Acceptable Use Policy

Hive Bastion LLC · Version 1.0 · Effective 24 June 2026

0. About This Policy

This Acceptable Use Policy ("AUP" or "Policy") governs the use of all websites, applications, application programming interfaces (APIs), software, tools, agents, automations, and other products and services made available by Hive Bastion LLC, a Tennessee limited liability company and a disregarded entity for U.S. federal income-tax purposes ("Hive Bastion," "we," "us," or "our") (collectively, the "Services").

This AUP is incorporated by reference into, and forms a part of, the Hive Bastion Terms of Service. By accessing or using any of the Services, you ("you," "your," "User," or "Customer") agree to comply with this Policy. Capitalized terms used but not defined here have the meanings given to them in the Terms of Service. Where this AUP conflicts with the Terms of Service, the Terms of Service control, except that a separately signed written agreement between you and Hive Bastion (a "Signed Agreement") controls over both.

Published baseline; the contract controls. This AUP is a good-faith baseline that describes conduct we permit and prohibit on the Services. Any engagement with Hive Bastion is governed by a separate signed written agreement between the parties, which controls in the event of any conflict with this published Policy.

This Policy is written to align with the abuse-prevention and acceptable-use expectations of widely recognized control frameworks, including the SOC 2 Trust Services Criteria (notably CC1 control environment, CC2 communication, and CC6 logical access), the NIST Cybersecurity Framework 2.0 (Govern (GV), Protect (PR), and Detect (DE) functions), ISO/IEC 27001:2022 Annex A (A.5 Organizational and A.8 Technological controls), and CMMC Level 1 (FAR 52.204-21 basic safeguarding) where the Services touch in-scope information. Citing these frameworks describes the design intent of our abuse-prevention controls; it is not a claim of formal certification.

1. Scope and Applicability

1.1 Who This Applies To

This Policy applies to:

• every visitor to a Hive Bastion website or property;
• every Customer, account holder, and authorized user acting under a Customer account;
• every developer or integrator using a Hive Bastion API or developer tooling (also subject to); and
• any third party to whom a User grants or extends access to the Services.

You are responsible for the acts and omissions of anyone who uses the Services through your account, credentials, API keys, or with your permission, as if they were your own.

1.2 What This Applies To

This Policy applies to all use of the Services and to all content, data, prompts, inputs, configurations, and outputs that Users submit to, generate with, or transmit through the Services ("User Content"), regardless of the medium or interface used.

1.3 Relationship to Other Policies

This AUP works together with, and should be read alongside, the following published documents:

-

-

-

2. Policy Statement and Two-Layer Honesty

Hive Bastion is committed to operating Services that are not used as a vehicle for unlawful, abusive, deceptive, or harmful activity, and to enforcing this commitment in a manner that is honest about what a small, focused operation can and does enforce today. Consistent with our two-layer-honesty posture, each control area below is presented in three parts: (a) Standard / Commitment — the control we commit to; (b) Current Implementation Status — an honest description of what Hive Bastion actually has in place today; and (c) Roadmap — planned maturation of the control.

2.1 Abuse-Prevention Control — Two-Layer View

(a) Standard / Commitment. Hive Bastion maintains commercially reasonable, designed-to-be-effective measures to prohibit, detect, and respond to misuse of the Services as described in this Policy, including a published prohibited-conduct list, an abuse-reporting channel, and the contractual right to suspend or terminate accounts engaged in prohibited conduct.

(b) Current Implementation Status. Abuse review today is manual and human-driven: misuse is identified through provider-level alerting (for example, hosting-provider and edge-provider abuse signals), application logging, and reports submitted to our abuse channel. We do not today operate automated real-time content-abuse classifiers, a 24x7 staffed abuse desk, or a formal ticketed abuse-case-management system. Response is on a commercially reasonable best-effort basis during business hours.

(c) Roadmap. Planned maturation includes a documented abuse-triage runbook, defined acknowledgment and response targets for abuse reports, structured logging-and-monitoring aligned with, and — as the business scales — automated abuse-signal tooling and, longer term, SOC 2 Type I attestation covering the relevant criteria.

