Acceptable Use Policy

Provider: Apefo Ltd trading as Yhost
Effective date: 17.03.2026  |  Version: 3.0

This Acceptable Use Policy ("AUP") applies to all Services provided by Yhost. It is incorporated into the Terms of Service. Violations may result in suspension or termination, often without prior notice where necessary to protect the network or comply with law.

Our infrastructure runs on third‑party providers including Hetzner Online GmbH (Germany) and UpCloud Ltd (Finland). Their policies apply to your use of the Services. Where an upstream provider's policy imposes stricter requirements than this AUP, we will enforce the upstream rule to maintain service continuity for all customers. Any activity prohibited by our Infrastructure Providers is also prohibited under this AUP.

1. Core Principles

  • Lawful use: You may use the Services only for lawful purposes and in compliance with Applicable Law.
  • Network integrity: Your activity must not impair, disrupt, or damage our infrastructure, our Infrastructure Providers' networks, or other customers' services.
  • Safety and trust: You must not use the Services to harm others, steal credentials, distribute malware, or deceive users.
  • Abuse prevention: We operate under strict upstream provider and payment‑processor requirements; fast response to abuse is mandatory.
  • Shared responsibility: For Self‑Managed Services, you are responsible for your application, content, and security configuration. For Managed Services, we share operational responsibility within the scope defined in your plan.

2. Prohibited Activities

2.1 Malware, exploits, and unauthorized access

  • Distributing malware, ransomware, spyware, keyloggers, or other malicious code.
  • Operating botnets, command‑and‑control servers, or malware distribution infrastructure.
  • Phishing, credential harvesting, "fake login" pages, or any attempt to obtain passwords, tokens, or payment data fraudulently.
  • Unauthorized access attempts, exploitation of vulnerabilities, brute force attacks, credential stuffing, or scanning without permission.
  • Hosting or distributing exploit kits, unauthorized "cracks", or tools designed primarily for unlawful intrusion.

2.2 Spam and email abuse

  • Sending unsolicited bulk emails, messages, or advertisements ("spam").
  • Using purchased/rented lists, harvesting email addresses, or sending to recipients without valid consent or a lawful basis.
  • Operating open mail relays or misconfigured SMTP servers that enable abuse.
  • Activities causing blocklisting of our IP ranges or domains (e.g., high complaint rates, deceptive headers, spoofing, abusive bounces).
  • Violations of anti‑spam legislation, including the EU ePrivacy Directive, UK PECR, the U.S. CAN‑SPAM Act, and Canada's Anti‑Spam Legislation (CASL).

We may block outbound SMTP ports, impose rate limits, or require verified sender authentication (SPF/DKIM/DMARC). Deliverability is not guaranteed.

2.3 DDoS, traffic flooding, and network attacks

  • Launching or participating in DDoS attacks, reflection/amplification attacks, or traffic flooding.
  • Operating open DNS resolvers, NTP amplifiers, open proxies, or other services that can be abused for attacks.
  • Attempting to disrupt network routing, peering, or upstream services.

2.4 Illegal content and harmful content

  • Content that violates criminal laws, including child sexual abuse material (CSAM) — zero tolerance; reported to authorities and removed immediately.
  • Content that promotes violence or terrorism, or that is intended to facilitate serious wrongdoing.
  • Deceptive or fraudulent schemes, including impersonation, fake "support" pages, or scam storefronts.
  • Content that infringes intellectual property rights (copyright, trademarks) or privacy rights.
  • Pornographic, sexually explicit, or adult content, unless explicitly approved in writing. This restriction is imposed by our Infrastructure Providers and applies to all service tiers.
  • "Hate" sites or content that could reasonably be considered discriminatory (by race, sex, age, religion, sexual orientation, disability, or other protected characteristics).
  • Content involving theft, fraud, drug trafficking, money laundering, or terrorism.

2.5 Cryptocurrency mining NEW

The operation of applications for mining, farming, or plotting cryptocurrencies is prohibited on all service tiers, including shared hosting, VPS, and managed plans. This includes, but is not limited to: proof‑of‑work mining, proof‑of‑space plotting, proof‑of‑stake validation requiring sustained compute, and any similar blockchain computation that consumes excessive resources. This restriction is imposed by our Infrastructure Providers and is enforced without exception.

