Acceptable Use Policy
Effective May 16, 2026
This Acceptable Use Policy (the “AUP”) governs the conduct of any person or organization that accesses or uses the Briefcase AI Scan service (the “Service”) operated by Briefcase AI. This AUP is incorporated into the Terms of Service, and any violation is a material breach of those Terms. Capitalized terms not defined here have the meaning set forth in the Terms.
1. Authority Requirement
Briefcase AI Scan is intended to be used against systems Customer owns or is authorized in writing to scan. Customer must not configure, schedule, or initiate a scan unless Customer can produce written authorization from the system’s operator within five (5) business days of Briefcase AI’s request. Acceptable forms of authorization include (a) ownership of the domain registration; (b) a signed engagement letter, statement of work, or master services agreement with the system’s operator authorizing security or privacy testing; (c) a documented bug-bounty scope that includes the target host with a written, time-bounded permission; or (d) other written consent from a person authorized to bind the operator. Customer is solely responsible for confirming the validity of its authorization.
2. Production-Host Attestation
Scans targeting well-known production AI surfaces require an on-screen attestation. By signing an attestation, Customer represents to Briefcase AI and to any affected third party that (i) Customer holds authority to scan the named host, (ii) Customer will not use the scan for any malicious purpose, and (iii) Customer accepts responsibility for any third-party terms-of-service implications, including indemnifying Briefcase AI under the Terms of Service. Attestations are bound to the signing user, IP address, and timestamp, and may be produced in response to lawful requests, subpoenas, or coordinated disclosures.
3. Prohibited Activities
Customer may not, and may not assist or permit any other party to:
- scan, probe, test, attack, or attempt to access any system, network, application, AI surface, or endpoint that Customer does not own or is not authorized in writing to test;
- conduct denial-of-service attacks, volumetric flooding, credential-stuffing, brute-force credential testing, slow-loris attacks, exploitation of known or unknown vulnerabilities, or any activity intended to cause harm, degradation, or service interruption;
- deliver, install, or facilitate the operation of malicious code, including viruses, worms, ransomware, command-and-control software, key loggers, or cryptocurrency miners;
- harass, intimidate, defame, dox, threaten, stalk, or otherwise harm any individual or group, or facilitate such conduct by others;
- collect, transmit, or store personal data, protected health information, financial-account data, biometric data, children’s data, geolocation data, or other sensitive data of any individual without lawful basis and required notices and consents;
- transmit protected health information to the Service outside a deployment governed by a fully executed Business Associate Agreement;
- violate any U.S., state, foreign, or international law or regulation, including the Computer Fraud and Abuse Act, the Stored Communications Act, the Wiretap Act, the GDPR, the UK GDPR, the CCPA/CPRA, the HIPAA Privacy and Security Rules, the EU Digital Services Act, the EU AI Act, applicable export-control and sanctions laws, and applicable anti-corruption laws;
- violate contractual obligations to a third party, including terms of service of scanned surfaces, partner agreements, confidentiality agreements, or trade-secret obligations;
- attempt to gain unauthorized access to non-public Briefcase AI systems, to another Customer’s account, scans, or findings, or to non-public Service functionality;
- test the Service itself for vulnerabilities, except under a written security-research agreement with Briefcase AI signed by an authorized representative;
- circumvent, disable, or interfere with any security, authentication, attestation, rate-limit, isolation, content-filter, abuse-detection, or technical-protection mechanism of the Service;
- reverse engineer, decompile, disassemble, copy, or otherwise attempt to derive the source code, detectors, rules, models, or underlying technology of the Service, except to the extent such restriction is prohibited by mandatory law;
- use the Service to develop, train, fine-tune, evaluate, or benchmark a competing product or service, or to facilitate benchmarking for competitive disclosure;
- resell, redistribute, sublicense, white-label, or otherwise commercially exploit the Service without Briefcase AI’s prior written consent;
- remove, obscure, alter, or falsify any proprietary, attribution, copyright, trademark, or watermark notice;
- impersonate any person, misrepresent identity or affiliation, or sign attestations on behalf of an organization for which Customer lacks authority;
- use the Service to generate, host, retrieve, or distribute content that depicts child sexual abuse material, that violates intellectual-property rights, that promotes terrorism or unlawful violence, or that is otherwise unlawful where Customer or affected individuals are located;
- use the Service in a manner that creates a meaningful risk of regulatory action against Briefcase AI, its Customers, or its partners; or
- assist, induce, or knowingly permit any third party to do any of the foregoing.
