Acceptable Use Policy
AUVY Cortex — Annex B to GTC
AUVY GmbH · Am Haag 8 · 82166 Gräfelfing · HRB 311039 (AG Munich) · VAT ID DE461400892
Contact: legal@auvy.ai · Security disclosures: security@auvy.ai
Effective: 18 May 2026
§ 1 Purpose and Scope
(1) This Acceptable Use Policy ("AUP") sets out the obligations of users in accordance with § 7 of the General Terms and Conditions – AUVY Cortex ("GTC") and constitutes binding Annex B to the GTC.
(2) This AUP applies to all persons who use AUVY Cortex ("Cortex") in any capacity — whether they are contracting parties ("Customer") or end users authorised by the Customer ("User"). The Customer is obliged to bind all end users to this AUP and to ensure compliance.
(3) In the event of a conflict between the GTC and this AUP, the GTC shall prevail. AUP-specific provisions supplement the GTC.
§ 2 General Conduct
Users undertake to use Cortex exclusively:
a) within the scope of contractually permitted purposes,
b) in compliance with applicable law (in particular German law, EU law, and applicable export control and sanctions regimes),
c) in compliance with the rights of third parties (in particular copyright, personality rights, data protection rights, and trademark rights),
d) in compliance with this AUP.
§ 3 Prohibited Content
In particular, it is not permitted to input, generate, store, or distribute content that:
a) is unlawful or contrary to public policy, including in particular criminal content (e.g. incitement to hatred, Holocaust denial, incitement to commit criminal offences, child pornography and other content prohibited under applicable criminal law);
b) glorifies violence, contains terrorist propaganda, or provides instructions for serious criminal offences;
c) infringes personality rights, copyright, trademarks, patents, or other rights of third parties;
d) constitutes targeted disinformation about identifiable persons or organisations likely to damage their reputation;
e) endangers children, minors, or other particularly vulnerable groups;
f) generates sexualised depictions without the demonstrable consent of the persons depicted, in particular so-called deepfakes without consent;
g) contains or generates malware, exploits, phishing content, or other security-harmful artefacts.
§ 4 Prohibited Technical Actions
The following are not permitted:
a) Reverse engineering, decompilation, disassembly, or attempts to reconstruct the source code or model weights of Cortex or its subcomponents, except to the extent mandatorily permitted by law (e.g. §§ 69d, 69e UrhG or equivalent provisions);
b) automated scraping, crawling, or bulk extraction of content or responses from Cortex beyond the officially documented interfaces;
c) circumvention or manipulation of security, authentication, or anti-abuse mechanisms (e.g. rate-limit spoofing, artificially inflating inference usage to circumvent the fair-use policy defined in § 6 GTC, IP rotation to circumvent blocks, multi-account manipulation);
d) overloading the platform through unlawfully high request frequencies, distributed denial-of-service attempts, or comparable attacks;
e) unauthorised access to other parties' workspaces, accounts, or data within the platform;
f) introduction of malware, trojans, worms, logic bombs, or comparably harmful code;
g) attempts to view, extract, or manipulate other customers' or users' data without authorisation (breach of tenant isolation).
§ 5 Account and Licence Misuse
(1) Each licence is personal (§ 4(2) GTC). Account sharing — i.e. the shared use of a single licence by multiple natural persons — is not permitted.
(2) Login credentials must be kept confidential. Multi-factor authentication must be activated once offered by AUVY or made mandatory in the workspace.
(3) The sale, rental, sublicensing, or other commercial transfer of a licence to third parties is only permitted with the express written consent of AUVY.
(4) The use of multiple accounts to circumvent limits, blocks, paid features, or the fair-use policy defined in § 6 GTC is not permitted.
