Subduxion Acceptable Use Policy
Last updated: October 1, 2025
Version: 1.0
Company: Subduxion B.V. (“Subduxion”)
Registered office: High Tech Campus 5, 5656 AE Eindhoven, the Netherlands
Contact: privacy@subduxion.com | abuse@subduxion.com | security@subduxion.com
Governing Law: Laws of the Netherlands; exclusive jurisdiction of the Dutch courts
1. Introduction & Acceptance
1.1 This AUP governs access to and use of Subduxion’s managed AI solutions and related professional services, including any integrated components, connectors, agents, models, plugins, tooling, or documentation (collectively, the “Services”).
1.2 This AUP binds each Subduxion customer (“Customer”) and its authorised end users (“End Users”). By using the Services, Customer and End Users accept this AUP.
1.3 The AUP forms part of the contractual framework with Subduxion and should be read alongside the Master Services Agreement (“MSA”), the Data Processing Agreement (“DPA”), the Terms and Conditions (“T&C”), the Information Security Policy, the Responsible AI Policy, the Privacy Policy, and the Cookie Notice.
In the event of any conflict or inconsistency between these documents, the following order of precedence shall apply (highest to lowest):
(i) the MSA;
(ii) the DPA;
(iii) the T&C;
(iv) this AUP;
(v) the Information Security Policy;
(vi) the Responsible AI Policy;
(vii) the Privacy Policy and Cookie Notice.
2. Definitions
“Artifacts”: configurations, prompts, chains, agents, retrieval settings, orchestration logic, and related implementation materials.
“Confidential Information”: non-public information disclosed by a party, including trade secrets and security architecture.
“Controller / Processor / Sub-processor”: as defined by applicable data protection laws.
“Customer Data”: data provided by or on behalf of Customer to the Services.
“End User”: an individual authorised by Customer to use the Services.
“Harmful Activity”: activity reasonably likely to cause harm to persons, property, systems, or rights.
“High-Risk Use”: uses defined in §7 that are prohibited or require prior written approval.
“Malware”: code intended to disrupt, damage, or gain unauthorised access.
“Output”: content generated or returned by the Services.
“Personal Data”: information relating to an identified or identifiable individual.
“Security Event”: unauthorised access to or acquisition of Customer Data within the Services.
“Sensitive Data”: special categories under GDPR and comparable laws, plus children’s data, precise geolocation, financial account numbers, government IDs, health/biometric templates.
“Services”: see §1.1.
“Upstream Providers”: third-party providers of models, hosting, vector stores, CDNs, and related components integrated into the Services.
3. Deployment Modes & Data Flow
3.1 Subduxion may deliver the Services via: (a) Customer-managed tenant; (b) Subduxion-managed tenant; or (c) hybrid.
3.2 Customer is responsible for approving integrations, data sources, and connectors, and for validating data rights. Subduxion orchestrates approved third-party services and does not provide a base foundation model.
3.3 Data locations, logging, and storage are described in the DPA and relevant implementation documentation.
4. Applicability & Flow-Down
4.1 Customer and End Users must comply with this AUP and applicable Upstream Provider terms and safety policies. If this AUP, an Upstream Provider policy, or the AI Act impose different requirements, the stricter requirement applies.
4.2 Customer is responsible for the acts and omissions of its End Users and for reasonable admin controls (RBAC, SSO/MFA, key hygiene).
5. Customer & End-User Responsibilities
5.1 Use the Services lawfully; provide accurate account details; protect credentials and API keys; respect rate limits; do not disable safety, moderation, audit, or governance controls.
5.2 Implement human-in-the-loop review for critical decisions and prior to reliance on Outputs.
5.3 Configure data sources, retrieval, prompts/agents, and integrations responsibly; ensure you have a lawful basis and sufficient rights to ingest data.