3. Prohibited Conduct

You must not use the Services, and must not permit or enable any other person to use the Services, to engage in any of the conduct described in this Section 3. This list is illustrative, not exhaustive; conduct not specifically listed may still violate this Policy if it is unlawful, abusive, deceptive, or harmful, or if it is inconsistent with the purpose of the Services.

3.1 Unlawful Use

• Violating any applicable local, state, federal, or international law, regulation, rule, or order, or any third party's rights, through your use of the Services.
• Using the Services to plan, facilitate, promote, or carry out any illegal activity, or to evade lawful obligations.
• Exporting, re-exporting, or transferring the Services or any output in violation of applicable U.S. export-control or sanctions laws.

3.2 Infringing and Unauthorized Content

• Uploading, transmitting, generating, or distributing any content that infringes or misappropriates a third party's intellectual-property rights, including copyrights, trademarks, trade secrets, patents, or rights of publicity or privacy.
• Submitting content you do not have the lawful right to submit, or directing the Services to reproduce protected works in a manner that exceeds your rights or applicable law.

3.3 Malware and Malicious Code

• Uploading, transmitting, generating, hosting, or distributing any virus, worm, Trojan horse, ransomware, spyware, logic bomb, or other malicious or harmful code.
• Using the Services to develop, test, stage, command-and-control, or deliver malicious code or exploits against any system.

3.4 Unauthorized Scraping and Bulk Extraction

• Using any robot, spider, scraper, crawler, headless browser, or other automated means to access, index, harvest, or extract data or content from the Services other than through interfaces and rate limits we expressly authorize (see also).
• Performing bulk download, systematic extraction, or aggregation of data from the Services beyond what is reasonably necessary for your authorized use, or in a manner that imposes an unreasonable load on the Services.

3.5 Reverse Engineering and Tampering

• Reverse engineering, decompiling, disassembling, or otherwise attempting to derive the source code, underlying models, model weights, prompts, system instructions, or trade secrets of the Services, except to the limited extent applicable law expressly permits despite this prohibition.
• Modifying, creating derivative works of, framing, mirroring, or republishing any part of the Services except as expressly authorized.

3.6 Circumventing Security Controls

• Circumventing, disabling, defeating, or attempting to defeat any authentication, authorization, encryption, access control, rate limit, usage quota, watermarking, attribution, or other security or protective measure of the Services.
• Accessing or attempting to access any account, data, system, or network without authorization, or probing, scanning, or testing the vulnerability of any Hive Bastion system without our prior written permission.
• Using credentials, API keys, or tokens that are not issued to you, or sharing your credentials in violation of the Terms of Service.

3.7 Denial-of-Service and Resource Abuse

• Conducting or facilitating any denial-of-service (DoS) or distributed denial-of-service (DDoS) attack, flood, or other action that degrades, disrupts, overloads, or impairs the Services or any associated infrastructure, network, or other user's use of the Services.
• Consuming an unreasonable or disproportionate share of shared resources, or intentionally evading or manipulating rate limits, quotas, or billing.

3.8 Spam and Unsolicited Bulk Messaging

• Using the Services to send, generate, or facilitate spam, unsolicited bulk or commercial messages, chain communications, or any messaging in violation of the CAN-SPAM Act, the Telephone Consumer Protection Act ("TCPA"), or other applicable anti-spam or communications laws.
• Harvesting, generating, or using email addresses, phone numbers, or other contact information for the purpose of sending unsolicited communications.

3.9 Contacting Consumers Without Documented Consent (TCPA)

• Using lead data, contact data, or any output of the Services to call, text, fax, or otherwise contact consumers without the documented prior consent required by applicable law, including the TCPA, the Telemarketing Sales Rule, and applicable state telemarketing and Do-Not-Call statutes.
• You are solely responsible for maintaining records of consent, honoring opt-outs and Do-Not-Call requests, and ensuring that any outreach you conduct using data obtained through or processed by the Services complies with all applicable communications laws. Hive Bastion does not provide consent, and the existence of a contact record in any output is not evidence of consent.

