This Acceptable Use Policy ("AUP") describes prohibited uses of the Arbor Service. It supplements the Terms of Service. Violation is grounds for immediate suspension or termination.
1. Prohibited content
You may not use the Service to upload, transmit, or share content that:
- infringes any patent, trademark, copyright, trade secret, or other intellectual property right;
- is defamatory, obscene, harassing, threatening, or otherwise unlawful;
- contains malicious code, malware, viruses, or destructive payloads;
- contains real Protected Health Information unless an executed BAA is in place;
- contains payment card numbers, government IDs, or other sensitive identifiers outside the documented PHI fields under an executed BAA;
- was obtained without the consent or legal right of the data subjects.
2. Prohibited activities
You may not:
- attempt to probe, scan, or test the vulnerability of the Service except via our coordinated disclosure program (email security@arbor.app);
- interfere with or disrupt the Service, the servers or networks connected to the Service, or any other user's use of the Service;
- generate excessive load, including (a) calling `/api/v1/*` above the published rate limit, (b) generating webhook deliveries to internal/private addresses, or (c) running uncoordinated bulk imports that exceed reasonable per-org volumes;
- impersonate any person or entity, or misrepresent your affiliation with a person or entity;
- attempt to gain unauthorized access to any portion of the Service, or to any other systems or networks connected to the Service;
- sell, lease, or sublicense access to the Service except under an executed Reseller Agreement (see /legal/reseller-agreement);
- use the Service to send unsolicited mass communications, market third-party products, or violate the CAN-SPAM Act, the GDPR, the ePrivacy Directive, or equivalent laws;
- attempt to circumvent technical limitations, including the SSRF allowlist on outbound webhooks, the IP/email throttle on agency signup, the rate limit on REST endpoints, or the role-based access controls within an organization.
3. Webhook and API integrations
You are responsible for the security and lawful operation of any endpoint you register to receive Arbor webhooks, and any system that uses an Arbor API key. In particular:
- do not register webhook URLs that resolve to private/internal addresses or cloud metadata services — these are blocked by our SSRF guard, which will fail your deliveries;
- rotate API keys promptly if compromised. Keys can be revoked immediately at `/admin/settings/api`;
- treat the webhook signing secret as a credential. Verify `X-Arbor-Signature` on every inbound delivery.
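The two receiver-side obligations above, as an added example that is not Arbor's own code or documentation: a constant-time check of `X-Arbor-Signature` against the raw request body, and a pre-check that a URL you intend to register does not resolve to a private, loopback, link-local or cloud-metadata address (the ranges the SSRF guard refuses). The AUP does not document the signing scheme; this example assumes `sha256=<hex>` carrying an HMAC-SHA256 over the raw body keyed with the webhook signing secret, and the secret, body and hostnames below are constructed sample data.

```python
"""Receiver-side helpers for Arbor webhook integrations (added example).

Assumptions, not stated by the AUP: X-Arbor-Signature carries
"sha256=<hex>", where <hex> is HMAC-SHA256 over the raw request body keyed
with the organization's webhook signing secret. Only the header name and
the "do not register private/metadata URLs" rule come from the policy.
"""
import hashlib
import hmac
import ipaddress
import socket
from typing import Callable, List, Optional
from urllib.parse import urlsplit

# Constructed sample data; not a real secret or a real delivery.
SAMPLE_SECRET = b"whsec_example_do_not_use"
SAMPLE_BODY = b'{"event":"client.updated","id":"evt_123"}'


def compute_signature(secret: bytes, raw_body: bytes) -> str:
    """Signature the sender is assumed to attach (see module docstring)."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, raw_body: bytes, header: Optional[str]) -> bool:
    """True only if `header` is a valid signature for the exact bytes received.

    Verify before any JSON parsing or re-serialization (whitespace or key
    order changes would break the MAC), and compare in constant time so
    response timing does not leak how many bytes of the MAC matched.
    """
    if not header:
        return False
    expected = compute_signature(secret, raw_body)
    return hmac.compare_digest(expected.encode(), header.strip().encode())


# Ranges a webhook destination must not resolve to. ipaddress' own flags
# cover most of them; the explicit list adds CGNAT and the IPv6 forms.
_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_public_address(ip_str: str) -> bool:
    """False for private, loopback, link-local (incl. 169.254.169.254) and reserved space."""
    ip = ipaddress.ip_address(ip_str.split("%")[0])   # drop any IPv6 zone id
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped                            # ::ffff:a.b.c.d is really a.b.c.d
    if (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified):
        return False
    return not any(ip in net for net in _BLOCKED)


def _dns_resolve(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer, because the guard checks them all."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def webhook_url_is_registrable(
    url: str, resolver: Optional[Callable[[str], List[str]]] = None
) -> bool:
    """Pre-check a URL before registering it as a webhook destination.

    `resolver` maps hostname -> list of IP strings; it defaults to DNS and is
    injectable so the check can run offline. Note this is advisory only: the
    service resolves again at delivery time, so a name that later starts
    resolving to a private address will still be blocked then.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addrs = [str(ipaddress.ip_address(host))]      # literal IP in the URL
    except ValueError:
        try:
            addrs = (resolver or _dns_resolve)(host)
        except socket.gaierror:
            return False
    # Every answer must be public: a mixed answer (one public, one private
    # record) is how checks that look at a single address get bypassed.
    return bool(addrs) and all(is_public_address(a) for a in addrs)


if __name__ == "__main__":
    sig = compute_signature(SAMPLE_SECRET, SAMPLE_BODY)
    print("valid delivery:", verify_signature(SAMPLE_SECRET, SAMPLE_BODY, sig))
    print("tampered body: ", verify_signature(SAMPLE_SECRET, SAMPLE_BODY + b" ", sig))
    print("metadata URL:  ", webhook_url_is_registrable("https://169.254.169.254/latest/meta-data"))
```

Call `verify_signature` with the request body exactly as read from the socket, not with `json.dumps(request.json)`, and return a 4xx without processing when it fails. If Arbor's actual scheme includes a timestamp or a different encoding, adjust `compute_signature` accordingly; the constant-time comparison and the raw-body rule stay the same.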
4. Reporting violations
Report suspected violations to security@arbor.app. We aim to acknowledge within one business day.
5. Enforcement
We may, at our discretion and, where there is imminent risk, without prior notice, suspend or terminate access for any user, organization, or agency we believe has violated this AUP. For non-imminent issues we will normally provide written notice and a reasonable cure period.