Skip to content

Legal

Acceptable Use Policy

Effective date: March 22, 2026 · Last updated: April 17, 2026

1. Overview

This Acceptable Use Policy ("AUP") governs your use of the Intended platform, APIs, SDKs, CLI tools, and related services (collectively, the "Services"). This AUP supplements the Intended Terms of Service. By using the Services, you agree to comply with this AUP. Violation of this AUP may result in throttling, suspension, or termination of your access to the Services.

2. Prohibited uses

You agree to use the Services only for lawful purposes and in accordance with these Terms. The following list illustrates but does not exhaustively describe prohibited uses. Conduct not specifically listed may still violate this AUP if it: violates applicable law or regulation, violates LLM provider policies (OpenAI, Anthropic, Hugging Face), poses unacceptable security or platform integrity risk, circumvents this AUP's intent or spirit, or violates connector targets' terms of service. Intended reserves the right to update this AUP with 30 days' advance notice, and continued use constitutes acceptance.

  • Reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code of any part of the Services, except as expressly permitted by applicable law
  • Gain or attempt to gain unauthorized access to the Services, other customers' accounts, data, authority decisions, or infrastructure
  • Conduct denial-of-service (DoS) or distributed denial-of-service (DDoS) attacks against the Services or any related infrastructure
  • Scrape, crawl, or use automated means to extract data from the Services beyond what is provided through the documented APIs
  • Circumvent, disable, or interfere with authority decisions issued by the Authority Engine, including attempting to use denied or expired authority tokens
  • Forge, modify, replay, or otherwise tamper with authority tokens, including altering claims, signatures, nonces, or expiry timestamps
  • Tamper with, modify, delete, or corrupt audit trail records, hash chains, or evidence bundles
  • Use the Services to process data that you do not have the legal right to process
  • Use the Services to authorize actions that violate applicable laws, regulations, or third-party rights
  • Apply or deploy generated runtime policy artifacts to third-party systems without the review and change control appropriate for the target environment
  • Share, resell, sublicense, or redistribute access to the Services without written authorization from Intended
  • Attempt to access other tenants' data, signing keys, policies, or authority decisions
  • Introduce malicious code, viruses, worms, or other harmful software through the Services or APIs
  • Use the Services in any manner that could damage, disable, overburden, or impair the Services
  • Transmit, generate, or facilitate distribution of: Child sexual abuse material (CSAM) or non-consensual intimate imagery, Instructions for creating weapons (explosives, firearms, WMDs), Instructions for manufacturing illegal drugs or controlled substances, Instructions for conducting terrorist attacks or mass violence, Materials advocating genocide, ethnic cleansing, or crimes against humanity.
  • Facilitate financial crime: Money laundering or sanctions evasion, Identity theft, credit card fraud, or account takeover, Cryptocurrency theft or wallet compromise, Unauthorized access to bank accounts or payment systems.
  • Facilitate harassment, targeting, or harm: Targeted harassment, doxing, stalking, or coordinated campaigns, Impersonation, defamation, or false information for harm, Sexual harassment, blackmail, or extortion, Stalking or tracking individuals without consent.
  • Distribute malware or compromise systems: Malware, ransomware, trojan horses, or spyware, Botnets or command-and-control infrastructure, Exploit kits or vulnerability-as-a-service offerings, Unauthorized cryptomining or resource hijacking.

2(h) Connector misuse restrictions

You may not use Intended + any connector to:

  • Violate third-party terms of service: Bypass rate-limiting, IP restrictions, or quota controls on GitHub, Slack, Stripe, Jira, ServiceNow, or other platforms, Automate account creation or violate signup/ToS terms of targets, Circumvent authentication or multi-factor authentication, Spam, bulk-message, or DDoS third-party systems via connectors.
  • Exfiltrate or misuse third-party data: Extract proprietary code, credentials, or confidential data from GitHub repositories or connectors, Scrape or mass-download data from third-party systems without authorization, Reverse-engineer API endpoints or functionality.
  • Conduct unauthorized intelligence or account takeover: Credential stuffing or password spraying against third-party targets, Unauthorized account access or impersonation via connectors, Privilege escalation or lateral movement via Intended + connectors.
  • Conduct market research or competitive intelligence: Scrape public repositories or issue trackers for competitive intelligence without authorization, Enumerate user bases or extract customer lists from third parties.
  • Intended will enforce rate-limiting on connector requests and may suspend connector access if patterns consistent with abuse are detected.