3.10 Harassment, Abuse, and Unlawful Discrimination

• Using the Services to harass, threaten, defame, stalk, bully, intimidate, or harm any person, or to incite or promote violence or self-harm.
• Using the Services to engage in, facilitate, or promote unlawful discrimination against any individual or group on the basis of any characteristic protected under applicable law, including in connection with housing, lending, credit, employment, or other regulated activities.

3.11 Resale and Redistribution of Data

• Reselling, sublicensing, redistributing, or commercially exploiting the Services, any output, or any data obtained through the Services except as expressly permitted by your Signed Agreement or the Terms of Service.
• Repackaging or rebranding the Services or any output as your own product without authorization.

3.12 Misrepresentation and Trademark Abuse

• Misrepresenting your identity, affiliation, or authority, or impersonating any person or entity, including Hive Bastion or its personnel.
• Using the Hive Bastion name, logo, marks, or branding without authorization, or in any manner that implies endorsement, sponsorship, partnership, certification, or approval by Hive Bastion that does not exist.
• Falsely implying endorsement, certification, or approval by Hive Bastion or by any third-party platform, provider, or vendor (including any hosting, cloud, AI, payment, or communications provider) used by Hive Bastion.

3.13 Phishing and Social Engineering

• Using the Services to create, host, or distribute phishing pages, fraudulent communications, or other deceptive content designed to obtain credentials, financial information, or other sensitive data.
• Using the Services to conduct social-engineering, pretexting, or impersonation attacks against any person or organization, except for clearly authorized, scoped, and consented security testing under a written agreement.

4. AI-Specific Acceptable Use

The Services may incorporate or produce content generated, in whole or in part, by artificial-intelligence systems. The following limits apply specifically to AI-enabled use and are in addition to all other provisions of this Policy. These limits align with.

4.1 No Presentation of AI Output as an Authoritative Regulated Determination

You must not present, or cause to be presented, any AI-generated output of the Services as an authoritative or final determination in any regulated decision context, including:

• Underwriting, credit, or lending determinations (for example, treating an output as a credit decision, adverse-action basis, or rate quote);
• Legal determinations or the practice of law;
• Medical, clinical, or health determinations, diagnoses, or treatment decisions; or
• Investment, tax, or insurance determinations.

AI outputs are estimates and drafts intended for the recipient's independent professional review and verification. You are responsible for applying appropriate human review, for complying with all laws governing automated or AI-assisted decision-making (including fair-lending, fair-housing, equal-credit, and adverse-action requirements where applicable), and for any decision you make.

You acknowledge and agree that (a) AI outputs are probabilistic estimates that may be inaccurate, incomplete, or biased; (b) you, and not Hive Bastion, are the decision-maker for any determination informed by an output; and (c) you assume all risk arising from any use of an output in an underwriting, credit, lending, legal, medical, insurance, tax, housing, or employment context, and will indemnify Hive Bastion for any claim arising from such use, as provided in Section 8.6.

4.2 No Deceptive, Harmful, or Prohibited AI Use

• Do not use the Services to generate content intended to deceive, defraud, or manipulate, including deepfakes, synthetic identities, or impersonations used for deception.
• Do not use the Services to generate malware, exploit code, phishing content, unlawful discriminatory content, or content that violates Section 3.
• Do not attempt to manipulate, jailbreak, or circumvent the safety, content, or usage controls of any AI component of the Services.

4.3 AI Output Disclosure

This document, like all Hive Bastion materials that contain or govern AI output, includes the following disclosure:

This document contains content generated, in whole or in part, by AI systems operated by Hive Bastion LLC. AI can make mistakes. Every result herein is an estimate produced for the named recipient's professional review - not a regulated determination, not an underwriting decision, not a rate quote, not legal advice, not medical advice, not investment advice. The named recipient is responsible for the final decision and for verifying any factual claim before acting on it.

