Acceptable Use Policy
1. Purpose
This Acceptable Use Policy (“AUP”) sets rules for use of AffixIO’s stateless yes/no eligibility verification Services, APIs, SDKs, dashboards, and signed proof features. It protects AffixIO, our customers, data subjects, and the integrity of verification outcomes. Violations may result in suspension or termination under our Terms of Service.
2. Applicability
This AUP applies to all users of the Services, including employees, contractors, agents, and integrators acting on behalf of a customer account. Customers are responsible for violations by their personnel and downstream integrators. If you disagree with this AUP, do not use the Services.
3. Permitted Uses
Subject to law and your Order, you may use AffixIO to:
- evaluate whether a subject meets defined eligibility criteria and return yes/no or enumerated verdicts;
- issue and verify signed proofs for audit, reconciliation, and dispute resolution;
- integrate verification into payment flows, government benefit or permit systems, licensed agent onboarding, and compliance monitoring;
- test and develop integrations in sandbox environments with synthetic or anonymised data;
- document policies and circuits for internal governance and regulator examination where authorised.
Permitted use requires appropriate notices, lawful bases, and technical minimisation on your side, as described in our Privacy Policy and your regulatory obligations.
4. Prohibited Uses
You must not use the Services to:
4.1 Unlawful or harmful activity
- violate applicable criminal, civil, or regulatory law;
- facilitate fraud, money laundering, sanctions evasion, or terrorist financing;
- discriminate unlawfully or deploy biased rules without required safeguards and oversight;
- harass, threaten, or endanger individuals;
- interfere with elections or democratic processes except under lawful government authority with appropriate transparency.
4.2 Data misuse
- submit special category personal data (health, biometrics for identification, etc.) unless explicitly permitted under a signed DPA and technical controls;
- use AffixIO as a general-purpose identity datastore or document vault;
- attempt to reconstruct suppressed PII from verdicts, proofs, or side channels;
- sell or license access to raw eligibility inputs obtained from third parties without rights;
- retain data at the verifier in violation of default no-PII configuration without written opt-in.
4.3 Technical abuse
- probe, scan, or test vulnerabilities except through our coordinated disclosure programme;
- overload infrastructure, bypass rate limits, or share API keys across unauthorised parties;
- forge, replay, or tamper with signed proofs or present forged proofs as genuine;
- reverse engineer the Services to replicate proprietary formats for competing products;
- use the Services to distribute malware or command-and-control traffic.
4.4 Misrepresentation
- represent AffixIO verdicts as legal determinations, credit scores, or government approvals unless accurate and authorised;
- remove or alter proof signatures or misstate policy versions;
- imply endorsement by AffixIO of your product without written permission.
5. Data Minimisation and Inputs
Customers must configure circuits to request only attributes necessary for the decision. Bulk uploads of full identity files, complete payment track data, or medical records are prohibited unless covered by an enterprise architecture review.
You must not use production credentials with real subject data in demonstration environments. Sandbox keys are provided for testing.
- Hash or tokenise stable identifiers where possible before transmission.
- Avoid sending cleartext government ID numbers when a token suffices for the policy.
- Log verdicts and proof identifiers on your side; do not log full inputs in client-side code.
6. Payments Use Cases
Payment customers may use AffixIO for authorisation assistance, merchant category gating, and risk-based yes/no checks. You must:
- remain compliant with PCI DSS, card network rules, and anti-fraud regulations applicable to your role;
- not use AffixIO as a substitute for required strong customer authentication where mandated;
- provide clear consumer communication when a transaction is declined based on automated checks;
- maintain records required by acquirers and regulators outside AffixIO.
7. Government Use Cases
Public-sector users must deploy policies consistent with administrative law, official secrecy, and citizen rights. Prohibited activities include covert surveillance, undisclosed profiling, and denial of benefits without appeal paths where required. AffixIO does not replace published statutory criteria; customers must map circuits to legal authority.
8. Agents, Brokers, and Compliance
Licensed agent and compliance workflows may gate product access using AffixIO. You must honour fair lending, insurance, and professional licensing rules, including human review where regulators require. Using yes/no outputs to conceal unlawful redlining or exclusionary practices is prohibited.
9. Signed Proofs
Signed proofs attest to AffixIO’s issuance of a verdict under an identified policy version. You must verify proofs using current public keys, respect key rotation, and not strip or alter cryptographic material. Presenting expired or forged proofs to third parties, courts, or regulators is prohibited.
10. Security Obligations
Customers must implement reasonable security measures, including:
- protecting API keys and rotating compromised credentials immediately;
- using TLS 1.2 or higher for all production traffic;
- restricting dashboard access by role;
- reporting suspected incidents through our Security page without undue delay.
Failure to remediate critical vulnerabilities in your integration after notice may be treated as an AUP violation.
11. Rate Limits and Fair Use
Automated traffic must respect published rate limits and burst policies. Scraping public documentation is permitted at reasonable volume; attacking status endpoints or conducting denial-of-service tests without written authorisation is not. We may throttle or block traffic that degrades service for others.
12. Monitoring and Enforcement
AffixIO may monitor usage metadata, security signals, and anonymised patterns to enforce this AUP and protect the platform. We do not use monitoring to rebuild personal profiles of end subjects at the verifier.
Enforcement actions include warnings, temporary suspension, permanent termination, and cooperation with law enforcement where legally required. Appeals may be submitted through the contact page with factual detail; we respond where appropriate but are not obligated to reinstate accounts that pose ongoing risk.
13. Reporting Violations
To report suspected violations of this AUP or abuse originating from an AffixIO customer, use the Contact Us page with relevant logs, timestamps, and account identifiers if known. Security vulnerabilities should be reported separately under our security disclosure process.
14. Changes
We may update this AUP to address new risks or legal requirements. Continued use after the posted effective date constitutes acceptance where permitted. Material restrictions will be communicated to registered customers when practicable.
