This Acceptable Use Policy (“AUP”) governs your use of all Mataki Labs LLC (“AuditStore”) services, products, websites, and APIs (the “Services”). This AUP is incorporated by reference into the Terms of Service and any Master Services Agreement between you and AuditStore.

Violation of this AUP may result in suspension or termination of your access to the Services.

1. Intended Use

AuditStore is designed exclusively for recording actor-initiated state changes as immutable, hash-chained audit events. Permitted uses include:

  • Recording user actions, system events, and authorization decisions for compliance and forensic purposes
  • Querying and exporting audit trail data for security reviews, incident investigations, and regulatory compliance
  • Verifying Ledger integrity using Merkle proofs and hash-chain verification
  • Integrating the SDK into your applications to capture audit context automatically
  • Using the API to build audit trail interfaces for your end users

2. Prohibited Activities

You may not use the Services to:

2.1 Illegal Activity

  • Violate any applicable law, regulation, or governmental order.
  • Facilitate, promote, or engage in illegal activities, including money laundering, terrorism financing, or trafficking.

2.2 Harmful Content

  • Emit events containing content that is defamatory, libelous, obscene, or that promotes violence or discrimination.
  • Emit events containing material that infringes or misappropriates third-party intellectual property rights.
  • Distribute, host, or transmit malware, viruses, worms, ransomware, spyware, or other malicious code through the Services.
  • Emit events containing child sexual abuse material (CSAM). AuditStore will report any discovered CSAM to the National Center for Missing and Exploited Children (NCMEC) and to law enforcement.

2.3 Misuse of the Audit Ledger

  • Store operational telemetry. AuditStore is not a logging pipeline, metrics store, or application performance monitoring tool. System health signals, error rates, request latency data, and other operational telemetry should be directed to appropriate observability tools (e.g., Datadog, Grafana, Prometheus). The boundary between audit events (actor-initiated state changes) and operational telemetry (system-generated signals) is non-negotiable.
  • Store primary application data. The Services are a compliance record, not a database. Do not use AuditStore as a primary data store for application state, user profiles, content, or transactional data.
  • Circumvent immutability. Do not attempt to modify, backdate, delete, or tamper with events in any Ledger through any means, including API manipulation, exploiting system vulnerabilities, or social engineering of AuditStore personnel.
  • Abuse Legal Holds. Do not apply Legal Holds for purposes unrelated to legitimate legal, regulatory, or compliance requirements.

2.4 Abuse and Exploitation

  • Send unsolicited bulk messages (spam) using data obtained from the Services.
  • Engage in phishing, social engineering, or any deceptive practice intended to obtain credentials, personal information, or financial information.
  • Harvest, scrape, or collect information about other AuditStore customers without their consent.
  • Interfere with or disrupt the integrity, performance, or availability of the Services, including denial-of-service attacks, resource exhaustion, or intentional overloading.

2.5 Unauthorized Access

  • Access or attempt to access accounts, Ledgers, or data that you are not authorized to access.
  • Circumvent, disable, or interfere with any security, authentication, rate-limiting, or access-control mechanisms of the Services.
  • Reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code of the Services, except to the extent expressly permitted by applicable law or for open-source SDK components under their applicable licenses.
  • Use the Services to probe, scan, or test the vulnerability of any system or network, except with AuditStore’s prior written authorization for legitimate security testing of your own account.

2.6 Resource Abuse

  • Use the Services for cryptocurrency mining, distributed computing, or workloads unrelated to the intended use of the Services.
  • Attempt to exceed or circumvent usage limits, rate limits, or quota restrictions associated with your service tier.
  • Create multiple accounts to circumvent Dev tier limits or to evade enforcement actions.
  • Use automated tools to create accounts, emit events, or make API calls in a manner that is inconsistent with the Documentation or intended use of the Services.

2.7 Competitive Misuse

  • Use the Services to develop, train, or improve a product or service that competes with the Services, except to the extent your use is limited to the open-source SDK components under their applicable licenses.
  • Conduct benchmarking or performance testing of the Services for publication without AuditStore’s prior written consent.
  • Resell, sublicense, or redistribute access to the Services except as expressly permitted in your agreement with AuditStore.

2.8 High-Risk Use

  • Use the Services in any application where failure could lead to death, personal injury, or environmental damage (e.g., medical life-support systems, nuclear facilities, air traffic control) without AuditStore’s prior written authorization and appropriate contractual safeguards.

3. Your Responsibilities

3.1 Data Responsibility

You are solely responsible for all data and content you emit to the Services (“Customer Data”), including all audit events, actor identifiers, resource identifiers, metadata, and context fields. You represent and warrant that you have all necessary rights and legal basis to emit Customer Data to the Services and that Customer Data does not include information you are not authorized to store in an immutable audit ledger.

3.2 End User Compliance

If you permit third parties (including your end users, customers, or authorized users) to access the Services through your account or API keys, you are responsible for ensuring that their use complies with this AUP. You will establish and enforce an acceptable use policy for your end users that is no less restrictive than this AUP.

3.3 Security

You are responsible for maintaining the security of your account credentials and API keys. You will not share API keys or embed them in publicly accessible code. You will promptly notify AuditStore at security@auditstore.dev if you become aware of any unauthorized access to your account or any Ledger.

3.4 Personal Data in Audit Events

You acknowledge that audit events are immutable once recorded. If you emit events containing personal data, you are responsible for ensuring you have a lawful basis for immutable storage for the duration of the applicable Retention Policy. See the Data Processing Addendum for details.

4. Enforcement

4.1 Monitoring

AuditStore does not proactively monitor Customer Data for violations of this AUP. However, AuditStore may investigate violations that come to its attention through automated systems (e.g., abuse detection, rate limiting), third-party reports, or law enforcement requests.

4.2 Actions

If AuditStore reasonably determines that a violation of this AUP has occurred or is occurring, AuditStore may, in its sole discretion:

  • Issue a warning and request that you cease the violating activity.
  • Suspend access to the affected Services or account, in whole or in part.
  • Throttle or restrict API access for the affected account or Ledger.
  • Terminate your account.
  • Report the violation to law enforcement or other appropriate authorities.

4.3 Notice

Except where immediate action is reasonably necessary to protect the Services, other customers, or third parties, AuditStore will provide you with reasonable notice and an opportunity to cure before taking enforcement action. Where immediate action is taken, AuditStore will notify you as soon as practicable thereafter.

4.4 No Obligation

AuditStore has no obligation to enforce this AUP against other users on your behalf. This AUP does not create any obligation for AuditStore to monitor or police your use of the Services.

5. Reporting Violations

If you become aware of a violation of this AUP, please report it to abuse@auditstore.dev. Reports should include: the nature of the violation, the account or resource involved (if known), and any supporting evidence.

6. Changes to This Policy

AuditStore may update this AUP from time to time. We will notify you of material changes at least thirty (30) days in advance. Your continued use of the Services after the effective date constitutes acceptance of the updated AUP.

7. Contact

Questions about this AUP should be directed to abuse@auditstore.dev or legal@auditstore.dev.