Terms of Service
These Terms of Service apply to the vahti.ai service provided by Vahti Service Oy, a security and compliance monitoring service for Microsoft 365 environments intended for businesses. The Terms define how the Customer may use the Service, the responsibilities of each party, and how matters such as billing, data protection, service changes and termination are handled. If a separate order or customer agreement has been entered into with the Customer, that agreement takes precedence to the extent it expressly provides otherwise.
Effective date: 23 April 2026
These Terms of Service govern the use of the vahti.ai service provided by Vahti Service Oy. The Service is intended for business customers and is not intended for consumer use.
1. Scope and Parties
These Terms of Service apply to the use of the vahti.ai service (“Service”). The Service is provided by Vahti Service Oy, Business ID 3598836-2, Kauppakatu 39, 40100 Jyväskylä, Finland (“Vahti Service Oy”).
The user of the Service is a company or other legal entity (“Customer”). Individuals using the Service on behalf of the Customer are “Users”.
If Vahti Service Oy and the Customer have entered into a separate written agreement, offer, order confirmation, or other order document, that document takes precedence over these Terms to the extent expressly agreed otherwise in that document.
For matters concerning the processing of personal data, Vahti Service Oy’s Data Processing Agreement (DPA) takes precedence over these Terms, unless the parties have expressly agreed otherwise in writing.
2. Formation of the Agreement and Acceptance of Terms
The agreement is formed when the Customer registers for the Service, accepts an order, starts a trial period, accepts these Terms, or otherwise starts using the Service.
Use of the Service requires acceptance of and compliance with these Terms. The person accepting these Terms on behalf of the Customer represents that they have the authority to represent the Customer and bind the Customer to these Terms.
Vahti Service Oy may store information about the acceptance of the Terms, such as the time of acceptance, the accepted version of the Terms, the Customer’s organization, and the User who accepted the Terms.
3. Description of the Service
vahti.ai is a continuous security and compliance monitoring service for Microsoft 365 environments. The Service helps the Customer detect, monitor, and prioritize security and compliance findings related to the Customer’s Microsoft 365 environment.
The Service may produce findings, risk classifications, recommendations, guidance, reports, and other views based on data obtained from the Customer’s Microsoft 365 environment.
The Service is a support tool for decision-making and security management. Vahti Service Oy does not guarantee that the Service will detect all risks, vulnerabilities, incorrect settings, anomalies, or compliance-related deficiencies. The Service also does not guarantee that the Customer’s environment is secure, error-free, compliant, or will pass an audit.
4. Registration, User Accounts, and Access Rights
Use of the Service requires registration and creation of a user account. The Customer is responsible for ensuring that the information provided during registration is accurate, up to date, and sufficient.
The Customer is responsible for the actions of its Users in the Service and for ensuring that Users have the necessary rights to use the Service on behalf of the Customer. The Customer is also responsible for protecting its own user accounts, access rights, and login credentials.
The Customer is responsible for appointing administrators and other Users, managing access rights, and removing outdated or unnecessary access rights. Access rights are personal and may not be shared with another person.
If the Customer grants access to the Service to a group company, consultant, subcontractor, partner, or other external person, the Customer is responsible for that party and its Users as if they were the Customer’s own.
The Customer must notify Vahti Service Oy without delay if the Customer suspects misuse of a user account, access right, or identifier related to the Service.
5. Customer Responsibilities
The Customer is responsible for ensuring that:
- the Service is used in accordance with law, regulatory guidance, and these Terms;
- the Customer has the right to provide the data, credentials, integrations, and materials required for use of the Service;
- the Customer’s own systems, devices, user accounts, and administrative practices are appropriately secured;
- the Customer independently assesses the suitability of the findings and recommendations produced by the Service before taking action;
- the Customer does not provide the Service with unnecessary personal data, confidential information, or other material that is not required for use of the Service;
- the Customer complies with Microsoft’s and other third-party service terms in its own use.
The Customer is responsible for its own Microsoft 365 environment, its settings, licenses, access rights, administrative decisions, and any actions taken based on the Service. Vahti Service Oy does not make changes to the Customer’s environment without a separate agreement or the Customer’s explicit action.
The Customer is responsible for ensuring that the Microsoft 365 / Entra permissions granted to the Service have been approved through the Customer’s appropriate organizational governance process. The Customer may remove the Service’s Microsoft access in its own Microsoft Entra environment, but doing so may cause the Service’s Microsoft 365 visibility to stop functioning fully or partially.
6. Permitted and Prohibited Use
The Customer may use the Service only for its own internal business purposes.
