1. Scope
This Acceptable Use Policy ("AUP") applies to all use of the Boxes Services by you, your authorised users, your guests, and any AI agents acting under your account. Violations may result in suspension, termination, or legal action. We reserve the right to update this AUP from time to time.
2. Prohibited content and conduct
You may not, and may not permit any user or agent acting under your account to, use the Services to:
- Violate law. Engage in any activity that is illegal under the laws of the United States, your home jurisdiction, or the jurisdiction of any recipient.
- Infringe IP. Upload, transmit, or store content that infringes any third party's intellectual-property rights.
- Harm minors. Process, transmit, or store child sexual abuse material (CSAM), or content that sexualises or exploits minors. We report all CSAM to NCMEC and equivalent authorities and permanently terminate offending accounts.
- Harass or threaten. Send content that harasses, threatens, defames, or targets individuals or groups based on protected characteristics.
- Spread malicious code. Distribute viruses, worms, trojans, ransomware, spyware, or any code designed to disrupt or compromise systems.
- Deceive. Engage in fraud, identity theft, phishing, impersonation, or deceptive practices.
- Violate privacy. Collect or process personal data without lawful basis or required notice and consent.
- Sanctioned activity. Process transactions involving sanctioned individuals, entities, or jurisdictions under US, EU, UK, or UN sanctions regimes.
- Glorify violence. Promote or incite violence, terrorism, self-harm, or the use of regulated weapons.
3. Security restrictions
You may not:
- Probe or scan Boxes systems, networks, or infrastructure for vulnerabilities without prior written authorisation through our Security team or HackerOne programme.
- Bypass authentication, rate-limiting, access controls, or capability scopes, including those applied to your own account or agents.
- Reverse engineer any part of the Services except as expressly permitted by law (e.g., for interoperability under EU Directive 2009/24/EC).
- Disrupt the Services through denial-of-service attacks, resource exhaustion, or other malicious activity.
- Use credentials issued to another person or organisation without authorisation.
4. Agent-specific rules
The use of AI agents on Boxes is subject to additional restrictions:
- No scope evasion. You may not use agents to take actions outside the capability scope they were granted, nor may you use multiple agents to circumvent any single agent's restrictions.
- No mass automation. You may not use agents to send unsolicited bulk communications (spam), scrape or harvest data from third-party services in violation of those services' terms, or generate fraudulent activity at scale.
- Human oversight. Agents must operate with a documented human approver for actions that materially affect third parties (e.g., outbound messages to external recipients, financial transfers, contract signing). Boxes provides default approval gates; circumventing them is a violation.
- No deception about agency. You may not represent that an agent's output came from a human when the recipient or counterparty would, in their reasonable interpretation, conclude otherwise. Industry-specific disclosure obligations (e.g., FTC guidance on AI-generated marketing) apply.
- No banned use cases. Agents may not be deployed for: automated decisions producing legal effects on individuals without human review; social-scoring; behavioural manipulation of vulnerable groups; biometric identification in public spaces; or any use prohibited under the EU AI Act.
5. Communications and anti-spam
If you send email through Boxes, you must comply with CAN-SPAM (US), CASL (Canada), GDPR Art. 6 / ePrivacy (EU), PECR (UK), and any other applicable jurisdiction's marketing laws. You must obtain required consents, honour opt-out requests promptly, and ensure all marketing communications clearly identify the sender and offer an unsubscribe mechanism. Boxes operates SPF / DKIM / DMARC for sender authentication; circumventing these is a violation.
6. Enforcement
We investigate suspected AUP violations. Depending on severity, we may: issue a warning; suspend affected agents or features; suspend or terminate your account; preserve and disclose information to law enforcement when legally required; and seek injunctive relief or damages. For repeated or wilful violations we proceed directly to termination.
Where lawful and practicable, we will notify you before taking enforcement action and provide an opportunity to cure. Where immediate action is necessary to protect users, third parties, or the integrity of the Services, we may act without prior notice.
7. Reporting violations
To report a suspected violation of this AUP — including phishing, abuse, CSAM, copyright infringement, or security issues — please email abuse@boxes.sh. For DMCA notices, see our designated agent at dmca@boxes.sh. We respond within 48 hours on weekdays.