Legal

Acceptable Use Policy

The rules for how SnitchOS may and may not be used. This policy is part of, and incorporated into, the SnitchOS Terms of Service.

Effective date: July 11, 2026

This document is a template for review by the Customer's and Shield's legal counsel. It is not legal advice, and it does not by itself determine what is lawful in any given jurisdiction. Applicable law governs where this policy and the law differ.

1. Parties and definitions

SnitchOS is a product of Shield Management Inc ("Shield", "we", "us"). The managed service provider that licenses SnitchOS is the Customer. The Customer's own downstream client organizations are Client Tenants. The employees and contractors whose company-owned devices are monitored through SnitchOS are Monitored Users.

For monitored endpoint data, the Customer, together with its Client Tenant, acts as the data controller, and Shield acts as a data processor on the Customer's documented instructions. This Acceptable Use Policy applies to the Customer, to anyone the Customer authorizes to administer SnitchOS, and to every Client Tenant the Customer onboards. The Customer is responsible for the acts and omissions of the people it grants access.

2. Permitted use

SnitchOS is built for one purpose: giving an MSP and its Client Tenants visibility into how company-owned, professionally managed Windows endpoints are used during work. Permitted use means all of the following are true.

2.1 Eligible devices

  • The monitored device is company-owned or company-controlled and is managed by the Customer or its Client Tenant.
  • The device is used for work by an identified Monitored User within an employment or contractor relationship.
  • The agent is deployed through a legitimate management channel — an RMM, Microsoft Intune, or Group Policy — under the Customer's administrative authority.

2.2 Lawful notice and a lawful basis

Before monitoring a Monitored User, the Customer or its Client Tenant must have a lawful basis to do so and must provide any notice or obtain any consent that applicable law requires. Employee-monitoring rules vary by jurisdiction and can require advance written notice — for example, New York, Connecticut, and Delaware each require prior notice of electronic monitoring. Under the GDPR, the Customer must identify a lawful basis and meet its transparency obligations to staff; under US state privacy laws such as the CCPA/CPRA, the Customer must honor the notice and rights owed to its personnel. Meeting these obligations is the Customer's responsibility as controller, not Shield's.

2.3 A legitimate business purpose

Monitoring must serve a legitimate, proportionate business purpose — productivity measurement, security, resource planning, attendance, or compliance evidence. Data produced by SnitchOS may be used only for those purposes and only within the tenant it was collected for.

3. Prohibited uses

You must not use SnitchOS, and must not permit anyone else to use it, to do any of the following.

3.1 Monitoring personal or unauthorized devices

Do not install the agent on a personal device, a BYOD device, or any device you are not authorized to manage. SnitchOS is not intended for, and must not be pointed at, hardware outside the Customer's or Client Tenant's administrative control.

3.2 Covert or undisclosed monitoring where notice is required

Do not use SnitchOS to monitor people secretly where the law requires notice or consent. The agent is deliberately visible and disclosable; using it to surveil staff who have not been given legally required notice — or attempting to hide its presence to defeat that notice — is prohibited.

3.3 Unlawful discrimination or retaliation

Do not use SnitchOS data to unlawfully discriminate against, harass, or retaliate against any person, including on the basis of a protected characteristic or for protected activity such as organizing, whistleblowing, or exercising a legal right. Do not use the data to target lawful off-duty conduct where doing so is prohibited.

3.4 Attempting to capture what the product deliberately excludes

SnitchOS records input counts only and never records keystroke content, clipboard contents, file contents, message bodies, audio, webcam, saved passwords, or URL query strings and fragments. Do not attempt to defeat these limits — for example by modifying, repackaging, or reverse-engineering the agent, by pairing it with a separate keylogger or content-capture tool to reconstruct what SnitchOS withholds, or by treating any field as though it contained content it is designed never to hold.

3.5 Circumventing tenant isolation

Do not attempt to access, correlate, or export data belonging to another tenant, or to bypass the row-level, object-storage, and API scoping that separates tenants. Do not attempt to view data for any Client Tenant you have not been granted access to, and do not use the service to build a cross-tenant profile of any individual.

3.6 Reselling or exporting data unlawfully

Do not sell, rent, or otherwise transfer Monitored User data to a third party except as the underlying employment relationship and applicable law allow. Do not export personal data across borders without a valid transfer mechanism — for example the appropriate Standard Contractual Clauses where the GDPR applies. Exports produced from SnitchOS remain subject to this policy.

3.7 Interfering with the service or its security

  • No probing, scanning, or penetration testing of the SnitchOS infrastructure without Shield's prior written authorization.
  • No attempt to gain unauthorized access to any account, tenant, host, or backend system, and no sharing of admin credentials or Microsoft Entra sessions.
  • No action that degrades, overloads, or disrupts the service, including automated traffic that exceeds documented limits.
  • No uploading of malware, and no use of the service to stage attacks against third parties.
  • No removal or obscuring of proprietary notices, and no use of the service in violation of export-control or sanctions law.

4. What the product will not do

Several of the limits above are enforced by the product itself, not only by policy. These built-in restraints are part of how SnitchOS is designed to be used responsibly.

  • Counts, not content. Input is measured as keystroke_count, mouse_click_count, and mouse_distance_px. The keys a person presses are never recorded and never leave the endpoint.
  • A visible service. The agent runs as SnitchOSAgent and appears in Task Manager and services.msc. It is not hidden and is not designed to be undetectable.
  • Admin-uninstallable. A local administrator can remove the agent. SnitchOS is not a rootkit and is not tamper-proof against the device's own administrator, because MSPs need that for support.
  • No content capture. No clipboard, file contents, message bodies, audio, webcam, or saved passwords are collected. Website records keep scheme, host, and path only; query strings and fragments are stripped on the endpoint and again on ingest.

5. Consequences of violation

If Shield reasonably believes this policy has been violated, we may take action proportionate to the violation, including any of the following:

  • Requesting information and a remediation plan from the Customer.
  • Suspending or throttling access to affected tenants, accounts, or features.
  • Removing or disabling specific content, rules, or configurations.
  • Suspending or terminating the affected account or the agreement in accordance with the Terms of Service.
  • Preserving records and cooperating with lawful requests from courts or regulators.

Where a violation creates an imminent risk to the service, to other tenants, or to individuals, Shield may act first and notify the Customer promptly afterward. A violation by the Customer, its personnel, or a Client Tenant does not relieve the Customer of its obligations under the agreement, including its indemnification obligations. Nothing in this section limits any remedy available to Shield at law or in the Terms of Service.

6. Reporting abuse

If you believe SnitchOS is being used in violation of this policy — for example to monitor people without required notice, to circumvent tenant isolation, or to capture data the product is meant to exclude — report it to support@snitchos.com. Include the tenant or account involved and enough detail for us to investigate. We review reports promptly and take appropriate action. Monitored Users with questions about how their own employer uses SnitchOS should raise them with their employer, who is the data controller; we can direct genuine reports of abuse to the right contact.

7. Changes to this policy

We may update this policy as the product, the law, or our practices change. Material changes will be reflected by a new effective date, and continued use of SnitchOS after a change takes effect constitutes acceptance of the updated policy. This policy works alongside our Privacy Policy, Data Processing Addendum, and Terms of Service; where the Terms and this policy conflict, the Terms govern.

8. Contact

For questions about acceptable use, or to report a suspected violation:

SnitchOS is a product of Shield Management Inc.

Questions before you deploy

See how SnitchOS handles monitoring responsibly.

Walk through the deployment, disclosure, and data-handling model on your own fleet with a 30-day pilot.