. Enterprise customers receive a written 99.99% uptime SLA with service credits for missed availability. Free and Pro tiers are provided on an as-available basis without an SLA.
Regardless of tier, the cryptographic chain integrity guarantee is unconditional: events accepted by the API are stored and independently verifiable. If we ever discover a chain break, we will notify affected customers immediately with the position and scope.
Security disclosure
If you discover a security vulnerability, email security@stonewrit.com. We will acknowledge within 72 hours and work in good faith on a coordinated disclosure timeline. We will not pursue legal action against researchers who follow this process.
Intellectual property
Stonewrit and its underlying technology — including the codebase, the chain construction, the canonicalization scheme, the control mappings, and all branding — are and remain our property. Nothing in these Terms transfers ownership to you. You may use the service only as permitted by these Terms.
Confidentiality
Each party may receive information from the other that is confidential (“Confidential Information”). Each party agrees to use the other's Confidential Information only as needed to perform under these Terms, and to protect it with the same care it uses for its own confidential information (and no less than reasonable care). Customer Data is your Confidential Information.
Disclaimers
Except as expressly stated in these Terms or a separate written agreement, the service is provided “as is” without warranty of any kind. We disclaim implied warranties of merchantability, fitness for a particular purpose, and non-infringement. We do not warrant that the service will be uninterrupted or error-free. Stonewrit does not provide legal, regulatory, or audit advice — the service is a technical tool that supports your compliance program, not a substitute for one.
Limitation of liability
To the maximum extent permitted by law, neither party will be liable for any indirect, incidental, special, consequential, or punitive damages, or for any loss of profits or revenue. Each party's aggregate liability under these Terms is limited to the greater of the amounts you paid Stonewrit in the twelve months preceding the claim or $100. Nothing in this section limits liability for fraud, wilful misconduct, or any liability that cannot be limited under applicable law.
Indemnification
You will defend, indemnify, and hold Stonewrit harmless from third-party claims to the extent arising from your Customer Data, your use of the service in violation of these Terms, or your violation of applicable law. We will defend, indemnify, and hold you harmless from third-party claims that the service, as provided by us and used within these Terms, infringes a U.S. patent, copyright, or trademark of that third party.
Termination
Either party may terminate these Terms for material breach not cured within 30 days of written notice. We may suspend or terminate immediately for serious abuse or as required by law. On termination, your right to use the service ends, your data export window opens, and accrued payment obligations remain. Sections that by their nature should survive — including IP, confidentiality, disclaimers, liability limits, and indemnification — survive termination.
Governing law
These Terms are governed by the laws of the State of Delaware, USA, without regard to conflict-of-laws principles. Disputes will be resolved in the state or federal courts located in Delaware, and each party consents to that jurisdiction. Enterprise customers may negotiate alternative governing law in a written master agreement.
Changes to these Terms
We may update these Terms as the service evolves. Organization owners will be notified of material changes by email, and those changes will be surfaced in the dashboard, at least 30 days before they take effect. Continued use of the service after a change takes effect constitutes acceptance.
Contact
Legal notices — legal@stonewrit.com. Security disclosures — security@stonewrit.com. Anything else — hello@stonewrit.com.