2(j) Autonomous agent restrictions

You may not use Intended to configure, deploy, or authorize autonomous AI agents for:

  • Social engineering and phishing: Credential harvesting or password theft via social engineering, Phishing attacks (emails, SMS, chat messages), Pretexting or baiting campaigns targeting individuals or organizations.
  • Surveillance and coordinated harassment: Automated surveillance, tracking, or location stalking, Coordinated harassment campaigns or brigading, Automated abuse reporting, flag abuse, or false reporting.
  • Fraud and financial crime at scale: Automated fraud schemes (romance scams, advance-fee fraud, etc.), Mass credential compromise or account-takeover automation, Automated money laundering or sanctions evasion.
  • Generation and distribution of illegal content: Automated generation of CSAM or non-consensual imagery, Automated generation of instructions for weapons, drugs, explosives, Automated generation of malware or exploit code.
  • Circumventing security controls: Automated bypassing of CAPTCHAs, biometric, or authentication, Automated exploitation of known vulnerabilities, Automated privilege escalation or lateral movement.
  • Violating this section may result in immediate account termination and escalation to law enforcement or affected platforms (GitHub, Slack, etc.).

2(l) Sanctions and export control compliance

You may not use Intended to execute, authorize, or facilitate actions on behalf of:

  • Sanctioned jurisdictions and entities: Any person or entity listed on the OFAC Specially Designated Nationals (SDN) List, Any entity in comprehensive U.S. sanctions: Iran, Syria, North Korea, Crimea, Donetsk, Luhansk, Any person subject to OFAC secondary sanctions or sectoral sanctions.
  • Export control violations: Controlled technologies subject to Export Administration Regulations (EAR) or International Traffic in Arms Regulations (ITAR), Transfers of technology or services to embargoed destinations.
  • End-use restrictions: Military use (weapons development, targeting systems), Nuclear weapons development, Biological or chemical weapons, Missile technology.
  • This policy supplements Terms Section 20 (Export Compliance). Violating this section may result in account suspension and reporting to OFAC and Department of Commerce.

4. Sectoral compliance and gating

You may not use Intended in the following sectors without advance compliance agreement:

  • Healthcare: No use with Protected Health Information (PHI) without executed Business Associate Agreement (BAA), No use in clinical decision-making or patient eligibility determination without HIPAA compliance review, Request: email security@intended.so, subject 'HIPAA Compliance'.
  • Finance and Payments: No use in lending decisions, credit risk assessment, or payment authorization without regulatory approval, No PCI DSS-in-scope use without compliance verification, Request: email security@intended.so, subject 'Financial Services Compliance'.
  • Critical Infrastructure (Energy, Water, Transportation, Communications): No use without advance notice to Intended, No use in life-safety or grid-critical systems without CISA notification and remediation plan, Request: email security@intended.so, subject 'Critical Infrastructure'.
  • Intended will respond to compliance requests within 5 business days. Unauthorized use in gated sectors may result in account suspension.

3(i) End-user and sub-agent compliance

You ("Customer") are responsible for ensuring that all individuals, contractors, agents, AI agents, and delegation chains with access to Intended:

  • Receive a copy of this Acceptable Use Policy
  • Agree to this AUP as a condition of access
  • Understand that you (Customer) bear responsibility for their compliance
  • Are prohibited from delegating Intended access to others without your explicit authorization
  • You remain liable for all violations of this AUP by any such party, including end-users, AI agents you configure, contractors, and upstream or downstream processors. If you become aware that an end-user, AI agent, or contractor is violating this AUP, you must immediately notify Intended at abuse@intended.so and take corrective action.

3(j) Competitive use and model training restrictions

You may not:

  • Export, share, or sell Intended's audit logs, decision artifacts, compiled policies, or authority decisions to third parties for competitive purposes
  • Use Intended audit logs or decision records to train, benchmark, improve, or develop competing policy engines, intent-compilation systems, risk-scoring systems, or ML models
  • Reverse-engineer, decompile, or disassemble policy evaluation logic based on authority decision outcomes
  • Export generated runtime artifacts (policy bundles, preset configurations, endpoint metadata) for third-party use or commercial purposes without written authorization
  • Use Intended's performance, security, or compliance metrics for competitive benchmarking or public disclosure without permission
  • Violation of this section may result in account termination and, if damages result, civil liability for breach of Terms §28 (Competitive Use).

