Opscotch Acceptable Use and Safety Policy

This Acceptable Use and Safety Policy (“Policy”) applies to all access to and use of Opscotch software, preview releases, websites, and related services.

This Policy is incorporated into the Opscotch Software License Agreement and the Developer Preview Terms. Capitalized terms used but not defined here have the meanings given in the applicable governing agreement.

1. Core principle

Opscotch provides tooling that can automate or orchestrate actions inside customer-controlled environments. Because those actions may be sensitive, destructive, externally visible, or safety-relevant, you are responsible for using Opscotch carefully, lawfully, and only within the permissions and safeguards you intend.

2. Prohibited use

You must not use Opscotch to, or in a manner that would enable others to:

2.1 Break the law or violate rights

• violate any law, regulation, court order, sanctions regime, or binding industry rule;
• infringe, misappropriate, or violate any intellectual property, privacy, confidentiality, employment, security, or other rights of any person;
• access or process data, systems, accounts, devices, or services without authorization; or
• facilitate fraud, theft, deception, impersonation, harassment, abuse, or unlawful surveillance.

2.2 Cause unauthorized technical harm

• deploy, deliver, or facilitate malware, ransomware, spyware, botnets, credential theft, phishing, denial-of-service attacks, or other malicious code or activity;
• probe, scan, exploit, or test vulnerabilities without authorization;
• bypass, disable, or interfere with technical controls, access controls, monitoring, or security protections;
• exfiltrate or expose data without authorization;
• tamper with audit logs, evidence trails, or incident-response records; or
• use Opscotch to evade attribution, accountability, licensing controls, or security review.

2.3 Use unsafe or uncontrolled automation

• permit destructive or security-sensitive automations to run in production without appropriate review, approval, or safeguards;
• grant broader credentials, privileges, network access, or execution rights than are reasonably necessary for the intended workflow;
• route customer data, secrets, or regulated information to external destinations without authority and a lawful basis;
• allow automated changes to physical devices, critical systems, or operational technology without appropriate human oversight and emergency-stop capability; or
• ignore or override known risks, warnings, failed tests, or change-control requirements.

3. High-risk use prohibition

Unless Opscotch has expressly agreed otherwise in a separate signed agreement that specifically addresses the deployment and allocates the risk, you must not use Opscotch in connection with any activity where failure, delay, error, unauthorized operation, or unsafe output could reasonably be expected to cause death, personal injury, environmental damage, serious property damage, or major infrastructure disruption.

Prohibited examples include:

• life-support or life-sustaining systems;
• medical devices or patient-care systems;
• emergency response or public safety systems;
• utilities or critical infrastructure control;
• aviation, maritime, rail, or autonomous vehicle control;
• nuclear facilities;
• industrial safety, emergency shutdown, or hazardous process control systems; and
• weapons systems.

4. Required safeguards

At a minimum, you must implement safeguards appropriate to your environment and risk profile. Unless clearly inapplicable to your deployment, those safeguards should include:

4.1 Access and identity controls

• least-privilege credentials;
• separation of duties where appropriate;
• individual rather than shared administrative access where feasible;
• secure credential storage and rotation; and
• immediate revocation of access when no longer needed.

4.2 Change management and review

• testing in non-production environments before production rollout;
• review and approval for materially destructive or externally visible workflows;
• controlled release management for workflow changes;
• rollback or recovery plans; and
• logging of important changes.

4.3 Operational safeguards

• backups and recovery procedures;
• monitoring, alerting, and audit logs;
• network egress controls and destination allowlists where appropriate;
• rate limits, guardrails, and execution boundaries;
• human-in-the-loop review for high-impact actions; and
• manual override / emergency stop capability for automations that can materially affect systems or devices.

4.4 Data and privacy safeguards

• legal authority to collect, use, disclose, and transfer any data processed by your workflows;
• minimization of sensitive data and secrets;
• no unnecessary transmission of Customer Content to Opscotch or third parties; and
• notices, consents, and internal policies appropriate to your deployment.

5. Your accountability

You are responsible for:

• all workflows, commands, prompts, rules, policies, destinations, and integrations you configure or allow;
• all actions performed in your environment using your accounts, systems, credentials, or settings;
• evaluating the effect of any automation on third-party systems, devices, environments, or people; and
• verifying that your use of Opscotch is suitable for the specific systems and environments in which you deploy it.

Opscotch does not assume operational control over your environment merely by providing the software.

6. Enforcement

Opscotch may investigate suspected violations of this Policy and may suspend, restrict, or terminate access to the Software or related services if Opscotch reasonably believes:

• this Policy has been violated;
• continued use creates a security, safety, legal, or reputational risk; or
• suspension or termination is necessary to protect Opscotch, its customers, third parties, or the public.

Opscotch may also report unlawful conduct to relevant authorities where permitted or required by law.

7. Changes to this Policy

Opscotch may update this Policy from time to time. Material changes will take effect as described in the governing agreement.

8. Contact

Questions about this Policy should be sent to legal@opscotch.co.