This Acceptable Use Policy ("AUP") governs access to and use of the Klarefi service, including hosted intake, workflow automation, document handling, operator review, evidence-backed intake support, APIs, integrations, webhooks, and related documentation and services (collectively, the "Service").

This AUP applies to customers, their affiliates using the Service under an applicable agreement, their employees, contractors, and other authorized users, and any applicants or end users interacting with customer-configured hosted intake experiences where relevant. It also applies to any person, software, or system accessing the Service through API keys, integrations, imports, exports, webhooks, service accounts, or similar mechanisms.

Customers are responsible for use of the Service under their accounts, credentials, organization, workflows, endpoints, and integrations. If a customer allows another party to access or interact with the Service, the customer must ensure that party complies with this AUP.

Customers and users must use the Service in compliance with applicable law, regulation, industry rules, contractual obligations, and internal policies. Customers remain responsible for determining whether the Service is appropriate for their use case and regulated environment.

Customers are responsible for:

• configuring workflows, notices, retention settings, review steps, and operational controls appropriately;
• obtaining and maintaining any required consents, disclosures, notices, permissions, and authorizations;
• deciding when human review, escalation, or supervisory approval is required; and
• complying with sector-specific obligations that apply to their intake process, submissions, documents, and downstream decisions.

Customers and users may not use the Service to:

• violate law or regulation, or facilitate unlawful conduct;
• commit or support fraud, impersonation, scams, laundering, unlawful evasion, or false pretenses;
• create deceptive, manipulative, or unlawful decisioning or intake flows;
• misrepresent the identity of a customer, operator, applicant, submitter, or data source; or
• conceal material review, eligibility, routing, or case-handling logic in a deceptive manner.

Klarefi is designed for intake operations in regulated environments. It may not be used to create deceptive or unlawful intake or decision-support processes.

Customers and users may not:

• gain or attempt to gain unauthorized access to the Service, another tenant, another customer's data, or related systems;
• bypass authentication, authorization, rate limits, entitlement checks, billing controls, or other security mechanisms;
• scan, probe, enumerate, or test the Service for vulnerabilities without Klarefi's prior written authorization;
• probe the platform for model vulnerabilities, prompt extraction, hidden system instructions, or private workflow logic; or
• reverse engineer private prompts, workflows, retrieval behavior, or security controls, except to the limited extent non-waivable law expressly permits.

Customers and users may not interfere with, disrupt, degrade, or destabilize the availability, reliability, or performance of the Service for Klarefi or for other customers.

Prohibited conduct includes:

• denial-of-service activity or abusive concurrency;
• queue flooding, event storms, retry storms, or replay floods;
• intentionally malformed submissions, files, payloads, or requests; and
• workflows or traffic patterns designed primarily to trigger excessive system activity, processing cost, or operational burden without a legitimate intake purpose.

Users may not:

• share credentials except where an approved service account or supported shared access method is expressly permitted;
• transfer accounts, sessions, tokens, or API keys to others;
• access or attempt to access data, cases, workflows, or endpoints they are not authorized to access; or
• use another person's identity or authentication artifacts.

Customers must safeguard credentials, manage access promptly, and notify Klarefi without undue delay if they suspect compromise, theft, or unauthorized access.

Klarefi is designed for intake operations. It is not a mass consumer chatbot service, spam engine, or general-purpose conversational front-end.

Customers and users may not:

• use the Service primarily for mass consumer chatbot traffic or unrelated general conversation workloads;
• scrape hosted intake, operator interfaces, documentation, or other product surfaces except through supported interfaces and permissions;
• generate synthetic or abusive traffic to stress, benchmark, or extract service capabilities without authorization; or
• automate interactions primarily to harvest outputs, infer internal behavior, or impose disproportionate load.

Customers and users may not upload, transmit, store, or deliver:

• malware, ransomware, spyware, trojans, worms, logic bombs, backdoors, or similar harmful code;
• exploit code or payloads intended to disable, damage, surveil, or gain unauthorized access to systems, users, or data;
• documents or files intentionally crafted to trigger parser abuse, sandbox escape, or execution vulnerabilities; or
• harmful macros, attachments, or embedded payloads.

