Terms of Service - ruledoc.io
Status: DRAFT (non-lawyer prepared). Review carefully before publishing - especially section 8 (Limitation of Liability) and section 7 (Disclaimer of Warranties).
Effective date: [REVIEW: set effective date on publish, e.g., 2026-05-15]
Last updated: 2026-05-10
Version: 1.0-draft
1. Acceptance and parties
These Terms of Service ("Terms") form a legally binding agreement between RFPvault (postal address pending PostNord boxadress registration, Stockholm, Sweden) ("ruledoc", "we", "us", "our") and the legal entity that creates an account on ruledoc.io or otherwise uses the Service ("Customer", "you", "your"). By creating an account, uploading a configuration, or otherwise using the Service, you accept these Terms. If you do not accept them, do not use the Service.
If you accept these Terms on behalf of a company or other legal entity, you represent that you have the authority to bind that entity, and references to "you" mean that entity.
The Service is intended for B2B use only. It is not directed at consumers, and is not made available for personal, family, or household use.
2. Definitions
- "Service" means the ruledoc.io software-as-a-service platform, which ingests Customer-supplied firewall configuration files and produces compliance reports and audit-evidence packs.
- "Customer Data" means data that Customer or its Users upload, transmit to, or input into the Service, including firewall configuration files and any metadata associated with them.
- "User" means an individual authorised by Customer to use the Service under Customer's account.
- "Output" means compliance reports, findings, evidence packs, and other artefacts generated by the Service from Customer Data.
- "Documentation" means the documentation made available at ruledoc.io.
- "Subscription Plan" means the tier (free, paid) under which Customer uses the Service, as described on the ruledoc.io pricing page or in an applicable order form.
3. Service description
ruledoc.io parses firewall configurations and generates advisory compliance reports against frameworks such as NIS2, PCI-DSS, ISO 27001, CIS Benchmarks, NIST CSF, and SOC 2.
The Service Output is decision-support, not legal or compliance advice. Compliance with any framework is your responsibility, and the Output is one input into your own compliance assessment, not a substitute for that assessment. See section 7 (Disclaimer of Warranties).
4. Accounts and acceptable use
4.1 Account creation
You must provide accurate registration information and keep your password confidential. You are responsible for all activity under your account.
4.2 Acceptable use
You agree not to:
- (a) reverse-engineer, decompile, or disassemble the Service except to the extent permitted by mandatory law (e.g., 17 U.S.C. § 1201(f) equivalents in EU/Swedish law);
- (b) circumvent any access control, rate limit, or usage quota;
- (c) use the Service to process data you do not have the right to process;
- (d) upload content that is unlawful, infringing, or contains malware;
- (e) use the Service to develop a competing product, scrape Output for resale, or train machine-learning models on Output;
- (f) impersonate another person or entity, or misrepresent your affiliation with one;
- (g) use the Service in a manner that would, in our reasonable judgement, threaten the security or availability of the Service for other Customers;
- (h) use the Service in a jurisdiction subject to comprehensive sanctions by the EU, the UN, or the Government of Sweden, or where its use would violate export controls.
We may suspend or terminate access for any breach of this section without prior notice.
5. Customer Data
5.1 Ownership
As between us, you own Customer Data and Output derived from your Customer Data. You grant us a limited, non-exclusive, royalty-free licence to use Customer Data solely to provide the Service to you, including to: ingest configurations, generate Output, store Output for the retention period of your Subscription Plan, and provide support.
5.2 Customer indemnity for uploaded content
You represent and warrant that you have all rights necessary to upload Customer Data to the Service and that doing so does not violate any law, contract, or third-party right. You will indemnify, defend, and hold harmless ruledoc and its operators from any claim, loss, or liability arising from Customer Data, including claims that Customer Data infringes a third-party right or violates applicable law.
5.3 Personal data and DPA
Where Customer Data contains personal data subject to the GDPR, our Data Processing Agreement (DPA) at /legal/dpa applies and is incorporated into these Terms by reference. The DPA prevails over these Terms in respect of the processing of personal data.
5.4 Confidentiality of Customer Data
We treat Customer Data as confidential and will not access, use, or disclose it except to provide the Service, comply with law, or with your written authorisation. Our personnel are bound by confidentiality obligations.
5.5 Secrets in configurations
You acknowledge that firewall configuration files may contain secrets such as pre-shared keys, passwords, and certificates. You are responsible for the content you upload. Some Service parsers strip secrets automatically; others do not. We make no warranty that secrets in Customer Data will be removed or masked. You should review configurations and remove or redact secrets before upload where they are not necessary for compliance reporting.
