Acceptable Use Policy

1. INTRODUCTION

1.1. Purpose

This Acceptable Use Policy ("Policy") describes the standards of conduct required when using
services, websites, software, APIs, AI systems, infrastructure, documentation, demos, proofs
of concept, customer portals, managed deployments, and other offerings made available by XData
(collectively, the "Services").

The purpose of this Policy is to protect:
(a) the integrity, security, and availability of the Services;
(b) XData, its customers, users, partners, and suppliers;
(c) individuals whose data may be processed through the Services;
(d) the public and third parties;
(e) lawful, responsible, and trustworthy use of AI and digital technologies.

1.2. Parties

This Policy applies to every customer, user, visitor, administrator, authorized user, developer,
contractor, partner, or other person who accesses or uses the Services ("Customer", "you",
or "your").

The Services are provided by:

[XDATA LEGAL ENTITY NAME]
[XDATA REGISTERED ADDRESS]
Company registration number: [INSERT]
VAT ID: [INSERT]
Website: https://xdata.si

("XData", "we", "us", or "our").

1.3. Relationship to Other Terms

This Policy forms part of and is incorporated into the applicable agreement between XData and
Customer, including any Terms of Service, Software and AI Services Agreement, Master Services
Agreement, Order Form, Proposal, Statement of Work, Data Processing Addendum, AI Terms, or
other written agreement (the "Customer Agreement").

If there is a conflict between this Policy and a signed Customer Agreement, the signed Customer
Agreement will prevail to the extent of the conflict, unless this Policy is required to protect
security, comply with law, prevent abuse, or comply with third-party provider rules.

1.4. Changes to this Policy

XData may update this Policy from time to time. Material changes may be communicated through
the Services, website, email, account notice, or another reasonable method. Continued use of
the Services after the updated Policy takes effect constitutes acceptance of the updated Policy.


2. COMPLIANCE WITH LAWS AND REGULATIONS

2.1. General Legal Compliance

You are responsible for using the Services in compliance with all laws and regulations
applicable to you, your users, your data, your jurisdiction, your industry, and your use case.

This includes, where applicable:
(a) data protection and privacy laws, including GDPR;
(b) cybersecurity laws;
(c) intellectual property laws;
(d) consumer protection laws;
(e) anti-discrimination laws;
(f) employment, education, financial, healthcare, insurance, public sector, and sector-specific laws;
(g) export control and sanctions laws;
(h) anti-corruption and anti-bribery laws;
(i) public procurement rules;
(j) AI-related laws, including the EU AI Act.

2.2. Customer Responsibility

You are responsible for ensuring that:
(a) you have the right to upload, process, transmit, or generate content through the Services;
(b) your instructions to XData are lawful;
(c) your use of AI Services is appropriate for your risk profile;
(d) your Authorized Users comply with this Policy;
(e) your integrations, systems, data sources, APIs, and credentials are lawful and authorized.


3. SERVICE CONDUCT RESTRICTIONS

While using the Services, you must not do any of the following.

3.1. Interference with Services

You must not damage, disable, overload, disrupt, degrade, interfere with, or circumvent any
aspect of the Services, including infrastructure, APIs, databases, AI systems, search systems,
safety filters, privacy controls, rate limits, usage limits, authentication systems, integrity
controls, logging systems, monitoring systems, or security safeguards.

3.2. Abuse of Service Capacity

You must not use the Services in a way that exceeds or attempts to exceed reasonable load,
capacity, rate, token, compute, storage, indexing, or usage specifications, except as expressly
permitted in the applicable agreement.

3.3. Security Testing and Scanning

You must not test, scan, probe, penetrate, fuzz, exploit, or assess the Services for security
vulnerabilities or limitations except:
(a) with XData's prior written permission; or
(b) in strict compliance with an XData responsible disclosure or bug bounty program, if one
    exists.

3.4. Circumvention

You must not bypass, disable, remove, manipulate, reverse engineer, or interfere with safety,
security, privacy, attribution, watermarking, usage, billing, moderation, content filtering,
or access control mechanisms.