The Customer and Users may not:
- use the Service unlawfully or in a way that infringes the rights of a third party;
- attempt to breach, disrupt, overload, or circumvent the Service’s security or usage restrictions;
- investigate, scan, or test the security of the Service without Vahti Service Oy’s prior written permission;
- copy, resell, rent, sublicense, or otherwise commercialize the Service without Vahti Service Oy’s written permission;
- reverse engineer the Service’s software or structure, unless expressly permitted by mandatory law;
- use the Service to build a competing service, conduct benchmarking, or for a similar purpose without Vahti Service Oy’s prior written consent;
- introduce malicious code or other material that may compromise the operation of the Service;
- use the Service in a way that endangers the security or operation of the Service, other customers, subcontractors, or third-party services;
- use the Service in violation of export controls, sanctions, or other applicable restrictions.
7. Third-Party Services and Integrations
The Service may use third-party services and integrations, such as Microsoft services, cloud infrastructure, payment services, and email delivery services. Such services may also be subject to their own terms, which the Customer must comply with as applicable.
The Customer’s Microsoft 365, Entra ID, and other Microsoft environments are the Customer’s own services and are governed by the Customer’s own contractual relationship with Microsoft. Microsoft does not act as Vahti Service Oy’s subprocessor merely because the vahti.ai service is integrated with the Customer’s Microsoft environment using permissions granted by the Customer.
Vahti Service Oy is not responsible for the operation, availability, changes, pricing, license terms, access rights, APIs, or errors of Microsoft or any other third-party service to the extent the cause lies with that third-party service.
If a third-party service, API, term, or technical functionality changes or becomes unavailable, Vahti Service Oy has the right to modify the Service accordingly.
8. Intellectual Property Rights
All rights related to the Service, its software, user interface, documentation, trademarks, methods, models, risk logic, and other materials belong to Vahti Service Oy or its licensors. These Terms do not transfer any intellectual property rights to the Customer.
For the duration of the agreement, the Customer receives a limited, non-exclusive, non-transferable, and non-sublicensable right to use the Service for its own internal business purposes.
If the Customer provides Vahti Service Oy with feedback, development suggestions, or ideas regarding the Service, Vahti Service Oy may use them to develop the Service without separate compensation or obligation to the Customer.
9. Customer Data and Right to Use It
The Customer or its licensors own the data that the Customer provides to the Service, that is obtained through the Service, or that is generated in the Service concerning the Customer. Vahti Service Oy does not acquire ownership of Customer Data.
The Customer grants Vahti Service Oy and its subcontractors the right to process Customer Data to the extent necessary to provide, maintain, secure, support, bill for, perform the agreement for, and ensure the quality of the Service.
Vahti Service Oy may process Customer Data to provide, maintain, secure, troubleshoot, support, and ensure the quality and detection logic of the Service. Processing is limited to what is necessary for the operation, security, and quality assurance of the Service.
Vahti Service Oy does not use the Customer’s identifiable tenant data for the benefit of other customers, to train general AI models, or for general development of the Service except in anonymized, aggregated, or otherwise de-identified form so that the Customer or a natural person cannot be identified. Vahti Service Oy does not sell Customer Data or disclose it to third parties except as permitted by the agreement, the Data Processing Agreement, or law.
Vahti Service Oy may use statistical, aggregated, anonymized, or otherwise de-identified information generated from use of the Service for service development, analytics, security improvement, and reporting, provided that the Customer or any natural person cannot be identified.
Upon termination of the agreement, the Customer has the right to request an export of reasonably available Customer Data within 30 days of termination. After that, Vahti Service Oy may delete the data in accordance with the Data Processing Agreement and its retention practices.
10. Privacy and Security
Vahti Service Oy processes personal data in accordance with applicable data protection laws.
To the extent Vahti Service Oy processes personal data for its own purposes, such as customer relationship management, billing, website use, contact requests, or customer communications, Vahti Service Oy acts as the controller. This processing is described in more detail in Vahti Service Oy’s Privacy Policy.
To the extent Vahti Service Oy processes personal data on behalf of the Customer to provide the vahti.ai service, the Customer acts as controller and Vahti Service Oy acts as processor. Such processing is automatically subject to Vahti Service Oy’s Data Processing Agreement (DPA), which forms part of these Terms.
Vahti Service Oy implements technical and organizational security measures appropriate to the nature of the Service. The Customer is responsible for the security of its own Users, access rights, devices, Microsoft 365 environment, and other systems.
Subprocessors used in the Service are described on the separate Subprocessors page.
11. Prices, Billing, and Payment Terms
The current prices, billing periods, and available service plans are presented to the Customer during registration, activation, or another order process. Unless otherwise stated, prices are in euros and are subject to applicable value-added tax.
The Service may be billed monthly or annually. Pricing may consist of a fixed base fee and a per-user fee based on billable Microsoft 365 users. The billable user count is determined by Vahti Service Oy’s backend logic in accordance with the commercial model of the Service.
