Acceptable Use Policy
Rules governing acceptable use of the Koopic platform and services.
Overview
This Acceptable Use Policy ("AUP") sets forth the rules and guidelines that govern your use of the Koopic platform, including all associated APIs, agents, integrations, and documentation (collectively, the "Service"). This AUP is incorporated by reference into, and forms an integral part of, the Koopic Terms of Service (the "Agreement"). Capitalized terms not defined herein have the meanings assigned to them in the Agreement.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to comply with this AUP. Koopic LLC ("Koopic," "we," or "us") reserves the right to suspend or terminate access to the Service for any Customer or Authorized User who violates this AUP, in accordance with the enforcement procedures described below.
We drafted this policy to be clear and specific rather than vague and overbroad. If a particular activity is not addressed here, that does not mean it is permitted. Common sense and good faith apply. If you are uncertain whether a contemplated use is acceptable, contact us before proceeding.
Permitted Use
The Service is designed and licensed exclusively for business-to-business IT asset management. Permitted use of the Service includes:
- Authorized business purposes. Using the Service to ingest, unify, enrich, track, and manage IT asset data across your organization, including hardware inventories, software catalogs, cloud resources, and associated metadata.
- Authorized Users only. Access to the Service is limited to individuals who have been provisioned as Authorized Users within your organization's Koopic tenant. Each Authorized User must have a unique account. Sharing of login credentials between individuals is not permitted.
- Assigned roles and permissions. Authorized Users must operate within the scope of their assigned role (viewer, member, admin, or owner). Attempting to perform actions beyond your assigned permission level is a violation of this AUP.
- Compliance with applicable law. All use of the Service must comply with applicable federal, state, local, and international laws and regulations, including but not limited to data protection, export control, and anti-corruption laws.
- Compliance with the Agreement. All use of the Service must conform to the terms and conditions set forth in the Terms of Service, this AUP, and any applicable Order Form or subscription agreement.
Prohibited Activities
The following activities are strictly prohibited. This list is illustrative, not exhaustive. Koopic reserves the right to determine, in its reasonable discretion, whether conduct not specifically enumerated below constitutes a violation of this AUP.
Unauthorized Access and Tenant Isolation Violations
- Accessing, attempting to access, or probing data belonging to another Customer's tenant. The Service employs PostgreSQL Row-Level Security to enforce tenant isolation, and any attempt to circumvent, bypass, or exploit that isolation mechanism is a serious violation.
- Attempting to bypass, escalate, or subvert the role-based access control (RBAC) system, including but not limited to manipulating tokens, headers, or API parameters to obtain privileges beyond those assigned to your account.
- Accessing or attempting to access another user's account, credentials, or session without explicit authorization.
- Impersonating another user, Authorized User, organization, or Koopic personnel.
Reverse Engineering and Intellectual Property Violations
- Reverse engineering, decompiling, disassembling, or otherwise attempting to derive the source code, algorithms, data structures, or underlying architecture of the Service or any of its components.
- Using the Service for competitive analysis, benchmarking, or to build a competing product or service, unless Koopic has provided prior written consent.
- Reselling, sublicensing, redistributing, or otherwise making the Service available to any third party except as expressly permitted under the Agreement.
Abuse of Platform Features
- Using the RestrictedPython sandbox, enrichment rules engine, or compliance rules engine to execute malicious, harmful, or intentionally resource-exhausting code. The sandbox enforces a five-second execution timeout for a reason; deliberately crafting code designed to consume maximum resources within or beyond those limits is prohibited.
- Submitting regular expressions or pattern-matching rules specifically designed to cause catastrophic backtracking or denial-of-service conditions, regardless of whether the platform's two-second regex timeout mitigates the attempt.
- Automated scraping, crawling, or systematic data extraction from the Service that exceeds published API rate limits or is conducted without proper authentication.
- Circumventing, disabling, or interfering with rate limiting, throttling, or any other security measure implemented by the Service.
- Mining cryptocurrency, training machine learning models on platform resources, or performing any computationally excessive operations that degrade service performance for other Customers.
Malicious Code and Infrastructure Interference
- Uploading, transmitting, or introducing viruses, worms, trojans, ransomware, spyware, adware, or any other malicious code or software to or through the Service, including via file uploads, API calls, or integration connectors.
- Interfering with, disrupting, or degrading the operation of the Service, its infrastructure, or its availability to other Customers, whether through denial-of-service attacks, packet flooding, or any other means.
- Attempting to exploit the Service's integration connectors (cloud APIs, on-premises agents, file uploads) to conduct server-side request forgery (SSRF), command injection, or other attacks against Koopic's infrastructure or third-party systems.
Credential and Account Misuse
- Sharing account credentials, OAuth tokens, or authenticated sessions with individuals who are not Authorized Users within your organization.
