Acceptable Use Policy

This policy applies to every workload, binary, network request, piece of content, and communication originated by or through the customer's organization on the Forge Metal substrate. "Customer" here means the organization identified on the account, including its users, automation, and third parties it authorizes.

The following are prohibited without exception:

• Child sexual abuse material (CSAM), or any content depicting or soliciting the sexual exploitation of minors. Reports are forwarded to NCMEC and law enforcement immediately.
• Content or operations that violate applicable export-control law (U.S. EAR, ITAR, OFAC-sanctioned destinations, analogous regimes in other jurisdictions).
• Content that promotes or facilitates imminent violence, terrorism, or targeted harassment or stalking of a named person.
• Malware, ransomware, command-and-control infrastructure, or the live hosting of credential-phishing sites.
• Unauthorized access operations — including port-scanning, credential stuffing, brute-force login, and exploit development or detonation against systems you do not own or have written permission to test.
• Spam, unsolicited bulk email, SMS blast campaigns, or abuse of transactional email delivery.
• Cryptocurrency mining and high-intensity proof-of-work operations unrelated to a workload the customer has declared to us and that is separately priced.
• Operations designed to evade another service's rate limits or Terms of Service, including but not limited to "jailbreak-farm" style LLM API abuse, scraping that circumvents technical access controls, or the distribution of ban-evasion services.
• Content that infringes the intellectual property rights of others without license, or that misuses trademarks in a way likely to cause consumer confusion.

Workloads must not be used to originate denial-of-service attacks, reflection amplification, or sustained traffic patterns designed to degrade third-party infrastructure. Sustained resource usage materially in excess of an account's declared workload profile may be rate-limited while we discuss the workload with you.

Outbound email sent through Forge Metal must comply with the CAN-SPAM Act, GDPR lawful marketing bases, and the policies of our upstream email-delivery subprocessor. Inbound mail delivered to customer mailboxes is the customer's to handle; automated campaigns, subscribe-on-behalf-of-third-parties, and credential-harvesting via email are prohibited.

Our sandbox and long-running VM products are isolation-hardened via hardware virtualization and per-tenant durable storage, but that isolation is not a license for hostile workloads. You may not attempt to break out of your VM boundary, probe other tenants, or exploit known hypervisor or host-kernel vulnerabilities. Bona-fide security research against your own tenant is encouraged under our Security Overview's disclosure terms.

If you believe a workload or account on Forge Metal is violating this policy — yours or someone else's — contact the abuse mailbox below. Reports are triaged within one business day; active abuse is mitigated sooner.

Responses to a violation range from warning, to targeted rate-limit, to account suspension, to termination, chosen proportionally to the severity of the violation and the risk to third parties. For imminent-risk situations (active DDoS origination, live CSAM, active credential-phishing), we take immediate mitigation action without prior notice and notify the administrators after the fact.

A suspension triggered by an AUP violation follows the account lifecycle; export during the suspended state remains available unless the violation requires preserving evidence.

Material changes take effect 30 days after they are announced by email to the administrators on each affected organization. The effective date at the top of this page is the date the current version took effect. Prior versions of all policies live at /policy/changelog, and every change is recorded there in commit-addressable form.

Policy identifier: acceptable-use.

Questions and requests under this policy go to abuse@anveio.com. Security reports go to security@anveio.com and take precedence over routine policy correspondence. GDPR data-protection correspondence may be directed to dpo@anveio.com; abuse reports to abuse@anveio.com.