Acceptable Use Policy (AUP)

2. Scope

This AUP applies to:

• All Customers and Authorized Users
• All accounts, keys, tokens, API connections, and orchestrated model calls
• All automated systems, including scripts, bots, agents, scheduled jobs, and background processes
• All data, content, Customer Data, prompts, Outputs, metadata, logs, and derivative works
• All interactions between Customer systems and Concentrate's routing infrastructure
• Any use of the Services, whether direct or via integration with third-party or Customer-developed software

3. Definitions

For purposes of this AUP:

3.1 "Automated Decision System (ADS)" means any algorithmic or AI system that makes or meaningfully influences decisions affecting individuals' rights, eligibility, benefits, or opportunities.

3.2 "High-Risk Use" means any use that could materially affect human rights, physical integrity, legal rights, or financial harm.

3.3 "Regulated Data" includes data protected under GDPR, CPRA/CCPA, HIPAA, GLBA, FERPA, COPPA, PCI-DSS, state privacy laws, and similar data protection frameworks.

3.4 "Sensitive Data" includes: health, biometric identifiers, genetic data, financial account numbers, precise geolocation, minors' information, criminal history, sexual orientation, immigration status, and any category designated sensitive under law.

3.5 "Personal Data" means any information relating to an identified or identifiable individual, as defined under applicable privacy law and the DPA.

3.6 "Model Provider" has the meaning given in the Agreement.

3.7 "Export-Controlled Information" means information, software, or technology subject to export control or sanctions laws, including U.S. EAR or ITAR, or similar laws in other jurisdictions.

4. Relationship to the Agreement

This AUP does not expand Customer's license rights provided under the Agreement. Concentrate retains all rights, title, and interest in and to the Services, as set forth in the Agreement.

5. Customer Responsibilities

Customer is fully responsible for:

• All actions of its Authorized Users and integrated systems.
• Securely managing all credentials, keys, tokens, and administrative access.
• Implementing access controls, logging, monitoring, and permissions.
• Ensuring compliance with privacy, security, AI, and sectoral laws applicable to Customer and its Authorized Users.
• Providing Authorized User notices and disclosures required under the Transparency in Frontier Artificial Intelligence Act (TFAIA), GDPR, CPRA, and similar laws.
• Ensuring downstream uses and Outputs are subject to meaningful human oversight where required.
• Maintaining backups, redundancies, and operational controls external to the Services.
• Ensuring model Outputs are reviewed and validated before use in high-stakes contexts.

6. General Use Obligations

Customer and Authorized Users must:

• Use the Services only for lawful, authorized purposes.
• Comply with all applicable laws and industry standards.
• Use industry-standard security controls to protect Customer environments.
• Prevent unauthorized access or misuse of API keys or tokens.
• Promptly notify Concentrate of suspected misuse or incidents.
• Accurately represent Customer Data and not attempt to obscure source identity or intent.

7. Account & Credential Security Requirements

Customer and Authorized Users must:

• Keep all keys, tokens, passwords, and secrets strictly confidential.
• Comply with applicable policies to rotate keys periodically and revoke access when personnel change roles.
• Use multi-factor authentication (MFA) where available.
• Not embed keys in client-side code or public repositories.
• Restrict production keys to servers or secure secret-management systems.
• Segregate development, staging, and production keys.

8. Data Protection and Privacy Requirements

Customer is responsible for configuring routing controls consistent with applicable cross-border data transfer laws and internal governance requirements, including restrictions applicable to internationally hosted models (see Section 11.7). Customer will not submit Regulated Data or Sensitive Data to the Services except where expressly permitted under the Agreement and configured in accordance with Customer's internal governance.

Customer and Authorized Users must not:

• Upload Sensitive Data to the Services unless expressly permitted by the Agreement.
• Provide any data of a person under the age of 18 without legally required parental or guardian consent.
• Use the Services to collect Personal Data (as defined in the Data Processing Addendum available at concentrate.ai/legal/data-processing-addendum, the "DPA") without proper notice and legal basis.
• Attempt to re-identify pseudonymized or deidentified datasets.
• Upload data scraped in violation of third-party terms or law.
• Violate GDPR, CPRA, HIPAA, COPPA, GLBA, FERPA, PCI-DSS, or any similar privacy framework.