- Storing integration credentials (such as cloud storage keys, agent tokens, or service account files) in publicly accessible repositories, files, or locations.
- Sending unsolicited communications, spam, or bulk messages using any feature of the Service.
Illegal Content and Prohibited Data
- Using the Service to store, process, transmit, or distribute content that is illegal, fraudulent, defamatory, obscene, or otherwise objectionable under applicable law.
- Using the Service in connection with any activity that violates applicable sanctions, export control regulations, or anti-money-laundering laws.
System Integrity
Maintaining the integrity, availability, and performance of the Service is a shared responsibility. The following requirements apply to all Customers and Authorized Users:
- No interference with service operation. You shall not take any action that interferes with the proper functioning of the Service, including its servers, networks, databases, and supporting infrastructure.
- No unauthorized testing. Load testing, stress testing, penetration testing, vulnerability scanning, and similar activities directed at the Service or its infrastructure require prior written approval from Koopic. Contact [email protected] to coordinate authorized testing.
- Responsible disclosure of vulnerabilities. If you discover a security vulnerability in the Service, you must report it promptly to [email protected] rather than exploiting it, disclosing it publicly, or sharing it with third parties. We take vulnerability reports seriously and will work with you to understand and address the issue. Exploiting a known vulnerability, even to demonstrate its existence, is a violation of this AUP.
- No tampering with audit logs. The Service maintains comprehensive audit logs for security and compliance purposes. Any attempt to alter, delete, forge, or suppress audit log entries is strictly prohibited.
- No circumvention of technical safeguards. The Service implements numerous technical safeguards including SSRF prevention, sandboxed code execution, regex timeout enforcement, and encrypted credential storage. Deliberately circumventing or attempting to circumvent any of these safeguards is prohibited.
Data and Content Standards
The Service is purpose-built for IT asset management. The data you import, store, and process through the Service must be appropriate for that purpose.
- Legality of imported data. You are solely responsible for ensuring that all data you import into the Service -- whether via cloud API integrations, on-premises agent collectors, file uploads, or manual entry -- has been lawfully collected and that you have the right to process it through the Service.
- Appropriate data types. The Service is designed to manage IT asset metadata: hardware specifications, software inventories, license information, network configurations, cloud resource identifiers, and similar operational data. You must not use the Service to store sensitive personal data, protected health information (PHI), payment card data (PCI), or categories of personally identifiable information (PII) beyond what is reasonably necessary for IT asset management (e.g., device assignment to named users).
- Export control compliance. If you use the Service's integration connectors or on-premises agents to transfer data across jurisdictional boundaries, you are responsible for ensuring compliance with applicable export control laws and regulations, including the U.S. Export Administration Regulations (EAR) and, where applicable, the International Traffic in Arms Regulations (ITAR).
- Data accuracy. While the Service provides tools for data enrichment, deduplication, and unification, you remain responsible for the accuracy and completeness of the source data you provide.
Security Responsibilities
Security is a shared responsibility between Koopic and its Customers. While we implement robust security controls at the platform level, the following responsibilities rest with you:
- Credential security. You must maintain the confidentiality of all account credentials, OAuth tokens, and authentication sessions associated with your use of the Service. Credentials must not be shared, posted publicly, or stored in insecure locations.
- Identity provider security. All authentication to the Service is performed through federated identity providers (social sign-in providers such as Google, or your organization's enterprise identity provider via OIDC or SAML). You are solely responsible for the security configuration of the identity provider through which your Authorized Users authenticate, including but not limited to the enforcement of multi-factor authentication (MFA), password policies, session duration settings, and account recovery procedures. Koopic is not liable for unauthorized access resulting from a compromise of your identity provider or the failure to enforce adequate authentication controls.
- Enterprise SSO. Enterprise Customers may configure their own identity provider (OIDC or SAML) for centralized authentication, automated provisioning and deprovisioning via just-in-time (JIT) provisioning, and consistent enforcement of organizational authentication policies. We strongly recommend that all enterprise Customers configure their own identity provider for production use.
- Integration credential management. The Service stores encrypted credentials for third-party integrations (cloud storage, endpoint management, on-premises agents). You are responsible for rotating these credentials in accordance with your organization's security policies and for revoking credentials promptly when they are no longer needed.
- Token and session hygiene. OAuth tokens and authenticated sessions issued for access to the Service must be treated as sensitive. Do not share active sessions across devices in ways that circumvent your identity provider's security controls, and ensure that Authorized Users sign out of the Service when using shared or public devices.
- Prompt incident reporting. If you become aware of or reasonably suspect any security incident, unauthorized access, credential compromise, or other breach affecting your use of the Service, you must notify Koopic promptly at [email protected]. Prompt reporting enables us to contain potential damage and protect all Customers.
