Acceptable Use Policy (AUP)

Last updated: YYYY-MM-DD

This Acceptable Use Policy (AUP) applies to all use of the services provided by dec0de.xyz / 1406557 B.C. LTD (the “Provider”). It is incorporated by reference into the Provider’s Terms of Use and any service agreements, quotes or statements of work.

9.1 General Prohibitions

The Customer shall not use the Services for, or facilitate others to use the Services for, any of the following activities:

• Sending spam, bulk unsolicited email, or other forms of unsolicited mass communications, including “blast” emails, SMS/MMS campaigns, push notifications, or auto-dial/robocall campaigns, unless:
  • explicitly permitted under a separate written contract; and
  • compliant with all applicable laws (e.g., CAN-SPAM, CASL, TCPA, GDPR).
• Launching, participating in, or facilitating any Distributed Denial-of-Service (DDoS) attacks, flood attacks, amplification attacks, or other network/resource abuse intended to render a target unreachable or degrade performance for others.
• Hosting, distributing or supporting malware, viruses, worms, trojan horses, rootkits, spyware, ransomware, botnets, command-and-control servers, or other malicious code or infrastructure designed to attack, infiltrate or otherwise compromise networks, systems or data.
• Engaging in or supporting phishing campaigns, spear-phishing, identity-theft attacks, credential stuffing, brute-force attacks, or other forms of unauthorized access attempts.
• Illegal file-sharing, peer-to-peer distribution of copyrighted content without authorization, or otherwise infringing or facilitating infringement of copyrights, trademarks, patents, trade secrets, or other intellectual property rights.
• Cryptocurrency mining in a manner that:
  • exceeds or violates agreed resource usage levels; or
  • imposes excessive, unsustainable load on the Platform or network(s); or
  • materially degrades service for other customers.
• Any activity that materially interferes with other customers, infrastructure, operations, the Platform, backbone or routing systems (including transit and peering relationships).
• Transmitting, storing or making available content that:
  • is unlawful under applicable law;
  • is defamatory, abusive, harassing, threatening, hateful, or promotes violence or self-harm;
  • is obscene or sexually explicit, particularly involving minors;
  • encourages or depicts terrorism, human trafficking, organized crime or other serious criminal activity.
• Violating export control laws, sanctions regimes, or using Services to support prohibited military or dual-use activities (including certain chemical, biological, nuclear or missile-related programs) without required licenses.
• Operating or facilitating:
  • open proxies;
  • open mail relays;
  • open recursive DNS servers;
  • or other network services that allow unrestricted access by unauthenticated external parties,
  unless explicitly contracted and properly secured.
• Forging, misrepresenting, omitting or deleting message or packet headers, IP addresses, routing information, or other origin metadata (e.g., email “From” fields, TCP/IP packet headers) with the intent to conceal or misidentify the origin of traffic or communications.
• Using the Services to evade fees, quotas, usage limits, or system restrictions, including:
  • deliberately masking or misreporting usage;
  • artificially inflating or shifting workloads to avoid billing;
  • or bypassing technical or contractual limits in place on the Platform.
• Any conduct that, in the Provider’s reasonable judgment, would expose the Provider, its network, carriers, or peers to risk of civil or criminal liability, regulatory action, blacklisting, increased costs, or material damage to reputation.

9.2 Security, Network & Routing

The Customer shall not:

• Scan, probe, hack or attempt to penetrate the security of any network, system or account to which the Customer does not have explicit authorization, including but not limited to:
  • port scanning;
  • vulnerability scanning;
  • brute-force password attempts;
  • use of exploit frameworks or similar tools.
• Interfere with routing or BGP announcements in a way that:
  • amounts to route hijacking or spoofing;
  • announces unapproved prefixes;
  • uses unallocated IP space; or
  • falsifies AS-path or community attributes.
• Impair or attempt to impair the backbone, transit, peering, or external connectivity of the Platform, including via misconfiguration of routing daemons or anycast arrangements.

The Customer must:

• Maintain appropriate security configurations for all systems, services, and endpoints deployed on the Platform (e.g., patching, firewall rules, strong authentication).
• Ensure that API keys, SSH keys, VPN certificates, passwords and other secrets are stored securely and rotated regularly.
• Promptly remediate vulnerabilities or misconfigurations identified by the Provider or by the Customer’s own testing.

The Provider may, at its sole discretion, throttle, filter, blackhole or re-route traffic (including specific IPs or prefixes) if necessary to protect the Platform, the Provider’s upstream carriers or other customers.

9.3 Region-Based Legal Compliance

The Provider operates infrastructure in, and routes traffic through, multiple regions and jurisdictions. The Customer agrees to:

• Comply with the laws of:
  • the jurisdiction where the Services are provisioned (hosted region); and
  • the jurisdiction(s) where traffic terminates or is primarily directed (routed region(s)).
• Respect applicable telecom, data protection, privacy, cybercrime, content and export control laws for those regions, including (where applicable) PIPEDA (Canada), GDPR (EU/UK), CCPA (California), and similar frameworks.
• Not use the Services to deliberately circumvent geo-blocking, sanctions, or other regionally-applied legal or regulatory controls (for example, routing via another country to bypass export or sanctions restrictions).
• Ensure that any personal data stored or transmitted via the Services complies with region-specific data residency, consent and retention requirements.

Where Customer workloads create additional regulatory obligations (such as cross-border personal data transfers or sector-specific rules), the Customer is solely responsible for ensuring compliance and for obtaining any necessary consents or approvals.

9.4 Monitoring, Enforcement & Reporting

To protect the Platform and its users, the Provider reserves the right (but not the obligation) to:

• Monitor network traffic and platform usage patterns for signs of abuse, security incidents, or violations of this AUP, subject to applicable privacy laws.
• Investigate suspected violations, including reviewing logs, configuration data and limited content where necessary and lawful.
• Filter, rate-limit, block, or re-route traffic that appears to be abusive, harmful or otherwise in violation of this AUP.
• Suspend or terminate specific Services, VMs, IPs, accounts, or the entire Customer relationship if violations are confirmed or reasonably suspected.
• Cooperate with law enforcement, regulators, upstream carriers, and security response teams as required by law or when reasonably necessary to address abuse.

The Customer shall:

• Promptly notify the Provider if the Customer becomes aware of any actual or suspected violation of this AUP, or any security incident involving the Services.
• Cooperate with the Provider in investigating and remediating any such incidents.

Violation of this AUP may result in immediate suspension or termination of the Services (in whole or in part), at the Provider’s sole discretion, and without refund of fees already paid. Service credits, if any, may be forfeited.

9.5 Amendments & Relationship to Other Terms

This AUP forms part of the Provider’s overall Terms of Use and any Master Services Agreement or statement of work. In the event of conflict between this AUP and other documents, the document explicitly designated as controlling will prevail; otherwise, the interpretation most protective of the Platform and lawful use will apply.

The Provider may update this AUP from time to time. Updated versions will be posted at a URL designated by the Provider (for example, on the dec0de.xyz website). Continued use of the Services after an update is posted constitutes acceptance of the updated AUP.

The Customer is responsible for ensuring that its own users, clients, subcontractors and affiliates who make use of the Services also comply with this AUP. Any violation by such third parties will be treated as a violation by the Customer.

If you have questions about what is or is not allowed, or you’re planning something unusual and want to stay on the right side of this AUP, reach out before you deploy. We generally prefer helping you design it safely rather than shutting it down later.