3.5. Unauthorized Access

You must not attempt to gain unauthorized access to the Services, accounts, data, systems,
networks, models, prompts, logs, repositories, infrastructure, or customer environments.

3.6. Credential Abuse

You must not share accounts, share passwords, share API keys, resell access, use stolen
credentials, use credential stuffing, use automated login attempts, or otherwise misuse
authentication mechanisms.

3.7. Fee Avoidance

You must not access or use the Services in a manner intended to avoid fees, usage charges,
seat limits, subscription limits, token limits, compute charges, AI credits, storage fees,
or other payment obligations.

3.8. Scraping and Data Mining

You must not scrape, crawl, data mine, harvest, bulk download, automatically extract, or
programmatically access the Services or Service content except as expressly permitted by XData
in writing or through documented APIs.

3.9. Competitive Misuse

You must not use the Services to copy, benchmark, clone, reverse engineer, replicate, or
compete with XData by copying ideas, features, functionality, workflows, prompts, layouts,
designs, documentation, system behavior, model routing logic, or graphics of the Services.

3.10. Misrepresentation and Impersonation

You must not impersonate any person or entity, misrepresent your identity, misrepresent your
connection with any person or organization, create fake accounts, or hide the origin of your
communications.

3.11. Bad Faith

You must not act in bad faith, abuse support processes, submit fraudulent requests, manipulate
usage metrics, evade enforcement, repeatedly violate this Policy, or encourage others to do so.

3.12. High-Risk Safety-Critical Use

You must not use the Services for activities where use or failure of the Services could
reasonably lead to death, bodily injury, environmental damage, serious property damage,
critical infrastructure disruption, or other safety-critical harm, unless expressly agreed
in writing and supported by appropriate controls.

3.13. Sanctions and Export Control Evasion

You must not use the Services in a manner intended to evade sanctions, export controls, trade
restrictions, embargoes, or other legal restrictions applicable to individuals, organizations,
regions, technologies, software, models, data, or services.

3.14. Unauthorized Code Modification

You must not modify, interfere with, or use tools that modify XData code, code execution,
runtime behavior, client-side restrictions, server-side controls, or security mechanisms,
unless expressly permitted by XData.

3.15. Spam and Unwanted Communications

You must not use the Services to send, generate, facilitate, or optimize spam, unwanted
communications, unsolicited bulk messages, fake engagement, deceptive campaigns, or abusive
outreach.

3.16. Third-Party Content Misuse

You must not use content, data, files, images, code, datasets, documents, or other materials
belonging to third parties unless you have the necessary rights, permissions, licenses, or
legal basis.

3.17. Platform Abuse

You must not use the Services to host, distribute, coordinate, facilitate, or conceal illegal,
harmful, abusive, deceptive, infringing, or malicious activity.


4. CONTENT RESTRICTIONS

You must not upload, publish, transmit, process, distribute, create, collect, generate, store,
or make available through the Services content that falls into the categories below.

4.1. Fraudulent or Deceptive Content

Content that is fraudulent, false, misleading, deceptive, impersonating, manipulative, or
intended to trick individuals, organizations, systems, regulators, or the public.

4.2. Defamatory or Offensive Content

Content that is defamatory, obscene, pornographic, vulgar, excessively offensive, harassing,
bullying, threatening, or abusive.

4.3. Hate, Harassment, and Discrimination

Content that promotes, incites, or supports discrimination, bigotry, racism, hatred,
harassment, bullying, dehumanization, or harm against an individual or group based on
protected characteristics or vulnerable status.

4.4. Violence and Threats

Content that is violent, threatening, glorifies violence, encourages self-harm, promotes harm
against individuals or organizations, or provides instructions for violent activity.

4.5. Illegal or Harmful Activities

Content that promotes, facilitates, or instructs illegal or harmful activities, including
terrorism, human trafficking, exploitation, counterfeiting, illegal drugs, illegal weapons,
organized crime, fraud, or other unlawful conduct.

4.6. Malware and Destructive Software

Content that includes or facilitates malware, viruses, worms, trojan horses, spyware,
ransomware, dishonest adware, scareware, crimeware, botnets, destructive scripts, credential
stealers, exploit kits, or malicious code.

