Skip to content

LEGAL

Acceptable Use Policy

Last updated: May 7, 2026

1. Scope

This Acceptable Use Policy (the “AUP”) applies to everyone who uses the Hashproof API, SDKs, CLI, browser extension, or dashboard (collectively, the “Service”). It supplements the Terms of Service. If your contract or MSA includes different acceptable-use provisions, those govern instead of this AUP for the conflicting terms.

2. Prohibited content

You may not submit, sign, store, or attest to content that:

  • Constitutes child sexual abuse material (CSAM) or sexualizes minors in any form. We report CSAM to NCMEC and to law enforcement.
  • Promotes or facilitates terrorism, mass violence, or violent extremism.
  • Constitutes non-consensual intimate imagery (NCII), including deepfake imagery of real people without their explicit consent.
  • Infringes copyright, trademark, trade secret, publicity, or privacy rights you do not hold or have not licensed.
  • Doxxes, harasses, or targets individuals for harm based on identity or membership in a protected class.
  • Contains malware, exploits, or active attack payloads.
  • Violates applicable export control or sanctions regimes (including OFAC, EU sanctions, and equivalent regimes in your jurisdiction).

3. Prohibited uses

You may not use the Service to:

  • Sign or attest to content you have no rights to. The signing key represents you; do not use it to assert provenance over work that is not yours.
  • Issue provenance claims that are deceptive on their face. This includes attributing AI-generated synthetic media to a human source, stripping a legitimate manifest and replacing it with a manifest under your name, or backdating a signature.
  • Resell, sublicense, or rebrand the Hashproof API as your own provenance service without a written reseller agreement.
  • Probe, scan, load-test, or attempt to exhaust the rate limits or infrastructure beyond your tier's quotas. Use the published quotas; if you need more, contact sales@hashproof.ai.
  • Circumvent metering, billing, or quota enforcement (e.g., by rotating accounts, using stolen API keys, or splitting workloads across free-tier accounts to avoid paid tiers).
  • Reverse-engineer, decompile, or extract the underlying model weights, signing keys, or proprietary algorithms.
  • Use the Service to train a competing C2PA implementation on data obtained from the Service.
  • Operate the Service on infrastructure subject to a sanctions regime that prohibits the export of US-origin software.

4. Acceptable manifest practices

Some practices are explicitly permitted because the C2PA spec supports them:

  • Signing AI-generated content as AI-generated. This is the intended use of the Service for AI platforms covered by the EU AI Act, the US Executive Order on AI, and similar disclosure regimes.
  • Issuing manifests on behalf of contributors (e.g., a stock library signing licensed work) when you have the contributor's consent and a contractual basis to do so.
  • Federating queries against external Hashproof registries you do not control. Federation is an explicit feature of the protocol.
  • Producing soft-binding (perceptual hash) records for content you expect to be re-encoded or re-uploaded.

5. Reporting violations

If you believe content signed or stored on Hashproof violates this AUP, send a report to security@hashproof.ai with the manifest ID, your relationship to the content (if any), and a brief description of the violation. CSAM reports take priority over all other queues. Copyright takedowns follow the process in our Terms.

6. Enforcement

For most violations, we will contact you with a description of the issue and a window to remediate. For severe violations (CSAM, active attack traffic, fraud), we will act without prior notice. Escalation paths:

  • Warning. Email describing the issue, with a remediation window (usually 7 days).
  • Suspension. API keys revoked, manifests preserved (read-only) for the retention window, dashboard access blocked.
  • Termination. Account closed, manifests preserved per the retention schedule in the Privacy Policy so existing verifications still resolve, then deleted.
  • Referral. For unlawful conduct, we may refer to law enforcement or the relevant regulator without prior notice to you.

7. Appeals

If you believe an enforcement action was made in error, reply to the enforcement email or contact engineering@hashproof.ai within 30 days. Appeals are reviewed by a human; a written decision follows within 10 business days.

8. Changes to this policy

We may update this AUP as the Service evolves. Material changes will be announced at least 30 days in advance via email to the account's primary contact and a dated entry on this page. Continued use after the effective date constitutes acceptance.

9. Contact

Questions about this AUP go to engineering@hashproof.ai. Reports of violations go to security@hashproof.ai.