Acceptable Use Policy (AUP)

Effective Date: May 10, 2026 Document Version: May 2026 Legally Binding Original Language: English

This Acceptable Use Policy (the "AUP") is incorporated into and forms an integral part of the Master Service Agreement ("MSA") between PaperOffice and Customer. Capitalized terms not defined herein shall have the meanings set forth in the MSA.

By accessing or using the Services, Customer and each Authorized User agree to comply with this AUP. Violation of this AUP may result in suspension or termination of access to the Services, in addition to any other remedies available to PaperOffice under the Agreement or applicable law.

1. Purpose and Scope

1.1 Purpose

This AUP defines the prohibited and restricted uses of the Services, the obligations of Customer in maintaining a safe and lawful operating environment, and the consequences of non-compliance.

1.2 Scope of Application

This AUP applies to:

(a) Customer and all of its Authorized Users; (b) All access to the Services through any interface, including web, mobile, API, MCP, and integrations; (c) All Customer Data uploaded, transmitted, processed, or stored through the Services; (d) All AI Outputs, Workflows, Tool Flows, and other artifacts generated through the Services; (e) All third parties acting on Customer's behalf or under Customer's instruction.

1.3 Customer Responsibility for Authorized Users

Customer is fully responsible for ensuring that each Authorized User and any third party acting on Customer's behalf complies with this AUP. Acts and omissions of Authorized Users are deemed acts and omissions of Customer.

2. Prohibited Uses

The following uses of the Services are strictly prohibited. Customer shall not use the Services, nor permit any third party to use the Services, for any of the following purposes:

2.1 Illegal Activity

(a) Any activity that violates applicable law or regulation in the jurisdiction of Customer, the jurisdiction of PaperOffice, the jurisdiction where the Services are accessed, or the jurisdiction where Customer's products or services are made available.

(b) Activity that constitutes or supports money laundering, financing of terrorism, fraud, theft, embezzlement, tax evasion, or insider trading.

(c) Activity that violates applicable export control or sanctions laws (including those of the European Union, Spain, the United Kingdom, the United States, and the United Nations).

(d) Activity that constitutes harassment, stalking, intimidation, or threats against any person.

(e) Activity that infringes the intellectual property rights of any third party (including copyright, trademark, patent, trade secret, or moral rights).

2.2 Harm to Persons

(a) Generating, distributing, or facilitating content that depicts, promotes, or facilitates child sexual abuse material (CSAM), regardless of fictional or real depiction.

(b) Generating, distributing, or facilitating content depicting non-consensual sexual material, including any material involving real persons without their consent (such as non-consensual deepfakes).

(c) Generating content that promotes self-harm, suicide, eating disorders, or that targets vulnerable individuals with manipulative content.

(d) Activity intended to physically harm any person, including planning or facilitating violence, terrorism, or mass-casualty events.

(e) Activity targeting minors with content unsuitable for minors, or attempting to exploit, groom, endanger, or harm minors.

2.3 Harm to Systems and Networks

(a) Introducing malware, viruses, ransomware, worms, trojans, spyware, or any other malicious code into the Services or into any system accessible through the Services.

(b) Conducting denial-of-service attacks, distributed denial-of-service attacks, or volumetric attacks.

(c) Probing, scanning, or testing the vulnerability of the Services or any third-party system without express written authorization (including penetration testing, network mapping, and security assessment).

(d) Circumventing or attempting to circumvent any security control, rate limit, quota, authentication mechanism, or access restriction.

(e) Reverse-engineering, decompiling, disassembling, or attempting to derive the source code, models, weights, training data, or underlying algorithms of the Services.

(f) Spoofing, phishing, pharming, or otherwise impersonating any person, entity, or system.

2.4 Misuse of AI and Generative Capabilities

(a) Generating content intended to deceive, mislead, or manipulate, including without limitation: disinformation, propaganda, misleading political messaging, fake news, manipulated election content, or false attribution to real persons or entities.

(b) Generating fraudulent identification documents (passports, driver's licenses, identity cards), counterfeit currency, or counterfeit certificates.

(d) Generating content that violates the prohibited practices set forth in Article 5 of the EU AI Act, including: subliminal manipulation, exploitation of vulnerabilities, social scoring, predictive policing based solely on profiling, untargeted scraping of biometric data, emotion recognition in workplaces or educational institutions (except for medical or safety reasons), biometric categorization to infer sensitive attributes, and real-time remote biometric identification in public spaces by law enforcement (except as permitted under strict conditions).

(e) Using AI Output to make fully automated decisions producing legal or similarly significant effects on natural persons, without compliance with Article 22 GDPR and applicable transparency, contestability, and human-oversight requirements.

(f) Bypassing or attempting to bypass safety mechanisms, content filters, or guardrails of the AI components.

(g) Using the Services as part of a workflow that systematically generates output without human review and that is then represented to third parties as if produced by a human, where such representation is material and misleading.