6. Our responsibilities
We will:
- (a) make the Service available substantially as described in the Documentation, subject to scheduled maintenance and unforeseeable unavailability;
- (b) maintain commercially reasonable technical and organisational security measures (see Privacy Policy section 10);
- (c) maintain the sub-processor list at /legal/sub-processor-list;
- (d) provide reasonable email-based support for paid Subscription Plans during normal Swedish business hours.
There is no service-level agreement (SLA) committing to a specific uptime for the free tier. Paid-tier SLAs, if any, will be set out separately in the applicable order form.
7. Disclaimer of warranties
THE SERVICE AND OUTPUT ARE PROVIDED "AS IS" AND "AS AVAILABLE", WITH ALL FAULTS AND WITHOUT WARRANTY OF ANY KIND, whether express, implied, statutory, or otherwise.
To the maximum extent permitted by applicable law, ruledoc disclaims all warranties, including any warranty of:
- merchantability;
- fitness for a particular purpose;
- non-infringement;
- accuracy, completeness, or correctness of Output;
- that the Service will be uninterrupted, error-free, or secure;
- that defects will be corrected;
- that any specific compliance posture, certification, or audit outcome will be achieved by relying on Output.
Output is advisory. Compliance reports are decision-support artefacts to help you analyse a configuration; they do not certify, determine, or guarantee compliance with any standard or regulation. You remain solely responsible for your compliance with NIS2, PCI-DSS, ISO 27001, CIS Benchmarks, NIST CSF, SOC 2, GDPR, and any other framework or law.
Some jurisdictions do not allow exclusion of certain warranties; in those jurisdictions, our warranties are limited to the minimum scope and duration permitted by mandatory law.
8. Limitation of liability
8.1 Exclusion of indirect damages
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, RULEDOC SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, CONSEQUENTIAL, SPECIAL, EXEMPLARY, OR PUNITIVE DAMAGES, including without limitation:
- loss of profit, revenue, business, or anticipated savings;
- loss of goodwill, reputation, or opportunity;
- loss, corruption, or unavailability of data;
- cost of procurement of substitute services;
- regulatory fines, penalties, or enforcement actions imposed on Customer;
- third-party claims arising from Customer Data or Customer's use of Output;
regardless of the form of action and whether arising in contract, tort (including negligence), strict liability, or otherwise, and even if ruledoc has been advised of the possibility of such damages.
8.2 Aggregate cap
RULEDOC'S TOTAL AGGREGATE LIABILITY UNDER OR IN CONNECTION WITH THESE TERMS AND THE SERVICE, FOR ALL EVENTS GIVING RISE TO LIABILITY, SHALL NOT EXCEED THE LESSER OF (A) THE FEES ACTUALLY PAID BY CUSTOMER TO RULEDOC IN THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO LIABILITY, OR (B) ONE THOUSAND EURO (EUR 1,000).
For Customers on the free tier, this cap is zero (EUR 0) - the free tier is provided without charge and without warranty.
8.3 Exceptions
Nothing in these Terms excludes or limits liability that cannot be excluded or limited under applicable mandatory law, including:
- liability for death or personal injury caused by negligence;
- liability for fraud or fraudulent misrepresentation;
- liability for wilful misconduct or gross negligence (where mandatory under Swedish law);
- liability under the Swedish Product Liability Act (Produktansvarslagen 1992:18) where applicable.
8.4 Allocation of risk
The disclaimers and limitations in sections 7 and 8 are fundamental elements of the bargain between us and reflect the price of the Service. They apply whether or not any limited remedy fails of its essential purpose.
9. Term and termination
9.1 Term
These Terms apply from the date of your account creation and continue until terminated under this section.
9.2 Termination by Customer
You may terminate at any time by closing your account in the Service interface or by emailing support@ruledoc.io. Fees paid for the current billing period are non-refundable except as required by mandatory law.
9.3 Termination by us
We may terminate or suspend your account: (a) immediately for material breach of section 4 (Acceptable Use), section 5.2 (Customer indemnity), or any law; (b) on 30 days' written notice for any other reason; (c) immediately if we discontinue the Service or the relevant Subscription Plan, in which case we will provide a pro-rata refund of pre-paid unused fees.
9.4 Effect of termination
On termination:
- your right to use the Service ends;
- we will delete Customer Data and Output within 30 days, except as required to comply with legal-retention obligations (see Privacy Policy section 7);
- sections 5.2 (indemnity), 7 (Disclaimer), 8 (Liability), 10 (Confidentiality), 12 (Governing Law), and any other clause that by its nature should survive, shall survive termination.
