Acceptable Use Policy

Last updated: 2026-06-01

Thoth-ATO — Acceptable Use Policy

Effective Date (target): June 9, 2026


This Acceptable Use Policy (the "AUP") governs your use of the Thoth-ATO service operated by IntegratedVS LLC ("Provider", "we", "us"). The AUP is incorporated into the Terms of Service by reference. Capitalized terms not defined here have the meaning given in the Terms of Service. Violation of the AUP is a material breach of the Terms of Service.


1. Purpose

This AUP defines what is permitted and prohibited when using Thoth-ATO. Its purpose is to:

(a) protect Provider, users, and third parties from harm;

(b) preserve the integrity, availability, and reputation of the Service;

(c) ensure compliance with applicable law and with the acceptable-use policies of Provider's upstream language-model providers (Anthropic, Google Vertex AI, OpenAI), whose AUPs flow through to your use of the Service;

(d) make clear that Thoth-ATO is a co-pilot — you remain responsible for any code, configuration, or other artifact that you adopt, deploy, or rely upon as a result of using the Service.

This AUP applies to all users on all Subscription tiers, including the Free tier, and applies to your use of any Thoth-ATO surface (Plugin, Remote Service, Platform, MCP server, API, documentation, community channels).


2. Prohibited Content

You must not use the Service to create, request, generate, store, host, transmit, or distribute content that:

2.1 Is Illegal

  • Violates applicable law in any jurisdiction where the content is created, processed, stored, or made available, including without limitation laws relating to intellectual property, privacy, export control, sanctions, defamation, fraud, securities, financial services, or controlled substances.
  • Constitutes or facilitates illegal activity, including but not limited to fraud, identity theft, money laundering, tax evasion, illegal gambling, illegal arms dealing, illegal drug trafficking, human trafficking, or unlawful surveillance.

2.2 Infringes Intellectual Property

  • Infringes any patent, trademark, trade secret, copyright, right of publicity, moral right, or other intellectual-property or proprietary right of any third party.
  • Includes proprietary or copyrighted material that you do not have the right to use.
  • Removes, defaces, or alters proprietary notices in any output.

2.3 Constitutes Child Sexual Abuse Material ("CSAM")

  • Depicts, sexualizes, exploits, or endangers minors. CSAM is absolutely prohibited under any circumstances. Suspected CSAM is reported to the U.S. National Center for Missing & Exploited Children (NCMEC) and to law enforcement as required by 18 U.S.C. § 2258A and applicable foreign law. Accounts found producing CSAM are terminated immediately and without appeal.

2.4 Is Harmful, Harassing, or Discriminatory

  • Harasses, threatens, intimidates, stalks, defames, or impersonates any person.
  • Promotes hate, violence, or discrimination against individuals or groups based on race, ethnicity, national origin, religion, disability, sex, sexual orientation, gender identity, age, or other protected characteristic.
  • Glorifies, incites, or facilitates violence against people or animals.
  • Is sexually explicit content involving any non-consenting party or any party who cannot legally consent.

2.5 Is Deceptive or Manipulative

  • Constitutes phishing, spoofing, or deceptive impersonation of any individual, entity, public official, or brand.
  • Generates synthetic media intended to deceive (e.g., deepfakes of real persons used without consent or for fraud, manipulation, election interference, or non-consensual sexual depiction).
  • Generates AI-produced content presented as human-authored in contexts where such disclosure is legally required or ethically expected (e.g., journalistic publications, academic submissions, sworn statements, regulatory filings).

2.6 Is Malicious Software or Security-Threatening

  • Constitutes, embeds, or facilitates malware, ransomware, spyware, rootkits, keyloggers, viruses, worms, botnets, command-and-control implants, or other malicious code intended to harm or gain unauthorized access to systems.
  • Constitutes credential-harvesting infrastructure, malicious phishing pages, or denial-of-service tooling targeted at infrastructure you do not own or are not authorized to test.
  • Is designed to circumvent technical security measures (e.g., authentication bypass, encryption-circumvention, anti-cheat circumvention, DRM circumvention except as expressly permitted by applicable law).