2.5 Abuse of Resources

(a) Using the Services in a manner that imposes an unreasonable or disproportionate load on PaperOffice's infrastructure.

(b) Exceeding documented rate limits, concurrency limits, or fair-use quotas through any means, including by parallel accounts, automation, or distributed access.

(c) Using the Services for cryptocurrency mining, distributed computing for unrelated purposes, or any other use that is not the intended business use of document management, AI processing, or related Services.

(d) Operating the Services as a public anonymizer, proxy, VPN endpoint, or open relay for third-party traffic.

(e) Using the Services to send unsolicited bulk communications (spam), phishing emails, or unwanted commercial communications, in violation of applicable e-privacy or anti-spam law.

2.6 Use for Competitive Purposes

(a) Using the Services or any AI Output to develop, train, fine-tune, evaluate, benchmark, or improve any competing product, service, or AI model.

(b) Using the Services to extract or reconstruct PaperOffice's models, prompts, system instructions, training data, or proprietary techniques.

(d) Reselling, sublicensing, redistributing, or making the Services available to third parties except under a separate written reseller, OEM, partner, or whitelabel agreement.

2.7 Privacy and Data Protection Violations

(a) Processing personal data through the Services in violation of applicable data protection law (including the GDPR, the LOPDGDD, and equivalent laws).

(b) Uploading personal data without a valid legal basis under Article 6 GDPR or, where applicable, Article 9 GDPR for special-category data.

(d) Failing to enter into a Data Processing Agreement (DPA) with PaperOffice where one is legally required (DPA available via the in-platform Compliance Package generator).

(e) Failing to provide required notices, disclosures, or transparency information to data subjects.

(f) Using the Services to process special-category data (such as health data, biometric data, racial or ethnic origin, religious beliefs) in a manner that is not appropriate to the purpose, scale, and risk.

2.8 Misuse Targeting PaperOffice

(a) Misusing the support channels (overwhelming support with frivolous, abusive, or vexatious tickets; making threats; impersonating other customers).

(b) Posting or causing to be posted false or defamatory statements about PaperOffice in any forum.

(d) Creating multiple Accounts to evade limits, suspensions, terminations, payment obligations, or to fragment usage to avoid quota detection.

2.9 High-Risk and Safety-Critical Use Without Appropriate Safeguards

(a) Using the Services in High-Risk Activities (as defined in Section 9.4 of the MSA) without appropriate independent safeguards, validation, redundancy, and human oversight.

(b) Relying solely on AI Output for medical diagnosis or treatment, legal decisions affecting rights, safety-critical engineering decisions, or similar consequential decisions, without qualified professional review.

(c) Using the Services in safety-of-life applications, life support systems, weapons systems, or in any application where Service failure could foreseeably cause death, serious bodily injury, or severe environmental damage.

3. Restricted Uses

The following uses are not categorically prohibited but require additional safeguards, agreements, or approvals.

3.1 Processing of Special Category Data

Customer may process special-category personal data (health data, biometric data, etc.) through the Services subject to: (i) a valid legal basis under Article 9 GDPR or equivalent; (ii) an executed DPA; (iii) appropriate technical and organizational measures; and (iv) compliance with sector-specific regulations (such as HIPAA where applicable in the United States, requiring a separate Business Associate Addendum).

3.2 Customer-Facing AI Deployment

Where Customer deploys AI features of the Services to serve Customer's own end users (for example, a customer-facing chatbot or agent), Customer shall:

(a) provide clear notice that the end user is interacting with an AI system, in accordance with Article 50 of the EU AI Act and equivalent transparency obligations;

(b) provide appropriate guardrails and content filtering;

(d) implement human oversight as appropriate to the use case;

(e) accept full responsibility for the AI Outputs displayed to its end users.

3.3 Automated Decision-Making

Where Customer uses AI Output for fully automated decision-making with legal or similarly significant effects on natural persons (Article 22 GDPR), Customer shall implement: (i) the right to obtain human intervention; (ii) the right to express a point of view; (iii) the right to contest the decision; (iv) appropriate explainability and transparency; and (v) all other obligations under applicable data protection and AI law.

3.4 Use in Regulated Industries

Customers operating in regulated industries (financial services, healthcare, legal, government, insurance, telecommunications, energy, defense) shall ensure that their use of the Services complies with all applicable sector-specific regulations. PaperOffice does not assume responsibility for sector-specific compliance and disclaims warranties of suitability for regulated use cases unless expressly agreed under a separate Order Form.

3.5 Penetration Testing of the Services

Penetration testing, vulnerability scanning, or security assessment of the Services requires prior written authorization from PaperOffice. Unauthorized testing is a violation of this AUP and may also constitute a criminal offense under applicable computer-crime law.

3.6 Training of Customer-Specific Models

Customer-specific fine-tuning or training of models, where offered as a feature, is subject to additional terms specified in the relevant feature documentation or Order Form.

