Acceptable Use Policy

Effective Date: October 31, 2025

Last Updated: October 31, 2025

This Acceptable Use Policy ("AUP") governs your use of ERMITS LLC ("ERMITS") Services and supplements the Master Terms of Service. By using the Services, you agree to comply with this AUP.

1 Purpose and Scope

This AUP defines prohibited activities and behavioral standards for all ERMITS users. Violation of this AUP may result in immediate suspension or termination of your access to the Services.

2 Prohibited Activities

2.1 Illegal Activities

You may not use the Services to:

  • Violate any applicable laws, regulations, or ordinances
  • Engage in, promote, or facilitate illegal activities
  • Violate intellectual property rights, privacy rights, or other third-party rights
  • Engage in fraud, money laundering, or financial crimes
  • Facilitate human trafficking, child exploitation, or other serious crimes
  • Violate export control or economic sanctions laws

2.2 Security Violations

You may not:

  • Attempt to gain unauthorized access to Services, user accounts, or computer systems
  • Interfere with or disrupt Services, servers, or networks
  • Introduce malware, viruses, worms, Trojan horses, or other harmful code
  • Conduct vulnerability scanning, penetration testing, or security assessments without prior written authorization
  • Circumvent or attempt to circumvent authentication mechanisms or security controls
  • Exploit security vulnerabilities for any purpose
  • Participate in denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks
  • Engage in password cracking, network sniffing, or packet manipulation
  • Use automated tools to bypass rate limits or access restrictions

2.3 Data and Privacy Violations

You may not:

  • Collect, store, or process personal data in violation of applicable privacy laws (GDPR, CCPA, etc.)
  • Scrape, harvest, or collect user information without authorization
  • Use Services to process data you do not have the right to process
  • Upload or transmit data containing personally identifiable information (PII) without appropriate safeguards
  • Process special categories of personal data (health, biometric, genetic, racial/ethnic origin, religious beliefs, etc.) without appropriate legal basis
  • Violate data subject rights or ignore data deletion requests
  • Transmit unsolicited communications (spam, phishing, etc.)
  • Engage in identity theft, impersonation, or social engineering attacks

2.4 Abusive Behavior

You may not:

  • Harass, threaten, intimidate, or harm others
  • Engage in hate speech, discrimination, or incitement of violence
  • Impersonate any person or entity or misrepresent your affiliation
  • Stalk or otherwise harass individuals
  • Post or transmit sexually explicit, violent, or disturbing content (unless specifically authorized for security research purposes)
  • Engage in cyberbullying or coordinated harassment campaigns

2.5 System Abuse

You may not:

  • Exceed rate limits, quotas, or resource allocations
  • Use Services for cryptocurrency mining without authorization
  • Consume excessive bandwidth, storage, or computational resources
  • Interfere with other users' use of Services
  • Attempt to reverse engineer, decompile, or disassemble Services (except as permitted by law)
  • Create or use multiple accounts to circumvent restrictions or abuse free trials
  • Share accounts or credentials with unauthorized users
  • Resell, rent, or lease Services without authorization

2.6 Content Violations

You may not upload, transmit, or distribute:

  • Pirated software, copyrighted materials, or illegally obtained content
  • Malware, exploit code, or hacking tools (except for authorized security research)
  • Content that violates export control laws
  • Misleading, deceptive, or fraudulent content
  • Content promoting dangerous or illegal activities

2.7 Competitive Activities

You may not:

  • Use Services to develop competing products or services
  • Conduct competitive benchmarking or analysis without consent
  • Copy, reproduce, or reverse engineer Services for competitive purposes
  • Publicly disclose performance or benchmark data without authorization

3 Acceptable Security Research

3.1 Bug Bounty and Responsible Disclosure

ERMITS encourages responsible security research. If you discover a security vulnerability, the following apply:

Permitted Activities:

  • Responsibly report vulnerabilities to contact@ermits.com
  • Conduct good-faith security research on your own accounts
  • Test security features within scope of your own data

Required Practices:

  • Do not access or modify data belonging to other users
  • Do not perform testing that degrades service performance
  • Do not publicly disclose vulnerabilities before ERMITS has had reasonable time to remediate
  • Provide detailed vulnerability reports with reproduction steps
  • Allow ERMITS reasonable time to respond (90 days recommended)

Prohibited Activities:

  • Social engineering of ERMITS employees or users
  • Denial-of-service testing or performance degradation
  • Physical attacks on ERMITS facilities
  • Testing on production systems without authorization

3.2 Security Tool Use

Authorized use of security tools and malware samples:

  • Security professionals may use Services to analyze malware samples and vulnerabilities
  • Analysis must be conducted in isolated environments
  • Malicious code must not be executed against ERMITS infrastructure or other users
  • Results of security research may not be used for illegal purposes

4 Federal Contractor and CUI/FCI Handling

4.1 CUI Marking and Handling

Users processing CUI or FCI must:

  • Properly mark CUI according to NIST SP 800-171 and 32 CFR Part 2002
  • Use encryption features and self-managed deployment options
  • Implement appropriate access controls and authentication
  • Maintain audit logs of CUI access
  • Report cyber incidents as required by DFARS 252.204-7012

4.2 Prohibited CUI Activities

You may not:

  • Process CUI without appropriate safeguards
  • Share CUI with unauthorized users or countries
  • Export CUI in violation of export control laws
  • Fail to report cyber incidents involving CUI within required timeframes (72 hours to DoD)
  • Store CUI on unauthorized systems or in unauthorized locations
  • Transmit CUI over unsecured channels without encryption

5 Resource Limits and Fair Use

5.1 Resource Quotas

Services include resource limits based on your subscription tier:

  • API Rate Limits: Requests per minute/hour/day
  • Storage Limits: Total data storage allocation
  • Concurrent Users: Maximum simultaneous users
  • File Upload Limits: Maximum file size and quantity
  • Bandwidth Limits: Data transfer quotas

5.2 Fair Use

You agree to use resources reasonably and not to:

  • Significantly exceed your allocated resource quotas
  • Use automated tools to generate excessive requests
  • Store unnecessary or redundant data
  • Hoard resources to the detriment of other users
  • Circumvent usage tracking or metering

5.3 Consequences of Excessive Use

ERMITS may, at its discretion:

  • Throttle or rate-limit excessive usage
  • Suspend access until usage returns to normal levels
  • Request upgrade to higher-tier subscription
  • Charge overage fees for excessive usage (with prior notice)
  • Terminate accounts engaging in persistent abuse

6 Reporting Violations

6.1 How to Report

If you become aware of violations of this AUP:

  • Email: contact@ermits.com (Subject: "AUP Violation Report")
  • Include: Detailed description, evidence, affected accounts/systems
  • Confidential: Reports are treated confidentially

6.2 Good Faith Reporting

ERMITS will not take adverse action against users who:

  • Report violations in good faith
  • Discover violations in the course of authorized security research
  • Report their own accidental violations and take corrective action

6.3 False Reports

Making false or malicious reports is prohibited and may result in:

  • Account suspension or termination
  • Legal action for damages
  • Reporting to law enforcement if appropriate

7 Enforcement and Consequences

7.1 Investigation

ERMITS may investigate suspected violations by:

  • Reviewing account activity and usage patterns
  • Examining audit logs and system logs (pseudonymized)
  • Requesting information from the user
  • Cooperating with law enforcement or regulatory authorities

Privacy Note: Due to Privacy-First Architecture, ERMITS cannot access encrypted User Data. Investigations rely on metadata, logs, and user cooperation.

7.2 Enforcement Actions

Depending on violation severity, ERMITS may:

Warning:

  • Email notification of violation
  • Request for corrective action
  • Monitoring of future compliance

Temporary Suspension:

  • Immediate suspension of account access
  • Opportunity to respond and remediate
  • Reinstatement upon resolution

Permanent Termination:

  • Immediate and permanent account closure
  • No refund of fees
  • Ban from future use of Services
  • Reporting to authorities if required

Legal Action:

  • Pursuit of damages for harm caused
  • Injunctive relief to prevent ongoing violations
  • Cooperation with law enforcement investigations

7.3 Appeals

If you believe an enforcement action was made in error:

  • Contact contact@ermits.com (Subject: "AUP Enforcement Appeal")
  • Provide detailed explanation and evidence
  • ERMITS will review and respond within 10 business days
  • Decision is final and at ERMITS' sole discretion

8 Cooperation with Law Enforcement

8.1 Legal Requests

ERMITS will cooperate with lawful requests from:

  • Law enforcement agencies
  • Regulatory authorities
  • Court orders and subpoenas
  • National security investigations

8.2 User Notification

When legally permitted, ERMITS will:

  • Notify affected users of legal requests
  • Provide reasonable time to challenge requests
  • Disclose only information required by law

8.3 Emergency Situations

In emergencies involving imminent threat to life or serious bodily harm:

  • ERMITS may disclose information without prior notice
  • Users will be notified after emergency resolution
  • Disclosure limited to minimum necessary

9 Third-Party Services and Integrations

When using third-party integrations through ERMITS Services:

  • You are subject to third-party acceptable use policies
  • ERMITS is not responsible for third-party service violations
  • Violations of third-party policies may result in integration termination
  • You must comply with all applicable third-party terms

10 Updates to This Policy

ERMITS may update this AUP to reflect:

  • Evolving security threats and abuse patterns
  • Legal and regulatory changes
  • New Services or features
  • Industry best practices

Notification:

  • Material changes: 30 days' advance notice
  • Non-material changes: Effective immediately upon posting
  • Continued use constitutes acceptance

11 Contact Information

AUP Violation Reports:
Email: contact@ermits.com
Subject: "AUP Violation Report"

AUP Questions:
Email: contact@ermits.com
Subject: "AUP Inquiry"

Appeals:
Email: contact@ermits.com
Subject: "AUP Enforcement Appeal"