2.7 Is Weapons-Related

  • Provides operational uplift for designing, manufacturing, acquiring, or deploying chemical, biological, radiological, nuclear, or high-yield explosive ("CBRNE") weapons, weapons of mass destruction, or autonomous weapons systems prohibited by international law.
  • Provides operational uplift for cyber-weapons targeting critical infrastructure (power grids, water systems, financial systems, hospitals) absent explicit authorization from the operator of the targeted infrastructure.

2.8 Violates Upstream AUPs

  • Violates the Anthropic Usage Policies (https://www.anthropic.com/aup), the Google Vertex AI Generative AI Prohibited Use Policy, the OpenAI Usage Policies, or the acceptable-use policy of any other upstream language-model provider whose model is used to fulfill your cycles. Because Provider routes cycles to these providers, their AUPs apply to your prompts and outputs.

3. Prohibited Uses

You must not use the Service in any of the following ways:

3.1 Service Abuse

  • Automate, scrape, crawl, or otherwise programmatically access the Service in a way that exceeds the rate limits or quota of your Subscription tier, or that we have not authorized.
  • Attempt to disrupt, overload, or impair the Service or its infrastructure, including via distributed denial-of-service, application-layer attacks, slow-loris, request amplification, or exhaustion of compute or storage quotas.
  • Submit a volume of cycles, prompts, or API requests intended to circumvent fair-use limits, including by sharding workload across multiple accounts to evade per-account quotas.

3.2 Reselling and Sublicensing

  • Resell, sublicense, lease, time-share, or otherwise commercially exploit the Service to third parties, except as expressly permitted by the Team or Enterprise Subscription tier and any applicable Order Form.
  • Operate a service-bureau, white-label, or competing AI-engineering co-pilot using the Service as a backend.
  • Use the Service to deliver outputs to end users who have not accepted the Terms of Service and AUP, unless your Subscription tier expressly contemplates such redistribution.

3.3 Security Probing

  • Test, probe, scan, or attempt to circumvent the security of the Service, our infrastructure, our subprocessors, or third-party systems you do not own, except in accordance with our Coordinated Vulnerability Disclosure policy at https://thothato.io/.well-known/security.txt. Coordinated, in-good-faith vulnerability research that complies with that policy is welcomed and not a breach of this Section 3.3.
  • Use the Service to enumerate, fingerprint, or attack third-party systems without the express written authorization of those systems' operators.

3.4 Account and Credential Abuse

  • Share Account credentials, API keys, or session tokens with unauthorized persons.
  • Use another person's Account without authorization.
  • Misrepresent your identity, your authority to act on behalf of an entity, or your eligibility under Section 3.1 of the Terms of Service.

3.5 Evasion

  • Use VPNs, proxies, anonymizers, or other techniques to evade geographic restrictions, sanctions screening, or account-level enforcement actions, unless doing so for ordinary privacy purposes and not to evade enforcement.
  • Create new Accounts after suspension or termination of a prior Account for AUP violations.

3.6 Reverse Engineering, Benchmarking, and Competitor Research

  • Reverse engineer, decompile, or disassemble the Service, except to the extent applicable law expressly permits notwithstanding contractual restriction (e.g., interoperability under Article 6 of EU Directive 2009/24/EC).
  • Publish or distribute benchmark results regarding the Service without our prior written consent. (You may discuss the Service publicly, including your own qualitative assessments; this restriction applies to formalized benchmark publications.)
  • Use the Service to design, develop, train, fine-tune, or evaluate a competing AI engineering co-pilot or substantially similar product.