4. Customer Obligations

4.1 Lawful Use

Customer shall use the Services in compliance with all applicable laws, regulations, and industry standards.

4.2 Account Security

Customer shall:

(a) maintain the confidentiality of all credentials, API keys, MCP tokens, and access keys;

(b) implement reasonable security measures, including strong passwords, two-factor authentication where available, and role-based access control;

(d) promptly notify PaperOffice of any actual or suspected security breach, credential compromise, or unauthorized access at security@paperoffice.ai;

(e) keep contact information current.

4.3 Data Cleanliness

Customer shall:

(a) scan files for malware before upload, where reasonably possible;

(b) not upload data containing known malicious payloads;

(d) not upload data the Customer is contractually or legally prohibited from disclosing.

4.4 Tier and Workflow Configuration

Customer is responsible for selecting an appropriate AI Tier and configuring Workflows, prompts, and Tool Flows in a manner suitable for the intended use. Customer acknowledges the inherent probabilistic nature of AI Outputs (see the AI Acceptable Use and Output Disclaimer).

4.5 End-User Disclosures

Where Customer's use of the Services involves natural-person end users (such as customers of Customer interacting with Customer's chatbots, signing documents, or being processed by Customer's Workflows), Customer shall provide all required disclosures, notices, and consents under applicable law.

4.6 Cooperation with Investigations

Customer shall cooperate reasonably with PaperOffice's investigations of suspected AUP violations, including by providing relevant logs, configuration data, and other information reasonably requested.

5. Enforcement

5.1 PaperOffice's Discretion

PaperOffice has sole discretion to determine whether use of the Services violates this AUP. Decisions are based on the totality of circumstances and may include consideration of pattern, intent, scale, harm, and prior history.

5.2 Range of Responses

Depending on the nature, severity, and frequency of the violation, PaperOffice may take any one or more of the following actions:

(a) Warning. Notify Customer of the violation and request remediation.

(b) Throttling. Reduce rate limits, quotas, or processing priority.

(d) Account Suspension. Suspend Customer's Account access pending investigation or remediation.

(e) Termination. Terminate the Agreement under Section 7.4 of the MSA.

(f) Removal of Content. Remove Customer Data or AI Output that violates this AUP.

(g) Reporting to Authorities. Report suspected illegal activity to law enforcement, regulatory authorities, or other appropriate parties, as legally required or permitted.

(h) Cooperation with Third Parties. Cooperate with affected third parties (such as rights holders, payment processors, or hosting providers) in their legitimate enforcement actions.

(i) Recovery of Costs. Recover from Customer the reasonable costs incurred by PaperOffice as a result of the violation, including investigation, remediation, and legal fees.

5.3 Immediate Action

Where the violation poses an imminent risk of harm to persons, systems, third parties, or PaperOffice, PaperOffice may take immediate action without prior notice, including suspension or content removal.

5.4 No Obligation to Monitor

PaperOffice has no general obligation to monitor Customer's use of the Services or Customer Data. PaperOffice may, however, monitor in connection with: (i) suspected violations; (ii) security incident response; (iii) legally compelled disclosure; or (iv) protection of PaperOffice's, customers', or third parties' rights.

5.5 No Refund on AUP Termination

Termination by PaperOffice for AUP violation does not entitle Customer to any refund of pre-paid Fees or Wallet balances, to the maximum extent permitted by applicable law.

5.6 Survival of Obligations

Customer's obligations under this AUP survive termination of the Agreement to the extent necessary to address violations occurring during the Term.

6. Reporting Violations

6.1 How to Report

Suspected violations of this AUP may be reported to PaperOffice via:

Email: legal@paperoffice.ai (general legal matters)
Email: security@paperoffice.ai (security incidents and abuse)
Email: privacy@paperoffice.ai (privacy and data protection concerns)

6.2 Information to Include

Reports should include, where possible:

(a) The nature of the violation; (b) The Account, URL, or other identifier of the suspected violator (where known); (c) Supporting evidence (screenshots, logs, samples); (d) Reporter's contact information for follow-up; (e) Whether the reporter is the affected party or a third party.

6.3 Investigation

PaperOffice will investigate credible reports in good faith and respond to the reporter where reasonable. PaperOffice does not commit to specific response times for AUP reports unless covered by an applicable SLA or DPA notification obligation.

6.4 Confidentiality of Reporters

PaperOffice will, to the extent reasonable, protect the identity of reporters of AUP violations, except where disclosure is legally required or necessary to address the violation.

7. Updates to this AUP

PaperOffice may update this AUP from time to time as set forth in Section 11 of the MSA. Updates take effect upon publication unless a longer notice period is specified. Continued use of the Services after the effective date of an update constitutes acceptance of the updated AUP.

8. Relationship to Other Agreement Documents

This AUP supplements the MSA and the AI Acceptable Use and Output Disclaimer. In the event of conflict between this AUP and another Agreement Document, the order of precedence in Section 1.2 of the MSA applies.

Last updated: May 10, 2026