5. Data Handling and Privacy Obligations of Users

By design, Hive Bastion follows a data-minimization and transient-pass-through posture: we strive to store no customer or consumer personal data that we do not need, and where data can pass through to your own systems and accounts without retention by Hive Bastion, we design for that.

Hive Bastion does not itself use customer or consumer personal data, or client confidential data, to train, fine-tune, or otherwise improve any AI model. For third-party AI providers, Hive Bastion selects and configures each provider so that, under the provider's then-current terms, submitted content is not used by the provider to train its models by default, and Hive Bastion does not opt into any program that would change that posture. Hive Bastion does not warrant the conduct of third-party providers beyond their published terms; where an engagement requires a contractual no-training commitment stronger than a provider default, that term is captured in the governing Data Processing Addendum.

You remain responsible for your own compliance obligations when using the Services, including:

• ensuring you have a lawful basis and any required consents to submit User Content, especially personal data, sensitive data, or regulated data;
• not submitting data you are prohibited from disclosing or processing;
• honoring the rights of data subjects whose data you process; and
• complying with the data-handling terms of your Signed Agreement, the, and, where applicable, the.

6. Enforcement

6.1 Right to Investigate

Hive Bastion may, but is not obligated to, investigate suspected violations of this Policy. We may review logs, metadata, and, to the extent permitted by applicable law and any Signed Agreement, User Content reasonably necessary to investigate and respond to a suspected violation, abuse report, security incident, or legal request.

6.2 Enforcement Actions

Where Hive Bastion determines, in its reasonable discretion, that a violation has occurred or that action is necessary to protect the Services, other users, third parties, or Hive Bastion, we may take one or more of the following actions, with or without prior notice as the circumstances warrant:

• issue a warning or request remediation;
• throttle, rate-limit, or restrict access to part or all of the Services;
• remove, disable, or quarantine offending User Content or configurations;
• suspend the affected account, credentials, or API keys; and/or
• terminate the affected account or your access to the Services.

Suspension or termination for a violation of this Policy is at Hive Bastion's discretion, consistent with the Terms of Service and any Signed Agreement. We will endeavor to apply enforcement actions in a manner proportionate to the violation, but reserve the right to act immediately where there is a risk of imminent harm, ongoing abuse, legal exposure, or threat to the Services or other users.

6.3 Cooperation with Authorities

Hive Bastion may report suspected unlawful activity to, and cooperate with, law-enforcement and other authorities as required or permitted by applicable law.

6.4 No Waiver

Hive Bastion's failure to enforce any provision of this Policy in a particular instance is not a waiver of our right to enforce it in any other instance.

7. Reporting Abuse

If you become aware of any violation of this Policy, security vulnerability, or abusive use of the Services, please report it promptly to:

• Security and abuse reports: david@hivebastion.com

When reporting, please include enough detail to identify the issue (for example, the affected URL, account, or behavior, and the date and time observed). Do not include more sensitive personal data than necessary to describe the issue. Please do not test, exploit, or further probe any suspected vulnerability; report it and allow Hive Bastion a reasonable opportunity to respond.

8. Disclaimers and Limitations

8.1 No Guarantee of Monitoring

Hive Bastion does not undertake to monitor all User Content or all use of the Services, and is not responsible for User Content or for the conduct of any User. The Services are provided on a commercially reasonable basis; nothing in this Policy is a guarantee that the Services are free of misuse, abuse, or harmful content.

8.2 Limitation of Liability

To the maximum extent permitted by applicable law, Hive Bastion's aggregate liability arising out of or relating to these Terms or your access to or use of the Services is limited as set forth in your separate signed agreement (if any) and, where no fees have been paid by you, to one hundred U.S. dollars (US$100). Nothing in these Terms limits or expands either party's liability beyond what a separate signed agreement provides; in the event of any conflict, the signed agreement controls. To the extent permitted by law, Hive Bastion will not be liable for indirect, incidental, consequential, special, exemplary, or punitive damages.

