Acceptable Use Policy

Version 1.0 · Draft under counsel review. This document supplements the Vindicara Terms of Service. Capitalized terms not defined here have the meanings given in the Terms of Service.

Effective Date: April 22, 2026 Last Updated: April 22, 2026

1. Purpose and Scope

This Acceptable Use Policy ("AUP") describes activities that are prohibited when using the Site, the OSS Software, the Team Tier, the Enterprise Tier, and any other Services offered by Vindicara, Inc. ("Vindicara"). Violation of this AUP is a material breach of the Terms of Service and may result in suspension or termination of your access to the Services, without refund, and may expose you to civil or criminal liability.

This AUP applies to Customers, Authorized Users, and any person accessing the Services, regardless of subscription tier. It applies in addition to, and does not limit, any restrictions in the Terms of Service, your Enterprise Master Services Agreement, or applicable law.

2. Core Principle

Project AIR™ is a forensic and incident-response tool for AI agents. It is a security product used by security engineers, platform teams, and compliance officers to observe, record, analyze, and respond to agent behavior. It is not a weapon. It is not an offensive security tool. It is not a platform for conducting unauthorized testing, surveillance, or harm.

You may not use Vindicara Services for any purpose that is illegal, harmful to others, or inconsistent with the defensive security mission of the product.

3. Prohibited Activities

The following are strictly prohibited.

3.1 Illegal Activity

  • Activity that violates any applicable law, regulation, or court order in any jurisdiction where you access the Services, operate, or target systems.
  • Activity that violates any applicable export-control or sanctions regime (see Terms of Service Section 17).
  • Activity that violates the computer-crime laws of any applicable jurisdiction, including the U.S. Computer Fraud and Abuse Act (CFAA, 18 U.S.C. § 1030), the EU NIS2 Directive, the UK Computer Misuse Act 1990, and analogous laws in your jurisdiction.
  • Activity that facilitates, conceals, or evades taxation, money laundering, or terrorism financing.

3.2 Unauthorized Access or Testing

  • Using the Services to conduct security testing, reconnaissance, exploitation, or attacks against any system, network, application, or agent you are not authorized in writing by the system's operator to test.
  • Using the Services to ingest, process, or analyze data from systems you do not own or do not have explicit authorization to monitor.
  • Using the Services to bypass authentication, authorization, or access controls on any system.
  • Using the Services to impersonate any person or entity, or to misrepresent the origin, authorship, or integrity of any record.

3.3 Tampering With Forensic Integrity

Because Project AIR™ produces records that may be presented as evidence in legal, regulatory, or insurance proceedings, tampering with those records or presenting them in misleading ways is a fundamental breach of trust and is strictly prohibited.

  • Forging Intent Capsules, forensic records, signatures, agent registries, forensic reports, or Article 72 reports.
  • Modifying a forensic chain after creation and representing the modified chain as original.
  • Counterfeiting or stripping the cryptographic artifacts (signatures, content hashes, signing keys) from any record.
  • Misrepresenting Vindicara-generated records as having been verified when they have not been, or as having been signed by an authority that did not sign them.
  • Using the Services in connection with any scheme to submit false evidence in any legal, regulatory, insurance, or administrative proceeding.

3.4 Violating Privacy or Surveillance Regulations

  • Using the Services to process Personal Information in violation of applicable privacy law (GDPR, UK GDPR, CCPA, state privacy laws, HIPAA where applicable, APPI, PIPA, PIPEDA, LGPD, etc.).
  • Using the Services to monitor or analyze individuals, employees, customers, or other persons in violation of their privacy rights or applicable disclosure obligations.
  • Uploading Personal Information or sensitive data you are not authorized to process.
  • Using the Services for stalking, harassment, doxxing, or non-consensual surveillance.
  • Uploading protected health information (PHI) without a Business Associate Agreement (BAA) in place with Vindicara.
  • Uploading payment card industry data (PCI Data) beyond what is necessary for billing Vindicara.

3.5 Intellectual Property Violations

  • Uploading, distributing, or using content that infringes or misappropriates any third party's intellectual property rights (copyright, trademark, patent, trade secret, moral rights, or publicity rights).
  • Using Vindicara trademarks ("Vindicara," "Project AIR™," and related marks) in a way that implies endorsement, certification, partnership, or sponsorship that Vindicara has not granted in writing.
  • Using OWASP trademarks (including "OWASP Top 10," "OWASP Top 10 for Agentic Applications," "OWASP Top 10 for LLM Applications," and "OWASP Agentic Security Initiative") in any manner that is inconsistent with OWASP's trademark guidelines or that implies OWASP certification, endorsement, or formal partnership.