4.7. Illegal Content

Content that is illegal or solicits conduct that is illegal under laws applicable to you,
XData, the Services, or affected third parties.

4.8. Infringing Content

Content that violates intellectual property, privacy, publicity, confidentiality, database,
contractual, trade secret, or other rights of others.

4.9. Regulated Sensitive Information

Content that includes sensitive information subject to special regulation or protection unless
the applicable Customer Agreement expressly permits such processing and appropriate safeguards
are in place.

This may include:
(a) Special Categories of Personal Data under GDPR;
(b) data revealing race, ethnicity, religion, politics, trade union membership, genetics,
    biometrics, health, sex life, or sexual orientation;
(c) criminal offence data;
(d) patient, medical, or health information;
(e) children's data;
(f) government identifiers;
(g) passport, identity card, tax number, social security number, or similar identifiers;
(h) financial account data;
(i) credit or debit card information;
(j) payment credentials;
(k) authentication secrets;
(l) highly confidential client data;
(m) classified or government-restricted information.

4.10. Financial and Payment Data

Content that includes credit card data, debit card data, payment credentials, bank account
credentials, financial access codes, or other regulated payment information, unless expressly
permitted in writing and protected by appropriate controls.

4.11. Minors' Data

Content that includes protected data about minors or children unless the applicable Customer
Agreement expressly permits such processing and Customer has all required legal basis, notices,
consents, and safeguards.

4.12. Government Restricted Information

Content that includes government, defense, classified, export-controlled, or restricted
information requiring specific handling or security controls beyond those expressly provided
by XData in the applicable agreement.

4.13. Secrets and Credentials

Content that includes private keys, access tokens, passwords, API keys, production secrets,
database credentials, signing keys, SSH keys, certificates, or other secrets, unless the
Service is specifically designed and contracted for such use.

4.14. Excessive Personal Data

Content that includes unnecessary, excessive, irrelevant, or unlawfully collected Personal Data.
You must follow data minimization principles when using the Services.


5. AI-SPECIFIC ACCEPTABLE USE RULES

If you use XData AI Services, you must follow the additional rules below.

5.1. AI Output Transparency

You must not deceive or mislead any person into believing that AI-generated output was solely
human-generated where disclosure is required by law, contract, platform policy, or context.

You must not remove, obscure, tamper with, or alter metadata, digital signatures, provenance
signals, watermarks, or labels that identify AI-generated output where such measures are
required or provided by the Services.

5.2. Bias, Harm, and Discrimination

You must not use AI Services in a way that causes, is intended to cause, or materially risks
unlawful bias, discrimination, exclusion, harassment, or harm against individuals or groups.

5.3. Automated Decisions About Individuals

You must not use AI Services to make solely automated decisions about individuals that could
have legal or similarly significant effects, unless such use is lawful, expressly permitted
in writing, and supported by appropriate human review, transparency, appeal mechanisms, risk
management, and data protection controls.

5.4. Prohibited AI Practices

You must not use AI Services for prohibited AI practices under applicable law, including
unlawful manipulation, exploitation of vulnerabilities, certain biometric identification or
categorization uses, social scoring, or other prohibited practices under the EU AI Act or
other applicable laws.

5.5. High-Risk AI Systems

You must not use AI Services as part of a high-risk AI system unless:
(a) the applicable Customer Agreement expressly permits such use;
(b) the parties agree role allocation under applicable AI laws;
(c) required risk management, documentation, logging, data governance, human oversight,
    accuracy, robustness, cybersecurity, post-market monitoring, and conformity requirements
    are addressed;
(d) appropriate legal and technical review has been completed.

5.6. Professional Advice

You must not present AI output as legal, medical, tax, financial, investment, employment,
insurance, regulatory, cybersecurity certification, or other professional advice unless
reviewed and approved by a qualified professional and legally permitted.

5.7. Safety-Critical AI Use

You must not use AI Services in safety-critical contexts, including emergency response,
medical treatment, autonomous vehicles, weapons systems, critical infrastructure control,
aviation, industrial safety, or similar high-risk contexts unless expressly agreed in writing
and supported by appropriate safeguards.