As used in this Section, "these Terms" includes this Policy and the into which it is incorporated; the amounts-paid liability cap that may apply to a paying Customer lives only in the Terms of Service and any Signed Agreement, not in this published Policy.

8.3 Corporate Form

Hive Bastion LLC is a Tennessee limited liability company. All obligations described in this Policy are obligations of Hive Bastion LLC, satisfiable solely from the assets of the company. Consistent with applicable limited-liability law, this Policy does not create, and is not intended to create, any personal obligation of the sole member or of any personnel of Hive Bastion. Nothing in this provision limits any liability that applicable law does not permit to be limited.

8.4 Governing Law

These Terms (including this Policy) are governed by, and shall be construed in accordance with, the laws of the State of Tennessee, without regard to its conflict-of-laws provisions.

8.5 Dispute Resolution

Any dispute arising out of or relating to these Terms (including this Policy) shall be resolved by binding arbitration administered by the American Arbitration Association under its applicable rules, including the Consumer Arbitration Rules where they apply. The seat of arbitration shall be in or for Montgomery County, Tennessee.

Either party may bring an individual action in small-claims court, or seek injunctive or other equitable relief in a court of competent jurisdiction (located in or for Montgomery County, Tennessee) to prevent or stop actual or threatened infringement, misappropriation, unauthorized access, abuse of the Services, or breach of confidentiality or intellectual-property rights, without first resorting to arbitration and without the requirement of posting a bond. You may opt out of arbitration by sending written notice to david@hivebastion.com within thirty (30) days of first accepting these Terms.

The arbitration shall be conducted on an individual basis only; class, collective, consolidated, and representative actions are waived to the fullest extent permitted by law. The arbitrator may rule on the arbitrability of claims, except that the enforceability of the class-action waiver is for a court to decide; if the class-action waiver is held unenforceable as to any claim, that claim shall proceed in court and the remainder in arbitration. Allocation of arbitration fees is governed by the applicable AAA rules, including the Consumer Arbitration Rules where they apply.

8.6 Your Indemnification Obligations

You will defend, indemnify, and hold harmless Hive Bastion LLC, its sole member, contractors, and agents from and against any third-party claim, demand, loss, liability, damage, cost, or expense (including reasonable attorneys' fees) to the extent arising from or related to: (a) your use of or access to the Services; (b) any data or content you submit, route, or process, including any claim that you lacked the rights, consents, notices, or lawful basis to do so; (c) your violation of these Terms, this Acceptable Use Policy, or applicable law (including the TCPA, CAN-SPAM, and consumer-protection, privacy, and communications laws); (d) your infringement or misappropriation of any third party's intellectual-property or privacy rights; and (e) your User Content or your use of any output of the Services, including any communication you send or decision you make in reliance on such output. This obligation survives termination of your access to the Services. Where you and Hive Bastion have a Signed Agreement, the indemnification terms of that agreement control to the extent of any conflict.

8.7 General

Severability. If any provision of this Policy is held invalid or unenforceable, that provision will be modified to the minimum extent necessary to make it enforceable, or if it cannot be so modified, severed, and the remaining provisions will remain in full force and effect.

Survival. The provisions governing prohibited conduct accrued before termination, indemnification, limitation of liability, disclaimers, confidentiality, governing law, dispute resolution, and these general provisions survive any termination or expiration of your access to the Services.

9. Changes to This Policy

Hive Bastion may update this Policy from time to time to reflect changes in the Services, our practices, or applicable law. The version and date at the top of this document indicate when it was last revised. Material changes will be communicated through the Services or by other reasonable means. Your continued use of the Services after an update takes effect constitutes your acceptance of the revised Policy. This published Policy is a good-faith baseline; any engagement remains governed by your Signed Agreement, which controls in the event of any conflict.

10. Contact

Hive Bastion LLC

1556 Hankook Rd Suite A, PMB 1021

Clarksville, TN 37043

• Contact: david@hivebastion.com
• Website: https://hivebastion.com