5.4 Do not upload malicious code or otherwise degrade or stress the Services.
6. Prohibited Content & Activities
The following are prohibited (non-exhaustive):
a) Illegal activity; infringement; scraping protected content without rights.
b) Child sexual abuse material, exploitation, trafficking; non-consensual intimate imagery.
c) Hate, harassment, threats, incitement, terrorism, or extremist content.
d) Weapons, explosives, or CBRN construction/procurement guidance.
e) Malware, ransomware, spyware; credential attacks; prompt-injection or evasion of safety/security controls.
f) Fraud, scams, phishing, identity theft, money laundering.
g) Illegal surveillance, doxxing, or invasion of privacy.
h) Deceptive impersonation or deepfakes without lawful authority and clear disclosure.
i) Reverse engineering or extraction of models, embeddings, weights, hidden prompts; benchmarking intended to disclose or manipulate confidential performance.
j) Overriding rate limits; stress or penetration testing without Subduxion’s prior written approval.
7. High-Risk Uses & Sectoral Restrictions
7.1 Prohibited or Subduxion-preapproved only: medical diagnosis/treatment, emergency response, legal/financial advice, credit scoring, employment or housing eligibility, biometric identification, critical infrastructure, law enforcement, migration/asylum decisions, or any use with legal or similarly significant effects.
7.2 If expressly approved in writing, Customer must implement heightened controls (human review, disclosures, audit logs, risk assessments, and data minimisation).
7.3 For any use falling within or analogous to Annex III high-risk areas under the AI Act, Subduxion’s prior written approval is required. Where applicable, Customer must complete and maintain (i) a Fundamental Rights Impact Assessment (FRIA) and (ii) any required transparency notices, human-oversight measures, and record-keeping, and align with any Data Protection Impact Assessment (DPIA) under GDPR.
8. Sensitive Data Restrictions
8.1 Do not submit Sensitive Data unless (i) expressly permitted in the MSA/DPA and (ii) processed in a documented, compliant environment approved by Subduxion in writing.
8.2 Customer must ensure a valid legal basis and all required notices/consents for any Personal Data submitted.
8.3 If the Customer or its End Users submit or otherwise process Sensitive Data in violation of this AUP or the contractual framework, the Customer shall be solely responsible and fully liable for any resulting damages, claims, losses, fines, or regulatory actions. Subduxion shall have no liability in this respect and the Customer shall indemnify and hold Subduxion harmless from any related third-party claims or enforcement actions.
9. Data, Privacy, and Security
9.1 Roles: typically Customer = Controller of Customer Data; Subduxion = Processor (see DPA).
9.2 Processing details, retention/deletion, and Sub-processors are governed by the DPA and live lists referenced therein.
9.3 Telemetry/logs may be collected for security, abuse prevention, service quality, and support; default retention: 12 months (unless otherwise agreed or required by law).
9.4 Security: encryption in transit and at rest where applicable; industry-standard controls. Incident cooperation per DPA (Customer→Subduxion on suspected compromise; Subduxion→Customer on confirmed Security Events).
10. Outputs & Reliance
10.1 Outputs may be inaccurate, incomplete, or contextually inappropriate. Customer must apply human review before relying on Outputs, especially in regulated contexts.
10.2 Do not present Outputs as regulated professional advice unless Customer independently satisfies all regulatory duties and Subduxion authorises such use in writing.
11. Intellectual Property & Feedback
11.1 Customer retains rights in Customer Data. Output and Artifact allocation follows the MSA. Subduxion will not train foundation models on Customer Data unless expressly agreed.
11.2 Customer grants Subduxion a non-exclusive, royalty-free, sublicensable licence to use Feedback to improve the Services (subject to any agreed opt-out).
12. Upstream Providers & Third-Party Terms
12.1 The Customer must comply with the applicable terms, conditions, and safety policies of any third-party providers integrated into the Services (“Upstream Providers”), including but not limited to hosting providers, AI model providers, and vector database providers.
12.2 A current list of Upstream Providers relevant to the Services is maintained by Subduxion and may be provided to the Customer upon request. Subduxion may update the list of Upstream Providers from time to time by written notice (including by email or update in the Documentation). Continued use of the Services after such notice constitutes acceptance of such updates.
