Acceptable use

What you can and can't monitor with Sutrace.

Last updated 2026-04-24 · Effective 2026-04-24

This Acceptable Use Policy (“AUP”) is part of your agreement with Sutrace and applies to every workspace, account, and API client. The rules below exist so that Sutrace stays useful for the next customer — and lawful for all of us.

You may

  • Monitor systems, endpoints, services, devices, or AI agents that you own or are authorised (in writing) to observe.
  • Aggregate and alert on telemetry inside your own organisation and with your own workforce.
  • Build on top of the Sutrace API under your plan's rate limit.
  • Export your data at any time in machine-readable form.

You may not

  • Scan, probe, or ingest telemetry from systems you are not authorised to monitor. Running a scan against a third-party IP range or API without written permission is prohibited.
  • Use Sutrace to capture personal data beyond the minimum required for observability (for example, do not pipe full customer identifiers into free-form log fields when a hashed reference would do).
  • Use Sutrace to operate or support any system intended to harm others — weapons, surveillance of protected classes, discriminatory profiling, or critical-infrastructure sabotage.
  • Attempt to disrupt the service for other customers: denial of service, cache poisoning, resource exhaustion, or any form of tenancy escape.
  • Attempt to defeat or reverse App Check, rate limits, or Firestore security rules.
  • Resell, sublicense, white-label, or redistribute Sutrace without a signed reseller agreement.
  • Upload content or run workloads that infringe a third party's intellectual-property rights, or that violate export-control or sanctions law (we block OFAC-sanctioned jurisdictions by default).

Agent + AI observability — additional rules

When you connect an AI agent or LLM application to Sutrace, you remain the controller of the prompts, retrieved context, and completions that your system generates. Do not pipe human-generated content (customer support messages, forum posts, medical notes) into Sutrace without the legal basis to observe it. Our on-host redaction defaults will strip raw prompts and completions — if you disable redaction, the responsibility for that content is yours.

Industrial / OT — additional rules

Observing a plant floor or fleet from the cloud has real-world consequences. Do not use Sutrace to trigger write-backs or setpoint changes on equipment you are not authorised to command. Configure read-only mode on your collector by default and turn on write-back per device, with an operator in the loop.

Security research

If you find a vulnerability, we welcome reports at security@sutrace.io. Authorised testing against your own workspace is permitted. Do not test against other tenants, and do not exfiltrate other customers' data.

Enforcement

We will suspend or terminate accounts that breach this AUP, with or without notice depending on severity. We'll tell you what we saw and give you a reasonable chance to remediate, except where the conduct is clearly illegal or actively damaging.

Questions

Email legal@sutrace.io. We read everything.