4. Rate Limits and Fair Use
The Service enforces per-organization scan-rate limits, per-host live-scan caps (with daily ceilings configurable in HIPAA mode), per-user API limits, storage caps tied to subscription tier, and anti-abuse rate caps. Customer must not exceed posted limits or take steps designed to circumvent them, including the use of multiple accounts, rotating IP addresses, or coordinated Authorized Users to evade caps. Operating costs reasonably attributable to abusive or grossly disproportionate use may be invoiced to Customer at Briefcase AI’s then-current commercial rates upon thirty (30) days’ notice. Briefcase AI may adjust limits at any time to protect the Service, its infrastructure, or its Customers.
5. Targets of Scans
Customer represents and warrants that each target submitted to the Service:
- is within the scope of Customer’s written authorization;
- is not a system whose operator’s terms of service or robots policy prohibits automated access without permission, unless Customer has obtained that permission;
- is not a system operated by, on behalf of, or for the benefit of a person or entity on a U.S. or applicable foreign sanctions or denied-persons list;
- is not a critical-infrastructure system (e.g., energy, water, financial-clearing, emergency-services, healthcare-clinical systems) unless Customer is the operator and has documented internal change-management approval;
- does not require Customer to violate any contract or law to access it.
Briefcase AI may refuse, block, or terminate any scan, with or without notice, where Briefcase AI reasonably believes that the target or the scan’s scope is inconsistent with this AUP.
6. Authentication Credentials
If Customer provides cookies, OAuth tokens, SAML assertions, or other credentials to the Service to authenticate a scan, Customer represents that (a) Customer is entitled to use those credentials for the contemplated scan; (b) the credential owner’s organization has authorized credentialed testing; and (c) Customer has rotated, scoped, or expired the credentials as appropriate. Credentials submitted to the Service are stored encrypted at rest with a per-organization data encryption key. Customer should rotate credentials promptly after a scan completes.
7. Reporting Findings to Third Parties
Findings produced by the Service describe network behavior of the scanned surface and may overlap with security vulnerabilities, privacy issues, regulatory non-compliance, or contractual breach. Customer is solely responsible for coordinated disclosure to affected third parties, for any regulator communications, and for compliance with applicable disclosure laws. Briefcase AI does not represent that any finding constitutes a legally cognizable violation, vulnerability, or claim. Briefcase AI is not party to any coordinated disclosure between Customer and a third party.
8. Investigation and Enforcement
Briefcase AI may, in its sole discretion and without prior notice:
- investigate suspected violations of this AUP, including by inspecting scan inputs, scan artifacts, audit logs, telemetry, and account activity;
- remove or disable any content, scan, or finding that Briefcase AI reasonably believes violates this AUP;
- revoke or invalidate attestations and require re-attestation with additional acknowledgments;
- suspend or terminate Authorized Users, administrators, or the entire Customer account;
- report suspected violations to law enforcement, regulators, or affected third parties, and preserve and disclose information to those parties as permitted by law or by lawful process;
- assert claims for indemnification under the Terms of Service and seek reimbursement of costs reasonably incurred to investigate, remediate, or defend against violations;
- publish anonymized, post-incident summaries for industry or public education;
- recover from Customer any abuse-driven costs (e.g., emergency rate-limiting, target operator notification, dispute handling, regulator coordination), invoiced at Briefcase AI’s then-current commercial rates.
9. Cooperation with Affected Third Parties
Briefcase AI cooperates in good faith with operators of scanned surfaces who report unauthorized scans, including by suspending the offending account, preserving relevant audit data, and providing a written incident report. Cooperation may include sharing the signing user’s identity, the attestation record, scan timing and target, and IP address, under lawful process or with the affected operator’s representation of a legitimate investigation.
10. Reporting Violations
To report a suspected violation of this AUP — for example, a scan targeting your systems without authorization — contact us at support@briefcaseai.org with the URL, host, finding identifier (if known), and a brief description. Briefcase AI investigates abuse reports in good faith and may request additional information from the reporter. Reports that appear to be made in bad faith or in coordination with the violator may be referred to law enforcement.
11. Changes
Briefcase AI may update this AUP from time to time to address new abuse patterns, new features, or evolving legal requirements. Material changes will be communicated in-product, by email to administrators, or by an updated effective date, with notice at least thirty (30) days in advance where commercially reasonable. Continued use of the Service after the effective date constitutes acceptance of the revised AUP.
Questions about whether a planned use is permitted under this AUP should be directed to support@briefcaseai.org before initiating scans. When in doubt, ask first.