5.8. AI Cyber Abuse

You must not use AI Services to generate, optimize, or facilitate malware, phishing, credential
theft, exploit development, evasion techniques, vulnerability abuse, unauthorized scanning,
or other cyber abuse.

5.9. AI Fraud and Deception

You must not use AI Services to generate or facilitate scams, fraud, impersonation, fake
reviews, fake identity documents, social engineering, misinformation, deceptive political
or commercial persuasion, or other deceptive activity.

5.10. Model Abuse

You must not intentionally prompt, jailbreak, manipulate, or attack AI Services to bypass
safety controls, access hidden system instructions, reveal confidential information, extract
training data, generate prohibited content, or evade restrictions.

5.11. Personal Data in AI

You must not submit Personal Data to AI Services unless you have a lawful basis and the
applicable Customer Agreement permits such processing. You must not submit Special Categories
of Personal Data or other regulated sensitive data unless expressly permitted in writing.

5.12. AI Provider Policies

Where AI Services use third-party AI providers, you must comply with applicable provider
policies, which may include, depending on the configured service:
(a) OpenAI usage policies;
(b) Anthropic usage policies;
(c) Google AI usage policies;
(d) Microsoft AI code of conduct or usage rules;
(e) AWS Responsible AI Policy;
(f) Mistral or other model provider terms;
(g) open-source model license terms;
(h) other provider policies identified in the applicable Service description or Order.

5.13. AI Filters and Restrictions

AI Services may include safety filters, usage filters, attribution requirements, provider
restrictions, content moderation, logging, monitoring, or other controls. You are responsible
for complying with those controls and must not bypass or disable them unless expressly
authorized by XData.


6. API, AUTOMATION, AND INTEGRATION RULES

6.1. API Use

You must use APIs only as documented and only within permitted rate, usage, and access limits.

6.2. Automation

You must not use bots, scripts, crawlers, automation, agents, or integrations in a way that
abuses the Services, bypasses usage limits, causes excessive load, violates third-party rights,
or performs unauthorized actions.

6.3. Connected Systems

You are responsible for systems, repositories, databases, cloud services, email accounts,
calendars, storage, documents, communication tools, and other third-party systems that you
connect to the Services.

6.4. Credentials and Permissions

You must ensure that credentials, tokens, API keys, OAuth permissions, repository permissions,
cloud permissions, and other integration rights are lawful, authorized, current, and limited
to what is necessary.

6.5. Customer-Hosted Deployments

For customer-hosted deployments, you are responsible for the security, legality, and acceptable
use of the infrastructure, network, endpoints, identity systems, access controls, logs, and
connected data sources under your control.


7. SECURITY AND RESPONSIBLE DISCLOSURE

7.1. Reporting Vulnerabilities

If you discover a potential vulnerability in the Services, you should report it responsibly to:

[INSERT SECURITY CONTACT EMAIL]

You must not publicly disclose a vulnerability until XData has had a reasonable opportunity
to investigate and remediate it.

7.2. Prohibited Security Conduct

You must not:
(a) access, modify, delete, or exfiltrate data that does not belong to you;
(b) disrupt service availability;
(c) perform social engineering;
(d) access production secrets;
(e) pivot into third-party systems;
(f) install malware or persistence;
(g) perform denial-of-service testing;
(h) bypass authentication or authorization except within an approved test scope;
(i) continue testing after XData asks you to stop.

7.3. Good-Faith Research

XData may consider good-faith security research differently from malicious activity, but only
where research is conducted responsibly, lawfully, minimally, and within an approved scope.


8. INTELLECTUAL PROPERTY AND COPYRIGHT

8.1. Respect for Rights

XData respects intellectual property rights and expects users to do the same.

You must not use the Services to upload, copy, process, generate, publish, distribute, or
commercialize content that infringes copyright, trademarks, patents, trade secrets, database
rights, personality rights, privacy rights, or other rights.

