Acceptable Use Policy

Last updated: March 16, 2026

Important: This policy includes legally binding authorization requirements for NullShield security testing services. Please read carefully before engaging our services.

1. Purpose

This Acceptable Use Policy ("AUP") defines the acceptable and prohibited uses of services provided by Pantoja Digital, LLC. This policy applies to all clients and users of NullShield, Tarvix, and AI Assistant Setup services.

2. NullShield Security Testing — Authorization Requirements

NullShield performs active security testing, including automated vulnerability scanning, penetration testing, and AI-specific attack simulations. By engaging NullShield services, you represent and warrant that:

  • Ownership or Authorization: You are the owner of the systems, applications, and infrastructure submitted for testing, OR you have obtained explicit written authorization from the owner to conduct security testing.
  • Scope Agreement: Testing will only be performed against targets explicitly defined in the engagement scope document. Any out-of-scope systems are excluded from testing.
  • Production Awareness: You understand that security testing against production systems may cause temporary disruption. We recommend testing against staging environments when possible. You accept responsibility for choosing to test production systems.
  • Third-Party Systems: If the target includes third-party hosted services (e.g., cloud platforms, SaaS tools), you are responsible for ensuring testing is permitted under those services' terms of use and obtaining any necessary authorization.
  • Data Handling: You acknowledge that security testing may involve the discovery of sensitive data (customer PII, credentials, business information). All such discoveries will be documented in your security report and handled according to our confidentiality obligations.

⚠️ Legal Notice: Unauthorized security testing may violate federal and state computer fraud laws, including the Computer Fraud and Abuse Act (CFAA). Pantoja Digital will not perform testing without a signed authorization agreement. This authorization protects both parties.

3. Prohibited Uses

You may not use our Services to:

  • Test, scan, or attack any system you do not own or have written authorization to test
  • Engage in any illegal activity or violate any applicable laws or regulations
  • Distribute malware, ransomware, or any malicious software
  • Engage in unauthorized data collection, surveillance, or privacy violations
  • Use AI agents built by Tarvix to impersonate real individuals or organizations
  • Deploy AI agents that provide medical, legal, or financial advice without appropriate disclaimers and professional oversight
  • Use our Services to harass, threaten, or harm any person or entity
  • Attempt to gain unauthorized access to Pantoja Digital's own systems or infrastructure
  • Resell, sublicense, or redistribute our Services without written permission
  • Use NullShield findings to exploit vulnerabilities in systems you do not own

4. Tarvix AI Agent Usage

AI agents built and deployed through Tarvix must:

  • Clearly identify themselves as AI when interacting with users (not impersonate humans)
  • Comply with all applicable industry regulations (HIPAA for healthcare, PCI DSS for payments, etc.)
  • Include appropriate disclaimers when operating in regulated industries
  • Maintain NeMo Guardrails or equivalent security measures at all times
  • Not be used to generate spam, phishing content, or misleading communications

5. AI Assistant Usage

AI assistants configured through our setup service must:

  • Operate within the business context and rules configured during setup
  • Maintain data privacy controls as configured (NeMo Guardrails)
  • Not be used to send unsolicited communications or spam
  • Comply with the terms of service of all connected channels and platforms

6. Rate Limiting & Fair Use

  • Client Portal access is for authorized users only. Sharing credentials is prohibited.
  • API endpoints are rate-limited. Automated scraping or excessive requests may result in temporary access suspension.
  • NullShield scans are scheduled and managed by Pantoja Digital. Clients may not initiate scans outside the agreed scope.

7. Data Handling Post-Scan

  • NullShield scan results and vulnerability data are encrypted at rest and in transit.
  • Scan data is retained for 12 months after engagement completion (configurable per client).
  • Clients may request early deletion of scan data by contacting team@pantojadigital.com.
  • Anonymized, aggregated vulnerability patterns may be used to improve NullShield's detection capabilities. No client-identifiable information is included in aggregated data.

8. Enforcement

Violations of this Acceptable Use Policy may result in:

  • Immediate suspension or termination of Services
  • Reporting to appropriate law enforcement authorities
  • Legal action to recover damages

We reserve the right to refuse service to anyone and to terminate engagements that violate this policy.

9. Reporting Violations

If you become aware of any violation of this policy, please contact us immediately at team@pantojadigital.com.

10. Changes to This Policy

We may update this Acceptable Use Policy as our Services evolve. Material changes will be communicated to active clients via email at least 30 days before taking effect.

© 2026 Pantoja Digital, LLC. All rights reserved.

Note: We strongly recommend having the NullShield authorization language in this policy reviewed by a qualified attorney before conducting security testing on client systems.