Acceptable Use Policy

Aurora Command Acceptable Use Policy
Public-facing use restrictions for the website, self-service plan, reviewer portals, and related services
Effective date: March 15, 2026
This Acceptable Use Policy (“AUP”) forms part of the Aurora Command Self-Service Subscription Terms, the Aurora Command Website Terms of Use, and any other Borealis agreement that incorporates it. Capitalized terms not defined here have the meanings given in the applicable governing agreement.
1. Purpose
Aurora Command is a business software service intended to help customers organize, manage, and share governance, compliance, evidence, readiness, and related information. This AUP protects the service, Borealis, customers, reviewers, and third parties from abuse, legal exposure, and security risk.
2. You Must Not Use the Service or Website To
    • Violate any law, regulation, court order, sanctions program, export restriction, contractual obligation, or third-party right.
    • Upload, transmit, store, process, publish, or share content that is unlawful, fraudulent, deceptive, misleading, defamatory, invasive of privacy, harassing, threatening, hateful, obscene, or otherwise objectionable.
    • Infringe, misappropriate, dilute, or violate intellectual property, privacy, publicity, confidentiality, employment, or other rights of another person or entity.
    • Submit false identities, false affiliations, forged approvals, fabricated evidence, falsified questionnaire responses, misleading trust materials, or other inaccurate or deceptive content.
    • Impersonate another person or entity or falsely represent a relationship with Borealis, a customer, a reviewer, or a regulator.
3. Security and Platform Abuse Prohibitions
    • Reverse engineer, decompile, disassemble, decode, or attempt to derive source code, underlying ideas, models, taxonomies, mappings, prompts, or system architecture except to the extent non-waivable law expressly permits it.
    • Probe, scan, scrape, spider, benchmark, monitor availability by bot, stress test, vulnerability test, or penetration test the service or website without Borealis’s prior written authorization and mutually agreed scope.
    • Bypass, disable, defeat, or interfere with authentication, encryption, MFA, rate limits, usage caps, robots controls, link expiration, watermarking, audit logging, metering, or any security or access control feature.
    • Use malware, ransomware, spyware, exploit code, credential stuffing, phishing, denial-of-service methods, or any other malicious or disruptive technique.
    • Attempt unauthorized access to accounts, data, systems, networks, or environments, including through shared credentials, token replay, session hijacking, prompt injection designed to circumvent policy or security controls, or misuse of reviewer links.
    • Interfere with or disrupt other users, the integrity of the service, or Borealis infrastructure, including by excessive automation, abusive traffic, abusive message volume, or storage misuse.
4. Data Restrictions
Unless Borealis expressly agrees otherwise in a separate Borealis-signed writing, you must not upload, input, transmit, or otherwise make available through Aurora Command any Restricted Data or other data that would require Borealis to assume obligations beyond those expressly stated in the applicable agreement.
    • Protected health information regulated by HIPAA or similar health privacy laws.
    • Payment card data subject to PCI DSS, including full card numbers, magnetic stripe data, CVV/CVC values, PINs, or equivalent payment authentication data.
    • Social Security numbers, driver’s license numbers, passport numbers, national ID numbers, taxpayer ID numbers, or similar government-issued identifiers except in masked or truncated form where strictly necessary and lawful.
    • Biometric identifiers, biometric templates, faceprints, voiceprints, or comparable uniquely identifying biometric data.
    • Children’s data subject to COPPA or similar laws, or data relating to anyone under 16 unless Borealis expressly states support in writing.
    • Classified information, ITAR-controlled data, export-controlled technical data, CUI, or other data subject to national-security restrictions.
    • Data subject to GDPR, UK GDPR, Swiss FADP, or similar foreign-law regimes that would require materially different processor, transfer, localization, or audit commitments, unless Borealis expressly agrees in writing.
5. AI and Automation Restrictions
    • Use AI-assisted features as a substitute for legal advice, compliance certification, audit opinion, underwriting decision, or any binding representation to a reviewer without appropriate human review.
    • Use Aurora Command or its outputs to train, fine-tune, evaluate, or improve a competing product, model, or data corpus except as Borealis expressly permits in writing.
    • Use prompts, uploads, retrieval techniques, or adversarial content to extract non-public information about Borealis, other customers, or third parties.
    • Use a Customer-Supplied API Key unless you have authority to use that key, the associated provider account, and the associated models for the relevant workload.
    • Use AI features to generate spam, phishing, malware, credential attacks, social engineering content, or unlawful surveillance or employment-evaluation materials.
6. Reviewer, Sharing, and Trust Materials Restrictions
    • Share reviewer links, reviewer materials, trust documents, or customer content with unauthorized parties.
    • Republish, resell, scrape, or benchmark restricted documents or reviewer portals.
    • Access a reviewer portal except for the evaluation purpose for which the customer or Borealis authorized access.
    • Circumvent approval gates, expiration dates, download restrictions, or logging built into sharing features.
7. No Resale, Service Bureau, or Competitive Use
    • Resell, sublicense, lease, rent, timeshare, white-label, or provide the service to third parties as a service bureau without Borealis’s prior written consent.
    • Use the service or website to create or improve a competing product, trust center, evidence library, framework-mapping database, questionnaire automation engine, or AI retrieval platform.
    • Publish or disclose performance, capacity, or competitive benchmark information without Borealis’s prior written consent.
8. Enforcement
Borealis may investigate suspected violations of this AUP and may suspend, restrict, remove, quarantine, or terminate access, content, integrations, reviewer links, AI features, or accounts if Borealis reasonably believes a violation occurred or a security, legal, or operational risk exists.
Borealis may preserve evidence, cooperate with customers, service providers, regulators, or law enforcement, and disclose relevant information where Borealis reasonably believes disclosure is necessary to investigate, stop, remediate, or respond to a violation or security risk.
Borealis is not required to provide advance notice before taking protective action where Borealis reasonably believes immediate action is appropriate.
9. Updates
Borealis may update this AUP prospectively. The most current version may be posted online or otherwise made available through the service. Continued use after an updated version becomes effective constitutes acceptance of the updated AUP to the maximum extent permitted by law.