12.3 Subduxion shall not be liable for any interruption, defect, or damage caused by Upstream Providers, except to the extent caused by Subduxion’s own gross negligence or willful misconduct.
13. Compliance with AI & Export Laws
13.1 Customer must comply with export control, sanctions, anti-corruption, and import laws. No use by or for Restricted Parties or in Embargoed Territories.
13.2 Where the Services are used in the EEA/UK, Customer and its End Users must comply with the EU Artificial Intelligence Act (the “AI Act”) as applicable to their role (including “deployer” obligations). If Customer white-labels, substantially modifies, or determines the intended purpose of an AI system in a way that triggers “provider” status under the AI Act, Customer will comply with all provider obligations and must not cause Subduxion to breach the AI Act or any applicable flow-down terms. Customer will promptly furnish Subduxion with evidence of its AI Act compliance on reasonable request.
13.3 The Customer shall indemnify and hold harmless Subduxion, its Affiliates, and Personnel against any claims, fines, penalties, or enforcement measures arising out of or in connection with the Customer’s failure to comply with obligations under the EU Artificial Intelligence Act or analogous regulations, insofar as such failure is attributable to the Customer’s use of the Services.
14. Monitoring, Enforcement, and Suspension
14.1 Subduxion may monitor use for compliance, investigate suspected breaches, and request information.
14.2 Enforcement ladder: warning → temporary restriction → suspension → termination for cause, at Subduxion’s discretion and proportional to risk.
14.3 Immediate suspension may occur for egregious harm, legal risk, or threats to the Services or others.
14.4 The Customer shall be responsible for all costs, damages, and third-party claims arising from breaches of this AUP, including but not limited to reasonable remediation costs, legal expenses, regulatory fines, and reputational mitigation costs attributable to the Customer’s conduct.
14.5 Any breach of this AUP by the Customer or its End Users shall constitute a material breach of the Terms and Conditions and entitle Subduxion to suspend or terminate the Services in accordance with the termination provisions of the Terms and Conditions, without prejudice to Subduxion’s other rights and remedies.
15. Notice-and-Takedown / Repeat Infringer Policy
15.1 Report abuse or infringement to abuse@subduxion.com. Subduxion may disable or remove content and suspend access.
15.2 Repeat infringers may be terminated.
16. Changes to this AUP
16.1 Subduxion may update this AUP from time to time. Material changes will be notified at least 30 days in advance unless earlier changes are required for safety, security, or legal compliance. Continued use after the effective date constitutes acceptance.
17. Contact
Subduxion B.V., High Tech Campus 5, 5656 AE Eindhoven, the Netherlands
privacy@subduxion.com | abuse@subduxion.com | security@subduxion.com
Annex A - Prohibited Content & Activities (Matrix)
| Area | Prohibition | Examples (non-exhaustive) |
|---|---|---|
| Illegal & IP | Unlawful use; IP infringement; unauthorised scraping | Circumventing paywalls; copying datasets without licence |
| Safety & Harm | Child exploitation; hate/harassment; incitement; terrorism | Threats, recruitment, glorification of violence |
| Weapons/CBRN | Construction/procurement guidance | Bomb-making steps; chemical weaponization |
| Security Abuse | Malware; credential attacks; safety bypass | Key-logging scripts; prompt-injection to exfiltrate secrets |
| Fraud & Deception | Scams, phishing, identity theft, money laundering | Synthetic IDs; mule recruitment scripts |
| Privacy Violations | Illegal surveillance; doxxing; non-consensual imagery | Stalkerware; deanonymisation attempts |
| Misrepresentation | Deceptive impersonation; undisclosed deepfakes | Fake CEO voice to authorise payment |
| Reverse Engineering | Extracting models/weights/prompts; hostile benchmarking | Attempting to recover hidden system prompts |
| Service Integrity | Rate-limit evasion; unapproved stress/pen tests | Traffic flooding; automated scraping beyond limits |
Annex B - High-Risk Use Controls (Pre-Approval Required)
The following minimum controls apply to any High-Risk Use approved in writing by Subduxion. They are non-exhaustive; Subduxion may require additional measures based on context, law, or Upstream Provider terms. Customer (as deployer) is responsible for implementing and evidencing these controls.