Customer and Authorized Users must:

• Provide required privacy notices to data subjects.
• Maintain lawful bases for all Personal Data processed.
• Honor data subject rights requests where applicable.
• Ensure cross-border transfers follow DPF, SCCs, or equivalent safeguards.

9. AI-Specific Governance Requirements

Customer and Authorized Users must:

• Maintain human oversight in all high-stakes decision-making.
• Not rely exclusively on model Outputs for legal, medical, financial, or safety-critical decisions.
• Document intended use cases for high-risk models.
• Implement internal controls preventing unauthorized model use in the Services.
• Use Outputs responsibly, acknowledging that models may generate errors or hallucinations.

10. High-Risk Use Restrictions

The Services may not be used for:

• Life-critical decisions (medical diagnosis, legal services, financial services, emergency services, biological threat detection, or otherwise material decisions which generally require professional advice).
• Surgical, pharmacological, or therapeutic decision support.
• Military, weapons, combat, intelligence operations, or surveillance.
• Immigration, asylum, refugee, or border-control decisions.
• Credit underwriting, insurance eligibility, housing eligibility, or employment decisions without human review.
• Scoring individuals' behavior, reliability, or "worthiness."

11. Prohibited Uses (Extended List)

Customer must also comply with any use restrictions imposed by applicable Model Providers, as communicated through the Services, documentation, or an Order Form. Customer and Authorized Users may NOT use the Services for:

11.1 Illegal, Harmful, or Abusive Conduct

• Illegal activity of any kind.
• Harassment, hate, discrimination, violence, or abuse.
• Encouraging self-harm, suicidal ideation, or dangerous acts.
• Manipulation, coercion, psychological harm, or exploitation.
• Human trafficking, sexual exploitation, escorting, or prostitution-related activity.
• Fraud, scams, phishing, impersonation, or social engineering.
• Election interference, targeted political manipulation, or civic misinformation.
• Disinformation campaigns or deceptive narratives.
• Deepfake or synthetic media that falsely represents a real individual in a manner likely to cause harm or deception, without that individual's consent or other lawful authorization.
• Unauthorized scraping or surveillance.

11.2 Security Violations

• Attempting to bypass authentication or authorization controls.
• Probing, scanning, or testing vulnerabilities.
• Conducting DDoS, flooding, or stability attacks.
• Circumventing rate limits, quotas, or billing meters.
• Sharing, reselling, or sublicensing keys or tokens.
• Using the Services to obfuscate fraudulent origin of traffic.
• Deploying bots designed to degrade availability.

11.3 Data Misuse

• Uploading sensitive, regulated, or highly personal data without permission.
• Using the Services to create consumer profiles without required notices.
• Attempting to re-identify individuals from aggregate outputs.
• Uploading data obtained through unauthorized scraping or breaches.

11.4 AI-Specific Prohibitions

• Model extraction, weight reconstruction, or architecture inference.
• Jailbreaking or circumventing model safety.
• Building systems intended to replicate or compete with Concentrate's orchestration logic.
• Using outputs to train competing models.
• Generating synthetic identities used for fraud or deception.
• Automating bots pretending to be human without disclosure.

11.5 Interference & Abuse

• Excessive load, spam requests, recursive calls, or traffic floods.
• Attempts to manipulate routing logic or vendor selection.
• Artificially inflating usage or triggering billing anomalies.
• Using the Service as a proxy to perform banned activities on other platforms.

11.6 Multimodal Copyright and Dataset Abuse

Customer and Authorized Users must not use the Services to ingest, reproduce, transform, or analyze copyrighted audiovisual, image, audio, video, or literary works for the purpose of building, training, fine-tuning, evaluating, or improving datasets or models without authorization from the rights holder.

The Services may not be used to strip watermarks, remove copyright management information, bypass technological protection measures, or extract substantial portions of copyrighted works, including in violation of 17 U.S.C. § 1201 or similar laws.

Customer must not use multimodal capabilities to systematically process third-party media libraries, subscription databases, streaming content, news archives, or proprietary image/audio/video repositories in a manner inconsistent with the applicable terms of service or intellectual property law.

