Acceptable Use Policy

SECTION 01

Purpose & Scope

This Acceptable Use Policy ("AUP") governs all use of the IntentGuard platform, including the web application at app.intentguard.dev, the API, and any integrations or tools provided by IntentGuard. It applies to all users: individuals, organisations, trial users, paid subscribers, and users of Single Audit purchases.

This AUP is incorporated by reference into the IntentGuard Terms of Service at intentguard.dev/terms. Capitalised terms not defined here have the meanings given in the Terms of Service. By using IntentGuard, you agree to this AUP in full.

IntentGuard exists to help developers, founders, and security teams understand the intent alignment of their own code — whether the code does what it was designed to do, safely and as documented. This purpose shapes every rule in this policy.

SECTION 02

The Core Rule: Authorisation

The Authorisation Requirement You may only submit repositories for auditing that you own outright, or for which you have received explicit, written authorisation from the repository owner. Auditing any repository without this authorisation is a material breach of this AUP and will result in immediate account termination. It may also constitute unauthorised access to computer systems under applicable law, including the Computer Misuse Act (UK), the Computer Fraud and Abuse Act (US), and equivalent legislation in other jurisdictions.

Authorisation must be:

Explicit — the repository owner must have specifically authorised the audit, not merely granted general access to the codebase;
Written — email, Slack, or other documented communication is sufficient; verbal permission alone is not; and
Current — authorisation granted for a previous audit does not automatically cover future audits if ownership or your relationship to the organisation has changed.

If you are an employee or contractor auditing your employer's codebase, your employment or contractual relationship is ordinarily sufficient authorisation, provided it covers the specific repositories you are auditing. If in doubt, obtain explicit written confirmation from your manager or security team before proceeding.

SECTION 03

Permitted Uses

The following uses are expressly permitted:

Permitted Use	Example
Auditing repositories you own as an individual or sole trader	Your personal open-source project, your freelance client's codebase (with their written consent)
Auditing your organisation's repositories as an employee or contractor with authorisation	Internal microservices, your startup's main product repo, a legacy codebase your team maintains
Auditing a target company's repository as a VC analyst or investor, with the company's consent	Pre-investment technical due diligence with a signed NDA and consent from the CTO
Auditing your own open-source project hosted on GitHub	Any public repo you created and maintain
Sharing your audit report with stakeholders (investors, auditors, customers)	Sharing your IntentGuard report in a board pack or data room
Using audit findings to prioritise internal remediation work	Filing tickets based on IntentGuard findings in your own issue tracker
Using IntentGuard via CI/CD to monitor your own repositories for drift	Automated audits triggered by pull requests on your own codebase

SECTION 04

Prohibited Uses

The following uses are strictly prohibited. This list is illustrative, not exhaustive. IntentGuard reserves the right to determine that additional uses not listed here are prohibited if they conflict with the purpose of the platform or cause harm.

4.1 Unauthorised Auditing

Auditing any repository you do not own and for which you do not have explicit written authorisation, regardless of whether the repository is public or private.
Auditing a competitor's codebase, even if their code is publicly accessible on GitHub or elsewhere.
Auditing government, critical infrastructure, or regulated-sector codebases without explicit written authorisation from an authorised officer of the owning organisation.
Auditing repositories belonging to organisations where your authorisation has lapsed, been revoked, or is unclear.
Creating multiple accounts or using Single Audit purchases to audit repositories that you are not authorised to audit under a subscription.

4.2 Offensive Security and Weaponisation

Strictly Prohibited IntentGuard findings must never be used to attack, exploit, or compromise systems that you do not own or are not explicitly authorised to test. IntentGuard is a defensive tool. Using its findings offensively — to identify and exploit vulnerabilities in systems you do not control — is a serious violation of this AUP and likely a criminal offence in your jurisdiction.

Using IntentGuard findings to identify and exploit vulnerabilities in systems you do not own or are not authorised to test.
Using findings to conduct penetration testing on third-party systems without explicit, written authorisation from the system owner.
Sharing findings from audits of third-party repositories with any party other than the repository owner, without the owner's consent.
Using findings to build, train, or augment attack tools, exploit databases, or vulnerability databases.
Reselling or commercially redistributing findings from audits of repositories you do not own.

4.3 Platform Abuse and Circumvention

Attempting to bypass, manipulate, or circumvent audit quotas, seat limits, or tier restrictions by any means, including creating multiple accounts, sharing account credentials, or exploiting API behaviour.
Attempting to reverse-engineer, decompile, or extract IntentGuard's proprietary algorithms, scoring methodology, prompt templates, or LLM configurations.
Injecting adversarial content into code submitted for auditing with the intent of manipulating the analysis output, gaming the Intent Alignment Score, or causing the platform to behave unexpectedly.
Submitting code that contains payloads, exploits, or malicious content designed to attack IntentGuard's infrastructure or the AI models used in analysis. Note: our ingestion pipeline includes pre-audit sanitisation for secrets and injection patterns — attempts will be detected and logged.
Using automated scripts, bots, or tools to interact with the platform in a manner not supported by the official API, including scraping audit results, report data, or platform content.
Attempting to exceed API rate limits through request flooding, distributed requests, or any other means.

4.4 Prohibited Content in Submitted Repositories

You must not submit repositories for auditing that contain:

Malware, ransomware, spyware, or other malicious code designed to harm systems or users;
Child sexual abuse material (CSAM) or any content that sexualises minors;
Code that implements or facilitates illegal surveillance, stalkerware, or non-consensual tracking;
Code that implements weapons of mass destruction, bioweapon synthesis, or similar prohibited content; or
Content that violates applicable export control laws or sanctions regimes.

