Acceptable Use Policy (AUP) — OilFlow Network
OilFlow standard form. Self-attested, under counsel review. Custom redlines are accepted in pilot agreements.
This Acceptable Use Policy ("AUP") governs use of the OilFlow Network APIs and Workflow Suite (the "Services"). It is incorporated by reference into the Master Services Agreement ("MSA") and any Order Form executed with Customer.
1. Permitted Use
1.1 Customer may use the Services solely for lawful compliance, KYC, sanctions-screening, regulatory due diligence, and trade-compliance workflow purposes connected to Customer's own business operations.
1.2 Customer is responsible for all activity under its API keys, including activity by Customer's employees, contractors, and end users.
2. Prohibited Use
Customer will not, and will not permit any user to:
2.1 Sanctions evasion — use the Services to facilitate, conceal, or advance any transaction with a sanctioned party or sanctioned jurisdiction, or any transaction in violation of OFAC, UN, EU, UK HMT, Canadian SEMA, Australian DFAT, or Swiss SECO sanctions.
2.2 Illegal data collection — submit personal data Customer is not lawfully permitted to process, including data obtained in violation of GDPR, UK GDPR, CCPA, or any applicable data-protection law.
2.3 Reverse engineering — disassemble, decompile, or attempt to derive the source code, model weights, or underlying compliance rules of the Services, except to the limited extent applicable law expressly permits.
2.4 Competitive benchmarking for resale — use the Services to build a competing compliance API, sanctions database, or scam-cluster intelligence feed for resale to third parties.
2.5 Scraping or volume abuse — exceed published rate limits, share API keys outside Customer's organization, or use automated tooling to circumvent quota or billing controls.
2.6 Disinformation or harassment — publish OilFlow verdicts, cluster records, or KYC reports in a manner intended to defame, harass, or falsely accuse a third party of wrongdoing without independent verification.
2.7 Security testing without authorization — conduct penetration testing, vulnerability scanning, or denial-of-service testing against the Services without prior written authorization from security@oilflow.us.
3. Sandbox Restrictions
3.1 Sandbox API keys are scoped to read-only public endpoints (/api/v1/regulatory/*, /api/v1/clusters/check). They may not be used for production compliance decisions, regulatory reporting, or any purpose that materially affects a third party.
3.2 Sandbox keys carry a 100-request daily cap and 7-day TTL. Bypassing either limit via key rotation, IP rotation, or distributed issuance constitutes a breach of this AUP.
4. Data Subject Rights
4.1 Customer is the data controller for any personal data submitted to the KYC, UBO, adverse-media, or workflow endpoints. Customer is solely responsible for responding to data subject requests (access, rectification, erasure, portability) under applicable law.
4.2 OilFlow will assist Customer with data subject requests as required by the DPA. Customer may not deflect data subject requests to OilFlow or identify OilFlow as the controller.
5. Compliance with Output
5.1 OilFlow KYC verdicts, cluster matches, and sanctions screens are decision support, not decision substitution. Customer remains responsible for the final compliance decision and any regulatory filing.
5.2 Customer will independently verify any high-stakes verdict (rejection of a counterparty, filing of a SAR, freezing of an account) against the underlying sources cited in the evidence_links[] array before acting.
6. Public Documents Disclaimer
6.1 All OilFlow-generated documents (NCNDA, SPA drafts, regulator reports) ship as DRAFT — FOR REVIEW BY INDEPENDENT LEGAL COUNSEL. Customer will not present, file, or execute such documents without counsel review and Customer-side modification.
7. Enforcement
7.1 OilFlow may suspend or terminate access for any material breach of this AUP, with notice where practicable and immediately where the breach risks sanctions exposure, security incident, or regulatory action against OilFlow or another customer.
7.2 OilFlow may report sanctions violations or other serious unlawful conduct to appropriate authorities and will cooperate with regulator investigations.
8. Changes to this Policy
8.1 OilFlow may update this AUP from time to time. Material changes will be announced via email to Customer's billing contact and posted at /legal/aup at least 30 days in advance of taking effect.
Last updated: 2026-06-02. Questions: legal@oilflow.us.