3.6 Deceptive or Fraudulent Activity

  • Using the Services to perpetrate, facilitate, or conceal fraud against any person, entity, insurer, regulator, or court.
  • Using the Services as part of a scheme to deceive a third party (including claiming false detector findings, fabricating chain-of-custody evidence, producing synthetic Intent Capsules represented as genuine, or backfilling records to appear contemporaneous).
  • Misrepresenting your identity, company, role, or authority to Vindicara or to third parties in connection with the Services.

3.7 Abuse, Harassment, and Harmful Content

  • Uploading, generating, or distributing content that is unlawful, defamatory, threatening, harassing, obscene, pornographic (including CSAM), or that promotes violence, terrorism, or self-harm.
  • Using the Services to target, threaten, or harass any individual or group.
  • Using the Services to build profiles or take adverse actions against individuals based on protected characteristics in violation of applicable anti-discrimination law.

3.8 Harming the Services or Other Users

  • Interfering with or disrupting the Services, the infrastructure that supports them, or other users' access.
  • Launching denial-of-service or distributed denial-of-service attacks against Vindicara or any third party.
  • Attempting to probe, scan, or test the vulnerability of any Vindicara system without prior written authorization (see the Security Disclosure Policy for authorized testing).
  • Introducing malware, ransomware, cryptocurrency miners, spyware, or other hostile code into the Services.
  • Circumventing rate limits, subscription caps, billing mechanisms, or access controls.
  • Creating Vindicara accounts using automated means, false identities, or for sock-puppetry purposes.
  • Sending unsolicited commercial email or other spam through or in connection with the Services.

3.9 Reverse Engineering

  • Reverse engineering, decompiling, disassembling, or attempting to derive the source code or trade secrets of any closed-source Service, except to the minimum extent expressly permitted by law notwithstanding a contractual prohibition (for example, certain interoperability rights in the EU).

3.10 High-Risk Uses Requiring Additional Authorization

Unless separately authorized in writing by Vindicara in a specific Enterprise agreement:

  • Nuclear, chemical, biological, or radiological weapons design, development, testing, or stockpiling.
  • Missile design, delivery systems, or weapons of mass destruction.
  • Life-critical medical decision-making without independent clinical validation.
  • Commercial aviation safety-critical systems.
  • Operational technology governing electrical grid, water treatment, or other critical infrastructure.
  • Autonomous weapons or lethal autonomous systems.
  • Systems with direct authority to detain, deport, or deprive any person of liberty.

4. Acceptable Uses (Non-Exhaustive)

The following categories of use are expressly acceptable under this AUP, assuming they are conducted lawfully and in compliance with the Terms of Service:

  • Observing, logging, analyzing, and investigating the behavior of AI agents you operate or for which you have contractual authority.
  • Producing forensic evidence about your own agent operations for internal security review, customer disclosure, regulatory compliance, insurance claims, or legal proceedings.
  • Generating EU AI Act Article 72 post-market monitoring evidence templates from your own agent traces.
  • Evaluating detector coverage against your own adversarial test suites.
  • Conducting authorized security research in accordance with applicable law, including but not limited to research you publish responsibly (see the Security Disclosure Policy).
  • Integrating Project AIR™ output into your own SIEM, alerting, incident-response, or compliance pipeline.
  • Using the OSS Software for educational, research, journalism, or non-commercial purposes in accordance with the MIT License.
  • Contributing to the Project AIR™ open-source codebase in accordance with the applicable contribution terms.

5. Reporting Abuse

If you become aware of any violation of this AUP or any abuse of the Services, please report it to security@vindicara.io. Reports should include:

  • A description of the violation
  • The date, time, and nature of the activity
  • Affected systems, accounts, or users (where known)
  • Any supporting evidence you are lawfully permitted to share

Vindicara will respond to credible reports in a reasonable and confidential manner.

6. Enforcement

Vindicara reserves the right to investigate suspected violations of this AUP. Investigation may include review of account activity, Customer Data (subject to applicable legal constraints and your Terms of Service and any DPA), and communications with the affected Customer.

Vindicara may, in its sole discretion and without prior notice:

  • Suspend or terminate the account, access, or subscription of any Customer found in violation of this AUP;
  • Remove or disable access to infringing, abusive, or unlawful content;
  • Report violations to law enforcement, regulatory authorities, or third-party rights-holders;
  • Preserve records and cooperate with investigations as required by applicable law or court order;
  • Seek monetary and injunctive remedies in a court of competent jurisdiction.

Termination for AUP violation is without refund. Outstanding fees remain due and payable.

7. Changes to This AUP

Vindicara may update this AUP from time to time. Material changes will take effect thirty (30) days after notice (via the Services, email to the address associated with your account, or update to the "Last Updated" date at the top of this AUP), unless they must take effect sooner to comply with legal requirements.

8. Contact

Vindicara, Inc. Reporting: security@vindicara.io Legal inquiries: legal@vindicara.io Privacy inquiries: privacy@vindicara.io General: Kevin.Minn@vindicara.io Website: https://vindicara.io