2.6 High‑risk and restricted commerce

Unless expressly approved in writing, you must not use the Services to sell or promote:

  • Illegal drugs or controlled substances, or instructions for illegal manufacture.
  • Counterfeit goods or "replica" items.
  • Stolen payment data, "carding" content, or fraud tutorials.
  • Unlicensed financial services or deceptive investment schemes.
  • Illegal gambling sites.
  • Pirated software, media, or content.

2.7 Resource abuse

  • Running workloads that unreasonably consume CPU, RAM, disk I/O, or network bandwidth and degrade service for others in shared environments.
  • Using the Services primarily as a file dump, public mirror, public file‑sharing service, or media distribution platform when not included in your plan.
  • Operating file‑sharing tools (e.g., BitTorrent clients, eDonkey) on shared hosting. On VPS, file‑sharing is permitted only where it does not violate upstream provider policies or cause abuse complaints.

2.8 Proxies, VPNs, and anonymisation services

  • Operating open proxies, open VPN endpoints, SOCKS relays, or "bulletproof" hosting services is prohibited.
  • Tor exit nodes and similar anonymisation exit services are prohibited unless explicitly approved in writing, due to high abuse risk and upstream policy constraints.
  • Reverse proxies for your own lawful website are allowed, provided they are not open to the public and do not enable third‑party abuse.

2.9 Prohibited testing

  • Penetration testing, port scanning, or vulnerability exploitation against our infrastructure without prior written permission.
  • Benchmarking or load‑testing that could impact other customers without coordinating with support.

2.10 Illegal or sensitive data processing

You are responsible for ensuring you have a lawful basis to process personal data and that you provide required notices to end users. Unless we explicitly agree in writing, you must not use the Services to process highly regulated data requiring specialised compliance frameworks, including:

  • Payment card data as a primary storage system (PCI DSS environments must be properly scoped and secured).
  • Protected health information subject to HIPAA or equivalent healthcare laws where a specific business associate agreement is required.
  • Government classified information or export‑controlled technical data requiring special handling.

3. Security and Operational Requirements

3.1 Account security

You must use strong passwords and enable multi‑factor authentication where available. You are responsible for all actions performed via your credentials. Compromised accounts are a major cause of abuse; we may suspend services until you remediate.

3.2 Software maintenance

You must keep your CMS, plugins, themes, frameworks, and server packages up to date. Outdated software is commonly exploited. If we detect a critical vulnerability on your service, we may notify you and require you to patch within a defined timeframe. In urgent cases, we may temporarily disable the vulnerable component. For Managed plans, software updates within the managed scope are handled by us; you remain responsible for application‑level code and content.

3.3 Web application firewalls and rate limits

We may use WAF rules, bot filtering, and rate limits. You must not attempt to bypass them. If your legitimate traffic is blocked, contact support with details and we will investigate.

3.4 Compromise and cleanup requirements

If your account is compromised, you must promptly reset credentials, patch vulnerable software, remove malicious files, and close attack vectors. We may require you to:

  • Provide a remediation plan and confirm completion.
  • Rebuild a VPS from a clean image if integrity is uncertain.
  • Implement MFA and IP allowlisting for administrative interfaces where feasible.

If repeated compromise occurs, we may require you to upgrade to a managed security service or we may terminate service to protect the network.

3.5 IP reputation and reverse DNS

For dedicated IP services, you are responsible for maintaining good sending practices. We may require rDNS alignment, SPF/DKIM/DMARC configuration, and removal of compromised scripts. If your activity harms IP reputation (e.g., blocklisting), we may reassign or revoke IP resources or require use of external mail delivery services.

4. Abuse Handling and Enforcement

4.1 How to report abuse

Report abuse to [email protected] and include: affected domain/IP, timestamps, log excerpts (if any), and a description of the issue. For copyright complaints, see the Terms of Service (Appendix E). For illegal content reports under the EU Digital Services Act, see the Terms of Service (Section 18.4).

4.2 Our response

We triage abuse based on severity:

  • Critical (immediate action): malware, phishing, botnets, DDoS, CSAM, active exploitation. We may suspend immediately and notify you after containment.
  • High (urgent): spam outbreaks, repeated compromise, serious policy breaches. We may require remediation within hours.
  • Standard: content complaints, minor technical policy issues. We may provide a cure period (typically 24–48 hours).