The billable Microsoft 365 user count may differ from the Customer’s own Microsoft license, user, or access right views. The billable user count is determined according to the commercial calculation logic used by the Service from time to time, unless expressly agreed otherwise in a separate written agreement or order document.
A billable Microsoft 365 user means an active internal user account that has an assigned license based on Microsoft Graph data available to the Service. Guest users, service principals, groups, deleted or disabled users, and user accounts identified as unlicensed are not included in the billable user count unless otherwise agreed. Unlicensed user accounts may still appear in the Service for monitoring, security, and reporting purposes.
Vahti Service Oy has the right to review and update the billable Microsoft 365 user count during use of the Service based on data obtained through the Service from the Customer’s Microsoft 365 or Entra ID environment. If the billable user count increases during a subscription period, Vahti Service Oy has the right to charge the increase for the remaining subscription period on a prorated basis. Such additional charge may be made during the subscription period using the Customer’s payment method on file or by separate invoice.
If the billable user count decreases during a subscription period, the lower user count will be taken into account in the next billing period or subscription renewal, unless otherwise agreed. A decrease in user count during a subscription period does not entitle the Customer to a refund or credit, unless required by mandatory law or a separate written agreement.
Payments may be charged to the payment method selected by the Customer through a third-party payment service, such as Stripe. The Customer is responsible for ensuring that payment and billing information is accurate and up to date.
Removal of a payment method or expiry of a payment card does not by itself terminate the subscription or remove the Customer’s obligation to pay amounts already incurred.
If a payment fails or Stripe indicates that the subscription has moved to a past_due, unpaid, or canceled status, Vahti Service Oy has the right to restrict use of the Service or suspend the Service if the Customer does not correct the payment issue within a reasonable time after being notified.
Unless mandatory law requires otherwise, the Service may be suspended no later than 7 days after notice, or earlier if Stripe marks the subscription as terminated or unpaid and continued provision of the Service is not commercially justified.
12. Trial Periods
Vahti Service Oy may offer a trial period for the Service. Unless otherwise stated, the trial period is 7 days.
Starting a trial requires adding a payment method in advance. If the Customer does not cancel the subscription before the trial period ends, a paid subscription will begin automatically after the trial period according to the service plan and billing period selected by the Customer.
During the trial period, the Service may be provided with limited features, usage volumes, or support services. Vahti Service Oy may end the trial period or restrict its use if the Service is misused or used in violation of these Terms.
13. Term, Termination, and Expiry of the Agreement
The agreement enters into force when the Customer registers for the Service, accepts an order, or starts using the Service.
The agreement remains in force according to the selected subscription period. A monthly subscription renews monthly and an annual subscription renews annually, unless the Customer cancels the subscription before the start of the next billing period or unless otherwise agreed.
The Customer may terminate the subscription through the account management function of the Service or by another method indicated by Vahti Service Oy. Fees already paid are non-refundable unless required by mandatory law or separately agreed.
Vahti Service Oy may terminate the agreement or suspend the Service if the Customer materially breaches these Terms, misuses the Service, endangers the security of the Service or other customers, fails to pay fees, or if provision of the Service can no longer reasonably be continued.
Either party may terminate the agreement immediately if the other party is declared bankrupt, enters corporate restructuring, becomes insolvent, or otherwise substantially ceases its operations.
14. Changes and Interruptions to the Service
Vahti Service Oy continuously develops the Service and may change its features, user interface, technical implementation, integrations, pricing, and documentation.
Vahti Service Oy aims to notify the Customer of material changes within a reasonable time in advance where practically possible. The Service may experience planned or unplanned interruptions due to maintenance, updates, security measures, capacity issues, errors, or third-party services.
Vahti Service Oy has the right to suspend or restrict use of the Service immediately if necessary to protect the security, availability, or integrity of the Service, the Customer, other customers, subcontractors, or third-party services.
Vahti Service Oy does not guarantee any specific availability, service level, or response time for the Service unless separately agreed in writing.
15. Terms Concerning AI and Automated Recommendations
The Service may use artificial intelligence, machine analysis, or automated methods to explain findings, produce recommendations, generate guidance, or improve usability of the Service.
Content produced by AI or automated analysis is supporting information. It is not a final legal, technical, security, or compliance decision or guarantee. The Customer is responsible for assessing the suitability of recommendations for its own environment before making decisions or taking actions based on them.
The findings, risk classifications, and recommendations produced by the Service may be based on available data, Microsoft APIs, the Customer’s licenses, permissions, settings, and technical limitations. As a result, they may be incomplete, change over time, or differ from the Customer’s own assessment.
The Service does not make automated decisions that produce legal effects concerning the Customer or a data subject. AI-assisted content produced by the Service is information used to support the Customer’s decision-making.