11.7 International Model Hosting and Jurisdictional Restrictions

Customer and Authorized Users must not submit Regulated Data, Sensitive Data, export-controlled information, trade secrets, or data subject to contractual data-residency obligations to any model hosted in a jurisdiction designated by Customer as restricted under its internal governance policies.

Where a model is hosted in the People's Republic of China or another jurisdiction subject to heightened government access, data localization, or national security laws, Customer must independently assess and ensure that its use complies with applicable law, contractual commitments, and cross-border data transfer requirements, including GDPR, UK GDPR, CPRA, export control laws, and similar frameworks.

Customer is solely responsible for configuring routing controls, access restrictions, and data classification policies to prevent submission of restricted or regulated data to models hosted in higher-risk jurisdictions. Concentrate does not validate Customer's data classification decisions and assumes no responsibility for Customer's failure to restrict such data.

12. Intellectual Property Restrictions

Customer and Authorized Users may not:

• Reverse engineer, decompile, or attempt to derive source code from any part of the Services.
• Build or assist in building competitor platforms using insights from the Services.
• Use outputs to develop model-selection, orchestration, or routing engines competing with Concentrate.
• Remove or alter proprietary notices, branding, or metadata.
• Use the Services in any manner prohibited under the Agreement.

13. Transparency, TFAIA, & Automated Decision-Making Obligations

Customer and Authorized Users must:

• Provide any end-users with required TFAIA notices when using automated decision systems.
• Disclose when AI meaningfully influences decisions about individuals.
• Disclose when AI has been used to create any information, data, imagery, content or otherwise materials, as required under applicable law.
• Provide a channel for human review or appeal where required by law.
• Inform data subjects of their rights under GDPR/CPRA.

Concentrate will provide Customers with required provider-side TFAIA disclosures.

14. Service Integrity & Performance Protections

Concentrate may:

• Throttle or limit traffic to protect system stability.
• Reject requests that violate safety, legal, or ethical guidelines.
• Implement automated and manual monitoring to detect abuse.
• Modify safety and routing rules to comply with applicable law or Model Provider requirements.

15. Monitoring & Investigation

Concentrate may:

• Review logs, metadata, and behavioral patterns for security and compliance.
• Investigate suspected misuse pursuant to the Agreement and this AUP.
• Request additional information from Customer when necessary.
• Cooperate with legal authorities as required.

Concentrate does not inspect Customer content (including Customer Data) except as permitted by law and required for security.

16. Reporting Violations

Users must promptly report violations or security incidents to: [email protected]

17. Suspension & Termination

Concentrate may suspend or terminate access immediately if: (a) Customer or any Authorized User behavior endangers security or stability of the Services or any information related thereto; (b) Customer or Authorized User violates this AUP; (c) Customer fails to remedy noncompliance after notice; or (d) as required for legal or regulatory reasons at Concentrate's sole discretion.

18. Government, Legal Holds, and Regulatory Compliance

Concentrate may retain logs or metadata, including Usage Data and Derived Data, as required by or necessary for any legal holds, government inquiries, regulatory demands or security investigations, at Concentrate's sole discretion.

19. Updates to the AUP

19.1 Right to Modify

Concentrate may modify this AUP from time to time to reflect changes in applicable law, regulatory guidance, Model Provider requirements, security standards, abuse or fraud risks, industry practices, or changes to the Services.

19.2 Effective Date

Unless otherwise specified, modifications to this AUP become effective upon posting or otherwise making the updated AUP available through the Services or at concentrate.ai.

19.3 Notice of Material Changes

If a modification materially reduces Customer's rights or materially increases Customer's obligations under this AUP, Concentrate will provide notice consistent with the modification provisions of the Agreement. Nothing in this Section limits Concentrate's ability to implement immediate changes where necessary to: (a) comply with law, regulation, or binding legal process; (b) address a security vulnerability, active misuse, fraud, or system integrity risk; or (c) comply with Model Provider requirements that must be implemented without delay.

19.4 Continued Use

Customer's continued access to or use of the Services after the effective date of a modification constitutes acceptance of the updated AUP.

19.5 Conflicts

This AUP is incorporated into and forms part of the Agreement. In the event of a conflict between this AUP and the Agreement, the Agreement controls.

20. No Waiver

Failure to enforce any provision does not constitute a waiver of rights.

