Help Center › Cloud / Pro

Cloud / Pro sign-in, sync & entitlements

The optional cloud tier: how to sign in, what per-tenant sync does, the Pro entitlements that unlock features, and how to publish compliance evidence — all without ever syncing PII.

The cloud tier is 100% optional. All training and the campaign simulator work offline with no account. Signing in only adds sync, MSP/white-label features, live send, and evidence publishing. If the cloud module never loads, the rest of the app is unaffected.

1 · Signing in

  1. Open the Sign in / Cloud tab.
  2. Click Sign in with Clerk. The sign-in component (and only then) loads, and you authenticate with your DosanjhLabs account — one login across the whole suite.
  3. After sign-in, the tab shows who you're signed in as and your tenant, plus the Pro feature panel.
  4. To sign out, click Sign out.
No third-party script loads until you click. Until you choose to sign in, Watchword makes no network calls and loads no auth script — it's local-first by default.

2 · Pro features & entitlements

After signing in, the Pro features panel checks your account's entitlements and shows each as Pro · unlocked or Locked. The entitlements are:

EntitlementFeatureWhat it unlocks
ai_contentBYO-key AI contentGenerate phishing lures and training lessons with your own LLM key (the AI content tab).
cloud_syncCloud syncSync training progress + campaign results across devices (see below).
mspMSP multi-tenant consoleRun per-client campaigns and reports under one login; also gates live send.
white_labelWhite-label reportsYour (or your client's) brand on exported reports.

If a feature is Locked, you'll see an Upgrade to unlock link. Entitlements are resolved server-side from your verified session — the client can't grant itself a feature, and an entitlement is scoped to your tenant so it can't unlock another tenant's plan.

3 · Per-tenant cloud sync

With cloud_sync unlocked, the Pro panel adds two buttons:

  1. ⬆ Sync up — pushes the active tenant's PII-free summary (completion %, campaign stats) to the cloud, stored under that tenant's own scoped key. You'll see "Synced [org] to cloud (isolated per-tenant scope)".
  2. ⬇ Pull from cloud — reads the active tenant's cloud summary back. If nothing's there yet, you're prompted to sync up first.
Each client syncs in its own slot. A client tenant's summary is never written to or read from another tenant's key. This mirrors the in-app isolation client-side, and Keystone enforces the same boundary server-side (the tenant is derived from your verified session). Switch the active client first, then sync.
What is never synced: learner emails, captured submissions (which are boolean-only and never stored anyway), and your AI key. The bridge that feeds the cloud module has no way to read them, so they physically cannot reach the cloud. See Security & privacy.

4 · Publishing compliance evidence

You can publish your training-completion records and campaign results as a canonical Awareness & Training evidence object into the shared graph, where it can be mapped across HIPAA AT, NIST 3.2.x, SOC 2 CC2, PCI 12.6, and ISO A.6.3.

  1. On the Sign in / Cloud tab, find the Evidence emission callout.
  2. Click Publish Awareness & Training evidence.
  3. Watchword sends the PII-free payload and confirms with the new evidence ID.

Prefer to keep it local? Use Program → Reports & exports → Evidence object (JSON) to download the same payload without publishing. The payload carries control state and framework references — never learner emails or captured data.

5 · Common cloud snags

SymptomFix
Sign-in / Cloud tab stuck on "Loading the optional cloud tier…"The cloud module isn't deployed or failed to load (offline / CSP). Everything else works fully offline — this is expected on local-only runs.
"Cloud sync is a Pro feature"Your account lacks cloud_sync. Upgrade, or use local CSV/JSON exports.
"Nothing in the cloud yet for this tenant"Sync up first for that client; pull only works after a push.
"Live send is an MSP-tier feature"Live send needs the msp entitlement. See Sending safely.

More in Troubleshooting → Sync & entitlements.

← Sending safely Next: Security & privacy →