4.3 Upstream provider enforcement NEW

Our Infrastructure Providers (Hetzner, UpCloud, and others) operate their own abuse teams and may independently detect and act on policy violations on infrastructure they provide. If an upstream provider contacts us about a violation, we may be required to act within their specified timeframe (which may be shorter than our standard cure periods). In some cases, an upstream provider may lock IP addresses or suspend services directly. We will communicate upstream actions to you as promptly as possible and work with you to resolve the issue.

4.4 Statement of reasons (DSA compliance) NEW

Where we restrict or remove content, suspend an Account, or impose other restrictions in response to illegal content or a terms‑of‑service violation, we will provide you with a clear and specific statement of reasons as described in the Terms of Service (Section 18.5). This includes the restriction applied, the factual basis, the legal or contractual ground, and information about redress mechanisms.

4.5 Suspension and termination

We may suspend or terminate Services for AUP violations. We may remove or disable access to content that violates this AUP or Applicable Law. We may permanently block repeat offenders or accounts associated with fraud. In some cases (e.g., confirmed CSAM or fraud), we may refuse any future service.

4.6 Logs and evidence preservation

We may preserve logs and relevant data to investigate abuse, comply with law, or respond to upstream providers. We may share necessary information with competent authorities or affected parties where legally permitted.

4.7 Appeals

If you believe an enforcement action was taken in error, you may appeal via the client portal or by emailing [email protected]. Provide evidence and a clear explanation. We will review in good faith and respond within a reasonable timeframe, but we may keep a suspension in place until we are satisfied the risk is mitigated.

5. Managed Services NEW

If you have purchased a Managed plan, the following additional terms apply:

  • Shared responsibility: We are responsible for platform and OS‑level maintenance, updates, security hardening, and monitoring within the scope of the managed plan. You remain responsible for application‑level content, code, and compliance with this AUP.
  • Cooperation: Where we detect a vulnerability, compromise, or abuse issue in your application layer, we will notify you and may take temporary protective measures (such as disabling a vulnerable plugin) while you remediate. For urgent threats, we may act immediately.
  • Scope limits: Managed does not mean we review all your content for legality. You remain responsible for ensuring that Customer Content complies with this AUP and Applicable Law.
  • Access: We require administrative access to managed infrastructure to perform our obligations. You must not revoke or interfere with this access without prior agreement.

6. Additional Rules for Hosting, Email, and Domains

6.1 Outbound email and high‑risk ports

To protect our network reputation, upstream providers, and other customers, we may restrict or rate‑limit outbound email (SMTP) and certain ports by default on some plans or for new accounts. We may require identity/business verification before enabling outbound email or removing restrictions. You must not use our services to send spam, unsolicited bulk messages, or messages that violate applicable law.

6.2 Self‑Managed responsibility

Self‑Managed means you are responsible for the security and operation of your applications and websites. You must keep your CMS, plugins, themes, and dependencies up to date, and you must promptly remediate compromised scripts, phishing pages, and malware within your account. Repeated compromise or failure to remediate may result in suspension or termination.

6.3 Domain abuse

You must not register or use domains for phishing, brand impersonation, malware distribution, unlawful content, or other abusive activity. We may suspend DNS, redirect, lock, or disable domain‑related services where required by a registry/registrar, a lawful request, or to mitigate abuse.

6.4 Copyright and intellectual property complaints

We take IP rights seriously. If we receive a sufficiently detailed complaint (including identification of the protected work and the allegedly infringing material), we may disable access to the material and notify you. For U.S. complaints, we apply a DMCA‑style process as described in the Terms of Service (Appendix E). Repeat infringers may have their Services terminated.

7. Contact and Updates

If you have questions about this AUP, contact [email protected]. Abuse reports should be sent to [email protected].

We may update this AUP as our services and upstream requirements evolve. Material changes will be notified in accordance with the Terms of Service. Continued use after updates constitutes acceptance.

Nothing in this AUP prevents lawful security research or testing conducted exclusively on systems you own or have explicit permission to test, provided it does not impact our infrastructure or other customers.
