Acceptable Use & Responsible Security Disclosure

Last updated: 14 June 2026

Purpose

Cafiyn ("Cafiyn", "Company", "we", "our", or "us") is committed to providing secure, reliable, lawful, and trustworthy services for customers, partners, visitors, and users.

This Acceptable Use and Responsible Security Disclosure Policy ("Policy") establishes:

  • Permitted uses of the Services
  • Prohibited activities
  • Security expectations
  • Abuse prevention requirements
  • Vulnerability reporting procedures
  • Responsible disclosure requirements
  • Enforcement measures
  • This Policy applies to all users, customers, visitors, contractors, partners, and security researchers
  • interacting with Cafiyn systems and services.

Scope

This Policy applies to:

  • Websites
  • Customer portals
  • Web applications
  • Subscription services
  • Hosted services
  • Cloud infrastructure
  • Documentation
  • Support channels
  • Public-facing systems owned or operated by Cafiyn
  • This Policy supplements and does not replace the Terms of Service, Privacy Policy, Security Policy, or
  • other applicable agreements.

Acceptable use

Users may access and use the Services solely for lawful business and personal purposes consistent with:

  • Applicable laws
  • Applicable regulations
  • Contractual obligations
  • Industry standards
  • This Policy
  • Users must use the Services responsibly and in a manner that does not adversely affect:
  • Service availability
  • Security
  • Performance
  • Other users
  • Cafiyn operations

Prohibited activities

Users shall not engage in activities that are unlawful, harmful, deceptive, fraudulent, abusive, or disruptive.

Prohibited activities include but are not limited to:

  • Violating applicable laws
  • Fraudulent conduct
  • Identity misrepresentation
  • Harassment
  • Abuse of Services
  • Circumvention of controls
  • Unauthorized access attempts
  • Misuse of system resources
  • Interference with operations

Unauthorized access

Users shall not:

  • Access systems without authorization
  • Attempt to bypass authentication controls
  • Attempt privilege escalation
  • Access information not intended for them
  • Access restricted resources
  • Attempt account takeover activities
  • Any attempt to gain unauthorized access may result in immediate suspension and legal action where
  • appropriate.

Malicious software and harmful

Activities

Users shall not introduce, distribute, transmit, deploy, or facilitate:

  • Malware
  • Viruses
  • Worms
  • Trojans
  • Ransomware
  • Spyware
  • Backdoors
  • Malicious scripts
  • Cryptojacking software

Users shall not attempt to compromise the security, integrity, or availability of the Services.

Network and service abuse

Users shall not:

  • Conduct denial-of-service attacks
  • Conduct distributed denial-of-service attacks
  • Exhaust system resources
  • Generate excessive traffic
  • Interfere with service operations
  • Disrupt service availability

Activities that negatively affect platform performance may be restricted or blocked.

Data protection and privacy

Users shall not:

  • Access personal information without authorization
  • Harvest user information
  • Scrape protected data
  • Collect information through automated means without authorization
  • Circumvent privacy controls

Users are responsible for ensuring their activities comply with applicable privacy laws.

Spam and unsolicited communications

Users shall not use the Services to:

  • Send spam
  • Distribute unsolicited messages
  • Conduct phishing campaigns
  • Distribute misleading communications
  • Conduct unauthorized marketing campaigns
  • Any use of the Services for abusive communications is prohibited.

Intellectual property violations

Users shall not:

  • Infringe copyrights
  • Infringe trademarks
  • Misappropriate trade secrets
  • Use proprietary content without authorization
  • Remove ownership notices

Users remain responsible for ensuring they possess rights to any materials they submit to Cafiyn.

Security expectations

Users are expected to:

  • Maintain secure credentials
  • Use strong passwords
  • Protect account access
  • Report suspected security issues promptly
  • Maintain secure devices and environments
  • Users are responsible for activity occurring under their accounts.

Monitoring and enforcement

To protect the Services and users, Cafiyn may monitor activity reasonably necessary to:

  • Maintain security
  • Prevent abuse
  • Detect fraud
  • Investigate incidents
  • Protect service availability

Monitoring shall be conducted in accordance with applicable law and our Privacy Policy.

