Kyvvu BV
Nijmegen, the Netherlands
Email: abuse@kyvvu.com (general) · security@kyvvu.com (security)
1. Purpose and Scope
This Acceptable Use Policy (the “AUP”) sets out the rules that apply to your use of the Kyvvu runtime compliance platform (the “Software”), including any AI agents you govern with it.
The AUP forms part of:
- the Terms of Service for self-service accounts (Section 16.4); and
- the Kyvvu End User Licence Agreement (“EULA”) for negotiated enterprise engagements (clause 11.4, Annex 3).
It applies to you, to your Affiliates that use the Software, and to all individuals you authorise to access or use the Software (“Authorised Users”). You are responsible for the acts and omissions of your Authorised Users as if they were your own.
We may update this AUP from time to time on reasonable notice. Updates apply with immediate effect for safety, security or legal reasons, and otherwise on thirty (30) days’ notice.
2. Lawful Use
You shall use the Software only for lawful purposes and in compliance with all applicable laws and regulations in any jurisdiction in which you or your Authorised Users operate, including data protection, intellectual property, consumer protection, anti-spam, anti-bribery, sanctions and export control laws.
3. Prohibited Content
You shall not use the Software, and shall not permit any Authorised User or any AI agent governed by the Software, to generate, store, process, transmit, host or distribute any content that:
- is unlawful in any jurisdiction relevant to the activity, including content that infringes intellectual property rights, trade secrets or rights of publicity;
- constitutes child sexual abuse material (CSAM), or that sexualises, grooms, abuses, exploits or endangers minors in any way;
- incites, glorifies or facilitates violence against any individual or group, including content that promotes terrorism, mass violence or genocide;
- targets individuals or groups with hateful conduct, harassment or threats based on a protected characteristic (such as race, ethnicity, national origin, religion, gender, sexual orientation, disability or other protected status);
- is defamatory, libellous, fraudulent, deceptive or designed to mislead users about its origin (including by impersonation);
- is deepfake, synthetic-media or other manipulated content created or distributed in a manner that violates applicable law (including the EU AI Act transparency requirements for AI-generated content);
- constitutes spam, unsolicited bulk communications or other abuse of communication channels.
4. Prohibited Conduct
You shall not use the Software, and shall not permit any Authorised User or any AI agent governed by the Software, to:
- violate the privacy rights of any individual, including by collecting, processing or disclosing personal data without a valid lawful basis;
- conduct surveillance, profiling or tracking of individuals in a manner prohibited by applicable law (including, where applicable, mass surveillance prohibited under the EU AI Act);
- interfere with or disrupt the integrity or performance of the Software, of any other customer’s use of the Software, or of any third-party system to which the Software is connected;
- attempt to gain unauthorised access to the Software, to other customers’ data, to Kyvvu’s systems, or to any third-party system, including by exploiting vulnerabilities, performing security tests not authorised by the system owner, or circumventing access controls;
- attempt to reverse engineer, decompile, disassemble or derive the source code of any part of the Software not expressly licensed for such use under the applicable agreement;
- benchmark the Software for the purpose of building a competing product, or publish performance results without Kyvvu’s prior written consent;
- introduce or propagate malicious code, malware, ransomware, viruses, worms, logic bombs, trojan horses or any other harmful software via or into the Software;
- send, route or deliver any communication via the Software in a manner that violates applicable anti-spam laws (e.g. CAN-SPAM, EU ePrivacy Directive).
5. Use With AI Agents
The Software is designed to govern the behaviour of AI agents at runtime. You shall not configure, deploy or operate AI agents governed by the Software in a manner that:
- is prohibited or restricted under the EU Artificial Intelligence Act (Regulation (EU) 2024/1689), including any prohibited AI practices under Article 5;
- uses the Software to circumvent safety, content or compliance controls of any underlying AI model or service;
- trains, fine-tunes or evaluates a foundation model on data ingested through the Software in a manner that the data subjects have not been informed of, or consented to, where consent is required;
- operates without appropriate human oversight in high-risk use cases as defined under the EU AI Act, except where you have implemented, outside the Software, the human-oversight measures required by law;
- makes consequential automated decisions about individuals (e.g. in employment, credit, insurance, education, law enforcement) without complying with applicable laws on automated decision-making (including GDPR Article 22 and the EU AI Act);
- represents the AI agent’s outputs as if they were human-generated, or impersonates real natural persons, in contexts where applicable law requires disclosure;
- uses the Software for the development, deployment or operation of weapons systems, surveillance systems prohibited under applicable law, or social-scoring systems prohibited under applicable law.
6. Security and Credentials
You shall:
- use strong, unique credentials and enforce multi-factor authentication for all administrative access to the Software;
- treat API Keys as confidential information; not share API Keys across customer engagements, projects or end customers; not embed API Keys in client-side code or public repositories; and rotate API Keys promptly on any suspected compromise;
- promptly notify Kyvvu (via security@kyvvu.com) of any suspected unauthorised access, credential compromise, or security incident affecting the Software;
- not perform unauthorised security testing of Kyvvu’s infrastructure. Penetration testing requires Kyvvu’s prior written authorisation; responsible disclosure of vulnerabilities is welcomed via Kyvvu’s responsible disclosure programme.
7. Resource Use and API Abuse
You shall not, and shall procure that your Authorised Users and agents do not:
- intentionally or recklessly cause excessive load on the Software (e.g. by issuing repeated identical requests, by failing to handle rate-limit responses, or by spawning agents that loop without bound);
- circumvent metering, rate limits, quotas or other technical controls implemented by Kyvvu;
- use the Software to build a service whose primary purpose is to resell raw Software capacity to third parties. Resale of access in the form of an authorised reseller arrangement is permitted under a separate Reseller Agreement.
8. Reporting and Enforcement
8.1 Reporting
Suspected violations of this AUP may be reported to abuse@kyvvu.com (or such other address as Kyvvu may notify). Kyvvu will, where appropriate, acknowledge reports and investigate.
8.2 Investigation
Kyvvu may investigate suspected violations of this AUP, including by reviewing logs, requesting information from you, or engaging third-party experts. You shall provide reasonable cooperation.
8.3 Suspension
Without prejudice to Kyvvu’s other rights, Kyvvu may suspend access to the Software or revoke API Keys (in whole or in part) for a violation of this AUP, in accordance with the applicable agreement (Terms of Service Section 16.7 for self-service accounts, or EULA clause 14.4 for enterprise engagements). For violations posing imminent harm to Kyvvu, other customers, third parties or the public (including but not limited to those in Sections 3 and 5 above), Kyvvu may suspend immediately without prior notice.
8.4 Termination
Material or repeated violations of this AUP constitute a material breach of the applicable agreement and entitle Kyvvu to terminate that agreement.
8.5 Cooperation with authorities
Kyvvu may, where required by law or where it has a reasonable belief that doing so is necessary to prevent serious harm or unlawful activity, cooperate with law enforcement and other competent authorities, including by sharing relevant information.
9. No Waiver
Kyvvu’s decision to enforce or not enforce any provision of this AUP in any particular instance does not constitute a waiver of Kyvvu’s right to enforce the same or any other provision in any other instance.
10. Contact
General AUP questions and abuse reports: abuse@kyvvu.com
Security incidents and responsible disclosure: security@kyvvu.com
Kyvvu BV
Nijmegen, the Netherlands
Chamber of Commerce: 99594234
This AUP is effective as of the Last Updated date above.