Submitting repositories containing such content will result in immediate account termination, reporting to relevant authorities where required by law, and potential referral for criminal prosecution.

4.5 Misrepresentation and Fraud

Representing IntentGuard-generated findings as the output of a human security audit, penetration test, or professional security assessment without clearly disclosing that the findings were AI-generated.
Altering, falsifying, or misrepresenting IntentGuard audit reports to any third party, including investors, auditors, regulators, or customers.
Using IntentGuard reports to make misleading claims about the security posture of a codebase in fundraising materials, investor communications, or public disclosures.
Providing false information to IntentGuard in connection with account creation, subscription purchase, or any communication with IntentGuard support.

4.6 Illegal and Harmful Uses

Using IntentGuard in any manner that violates applicable law, including data protection law, intellectual property law, computer crime law, export control law, or sanctions law.
Using the platform to facilitate, enable, or conceal illegal activity of any kind.
Using the platform to harass, threaten, or harm any individual or organisation.

SECTION 05

Report Sharing Rules

IntentGuard audit reports are powerful documents. The following rules govern how they may be shared:

Scenario	Permitted?
Sharing your own report with your investors, board, or internal team	✓ Always permitted
Sharing your own report in a data room for M&A or fundraising	✓ Always permitted
Sharing your own report with a customer as evidence of security posture	✓ Always permitted
A VC analyst sharing a report on a portfolio company's code with a co-investor	⚠ Only with the portfolio company's written consent
Sharing a report generated from a third party's code without their consent	✗ Prohibited
Publishing a report generated from a third party's code publicly (blog, social media, etc.)	✗ Prohibited
Reselling or commercially distributing a report generated from code you do not own	✗ Prohibited

Share tokens generated by IntentGuard are time-limited per your subscription tier. Sharing a report via a share token does not transfer ownership of the findings or grant the recipient any rights to reproduce or redistribute the report.

SECTION 06

AI Model Interaction Rules

IntentGuard uses multiple AI models (Anthropic Claude, Google Gemini, Mistral AI, and Microsoft Azure OpenAI) to perform analysis. The following rules apply to your interactions with the AI-powered platform:

Do not attempt to manipulate, jailbreak, or subvert the AI models used by IntentGuard through adversarial prompts, specially crafted code, or any other technique.
Do not attempt to extract the system prompts, configuration, or internal instructions used by IntentGuard's AI pipeline.
Do not use IntentGuard as a proxy to interact with the underlying AI models in ways not intended by the platform, including attempting to use the audit interface as a general-purpose AI chat interface.
Do not submit repositories specifically designed to elicit harmful, biased, or policy-violating outputs from the AI models.

Our AI pipeline includes pre-audit sanitisation that redacts secrets and API keys (31 regex patterns) and neutralises prompt injection attempts (13 patterns) before any code reaches the AI models. Attempts to circumvent this sanitisation are a violation of this AUP and will be logged.

SECTION 07

Consequences of Violation

IntentGuard takes violations of this AUP seriously. The severity of our response will be proportionate to the nature and gravity of the violation. We reserve the right to take any or all of the following actions:

Severity	Examples	Response
Minor	Unintentional quota circumvention, minor misuse of report sharing	Written warning. Opportunity to cure within 7 days.
Moderate	Repeated minor violations, sharing a report without consent, minor platform abuse	Immediate suspension of auditing capability. 14-day cure period. No refund if terminated.
Serious	Auditing unauthorised repositories, offensive security misuse, falsifying reports	Immediate account termination without notice. No refund. Permanent ban on new accounts.
Critical	CSAM, malicious code injection, criminal activity, large-scale unauthorised auditing	Immediate account termination. Reporting to relevant law enforcement and regulatory authorities. Civil and/or criminal referral.

IntentGuard is not obligated to provide notice or an opportunity to cure for serious or critical violations. Where we suspect criminal activity, we will cooperate fully with law enforcement.

Terminated accounts may not create new accounts or access the platform through any other means. Attempting to circumvent a ban is itself a violation of this AUP.

SECTION 08

Reporting Violations

If you become aware of any violation of this AUP — including unauthorised auditing of your own repositories, misuse of reports, or platform abuse — please report it immediately.

We will investigate all reports and respond within 48 hours. We take responsible disclosure seriously and will not penalise users who report violations in good faith.

Security researchers who discover vulnerabilities in the IntentGuard platform itself should follow responsible disclosure practices and contact us before public disclosure.

Report an AUP Violation

📧 Email: [email protected]

📋 Subject line: AUP Violation Report

ℹ️ Include: nature of the violation, relevant account information, timestamps, and any evidence.

SECTION 09

Changes to This Policy

IntentGuard may update this AUP from time to time to reflect changes in the platform, applicable law, or industry standards. Material changes will be communicated by email with at least 14 days' notice for existing subscribers. The "Last updated" date at the top of this document will be updated on any change.

Continued use of the platform after the effective date of any update constitutes acceptance of the revised AUP.

SECTION 10

Contact

Questions about this policy or requests for clarification on whether a specific use is permitted:

IntentGuard

Operated by Intouch Prepaid (Pty) Ltd · Registered in South Africa

📧 General: [email protected]

🔧 Support: [email protected]

🌐 intentguard.dev