3.7 Output Misuse

  • Represent that any Customer Output is licensed-professional advice (legal, medical, financial, engineering certification) without independent licensed-professional review.
  • Use Customer Outputs to make consequential decisions about specific natural persons (such as employment, credit, insurance, housing, healthcare, education, or government-services decisions) without applying the legally required human review, transparency, and contestation procedures under, e.g., the Colorado AI Act (Colo. Rev. Stat. § 6-1-1701 et seq.), the EU AI Act (Regulation (EU) 2024/1689) Articles 26 and 86, New York City Local Law 144 for automated employment decision tools, or any other applicable algorithmic-discrimination law.

4. AI-Specific Provisions

The Service uses AI. The following provisions clarify responsibility for AI outputs.

4.1 Co-Pilot, Not Delegated Authority

Thoth-ATO is a co-pilot. Its outputs are recommendations and drafts. You are responsible for reviewing, validating, and deciding whether to adopt or deploy any Customer Output. Provider does not assume professional responsibility for the soundness of Customer Outputs.

4.2 Hallucination Awareness

Outputs produced by AI systems can contain errors, fabricated facts, fabricated citations, plausible-but-wrong code, and unsafe code paths. You must review outputs with the same diligence you would apply to work product produced by a junior contributor. Outputs are not authoritative sources; they are starting points.

4.3 EU AI Act — Deployer Obligations

If you deploy Thoth-ATO outputs (or systems built using Thoth-ATO outputs) in any use case classified as "high-risk" under Annex III of the EU AI Act, you are a deployer under EU AI Act Article 26 and must satisfy the corresponding obligations, including:

(a) using the system in accordance with the instructions for use (Section 4.5 below and the Documentation);

(b) ensuring human oversight by appropriately competent persons (Article 14);

(c) maintaining records of automatically generated logs to the extent under your control (Article 26(6));

(d) informing affected workers and their representatives where the system is used in employment contexts (Article 26(7));

(e) conducting a fundamental rights impact assessment where required (Article 27); and

(f) providing affected persons with the right to a meaningful explanation of individual decision-making (Article 86).

These obligations are yours, not Provider's. Provider's obligations as a provider under EU AI Act Article 16 attach to the Service itself; deployer-side obligations attach to your use of the Service in a high-risk context.

4.4 Colorado AI Act — Algorithmic Discrimination

If you are a "developer" or "deployer" of a "high-risk artificial intelligence system" within the meaning of Colo. Rev. Stat. § 6-1-1701 et seq., you must comply with the duties of reasonable care to protect Colorado residents from known or reasonably foreseeable risks of algorithmic discrimination, including documentation, transparency to consumers, post-deployment monitoring, and reporting of discovered algorithmic discrimination to the Colorado Attorney General within ninety (90) days. These obligations are yours, not Provider's.

4.5 Instructions for Use

You must use the Service in accordance with the Documentation, including any model card, capability-and-limitation statement, or operational guidance for the Service or for the language models routed through it. The Documentation is available at https://docs.thothato.io.

4.6 Outputs Are Yours, and Their Effects Are Yours

You retain the rights and responsibilities for Customer Outputs as set out in Section 6 of the Terms of Service. Provider does not assume liability for outputs you adopt, deploy, distribute, or rely upon.

4.7 Prompt Injection and Adversarial Inputs

You acknowledge that AI systems are subject to a class of attacks broadly known as "prompt injection", "jailbreaking", and "indirect prompt injection". You must not:

(a) intentionally construct prompts, file contents, web pages, or external tool responses designed to cause the Service to produce content prohibited by Section 2 or to bypass safety, policy, or alignment controls implemented by Provider or by the upstream language-model providers;

(b) chain the Service with other systems in a way that you know or should know will produce prohibited content; or

(c) embed adversarial payloads in shared projects, sample documents, or community contributions intended to attack other users of the Service.

Coordinated adversarial-robustness research, conducted under our Coordinated Vulnerability Disclosure policy (Section 5.2), is permitted.

4.8 Use in Safety-Critical Systems

The Service is not designed, intended, or certified for use in safety-critical applications, including without limitation: aviation systems, life-support medical devices, motor-vehicle control systems, nuclear-facility operations, weapons-targeting systems, or any application where failure of the Service could reasonably be expected to result in death, personal injury, or substantial environmental damage. Use of the Service in such applications is at your sole risk and expressly outside the scope of any warranty or representation made by Provider.

