Acceptable Use Policy (AUP)
Product: OSOS / Omega ("Software")
Provider: Osos AI GmbH, Cosimastraße 121, 81925 Munich, Germany
Effective Date: 30.04.2026
Version: 1.0
Relationship to other documents: This Acceptable Use Policy is an annex to the EULA and concretizes in particular its Section 4 (Use Restrictions). It applies to all deployment models and to all of the Licensee's Authorized Users, including trial and free-plan users.
1. Purpose
This Acceptable Use Policy ("AUP") sets out, on a binding basis, how OSOS / Omega may be used and which conduct is prohibited. It protects the security, availability, integrity, and reputation of the platform as well as the interests of all Licensees and Authorized Users. Violations may lead to measures up to and including extraordinary termination (Section 8).
2. Addressees and Responsibility
This AUP applies to:
- the Licensee (the organization),
- all Authorized Users designated by the Licensee (including employees, external consultants, business partners),
- machine identities (service accounts, API tokens, bots) acting on behalf of the Licensee.
The Licensee is responsible for compliance with this AUP by all users and identities attributable to it (cf. EULA Section 5).
3. Generally Prohibited Uses
In particular, any use is prohibited that:
- violates applicable law (in particular criminal law, data protection, copyright, trademark, patent, competition, export control, and sanctions law);
- infringes the rights of third parties (personality rights, trade secrets, intellectual property, privacy);
- has defamatory, harassing, discriminatory, hate-promoting, or violence-glorifying content as its subject;
- serves the creation, distribution, or control of malicious software (viruses, worms, Trojans, ransomware, spyware);
- serves the unauthorized acquisition, alteration, or destruction of third-party data or systems (hacking, penetration testing without express permission of the Licensor, phishing, credential harvesting);
- violates EU, United Nations, or US sanctions or is performed by sanctioned persons / entities;
- serves the preparation or execution of weapons development, weapons of mass destruction, or comparable regulated end uses, unless expressly agreed in the Order Form and secured under export control law.
The following is prohibited:
- excessive or disproportionate loading of the platform infrastructure, in particular by (denial-of-service-like) request spikes, infinite loops, unthrottled parallel API calls, or recursive workflows that do not correspond to the documented scope of functions;
- automated crawling, scraping, indexing, or mass extraction of platform content outside the official API endpoints provided for this purpose and within the documented quotas;
- any form of security probing, vulnerability scanning, fuzzing, or penetration testing without prior written permission of the Licensor (approval procedure via [security@provider.com]);
- circumvention, deactivation, or manipulation of rate limits, quotas, authentication, authorization, or billing mechanisms;
- attempting to gain access to data, accounts, tenants, or functions for which no authorization exists;
- using the platform as a relay, proxy, or tunnel for data flows not directly related to the Software.
5. AI-Specific Prohibitions
With regard to the AI components of the Software, the following are in particular prohibited:
5.1 Misuse of AI Tokens and API Quotas
- targeted exhaustion of the agreed AI token allowances (e.g. through creation of multiple free-plan accounts of the same organization, automated query loops, resale of API calls to third parties);
- transfer or resale of API access outside the limits of Authorized Users;
- using AI endpoints as a generic AI backend service for applications not integrated with OSOS / Omega outside the documented use case.
5.2 Model and Output Misuse
- reverse engineering, fine-tuning, distillation, or reproduction of the models used;
- using AI Outputs of the Software for training, fine-tuning, or benchmarking competing AI models (cf. EULA Section 4 and AI Data Policy);
- creating or distributing deepfakes, identity fakes, or other deceptive content using AI functions;
- generating content for the automated manipulation of persons (social engineering, mass phishing, election interference).
5.3 Circumvention of Protective Mechanisms
- any form of prompt injection, jailbreaking, or targeted circumvention of implemented safety, compliance, or filter mechanisms;
- attempting to make the AI undermine platform requirements, the AI Data Policy, or legal requirements;
- introducing prepared content intended to specifically harm other Authorized Users of the Licensee or other tenants (e.g. indirect prompt injection in shared documents).
5.4 Prohibited Content in the AI Context
Without prejudice to Section 6, AI functions in particular must not be used to generate or process content that:
- serves the creation of instructions for the manufacture of weapons, explosives, or malware;
- represents material that sexualizes or endangers children (CSAM);
- aims at the persecution, stigmatization, or discrimination of persons on the basis of protected characteristics.