10. Confidentiality (mutual)
Each party will protect the other's Confidential Information with the same degree of care it uses for its own (and at least reasonable care). "Confidential Information" includes Customer Data, ruledoc's source code and Documentation, and the terms of any non-public order form. Confidentiality obligations survive for 5 years after termination, except for trade secrets which remain protected as long as they qualify as trade secrets under applicable law.
11. Fees and payment (when paid tiers launch)
[REVIEW: align with launch pricing.] Fees, billing periods, and payment terms are set out on the ruledoc.io pricing page or applicable order form. Prices exclude VAT, which will be added where applicable. Payment is by card via our payment processor (currently planned: Stripe). Late payment may result in suspension after 14 days' notice.
12. Governing law and disputes
12.1 Governing law
These Terms are governed by the laws of Sweden, excluding its conflict-of-laws rules and the United Nations Convention on Contracts for the International Sale of Goods (CISG).
12.2 Mediation first
Before commencing court proceedings, the parties shall attempt to resolve any dispute through good-faith negotiation for at least 30 days, escalated to senior representatives of each party. If unresolved, the parties shall consider mediation through a Swedish mediation institute (e.g., the SCC Mediation Institute) before litigation.
12.3 Jurisdiction
Any dispute that is not resolved by negotiation or mediation shall be subject to the exclusive jurisdiction of the Swedish courts, with Stockholm District Court (Stockholms tingsrätt) as the first instance.
12.4 Mandatory consumer rights
Nothing in this section affects mandatory consumer rights (where the Service is exceptionally used by a consumer notwithstanding section 1) or mandatory jurisdictional rights of an EU-based Customer.
13. Force majeure
Neither party is liable for failure or delay in performance caused by events outside its reasonable control, including acts of God, war, terrorism, civil unrest, government action, pandemic, network outages affecting the public internet, or failure of upstream infrastructure providers. The affected party shall notify the other and use reasonable efforts to mitigate. Payment obligations are not excused by force majeure.
14. Changes to these Terms
We may modify these Terms by giving you at least 30 days' prior notice by email or in-Service notification. If you do not accept the modified Terms, you may terminate before they take effect. Continued use after the effective date constitutes acceptance.
Changes required by law or to address a security or legal risk may take effect immediately.
15. Notices
Notices to ruledoc must be sent to support@ruledoc.io.
Notices to Customer will be sent to the email on the account.
16. Assignment
You may not assign these Terms without our prior written consent. We may assign these Terms to an affiliate or in connection with a merger, acquisition, or sale of assets, on prior notice to you.
17. Severability
If any provision of these Terms is held unenforceable, the remaining provisions remain in full force, and the unenforceable provision shall be reformed to the minimum extent necessary to make it enforceable while preserving its intent.
18. No waiver
Failure to enforce any provision is not a waiver of the right to enforce it later.
19. Entire agreement
These Terms (together with the Privacy Policy, DPA, and any applicable order form) constitute the entire agreement between the parties on the subject matter and supersede all prior agreements and communications. No terms in any Customer purchase order or vendor-management portal apply unless we expressly agree in writing.
20. Independent contractors
The parties are independent contractors. No agency, partnership, joint venture, or employment is created by these Terms.
[REVIEW] Items requiring your attention before publication:
- [REVIEW] Operator legal entity name (sole prop vs aktiebolag)
- [REVIEW] Registered address
- [REVIEW] Effective date
- [REVIEW] Section 8 (Limitation of Liability) - the EUR 1,000 / 12-month-fees cap is the most consequential single clause. Confirm you want the lower-of formulation, that EUR 1,000 is your accepted exposure ceiling, and that the EUR 0 cap for the free tier is acceptable.
- [REVIEW] Section 12 - Stockholm District Court as exclusive forum (suitable for sole prop / Swedish AB; for cross-border B2B you may want SCC Arbitration Institute as an alternative)
- [REVIEW] Section 11 - pricing/billing terms, will need to be filled in or cross-linked once paid tiers launch
- [REVIEW] Section 4(h) sanctions list - confirm scope is acceptable
- [REVIEW] Insurance - these Terms do not currently mention E&O / professional liability insurance. If you procure it, consider noting available cover
DRAFT NOTICE. This is a defensible non-lawyer draft. Section 8 (Limitation of Liability) is conservative and weighted in your favour as operator - this is the right posture for a small-team B2B SaaS, but a sophisticated enterprise Customer will push back on the EUR 1,000 cap and may require a separately-negotiated MSA. Plan for this.