4.9 Open-Source License Compliance

Customer Outputs may incorporate or be derived from open-source software. You are responsible for tracking and complying with open-source license obligations attaching to any third-party code that the Service surfaces, suggests, or copies into your Customer Materials, including without limitation attribution requirements, copyleft propagation, and source-disclosure requirements. The Service may include tooling to assist with license tracking, but final responsibility rests with you.


5. Reporting Violations

If you become aware of a violation of this AUP — including content, conduct, or use that you reasonably believe violates Sections 2, 3, or 4 — please report it.

5.1 General Abuse Reports

[email protected]

5.2 Security Reports

[email protected] (see also https://thothato.io/.well-known/security.txt for our coordinated-vulnerability-disclosure policy).

5.3 CSAM Reports

[email protected] with subject line beginning [CSAM]. We escalate confirmed CSAM reports to the U.S. National Center for Missing & Exploited Children (NCMEC) under 18 U.S.C. § 2258A and to law enforcement as required.

5.4 Intellectual Property / DMCA

For copyright infringement claims under the U.S. Digital Millennium Copyright Act, follow the procedure at https://thothato.io/legal/dmca.

We will investigate reports promptly and proportionately. We may, but are not obligated to, share the outcome of an investigation with the reporting party.


6. Enforcement

Violations of this AUP can result in a range of consequences, applied proportionately to the severity, intent, and history of the violation.

6.1 Enforcement Ladder (Non-Severe)

For first-time, non-severe, good-faith violations, our default approach is:

  1. Warning — written notice, with a description of the violation and a request for cessation.
  2. Throttle or feature limitation — temporary throttling of cycles, suspension of specific features, or revocation of API keys.
  3. Suspension — temporary suspension of access (typically 7 to 30 days), with the option to remediate.
  4. Termination — permanent termination of the Account (Section 11.4 of the Terms of Service).

6.2 Severity Override

For severe violations — including but not limited to CSAM (Section 2.3), CBRNE uplift (Section 2.7), large-scale credential abuse, attacks on third-party infrastructure, or violations causing immediate harm — we may proceed directly to suspension or termination without prior warning, and we may notify law enforcement and affected third parties.

6.3 Disclosure to Law Enforcement

We cooperate with lawful requests from law enforcement and may disclose information as described in the Privacy Policy. For CSAM, we report as required by law without prior notice to the reported user.

6.4 Refunds

We do not refund Subscription fees for the period during which a user is suspended or terminated for an AUP violation, except where required by law or where the suspension or termination was made in error.


7. Appeals

If you believe an enforcement action against your Account was taken in error, you may appeal.

7.1 Window

Appeals must be submitted within five (5) business days of the enforcement action.

7.2 How to Appeal

Send an email to [email protected] with:

  • Your Account email address
  • A brief description of the enforcement action
  • The specific factual or legal grounds on which you believe the action was in error
  • Any supporting evidence

7.3 Review

A reviewer not involved in the original enforcement decision will evaluate the appeal and respond within ten (10) business days of receipt. The reviewer may (a) reverse the action and restore access; (b) modify the action (e.g., convert termination to a warning); or (c) uphold the action with a written explanation.

7.4 Final Decision

The reviewer's decision is final at the AUP level. Your other rights under the Terms of Service (including dispute resolution under Terms of Service Section 13) are unaffected by the appeal procedure.

7.5 No Appeal for Certain Violations

Appeals are not available for confirmed CSAM violations (Section 2.3) or for confirmed CBRNE-uplift violations (Section 2.7). Accounts with confirmed violations in these categories are terminated without appeal.


8. Updates

We may update this AUP from time to time. Updates take effect on the date stated in the updated version. We will notify users of material changes through the channels described in the Terms of Service Section 14.


9. Contact