Addendum: Multimodal Content

1. Scope

This Addendum applies to use of the Services with any text, image, audio, video, or other non-text inputs or outputs (collectively, "Multimodal Content"). Customer is responsible for all Multimodal Content submitted to, generated through, or processed via the Services by Customer or its Authorized Users. In the event of conflict between this Addendum and another provision of this AUP, the stricter restriction applies, subject to the Agreement's order-of-precedence provisions.

2. No General Monitoring Duty

Concentrate does not undertake a general obligation to monitor Multimodal Content transmitted or processed through the Services. Concentrate may take action when it receives a credible report, a valid legal notice, or otherwise obtains actual knowledge of unlawful or prohibited activity.

3. Child Sexual Abuse Material and Child Exploitation

Customer must not use the Services to create, request, upload, transmit, store, process, facilitate, or distribute Child Sexual Abuse Material ("CSAM") or any content that sexually exploits or endangers minors. This prohibition applies regardless of format and includes real, manipulated, morphed, animated, or synthetic depictions, as well as any attempt to sexualize minors.

If Concentrate becomes aware of apparent CSAM, Concentrate may take action consistent with applicable law, which may include restricting access, preserving records where legally required, and making reports to appropriate authorities pursuant to 18 U.S.C. § 2258A.

4. Non-Consensual Intimate Imagery

Customer must not use the Services to generate, distribute, or threaten to distribute intimate imagery of any person without that person's consent. This includes deepfakes, manipulated media, voyeuristic imagery, or any content intended to harass, extort, or exploit an individual.

5. Sexual Content Involving Minors, Grooming, and Sexual Exploitation

Customer must not use the Services to solicit sexual content from minors, facilitate grooming, enable sexual exploitation, or produce content that encourages sexual activity involving minors. Customer must not use the Services to engage in or enable trafficking, sexual coercion, or exploitation of any person.

6. Copyright and Intellectual Property Infringement

Customer must not use the Services to upload, reproduce, distribute, publicly perform, publicly display, or prepare derivative works of copyrighted material without authorization, except to the extent permitted by law. Customer must not use the Services to remove or alter copyright management information, or to circumvent technological protection measures, including in violation of 17 U.S.C. § 1201.

Concentrate may respond to legally sufficient notices of alleged copyright infringement consistent with the Digital Millennium Copyright Act, 17 U.S.C. § 512, including by disabling access to identified material and providing notice to the relevant account as required by law.

7. Privacy Violations and Unauthorized Surveillance

Customer must not use the Services to invade privacy, unlawfully collect personal data, or engage in unauthorized surveillance. Customer must not use the Services to identify, dox, track, or infer sensitive personal information about an individual in violation of applicable law or rights.

8. Fraud, Impersonation, and Deceptive Practices

Customer must not use the Services for fraud, impersonation, or deceptive practices, including generating or distributing content that misrepresents identity, authority, origin, or authenticity in a manner likely to cause harm. Customer must not use the Services to forge documents, facilitate scams, or enable social engineering targeting individuals or organizations.

9. Malware, Exploitation, and Security Abuse

Customer must not use the Services to develop, generate, distribute, or operationalize malware, exploits, phishing content, credential theft, unauthorized intrusion, denial-of-service activity, or instructions intended to facilitate wrongdoing. Customer must not use the Services to bypass security controls, probe vulnerabilities without authorization, or misuse the Services to compromise systems or accounts.

10. Hate, Harassment, and Violence

Customer must not use the Services to promote violence, threaten physical harm, incite hatred, or harass or target individuals or protected groups. Customer must not use the Services to facilitate violent wrongdoing, terrorism, or unlawful extremist activity.

11. Enforcement

If Concentrate receives a credible report, a valid legal notice, or otherwise obtains actual knowledge of unlawful or prohibited use, Concentrate may take action to protect the Services and comply with law. Such action may include restricting access to specific content, suspending or terminating accounts, preserving records where legally required, and cooperating with valid legal process.

12. Customer Controls and Compliance

Customer is responsible for configuring its use of the Services in a manner consistent with applicable law and this AUP, including restricting the submission of regulated, export-controlled, sensitive, or otherwise restricted data where required. Concentrate does not provide legal advice and does not determine Customer's compliance obligations.