Acceptable Use Policy

1. PURPOSE

This Acceptable Use Policy ("AUP") sets out the rules that apply to your use of the Altisium Service. It applies to Customer, all Authorised Users, and any other person who accesses the Service. Capitalized terms used and not defined in this AUP have the meanings given in the MSA.

By accessing or using the Service, you agree to comply with this AUP. Provider may update this AUP from time to time in accordance with MSA Section 9.1.

2. PROHIBITED USES

You may not use, and you may not permit any third party to use, the Service:

2.1 To violate the law

(a) in any way that violates any applicable local, national or international law or regulation, or that infringes any third-party right;

(b) to engage in or facilitate fraud, money-laundering, terrorist financing, sanctions evasion, or any other unlawful activity;

(c) to violate any applicable export-control or sanctions laws, including by accessing the Service from any country, region or by any individual or entity subject to comprehensive trade sanctions;

(d) to send unsolicited commercial communications in violation of applicable anti-spam law (e.g. CAN-SPAM, PECR, EU ePrivacy Directive); or

(e) to engage in unfair, deceptive or misleading practices.

2.2 To compromise security or integrity

(a) to gain or attempt to gain unauthorised access to the Service, any account other than your own, any system, network, or data;

(b) to introduce or transmit any malware, virus, worm, trojan, ransomware, spyware, or any other malicious code or harmful component;

(c) to conduct vulnerability scanning, penetration testing, security probing, or any similar testing of the Service without Provider's prior written authorisation;

(d) to circumvent, disable or otherwise interfere with security-related features of the Service, including any features that prevent or restrict the use or copying of any content or that enforce limitations on the use of the Service;

(e) to interfere with or disrupt the Service or the servers, networks or infrastructure on which it relies, including by mounting denial-of-service or distributed-denial-of-service attacks; or

(f) to share, transfer, sell or otherwise misuse Authorised User credentials.

2.3 To circumvent technical or commercial controls

(a) to circumvent or attempt to circumvent any rate limit, quota, usage metering, billing mechanism, or other technical or commercial limitation of the Service;

(b) to use any robot, spider, scraper or other automated means to access the Service for any purpose, except as expressly permitted by Provider through documented APIs and within the rate limits and authentication mechanisms specified in the Documentation;

(c) to reverse engineer, decompile, disassemble or otherwise attempt to derive source code, model weights, training data, prompts, system prompts, or underlying ideas, algorithms or trade secrets of the Service or any AI Model used by the Service, except to the extent this restriction is prohibited by mandatory applicable law; or

(d) to use the Service to develop, train, fine-tune or improve any product, service or model that competes with the Service.

2.4 To misuse data

(a) to upload to, store in, or transmit through the Service any content that you do not have the right to upload, store or transmit;

(b) to upload Special Category Personal Data, criminal-conviction data, payment card data, or government-issued identification data, except with Provider's prior written agreement on appropriate additional safeguards (DPA Section 2.5);

(c) to use the Service to harvest, scrape, or otherwise collect Personal Data, except where (i) such Personal Data is included as part of vendor / supplier due-diligence in the ordinary course of TPRM/SRM activities consistent with the Service's intended use, and (ii) you have a lawful basis under applicable Data Protection Laws;

(d) to use the Service to process the Personal Data of consumers (i.e. natural persons in their personal capacity) for B2C purposes; the Service is intended for B2B vendor / supplier risk management; or

(e) to use the Service to make Solely Automated Decisions concerning a Data Subject (within the meaning of Article 22 EU GDPR) without ensuring meaningful human review and the rights afforded under applicable Data Protection Laws (see AI Addendum Section 6).

2.5 To produce harmful, discriminatory or infringing content

(a) to upload, generate, share or transmit any content that is unlawful, defamatory, obscene, harassing, threatening, hateful, discriminatory, infringing, or that promotes violence, self-harm, or exploitation;

(b) to engage in conduct that is unfair, abusive, or harmful to Provider, other Customers, Authorised Users, or third parties;

(c) to use AI Features in any prohibited manner identified in the AI Addendum, including for any of the practices listed as prohibited under Article 5 of the EU AI Act; or

(d) to impersonate any person or entity or misrepresent your affiliation with any person or entity.

2.6 To compete with or harm Provider

(a) to use the Service to develop, train, market or operate any product, service, or AI model that competes with the Service;

(b) to copy any feature, function, or graphic of the Service for the purpose of building or improving any competing product or service;

(c) to use the Service to publish or distribute content that disparages Provider or its products in bad faith; or

(d) to use the Service to conduct competitive benchmarking or capacity testing without Provider's prior written consent.

3. RESPONSIBILITIES

3.1 Customer responsibility

Customer is responsible for the acts and omissions of its Authorised Users and for ensuring that each Authorised User complies with this AUP. Customer will promptly notify Provider on becoming aware of any actual or suspected violation of this AUP and will reasonably cooperate with Provider in investigating and remedying the violation.

3.2 Reporting violations

Suspected violations of this AUP may be reported to security@altisium.com.

3.3 No obligation to monitor

Provider has no general obligation to monitor Customer's or any Authorised User's use of the Service. Provider may, however, in its discretion and to the extent permitted by law, monitor use of the Service for security, abuse-prevention, AUP-compliance and operational purposes.

4. CONSEQUENCES OF VIOLATION

4.1 Range of remedies

Provider may, in its discretion and acting reasonably, take one or more of the following actions in response to a confirmed or reasonably suspected violation of this AUP:

(a) issue a written warning to Customer or the relevant Authorised User;

(b) require Customer to take specified remedial action within a stated timeframe;

(c) restrict, suspend, or disable access to the Service or any portion of it for the affected Authorised User, Customer's tenant, or both, in accordance with MSA Section 9.2;

(d) remove or disable access to specific Customer Data or content where it constitutes the violation;

(e) terminate the MSA and any Order Form for material breach in accordance with MSA Section 14.4(b); and / or

(f) report the violation to law enforcement or other competent authorities, where Provider is required or permitted to do so by law.

4.2 Proportionate response

Provider will use commercially reasonable efforts to make its response proportionate to the nature, severity and persistence of the violation. Provider will, where reasonably practicable and lawful, give Customer an opportunity to remediate before suspending or terminating service.

4.3 No liability for enforcement

Provider has no liability to Customer or any Authorised User for any action taken in good faith in accordance with this AUP, including suspension, content removal or termination.

5. CHANGES

Provider may modify this AUP from time to time by publishing an updated version at altisium.com/aup. Modifications take effect on posting unless they materially expand Customer's restrictions, in which case they take effect thirty (30) days after posting (or such later date as Provider may specify in the notice).