Purpose & Legal Basis - Document the intended purpose, lawful basis, and a risk assessment; conduct a DPIA and, where applicable, a Fundamental Rights Impact Assessment (FRIA).
Human Oversight - Assign qualified human reviewers, define escalation paths, and require human sign-off before any legally/significantly impactful action.
Guardrails - Enable safety filters, RBAC, and dual-control for critical actions; do not disable moderation or governance controls.
Audit Logging - Maintain immutable, time-stamped logs sufficient for traceability and investigations; retain for the longer of the period required by law/regulator or the period agreed in the MSA/DPA.
Transparency - Provide required notices/disclosures to affected individuals and stakeholders; offer opt-out where mandated.
Data Minimisation & Retention - Limit inputs/outputs to what is necessary; align retention with legal and contractual requirements.
Testing & Quality - Perform pre-deployment and periodic testing proportionate to risk (e.g., bias/fairness checks, red-teaming); maintain a rollback plan.
Incident Readiness - Maintain playbooks for detection, containment, notification timelines, and remediation; cooperate with Subduxion on investigations.
Subduxion may withhold approval or suspend a High-Risk Use if these controls are not maintained, or if required by law, safety, or Upstream Provider obligations.
Annex C - Upstream Provider Flow-Downs
Subduxion maintains an internal schedule of Upstream Providers applicable to the Services. This schedule contains the identity of the provider, a description of the relevant service, and any salient obligations imposed by such provider. Subduxion will provide the current schedule to the Customer upon request and will notify the Customer in writing of any material changes. The Customer must at all times comply with such flow-down obligations as communicated by Subduxion.
Key obligations:
Follow content safety policies; do not bypass filters or rate limits.
No attempts to extract training data, embeddings, weights, or hidden prompts.
Comply with applicable export/sanctions restrictions.
Respect IP rights and lawful data sourcing.
No use for generating malware or facilitating unlawful activity.
(The live schedule lists current providers, policy links, and salient restrictions. Subduxion may update this list by notice.)
Annex D - Jurisdictional Addendum
EU/UK (GDPR & ePrivacy):
Roles: Customer = Controller; Subduxion = Processor (see DPA).
SCCs/UK addendum for international transfers where applicable.
Cookie and tracking technologies governed by the Cookie Notice.
Where the EU AI Act applies to Customer as a deployer, Customer must meet deployer duties (risk management, human oversight, record-keeping, transparency) commensurate with risk and use case.
United States:
Comply with sectoral and state laws (e.g., consumer privacy, unfair/deceptive practices).
COPPA is not targeted; Services are B2B and not directed to children.
Other regions:
Where local law imposes stricter requirements, the stricter standard governs.
Annex E - “AUP at a Glance” (Plain-Language Summary)
Who this applies to: Subduxion customers and their authorised users.
Golden rules: Use the Services lawfully, keep credentials safe, don’t disable safety controls, review AI outputs before acting.
Never allowed: Illegal content, IP theft, child exploitation, hate/violence, weapons/CBRN guidance, malware or security abuse, fraud, privacy invasion, deceptive impersonation, extracting hidden model details, evading rate limits.
High-risk uses: Medical, legal, financial, biometric, critical infrastructure, law enforcement, and similar uses are banned or require Subduxion’s written approval plus extra controls.
Sensitive data: Don’t submit special categories/children’s data/IDs/biometrics unless explicitly permitted in the MSA/DPA and processed in a compliant environment.
Data & security: Customer is Controller; Subduxion is Processor. We keep security logs and may act on abuse.
Enforcement: We can warn, restrict, suspend, or terminate for violations—immediately for serious risk.
Need help or to report abuse? abuse@subduxion.com