Acceptable Use Policy

Risk3y is designed for legitimate enterprise risk management activities including creating, managing, and reviewing risk registers; recording controls and evidence; and using AI assistants via the MCP integration to assist with risk management tasks.

Use of the Service must be consistent with this purpose. Using the Service for unrelated business activities or personal use outside an organisational context is not permitted under commercial subscriptions.

You must not use the Service to:

• Violate laws or regulations — including privacy laws, export control laws, anti-bribery legislation, or any applicable national, state, or local laws.
• Store unlawful content — including content that infringes intellectual property rights, contains defamatory material, or constitutes illegal discrimination.
• Process prohibited personal data — including special categories of personal data (health, biometric, racial origin, etc.) without a lawful basis under applicable data protection law, or data belonging to children under 16.
• Conduct security attacks — including attempting to probe, scan, or test the vulnerability of the Service or its infrastructure; launching denial-of-service attacks; or injecting malicious code.
• Abuse the MCP / AI integration — including using the MCP API to automate bulk destructive operations (mass deletion, mass archiving) without human oversight, or to exfiltrate data at a rate that circumvents rate limiting.
• Circumvent access controls — including attempting to access other tenants' data, escalate privileges beyond your assigned role, or bypass authentication mechanisms.
• Resell or sub-license the Service — without express written permission from Risk3y. You may not offer access to the Service as a standalone product to third parties.
• Mine or scrape data — including using automated tools to extract, copy, or aggregate content from the Service beyond what is permitted by the API rate limits and your subscription.
• Generate false or misleading risk data — including deliberately misrepresenting risk scores, controls, or evidence to deceive auditors, regulators, or other stakeholders.
• Interfere with other users — including spamming invitations, abusing shared resources, or deliberately corrupting shared registers.

All content you upload, submit, or transmit through the Service — including risk descriptions, control notes, evidence labels, and comments — must:

• Be accurate and not intentionally misleading
• Not contain hate speech, harassment, or discriminatory content
• Not contain malware, viruses, or malicious links
• Not infringe the intellectual property rights of any third party
• Comply with all applicable laws in the jurisdiction where you operate

The Service is designed for business risk management data. You are responsible for classifying data before entering it into Risk3y and ensuring the classification is consistent with your organisation's data governance policies.

Do not enter the following into the Service without first consulting your data protection officer:

• Personally identifiable information (PII) about individuals beyond what is necessary for risk ownership attribution
• Financial account numbers, payment card data, or banking credentials
• Government-issued identity numbers (passport, tax file number, social security number)
• Protected health information (PHI) regulated under HIPAA or equivalent
• Classified government or defence information

You are responsible for:

• Keeping your credentials (passwords, MCP API keys) confidential and not sharing them with unauthorised parties
• Enabling MFA on privileged accounts (Tenant Owner, Tenant Admin) — required in production environments
• Promptly revoking API keys and access for former team members
• Reporting suspected security vulnerabilities or unauthorised access to security@risk3y.com immediately
• Ensuring devices used to access the Service have current security patches and endpoint protection

The MCP API is subject to rate limiting as described in the API documentation. You must not attempt to circumvent rate limits through IP rotation, credential sharing, or other technical means.

AI-assisted operations via MCP must remain subject to appropriate human oversight. Fully automated pipelines that create, modify, or delete risks without any human review are discouraged and may be rate-limited or suspended.

Risk3y reserves the right to monitor usage of the Service for compliance with this AUP, including reviewing audit logs and API usage patterns. We will not access your risk data content except as required to investigate a suspected AUP violation, respond to a legal obligation, or provide technical support at your request.

Violations of this AUP may result in, at our discretion: a warning, temporary suspension of your account, termination of your subscription, or referral to law enforcement where required by law.

If you become aware of any use of the Service that violates this AUP, please report it promptly to security@risk3y.com. Include as much detail as possible — the nature of the violation, affected accounts or data, and any supporting evidence.

We may update this AUP from time to time by posting a revised version with an updated effective date. Continued use of the Service after the effective date constitutes acceptance of the revised policy. Material changes will be notified to account owners by email at least 14 days in advance.

Questions about this Acceptable Use Policy should be directed to legal@risk3y.com.