- User lifecycle management. You are responsible for promptly deprovisioning Authorized Users who leave your organization or no longer require access to the Service. Koopic provides RBAC tools and SSO-based just-in-time provisioning to facilitate this process, but the obligation to manage your user roster remains with you.
Monitoring and Enforcement
Koopic reserves the right, but does not assume the obligation, to monitor use of the Service for compliance with this AUP. We are not in the business of policing our Customers, but we will act decisively when necessary to protect the Service and its users.
- Monitoring. We may monitor Service usage patterns, API call volumes, error rates, and system logs to detect anomalous or potentially harmful activity. Monitoring is conducted at the platform level and is focused on security and operational integrity, not on the substance of Customer data.
- Investigation. If we become aware of a suspected AUP violation, we may investigate by reviewing relevant logs, usage data, and system events. We will make reasonable efforts to contact the affected Customer before taking enforcement action, except where immediate action is necessary to prevent harm to the Service or other Customers.
- Enforcement actions. Depending on the nature and severity of the violation, Koopic may take one or more of the following actions: issue a written warning; require corrective action within a specified timeframe; temporarily suspend the offending account or tenant; permanently terminate access to the Service; or report the violation to appropriate law enforcement authorities.
- No obligation to act. The fact that Koopic does not enforce the AUP in every instance does not constitute a waiver of our right to enforce it in any particular instance.
- Cooperation. Customers shall cooperate with Koopic in any investigation of a suspected AUP violation, including by providing information and access reasonably requested by Koopic to complete its investigation.
Reporting Violations
We rely on our community of Customers and users to help maintain the integrity of the Service. If you become aware of conduct that you believe violates this AUP, we encourage you to report it.
- AUP violations. Report suspected violations of this AUP to [email protected]. Please include as much detail as possible, including the nature of the suspected violation, any relevant timestamps, and the identities of the parties involved (if known).
- Security vulnerabilities. If you discover a vulnerability in the Service, report it to [email protected]. We follow a responsible disclosure model: report the vulnerability privately, give us a reasonable period to investigate and remediate, and refrain from public disclosure until we have had an opportunity to address the issue. We will acknowledge receipt of your report within two (2) business days and provide an initial assessment within ten (10) business days.
- No retaliation. Koopic will not take adverse action against any Customer or Authorized User who reports a suspected violation or vulnerability in good faith, even if the report ultimately proves to be unfounded.
Consequences of Violation
Koopic employs a graduated enforcement approach that is proportionate to the severity and recurrence of the violation. However, we reserve the right to bypass intermediate steps and proceed directly to suspension or termination when the circumstances warrant it.
- Written warning. For first-time or minor violations, we will typically issue a written notice identifying the violation and specifying any required corrective action. You will have a reasonable period (typically fourteen (14) days) to cure the violation.
- Temporary suspension. For repeated violations, uncured violations following a warning, or violations that pose an ongoing risk to the Service or other Customers, we may temporarily suspend your access to the Service. During a suspension, your data remains intact and accessible upon reinstatement.
- Termination. For severe violations, persistent non-compliance, or violations that cannot be cured, we may terminate your access to the Service in accordance with the termination provisions of the Terms of Service.
- Immediate termination. The following categories of violation may result in immediate termination without prior warning: unauthorized access to another tenant's data; uploading malware or malicious code; conducting attacks against the Service or its infrastructure; using the Service for illegal activity; and any conduct that poses an imminent threat to the security, integrity, or availability of the Service.
- No refund. If your access to the Service is terminated due to a violation of this AUP, you are not entitled to a refund of any prepaid fees for the remainder of the then-current subscription term.
- Data retrieval. Following termination for an AUP violation, Koopic will make your data available for export for a period of thirty (30) days, subject to applicable law and the terms of the Agreement. After that period, your data will be deleted in accordance with our standard data retention practices as described in our Privacy Policy.
Changes to This Policy
Koopic may update this AUP from time to time to reflect changes in our Service, evolving security threats, or changes in applicable law or industry practice.
We will provide at least thirty (30) days' prior notice of any material changes to this AUP by posting the updated policy on our website with a new effective date and, where practicable, by notifying affected Customers via email or an in-application notice.
Your continued use of the Service after the effective date of an updated AUP constitutes your acceptance of the updated terms. If you do not agree with the changes, you may terminate your subscription in accordance with the Terms of Service.
We maintain an archive of prior versions of this AUP and will provide copies of previous versions upon request.
Contact
Questions, concerns, or reports related to this Acceptable Use Policy may be directed to:
- Security and AUP violations: [email protected]
- Legal inquiries: [email protected]
- Entity: Koopic LLC, a Virginia limited liability company
- Location: Virginia, USA