Purpose
Cafiyn ("Cafiyn", "Company", "we", "our", or "us") is committed to providing secure, reliable, lawful, and trustworthy services for customers, partners, visitors, and users.
This Acceptable Use and Responsible Security Disclosure Policy ("Policy") establishes:
- Permitted uses of the Services
- Prohibited activities
- Security expectations
- Abuse prevention requirements
- Vulnerability reporting procedures
- Responsible disclosure requirements
- Enforcement measures
- This Policy applies to all users, customers, visitors, contractors, partners, and security researchers
- interacting with Cafiyn systems and services.
Scope
This Policy applies to:
- Websites
- Customer portals
- Web applications
- Subscription services
- Hosted services
- Cloud infrastructure
- Documentation
- Support channels
- Public-facing systems owned or operated by Cafiyn
- This Policy supplements and does not replace the Terms of Service, Privacy Policy, Security Policy, or
- other applicable agreements.
Acceptable use
Users may access and use the Services solely for lawful business and personal purposes consistent with:
- Applicable laws
- Applicable regulations
- Contractual obligations
- Industry standards
- This Policy
- Users must use the Services responsibly and in a manner that does not adversely affect:
- Service availability
- Security
- Performance
- Other users
- Cafiyn operations
Prohibited activities
Users shall not engage in activities that are unlawful, harmful, deceptive, fraudulent, abusive, or disruptive.
Prohibited activities include but are not limited to:
- Violating applicable laws
- Fraudulent conduct
- Identity misrepresentation
- Harassment
- Abuse of Services
- Circumvention of controls
- Unauthorized access attempts
- Misuse of system resources
- Interference with operations
Unauthorized access
Users shall not:
- Access systems without authorization
- Attempt to bypass authentication controls
- Attempt privilege escalation
- Access information not intended for them
- Access restricted resources
- Attempt account takeover activities
- Any attempt to gain unauthorized access may result in immediate suspension and legal action where
- appropriate.
Malicious software and harmful
Activities
Users shall not introduce, distribute, transmit, deploy, or facilitate:
- Malware
- Viruses
- Worms
- Trojans
- Ransomware
- Spyware
- Backdoors
- Malicious scripts
- Cryptojacking software
Users shall not attempt to compromise the security, integrity, or availability of the Services.
Network and service abuse
Users shall not:
- Conduct denial-of-service attacks
- Conduct distributed denial-of-service attacks
- Exhaust system resources
- Generate excessive traffic
- Interfere with service operations
- Disrupt service availability
Activities that negatively affect platform performance may be restricted or blocked.
Data protection and privacy
Users shall not:
- Access personal information without authorization
- Harvest user information
- Scrape protected data
- Collect information through automated means without authorization
- Circumvent privacy controls
Users are responsible for ensuring their activities comply with applicable privacy laws.
Spam and unsolicited communications
Users shall not use the Services to:
- Send spam
- Distribute unsolicited messages
- Conduct phishing campaigns
- Distribute misleading communications
- Conduct unauthorized marketing campaigns
- Any use of the Services for abusive communications is prohibited.
Intellectual property violations
Users shall not:
- Infringe copyrights
- Infringe trademarks
- Misappropriate trade secrets
- Use proprietary content without authorization
- Remove ownership notices
Users remain responsible for ensuring they possess rights to any materials they submit to Cafiyn.
Security expectations
Users are expected to:
- Maintain secure credentials
- Use strong passwords
- Protect account access
- Report suspected security issues promptly
- Maintain secure devices and environments
- Users are responsible for activity occurring under their accounts.
Monitoring and enforcement
To protect the Services and users, Cafiyn may monitor activity reasonably necessary to:
- Maintain security
- Prevent abuse
- Detect fraud
- Investigate incidents
- Protect service availability
Monitoring shall be conducted in accordance with applicable law and our Privacy Policy.
Reporting security vulnerabilities
Cafiyn welcomes reports of potential security vulnerabilities affecting systems owned or operated by Cafiyn.
Security vulnerabilities should be reported to:
- Email: infosec@cafiyn.com
- Subject line:
- Security Vulnerability Report
Information to include in reports
Researchers are encouraged to provide:
- Description of the vulnerability
- Affected URL or system
- Steps to reproduce
- Impact assessment
- Proof of concept
- Supporting evidence
- Providing detailed information helps expedite investigation.
Responsible disclosure
Researchers should:
- Act in good faith
- Avoid causing harm
- Avoid service disruption
- Avoid accessing customer data
- Avoid modifying information
- Report findings promptly
- Testing should be limited to the minimum activity necessary to demonstrate the existence of a
- vulnerability.
Authorized security research
Cafiyn supports good-faith security research conducted responsibly and within the limits of this Policy.
Researchers may identify and report vulnerabilities affecting systems owned and operated by Cafiyn.
Authorized research does not include activities that:
- Harm customers
- Access customer information
- Disrupt operations
- Create persistence
- Escalate privileges beyond proof of concept
Prohibited security testing
Unless expressly authorized in writing by Cafiyn, researchers shall not:
- Access Customer Data
- Download data
- Copy data
- Export data
- Retain data
- Conduct Destructive Testing
- Delete information
- Modify information
- Corrupt systems
- Deploy malware
- Perform Availability Attacks
- DDoS testing
- Load testing
- Resource exhaustion attacks
- Conduct Social Engineering
- Phishing
- Credential harvesting
- Employee impersonation
- Telephone-based attacks
- Conduct Physical Security Testing
- Facility access attempts
- Hardware tampering
- Physical intrusion testing
Customer data protection during
Research
If customer information is encountered accidentally:
- Researchers must:
- Stop testing immediately
- Avoid copying information
- Avoid sharing information
- Report the issue promptly
- Researchers must not retain customer data.
Safe harbor
Where individuals act in good faith and comply with this Policy, Cafiyn generally considers such activity to be legitimate security research.
This statement:
- Does not authorize unlawful activity
- Does not waive legal rights
- Does not authorize access beyond permitted limits
- Does not prevent action against malicious conduct
Cafiyn reserves all legal rights regarding harmful, reckless, fraudulent, abusive, or unlawful activities.
No bug bounty program
Unless expressly announced otherwise:
- No bug bounty program exists.
- No monetary rewards are guaranteed.
- No compensation is promised.
- No contractual relationship is created by submitting a report.
Cafiyn may, at its sole discretion, acknowledge contributions or provide recognition.
Violations of this policy
Violations may result in:
- Warning notices
- Access restrictions
- Account suspension
- Account termination
- Removal of content
- Legal action
- Reporting to authorities where required
- Cafiyn reserves sole discretion regarding enforcement actions.
Suspension and termination
Cafiyn may suspend or terminate access immediately where necessary to:
- Protect security
- Prevent abuse
- Protect customers
- Comply with law
- Protect infrastructure
Suspension or termination does not limit any other remedies available to Cafiyn.
Changes to this policy
Cafiyn may modify this Policy periodically to reflect:
- Operational requirements
- Security developments
- Technology changes
- Legal requirements
- Industry best practices
- Updated versions will be published with a revised effective date.
- Continued use of the Services following publication of an updated Policy constitutes acceptance of the
- revised Policy.
Contact information
Security and Vulnerability Reports
Email: infosec@cafiyn.com
General Support
Email: infosec@cafiyn.com
Questions regarding this Policy, security concerns, abuse reports, or vulnerability disclosures should be directed to the appropriate contact above.