3. AI agent rules

AI agents connected to the Intended platform must comply with the following rules. As the customer, you are responsible for ensuring your AI agents' compliance:

  • Agents must not attempt to bypass, circumvent, or manipulate authority decisions. If an intent is denied, the agent must respect the denial and not resubmit equivalent intents designed to evade the policy
  • Agents must not submit fraudulent, misleading, or intentionally malformed intents designed to exploit the risk scoring engine, policy evaluation logic, or intent classification system
  • Agents must not attempt privilege escalation by submitting intents with inflated permissions, spoofed identifiers, or manipulated context parameters
  • Agents must not attempt to exfiltrate data from the Authority Engine, including other tenants' policies, decisions, or configuration data
  • Agents must respect rate limits and must not engage in automated retry patterns that constitute abuse
  • Agents must not attempt to use authority tokens issued to other agents, tenants, or for different actions than those specified in the token claims
  • Agents must include accurate and complete metadata in intent submissions, including correct action types, target systems, and environment identifiers
  • Agents and operators must not represent customer-operated third-party runtimes or preview integrations as Intended-managed services where Intended does not actually operate the runtime

4. Rate limiting and abuse

Intended enforces rate limits to protect the availability and performance of the Services for all customers. The following policies apply:

  • API rate limits are set per plan tier and are documented in the API reference. Exceeding rate limits will result in HTTP 429 responses
  • Automated patterns consistent with abuse — including rapid-fire intent submissions, credential stuffing, or systematic probing of the API — may result in immediate temporary throttling
  • Persistent abuse patterns may result in permanent rate limit reduction or suspension of API access
  • Intended reserves the right to implement adaptive rate limiting based on usage patterns to protect platform integrity
  • If you believe your legitimate use case requires higher rate limits, contact your account team or support@intended.so to discuss plan adjustments

5. Reporting violations

If you become aware of a violation of this AUP, or if you believe another user is engaging in prohibited conduct, please report it promptly:

  • Email: abuse@intended.so
  • Include: a description of the violation, any relevant evidence (logs, timestamps, identifiers), and your contact information
  • Intended will investigate all credible reports and take appropriate action
  • Reports are treated confidentially. Intended will not disclose reporter identity to the accused party except as required by law

6. Suspension and termination

(a) Immediate Suspension (No Notice Required): Intended may immediately suspend your access without notice if: Actual or imminent threat to platform security, data integrity, or other customers, Active CSAM, terrorism, weapons, or sanctions violations, Ongoing DDoS, bot, or abuse attack, Emergency breach investigation or forensic preservation. (b) Suspension with Notice (Non-Emergency): For non-emergency material breaches, Intended will provide 48 hours' advance written notice via email and opportunity to respond before suspension becomes effective. (c) Duration: Suspension remains in effect until material breach is cured or Intended determines risk has been remediated. Suspension exceeding 30 days constitutes constructive termination. (d) Termination: Either party may terminate the Services agreement with 30 days' written notice. Upon termination, Customer may export data for 30 days in accordance with Terms §13 (Data Portability). (e) Continued Violations: If Customer reengages in prohibited conduct after suspension lift, Intended may immediately terminate without additional notice.

6.5 Investigation and cooperation

To investigate alleged AUP violations, Intended reserves the right to:

  • Access your API logs, intent submissions, authority decisions, audit records, and connector activity logs
  • Request explanations, compliance evidence, or documentation of your use case
  • Engage third-party forensics experts or security researchers if needed
  • Cooperate with law enforcement, regulators, affected platforms (GitHub, Slack, etc.), or third-party victims
  • Preserve evidence and restrict your account access during investigation
  • You agree to cooperate fully with investigations, providing responsive documentation and explanations within 5 business days unless legally prohibited. Failure to cooperate may result in account termination. If Intended discovers evidence of criminal conduct (CSAM, terrorism, financial crime), Intended will cooperate with law enforcement and report as required by law.

7. Customer responsibility for AI agents

You are solely responsible for the behavior of AI agents you connect to the Intended platform. Intended provides the Authority Runtime as a policy enforcement and audit layer, but does not control or monitor the internal behavior of your AI agents. You acknowledge and agree that:

  • Intended shall have no liability for actions taken by your AI agents, whether or not those actions were authorized by the Authority Engine
  • You are responsible for configuring appropriate policies, risk thresholds, and escalation workflows to govern your AI agents
  • You are responsible for monitoring your AI agents' behavior and promptly addressing any violations of this AUP
  • You are responsible for securing and operating any third-party runtime, gateway, or target system that you configure with Intended-generated artifacts or credentials
  • If your AI agent's behavior violates this AUP, Intended may take enforcement action against your account, including throttling, suspension, or termination
  • You will indemnify Intended against claims arising from your AI agents' behavior, as specified in the Terms of Service

8. Changes to this policy

We may update this AUP to address new threats, technologies, or regulatory requirements. Material changes will be communicated with at least 30 days advance notice through the Services or by email. Continued use of the Services after the effective date constitutes acceptance of the updated AUP.

9. Contact

For questions about this Acceptable Use Policy, contact legal@intended.so. To report abuse or violations, contact abuse@intended.so.

Acceptable Use Policy | Intended