Acceptable Use Policy
Draft — not final policy
This page is a substantive outline for review, not a complete enforcement policy. NexoAI must add the effective date, legal contact, applicable provider restrictions, notice process, and appeal mechanism before publication as binding terms.
Purpose
NexoAI provides shared access to AI models through OpenAI- and Anthropic-compatible APIs. This policy is intended to protect users, third parties, upstream providers, payment rails, and the reliability of the gateway.
Prohibited activity
The final policy should prohibit use of NexoAI to:
- violate applicable law, court orders, sanctions, or the rights of another person;
- create, distribute, or facilitate malware, credential theft, unauthorized access, destructive payloads, or evasion of security controls;
- exploit or abuse children, create non-consensual intimate material, or facilitate sexual violence;
- threaten, harass, stalk, defraud, impersonate, or deceptively manipulate another person;
- expose personal, confidential, or regulated data without a lawful basis and appropriate safeguards;
- conduct spam, artificial traffic, denial-of-service activity, scraping that violates authorization, or attempts to bypass rate and budget controls;
- probe the gateway, other accounts, model providers, or payment systems for vulnerabilities without written authorization;
- resell, share, or transfer account access in a way the final Terms do not permit;
- conceal the origin or purpose of activity to evade enforcement by NexoAI or an upstream provider.
High-impact uses
The final policy should define restrictions and human-review requirements for decisions involving health, safety, employment, housing, education, credit, insurance, legal rights, essential services, or other high-impact domains. Model output should not be the sole basis for a consequential decision about a person.
Security responsibilities
Users must protect dashboard sessions and virtual keys, apply reasonable caps, rotate exposed credentials, and avoid embedding keys in public clients. Discovery of a vulnerability should be reported through the designated security channel rather than exploited or publicly disclosed before coordination.
Enforcement
NexoAI may rate-limit, block a request, revoke a key, suspend an account, or preserve relevant records when reasonably necessary to investigate abuse, maintain the service, comply with law, or honor upstream restrictions. The final policy must explain severity factors, notice, emergency action, account appeals, and treatment of wallet credit during enforcement.
Reporting abuse
Before launch, add dedicated abuse and security reporting contacts. A useful report includes the approximate time, affected resource, observed behavior, and evidence that can be shared lawfully. Reports must not include a live NexoAI API key.