Customers and users may not misuse APIs, integrations, webhooks, or developer access methods. Prohibited conduct includes:

• rate abuse or traffic beyond published or contracted limits;
• fraudulent, fabricated, manipulated, or duplicate events;
• abusive webhook replay, delivery flooding, or endpoint misuse;
• unauthorized data exfiltration through integrations, exports, connectors, callbacks, or webhooks;
• using integrations to bypass normal workflow, billing, entitlement, or security controls; and
• sending data or callbacks to endpoints the customer is not authorized to use.

Examples include replaying processed-intake events to avoid billing, generating false case or usage activity, or using webhooks to siphon data outside authorized customer systems.

Customers and users may not attempt to avoid, suppress, manipulate, or reclassify pricing, quotas, feature entitlements, seat limits, usage metering, billing events, invoice triggers, or commercial controls.

Without limitation, prohibited conduct includes:

• manipulating or replaying processed-intake events to avoid billing;
• splitting, masking, merging, suppressing, or reclassifying usage activity to reduce charges;
• bypassing subscription logic, environment restrictions, or feature gates; and
• using unsupported methods to obtain features, throughput, or access beyond what the customer has purchased or been granted.

Customers and users must have all necessary rights, authority, permissions, and legal basis to submit, upload, process, transmit, store, or instruct Klarefi to handle any content, documents, personal data, or other materials through the Service.

Customers and users may not:

• submit content they are not authorized to process;
• upload or use documents obtained unlawfully or without proper authority; or
• instruct Klarefi to process material in violation of confidentiality, privacy, intellectual property, secrecy, employment, or contractual obligations.

Uploaded documents and data may be submitted only where the submitting party has the right or authority to submit and process them for the relevant intake workflow.

Klarefi may support evidence-backed intake, workflow automation, and operator review, but it may not be used to evade legally, materially, or operationally required human review, supervisory review, notice, consent, disclosure, adverse-action process, retention, preservation, or audit obligations.

Where law, regulation, contract, court order, or the customer's own policy requires human review or approval, the customer must ensure that review occurs. Customers remain responsible for downstream decisions, actions, and compliance obligations arising from their use of the Service.

Customers and users may not use AI-enabled features of the Service to:

• extract, reconstruct, or infer hidden prompts, system instructions, internal reasoning policies, or private workflow logic;
• bypass safeguards intended to enforce workflow boundaries, evidence requirements, or review controls;
• test for prompt injection susceptibility, model leakage, jailbreak behavior, or similar vulnerabilities without written authorization;
• generate deceptive intake interactions, unlawful qualification logic, or misleading decision support; or
• use outputs as a substitute for legally required human or controlled review where such review is required.

Customers and users also may not systematically harvest outputs, prompts, workflow behavior, or service patterns to replicate Service functionality or to build, train, benchmark, or improve competing services where contractually restricted.

Klarefi may investigate suspected violations of this AUP and take proportionate action to protect the Service, customers, users, and third parties. This may include requesting information or remediation, removing or disabling offending content, integrations, workflows, endpoints, credentials, or access, preserving logs or evidence, rate-limiting activity, or suspending or terminating access.

Where practicable, Klarefi will provide notice and an opportunity to address the issue. Klarefi may act immediately without prior notice if reasonably necessary to address security threats, legal risk, fraud, service integrity issues, risk of harm, or suspected unlawful conduct.

Suspected abuse, credential compromise, exploit attempts, unlawful use, or other violations of this AUP should be reported promptly to mike@klarefi.com. Reports should include enough detail to help Klarefi investigate, such as the affected organization, timestamps, endpoint or workflow involved, and any relevant logs, screenshots, or request identifiers.

Klarefi may update this AUP from time to time. Updates may be posted on this page, reflected by a revised effective date, or communicated through the Service or by email where appropriate.

Continued use of the Service after the effective date of an updated AUP constitutes acceptance of the revised policy to the extent permitted by applicable law and the governing customer agreement.