Acceptable Use Policy

Last updated: March 7, 2026

This Acceptable Use Policy ("AUP") governs use of the ComplianceLayer API and related services. Because ComplianceLayer performs active network scanning, responsible use is essential — both legally and ethically. Violations may result in immediate account termination.

1. Authorization Requirement

The cardinal rule: only scan infrastructure you own or have explicit written authorization to scan.

This includes:

  • Domains registered to you or your organization
  • Client domains where you have a written MSP/security agreement that includes security assessment rights
  • Test environments you control

Scanning domains or IP ranges without authorization may violate the Computer Fraud and Abuse Act (CFAA), similar state laws, and international equivalents. ComplianceLayer is not liable for unauthorized scanning conducted via your account — you are solely responsible.

2. Prohibited Uses

You may not use ComplianceLayer to:

  • Scan domains or infrastructure without owner authorization
  • Conduct reconnaissance for offensive security operations against targets you do not own
  • Facilitate unauthorized access to computer systems
  • Perform competitive intelligence scanning on competitors' infrastructure without authorization
  • Enumerate targets for malicious purposes
  • Circumvent or test the defenses of systems without authorization
  • Violate any applicable law or regulation

3. Rate Limits and Quota

  • You may not attempt to circumvent scan quotas or rate limits through technical means
  • You may not share API keys across separate organizations to pool scan quotas
  • Automated bulk scanning must stay within your plan's monthly scan allocation
  • If you need higher volume, contact us for an Enterprise plan

4. MSP and Multi-Client Use

MSPs using ComplianceLayer to scan client infrastructure must:

  • Have a current service agreement with each client that explicitly grants rights to perform external security assessments
  • Maintain records of such authorization for at least 3 years
  • Use scan results only for the benefit of the client being scanned

5. Resale

You may build products and services on top of the ComplianceLayer API and charge your customers for access. You may not resell raw API access (i.e., give customers direct API key access to ComplianceLayer). Contact us for white-label and reseller arrangements.

6. Reporting Abuse

If you believe your infrastructure is being scanned via ComplianceLayer without authorization, contact us at [email protected] with details. We take abuse reports seriously and will investigate promptly.

7. Enforcement

We may at our discretion:

  • Suspend or terminate accounts violating this AUP immediately without notice
  • Report illegal activity to law enforcement
  • Cooperate with investigations of unauthorized scanning
  • Block specific domains from being scanned via our platform

Accounts suspended for AUP violations are not eligible for refunds.

8. Contact

Abuse reports: [email protected]
General legal: [email protected]

© 2026 ComplianceLayer, Inc. All rights reserved.