8.2. Copyright Complaints

XData may provide a process for copyright or intellectual property complaints at:

[INSERT COPYRIGHT OR LEGAL CONTACT EMAIL / URL]

8.3. Repeat Infringers

XData may suspend or terminate accounts of repeat infringers or users who repeatedly submit
or distribute infringing content.

8.4. Third-Party Datasets and Media

You are responsible for ensuring that any third-party datasets, media, images, fonts, code,
documents, or other materials used with the Services are properly licensed and permitted for
the intended use.

8.5. Open-Source Licenses

You are responsible for complying with open-source licenses that apply to code, models,
datasets, or components you upload, use, generate, modify, or distribute through the Services.


9. ENFORCEMENT

9.1. Enforcement Actions

If XData reasonably believes that you have violated this Policy, encouraged others to violate
it, allowed others to violate it through your account, or used the Services in a way that
creates risk, XData may take any action it considers necessary to protect XData, users,
customers, third parties, and the public.

Such actions may include:
(a) warning you;
(b) requiring remediation;
(c) limiting or throttling usage;
(d) disabling features;
(e) blocking prompts, outputs, files, or requests;
(f) removing content;
(g) quarantining data;
(h) deleting prohibited content;
(i) suspending accounts or Services;
(j) terminating access;
(k) refusing future service;
(l) notifying affected customers or users;
(m) notifying authorities where legally required or appropriate;
(n) preserving evidence where required by law or necessary for security.

9.2. No Compensation for Policy Violations

You will not be entitled to credits, refunds, service level credits, or other compensation
for interruption, suspension, deletion, or termination caused by your violation of this Policy.

9.3. Investigation

XData may investigate suspected violations of this Policy. You agree to cooperate reasonably
with investigations, including by providing relevant information where appropriate.

9.4. Removal of Content

XData may remove or restrict access to content that violates this Policy, applicable law,
third-party rights, provider policies, or the Customer Agreement.

9.5. Preservation

XData may preserve content, logs, account information, and related evidence where necessary
for legal compliance, security investigation, fraud prevention, dispute resolution, or
enforcement of this Policy.

9.6. Appeals

Where XData provides an appeal or review process, you may request review of an enforcement
decision through the process specified by XData.


10. CONTACTS

10.1. Abuse Reports

Reports of abuse, illegal content, spam, impersonation, or misuse should be sent to:

[INSERT ABUSE CONTACT EMAIL]

10.2. Security Reports

Security vulnerability reports should be sent to:

[INSERT SECURITY CONTACT EMAIL]

10.3. Legal and Copyright Notices

Legal, copyright, intellectual property, or regulatory notices should be sent to:

[INSERT LEGAL CONTACT EMAIL]

10.4. Privacy Notices

Privacy and data protection notices should be sent to:

[INSERT PRIVACY CONTACT EMAIL]


11. DEFINITIONS

11.1. "AI Services" means Services that use, integrate, route, host, configure, orchestrate,
or otherwise rely on artificial intelligence, machine learning, large language models,
embedding models, generative AI, classifiers, agents, retrieval systems, or automation
workflows.

11.2. "Authorized User" means any user authorized by Customer to access or use the Services.

11.3. "Customer Agreement" has the meaning given in Section 1.3.

11.4. "Customer Content" means content, data, prompts, files, documents, code, configurations,
images, media, knowledge bases, records, outputs, and other materials uploaded to, submitted
to, processed by, generated through, or made available to the Services by Customer or its
Authorized Users.

11.5. "Personal Data" means any information relating to an identified or identifiable natural
person, and any other information treated as personal data or personal information under
applicable law.

11.6. "Services" has the meaning given in Section 1.1.

11.7. "Special Categories of Personal Data" means special categories of personal data under
GDPR and similar sensitive categories under applicable data protection laws.

Image

Transforming organizations for the AI era through strategy, research, education and implementation.

SOLUTIONS

INSIGHTS

COMPANY

STAY INFORMED

Get the latest insights, research and frameworks delivered to your inbox.

EU Based & Compliant

GDPR • AI Act • ISO 42001

Secure & Sovereign

Your data. Your control.

Research Driven

Powered by Cognitio Labs

Proven Impact

Measurable results