16. Beta, Preview, and Experimental Features
Vahti Service Oy may offer beta, preview, early access, or other experimental features in the Service. Such features may be unfinished, change, be removed, or contain errors.
Experimental features are provided as is and are not subject to separate warranties, service levels, or permanence unless otherwise agreed in writing. The Customer uses experimental features at its own discretion.
17. Limitations of Liability
Vahti Service Oy is not liable for indirect or consequential damages, such as loss of revenue, profit, savings, business opportunities, reputation, data, or use, unless mandatory law requires otherwise.
Vahti Service Oy is not liable for damage caused by the Customer’s own actions, omissions, incorrect information, insufficient access rights, changes in the Microsoft 365 environment, third-party services, or the Customer’s use of the Service’s findings or recommendations without its own assessment.
The Service is provided without warranty that it will be uninterrupted, error-free, complete, or suitable for all of the Customer’s specific purposes, unless otherwise agreed in writing.
18. Liability Cap
Vahti Service Oy’s total liability to the Customer under these Terms, the Service, or the contractual relationship is limited to the amount paid by the Customer to Vahti Service Oy in service fees during the 12 months preceding the event giving rise to liability, subject to a minimum of EUR 2,000 and a maximum of EUR 10,000.
If the Customer has used the Service for less than 12 months, the liability cap is calculated based on the fees paid during the term of the agreement, subject to the minimum and maximum amounts stated above.
During a trial or free use, Vahti Service Oy’s total liability is limited to EUR 500.
The above limitations of liability do not limit liability to the extent liability cannot be limited under mandatory law, for example in cases of intent or gross negligence.
19. Confidentiality
The parties undertake to keep confidential information received from each other confidential. Confidential information includes information marked as confidential or information that should be understood to be confidential based on its nature or the circumstances of disclosure, including Customer Data, non-public Service features, technical information, pricing, business information, and security information.
Confidential information may be used only to perform the agreement. It may be disclosed only to employees, advisors, subcontractors, or other representatives who need the information and are bound by a corresponding confidentiality obligation.
The confidentiality obligation does not apply to information that is publicly available without breach of agreement, lawfully received from a third party without a confidentiality obligation, independently developed without use of confidential information, or required to be disclosed by law, authority, or court order.
The confidentiality obligation remains in force during the term of the agreement and for three years after termination. For trade secrets, the confidentiality obligation continues for as long as the information qualifies as a trade secret under applicable law.
20. Force Majeure
A party is not liable for delay or damage caused by an obstacle beyond the party’s reasonable control that the party could not reasonably have foreseen or prevented.
Force majeure events may include war, terrorist acts, natural disasters, pandemics, labor disputes, authority orders, widespread telecommunications or power outages, cyberattacks, major cloud service disruptions, or other comparable events beyond a party’s control.
The affected party must notify the other party of the force majeure event without undue delay. If the force majeure event continues for more than three months, either party has the right to terminate the agreement.
21. Notices
Notices related to these Terms may be delivered by email, through the Service, or by another verifiable written method.
Notices to Vahti Service Oy must be sent to contact@vahti.ai. Security-related notices may be sent to the same address with the subject line “Security”. Notices to the Customer may be sent to the contact or billing email address provided by the Customer in the Service.
The Customer is responsible for keeping its contact and billing information up to date.
22. Assignment
The Customer may not assign the agreement or its rights under it to a third party without Vahti Service Oy’s prior written consent.
Vahti Service Oy may assign the agreement and its rights and obligations under it to a group company, purchaser of the business, or in connection with a corporate transaction, provided that the assignment does not materially weaken the Customer’s position.
23. Governing Law and Dispute Resolution
These Terms and use of the Service are governed by the laws of Finland, excluding its conflict of law rules.
The parties will primarily seek to resolve disputes through negotiation. If a dispute cannot be resolved through negotiation, it will be resolved by the competent Finnish general court.
24. Changes to the Terms
Vahti Service Oy may change these Terms due to changes in the Service, law, business, security, or technical requirements.
The Customer will be notified of material changes within a reasonable time in advance, for example by email, in the Service, or on the website. If the Customer continues to use the Service after the changes enter into force, the Customer is deemed to have accepted the changes.
If a change materially weakens the Customer’s position, the Customer has the right to terminate the Service effective as of the date the change enters into force.
25. Miscellaneous
If any provision of these Terms is found to be invalid or unenforceable, this does not affect the validity of the remaining provisions. The invalid or unenforceable provision will, where possible, be replaced by a provision that most closely reflects the purpose of the original provision.
A party’s failure to exercise a right under these Terms immediately does not constitute a waiver of that right.
26. Contact Details
Vahti Service Oy
Business ID: 3598836-2
Kauppakatu 39, 40100 Jyväskylä, Finland
Email: contact@vahti.ai