Acceptable Use Policy
Product: Exceptao / paraKSCol / Cyberzgodność EDU · Last updated: 2026-05-15
Operator: METAMORFOZIS GLETSCHMANN SPÓŁKA JAWNA, ul. gen. Stanisława Maczka 9/14, 78-100 Kołobrzeg, Poland (KRS 0001193277, NIP 6711868606, REGON 542678656). Full registered details: /legal/imprint.
This Acceptable Use Policy (“AUP”) applies to all Tenants, Users, and any other persons who access or use the Service. It is incorporated by reference into the Terms of Service at /legal/terms. Capitalised terms have the meanings given in the Terms of Service.
The Service is a professional governance, risk, and compliance (GRC) platform sold to security-conscious organisations. The prohibitions in this AUP reflect both the technical architecture of the platform (multi-tenant, shared infrastructure) and the sensitivity of the compliance data it handles.
1. Permitted use
The Service may be used solely for lawful, professional governance, risk, and compliance (GRC) operations, including:
- Tracking and managing IT and information security policy exceptions within the Tenant’s own organisation;
- Maintaining a risk register and associated treatment plans;
- Operating incident and compliance workflows under NIS2, KSC, or equivalent regulatory obligations;
- Generating audit packs, evidence exports, and reports for the Tenant’s own auditors, regulators, or management;
- Performing self-identification (samoidentyfikacja) and KSC obligation tracking in the NIS2 Schools module;
- Exporting and archiving compliance records for legal retention purposes.
Use outside these purposes — including use for the benefit of a third party not covered by the Tenant’s subscription — is not permitted without prior written agreement with the Operator.
2. Prohibited conduct
The following conduct is strictly prohibited. Violations may result in immediate suspension or termination of access (see §5).
2.1 Security and infrastructure attacks
- Attempting to breach tenant isolation — including testing, probing, or exploiting any mechanism intended to separate one Tenant’s data from another, including Postgres Row-Level Security, application-layer access controls, or network-layer controls;
- Attempting to bypass, disable, degrade, or circumvent any security control of the Service, including authentication, authorisation, session management, rate limiting, or audit logging;
- Conducting port scanning, vulnerability scanning, fuzzing, or penetration testing against the Service, its infrastructure, its subprocessors, or any shared component without a prior written Penetration Testing Authorisation Agreement signed by the Operator (responsible coordinated disclosure is always welcome — see §3);
- Distributing, uploading, or injecting malware, ransomware, trojans, spyware, adware, cryptominers, or any other malicious code via evidence file uploads, exception descriptions, incident reports, or any other Service input mechanism;
- Attempting denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks against the Service, its infrastructure, or any other Tenant or user of shared infrastructure;
- Attempting to extract, reverse-engineer, or reproduce the Operator’s cryptographic schemes, database schemas, hash-chain construction, or proprietary algorithms beyond what is publicly documented in the Security Whitepaper at /legal/security.
2.2 Data misuse and unauthorised access
- Accessing, extracting, copying, or exfiltrating another Tenant’s data, including audit log data, exception records, evidence files, or any other data that is not within the requesting Tenant’s own tenancy;
- Accessing or exfiltrating the Tenant’s own audit log data for purposes not covered by a lawful basis under applicable data protection law;
- Storing, processing, or transmitting data in violation of applicable law within the Service;
- Uploading content that is illegal, defamatory, obscene, or that infringes third-party intellectual property rights, privacy rights, or other legal rights;
- Attempting to access administrative interfaces, internal APIs, database management tools, or operational systems of the Operator that are not part of the published Service API.
2.3 Identity, impersonation, and account misuse
- Impersonating another Tenant, User, the Operator, a supervisory authority, a regulator, or any other third party within the Service or in communications with the Operator;
- Creating or using accounts with false, incomplete, or materially misleading registration information;
- Sharing login credentials (username and password, TOTP codes, WebAuthn passkeys) between multiple Users — each User must have their own individual account;
- Knowingly permitting a person who is not an authorised User under the Tenant’s subscription to access the Service using another User’s account;
- Attempting to obtain another User’s or Tenant’s credentials by phishing, social engineering, credential stuffing, or any other method.
2.4 Abuse of platform resources
- Automated scraping, crawling, or systematic harvesting of Service data at a rate or in a manner that materially degrades the performance of the Service for other Tenants or Users (normal programmatic API use within the documented rate limits is permitted);
- Using the Service to generate, store, or transmit unsolicited commercial communications (spam);
- Circumventing or manipulating fair-use caps on active users, active exceptions, storage volume, or integrations through artificial technical means;
- Using the Service’s computational resources for any purpose unrelated to the GRC use cases above, including cryptocurrency mining or general-purpose computation.