Reporting security vulnerabilities

Cafiyn welcomes reports of potential security vulnerabilities affecting systems owned or operated by Cafiyn.

Security vulnerabilities should be reported to:

  • Email: infosec@cafiyn.com
  • Subject line:
  • Security Vulnerability Report

Information to include in reports

Researchers are encouraged to provide:

  • Description of the vulnerability
  • Affected URL or system
  • Steps to reproduce
  • Impact assessment
  • Proof of concept
  • Supporting evidence
  • Providing detailed information helps expedite investigation.

Responsible disclosure

Researchers should:

  • Act in good faith
  • Avoid causing harm
  • Avoid service disruption
  • Avoid accessing customer data
  • Avoid modifying information
  • Report findings promptly
  • Testing should be limited to the minimum activity necessary to demonstrate the existence of a
  • vulnerability.

Authorized security research

Cafiyn supports good-faith security research conducted responsibly and within the limits of this Policy.

Researchers may identify and report vulnerabilities affecting systems owned and operated by Cafiyn.

Authorized research does not include activities that:

  • Harm customers
  • Access customer information
  • Disrupt operations
  • Create persistence
  • Escalate privileges beyond proof of concept

Prohibited security testing

Unless expressly authorized in writing by Cafiyn, researchers shall not:

  • Access Customer Data
  • Download data
  • Copy data
  • Export data
  • Retain data
  • Conduct Destructive Testing
  • Delete information
  • Modify information
  • Corrupt systems
  • Deploy malware
  • Perform Availability Attacks
  • DDoS testing
  • Load testing
  • Resource exhaustion attacks
  • Conduct Social Engineering
  • Phishing
  • Credential harvesting
  • Employee impersonation
  • Telephone-based attacks
  • Conduct Physical Security Testing
  • Facility access attempts
  • Hardware tampering
  • Physical intrusion testing

Customer data protection during

Research

If customer information is encountered accidentally:

  • Researchers must:
  • Stop testing immediately
  • Avoid copying information
  • Avoid sharing information
  • Report the issue promptly
  • Researchers must not retain customer data.

Safe harbor

Where individuals act in good faith and comply with this Policy, Cafiyn generally considers such activity to be legitimate security research.

This statement:

  • Does not authorize unlawful activity
  • Does not waive legal rights
  • Does not authorize access beyond permitted limits
  • Does not prevent action against malicious conduct

Cafiyn reserves all legal rights regarding harmful, reckless, fraudulent, abusive, or unlawful activities.

No bug bounty program

Unless expressly announced otherwise:

  • No bug bounty program exists.
  • No monetary rewards are guaranteed.
  • No compensation is promised.
  • No contractual relationship is created by submitting a report.

Cafiyn may, at its sole discretion, acknowledge contributions or provide recognition.

Violations of this policy

Violations may result in:

  • Warning notices
  • Access restrictions
  • Account suspension
  • Account termination
  • Removal of content
  • Legal action
  • Reporting to authorities where required
  • Cafiyn reserves sole discretion regarding enforcement actions.

Suspension and termination

Cafiyn may suspend or terminate access immediately where necessary to:

  • Protect security
  • Prevent abuse
  • Protect customers
  • Comply with law
  • Protect infrastructure

Suspension or termination does not limit any other remedies available to Cafiyn.

Changes to this policy

Cafiyn may modify this Policy periodically to reflect:

  • Operational requirements
  • Security developments
  • Technology changes
  • Legal requirements
  • Industry best practices
  • Updated versions will be published with a revised effective date.
  • Continued use of the Services following publication of an updated Policy constitutes acceptance of the
  • revised Policy.

Contact information

Security and Vulnerability Reports

Email: infosec@cafiyn.com

General Support

Email: infosec@cafiyn.com

Questions regarding this Policy, security concerns, abuse reports, or vulnerability disclosures should be directed to the appropriate contact above.

Questions about this policy? Email infosec@cafiyn.com.

← Back to Security