6. Prohibited Content
Without an express, written individual agreement with the Licensor, the following content must not be introduced into the Software:
- special categories of personal data within the meaning of Art. 9 GDPR (health, genetic, biometric data, data on ethnic origin, religious or political beliefs, sex life, trade union membership);
- data on criminal convictions and offences within the meaning of Art. 10 GDPR;
- payment data (credit card numbers, account data, PCI-DSS-relevant data);
- Patient Health Information (PHI) within the meaning of HIPAA or EHDS;
- classified information (nationally / militarily classified);
- pornographic, violence-glorifying, or comparably manifestly unlawful content.
If such content is introduced without agreement, the Licensor may refuse acceptance, automatically suppress the relevant content, or suspend the account.
7. Account, Login, and Anti-Abuse Rules
7.1 Shared Logins / Generic Accounts
Account sharing, generic group logins, shared passwords, as well as circumventing the agreed Authorized User limit (e.g. through round-robin use) are prohibited. One personalized account per Authorized User must be used.
7.2 Free-Plan and Trial Abuse
In particular, the following is prohibited:
- creating multiple free or trial accounts by or on behalf of the same organization or natural person;
- repeated trial activation with different email addresses, domain aliases, disposable mail services, or fake identities;
- using trial / free accounts for productive purposes while deliberately circumventing paid plans;
- commercial transfer of free-plan output ("white-labeling" via free tier).
The Licensor reserves the right to block free and trial accounts with detected abuse signals (e.g. disposable mail domains, identical IP clusters, unusual usage patterns) without prior notice or to request verification of payment or identity data.
7.3 Bots and Automated Activity
Automated activity (bots, crawlers, scripts) is permitted only via the official API endpoints and within the quotas provided for this purpose. Use of the web UI through headless browsers or browser automation (Selenium, Puppeteer, Playwright, etc.) for purposes that do not correspond to the documented use case is prohibited.
7.4 Security Obligations
Authorized Users are obligated to use multi-factor authentication, to keep their access credentials confidential, and to report compromised access without delay to [security@provider.com]. Suspicious activity or suspected security vulnerabilities are to be communicated in accordance with the responsible disclosure notes (see Trust Center).
8. Measures in the Event of Violations
8.1 Procedure
In the event of a suspected violation of this AUP, the Licensor will — to the extent the nature and severity of the violation allow — proceed in the following order:
1. Notice and request for remediation in text form to the Licensee's Organization Owner / Administrator, with a reasonable period for remediation;
2. in the case of continued or serious violation: temporary suspension of the affected account, tenant, or individual functions;
3. in the case of particularly serious or repeated violation: extraordinary termination pursuant to EULA Section 14.2.
8.2 Immediate Measures Without Prior Notice
In the case of acute security risks, imminent harm to other tenants, illegal content (in particular CSAM), active attacks on the platform, or by official order, the Licensor is entitled to suspend or remove content without prior notice and with immediate effect. The Licensee will be informed without delay thereafter.
8.3 No Refund Claim
Suspensions and blocks based on a violation of this AUP do not give rise to a refund or service credit claim. The obligation to pay the agreed remuneration remains during the suspension.
8.4 Damages and Indemnification
If the Licensee causes damage to the Licensor or third parties through an AUP violation, the damages and indemnification provisions of the EULA apply (Section 12, Section 13.2).
9. Reporting of Violations by Third Parties
Indications of violations of this AUP — in particular by third parties or unknown actors — can be reported to [abuse@provider.com]. Notice-and-Action requests pursuant to the Digital Services Act (DSA) are received via [notice@provider.com] and processed in accordance with the procedures described there.
10. Changes to this AUP
This AUP may be adapted in particular in the event of new abuse patterns or changed regulatory requirements. Material changes will be announced with a lead time of at least 30 days via the status page and by email to the Organization Owner / Administrator; otherwise, the change provisions of EULA Section 18 apply accordingly.
- General / Support: [support@provider.com]
- Security incidents / Vulnerability Disclosure: [security@provider.com]
- Abuse reports: [abuse@provider.com]
- DSA Notice-and-Action: [notice@provider.com]
- Postal address: [Provider GmbH, Address]