2.5 Regulatory, legal, and compliance violations
- Using the Service in a jurisdiction where doing so is prohibited by applicable law, export controls, or sanctions (including EU sanctions and Polish law implementing EU Council regulations);
- Using the Service to facilitate, conceal, or further any fraud, money laundering, terrorist financing, corruption, or other criminal activity;
- Using the Service to process special category personal data (GDPR Art. 9) without: (a) a documented lawful basis under GDPR Art. 9(2); (b) appropriate technical and organisational safeguards; and (c) a DPIA if required under GDPR Art. 35;
- Misrepresenting the Tenant’s NIS2/KSC compliance status (e.g. filing samoidentyfikacja decisions known to be incorrect) within the Service.
3. Responsible disclosure
The Operator welcomes coordinated security disclosure from researchers and Tenants. If you discover a vulnerability in the Service:
- Do not exploit the vulnerability or access, exfiltrate, or modify any data beyond what is necessary to demonstrate the existence of the issue.
- Do not disclose the vulnerability publicly before the Operator has had a reasonable opportunity to investigate and remediate.
- Report the vulnerability to security@exceptao.com with a clear description of: the affected component, the nature of the vulnerability, steps to reproduce, and any supporting evidence (screenshots, request/response samples).
- The Operator will acknowledge receipt within 2 business days, provide an initial assessment within 7 business days, and keep you informed of remediation progress.
- Researchers acting in good faith under this disclosure process will not be subject to legal action by the Operator for the act of responsible disclosure itself.
This disclosure process does not constitute authorisation to conduct penetration testing beyond the minimum necessary to demonstrate the vulnerability. Full penetration testing requires a signed Penetration Testing Authorisation Agreement.
4. Reporting violations
| Type of violation | Contact |
| --- | --- |
| General AUP violation | hello@exceptao.com |
| Security incident or suspected attack | security@exceptao.com |
| Data protection or privacy concern | privacy@exceptao.com |
| Legal or regulatory matter | legal@exceptao.com |
Reports are treated in confidence. The Operator will investigate all credible reports and take appropriate action. Anonymous reports are accepted but limit the Operator’s ability to follow up with the reporter.
5. Enforcement
5.1 Investigation
Upon becoming aware of a potential AUP violation — through a report, automated detection, audit log review, or other means — the Operator will conduct a proportionate investigation. The Operator may: review the affected Tenant’s audit log records (scoped to that Tenant’s own chain); request information from the Tenant Admin in writing; engage law enforcement or regulatory authorities where required by law or where criminal conduct is suspected.
5.2 Notice and opportunity to remediate
Where a violation is confirmed and does not require immediate action, the Operator will:
- Notify the Tenant Admin in writing describing: the specific conduct that constitutes the violation, the applicable AUP provision, the required remediation steps, and the deadline for remediation.
- Allow a remediation period of at least 7 calendar days for non-critical violations.
- Confirm in writing when the Tenant’s remediation is accepted as sufficient, or specify what further steps are required.
5.3 Immediate suspension
The Operator may suspend the Tenant’s access to the Service immediately and without prior notice where:
- The violation poses an active, ongoing security risk to the Service, to other Tenants, or to any data subject;
- The violation involves unlawful conduct that requires immediate action to prevent further harm;
- The Tenant has repeatedly violated this AUP after receiving written remediation notices (three or more confirmed violations within a 12-month period);
- The Operator is required to suspend by law, court order, or directive of a competent authority.
In the case of an immediate suspension, the Operator will notify the Tenant Admin as soon as reasonably practicable (and in any case within 24 hours), explaining the grounds for suspension and the conditions for reinstatement (if any).
5.4 Termination
Material or repeated violations of this AUP constitute material breach of the Terms of Service. The Operator may terminate the Tenant’s subscription under the termination provisions of the Terms of Service (§13 of the Terms). Termination does not entitle the Tenant to a refund of prepaid subscription fees.
5.5 Appeals
A Tenant that disagrees with an enforcement action may appeal by:
- Emailing legal@exceptao.com within 14 calendar days of the enforcement action;
- Stating clearly: the enforcement action being appealed, the grounds for the appeal, and any supporting evidence.
The Operator will acknowledge the appeal within 3 business days and issue a written decision within 14 calendar days of receiving the appeal. During an appeal, suspension may be maintained if the Operator reasonably believes that reinstatement would pose a risk to other Tenants or the Service.
6. Changes to this policy
The Operator will notify Tenants of material changes to this AUP at least 30 days before the changes take effect, consistent with the notification process in the Terms of Service. Material changes are those that introduce new categories of prohibited conduct or that materially change the enforcement process.
7. Contact
| Purpose | Contact |
| --- | --- |
| General AUP enquiries | hello@exceptao.com |
| Legal and compliance | legal@exceptao.com |
| Security disclosure | security@exceptao.com |
| Polish public sector | kontakt@cyberzgodnosc.edu.pl / kontakt@parakscol.pl |