§ 6 AI-Specific Prohibitions (EU AI Act)
(1) Cortex must not be used for AI use cases that are prohibited under Article 5 of the EU AI Act (Regulation (EU) 2024/1689), including in particular:
a) subliminal manipulation techniques causing material behavioural change;
b) exploitation of the vulnerability of specific groups (age, disability, socio-economic situation);
c) social scoring by public authorities;
d) predictive policing based on profiling;
e) emotion recognition in the workplace or educational institutions (outside medical/safety exceptions);
f) untargeted scraping of facial images from the internet or surveillance cameras to build biometric databases;
g) real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (outside statutory exceptions).
(2) The use of Cortex for high-risk AI use cases under Annex III of the EU AI Act is only permissible if expressly agreed in advance between the Customer and AUVY and the Customer fulfils all its own provider/deployer obligations under the EU AI Act. This applies in particular to: biometric identification/classification systems; AI in critical infrastructure (energy, transport, water); AI in general and vocational education; AI in employment/HR with significant consequences; AI in access to essential private and public services; AI in law enforcement, migration/asylum/border control, administration of justice, and democratic processes.
(3) Transparency obligations under Art. 50 EU AI Act must be fulfilled by the Customer vis-à-vis its own end customers where Cortex outputs are passed directly to end customers (e.g. disclosure of AI interaction, labelling of AI-generated content/deepfakes).
(4) No training on Customer data: AUVY does not train on Customer data. Conversely, the Customer must not use Cortex outputs as training data for its own models without examining the applicable licensing and copyright obligations.
(5) Prompt injection and jailbreaking: Attempts to systematically circumvent the safety, filter, or due-diligence mechanisms of Cortex or the underlying AI models through manipulative inputs are not permitted.
§ 7 Data Protection and Special Categories of Data
(1) The Customer is the controller within the meaning of Art. 4(7) GDPR for all personal data entered into Cortex and ensures that an appropriate legal basis exists (Art. 6 GDPR; Art. 9 GDPR where applicable for special categories).
(2) The input of special categories of personal data within the meaning of Art. 9 GDPR (health data, biometric data, racial or ethnic origin, religious beliefs, sexual life, trade union membership, etc.) is only permitted where the Customer has a valid legal basis for this and has notified AUVY in advance.
(3) Professionally privileged data (in particular data relating to clients, patients, or comparable persons entrusting information to lawyers, physicians, tax advisers, notaries, psychotherapists, and their professionally acting assistants) may be entered into Cortex only if the confidentiality clause in § 12 of the DPA between the Customer and AUVY has been bilaterally activated in text form. Activation requires cumulatively:
a) a text-form confirmation by the Customer that it is a holder of professional secrecy and that professionally privileged data will be processed via Cortex, and
b) a text-form counter-confirmation by AUVY that the commitments of employees and sub-processors required under § 12(3) of the DPA are in place at that time.
Until this bilateral activation has taken place, the entry of professionally privileged data into Cortex is prohibited. There is no technical unlock in the product; permissibility derives solely from the contractual activation. As the requirements for the counter-confirmation are organisationally demanding, activation is in practice reserved for Enterprise Customers.
(4) The export or deletion of personal data to fulfil data subject rights (Art. 15–22 GDPR) is carried out by the Customer using the functions provided in the product.
§ 8 Spam, Harassment, and Mass Communications
(1) Cortex must not be used to generate or send unsolicited commercial communications (spam) or to conduct harassment or stalking campaigns.
(2) Cortex must not be used to harass, intimidate, threaten, or unlawfully monitor other persons.
(3) For email marketing or comparable communications, the Customer must ensure compliance with applicable unfair commercial practices law and the GDPR (double opt-in, unsubscribe mechanism, sender identification).
§ 9 Security Obligations
(1) Users must report indications of security incidents, compromised accounts, unusual data leakage, or vulnerabilities to security@auvy.ai without undue delay.
(2) Security research conducted within the framework of a Vulnerability Disclosure Policy (see Trust Centre) is encouraged and benefits from a Safe Harbour: provided that no third-party production data is modified or published, no service disruptions are caused, and the coordinated disclosure process is followed, AUVY will not take legal action against researchers.
(3) Penetration tests against Cortex production systems require prior written authorisation from AUVY.
§ 10 Sanctions for Violations
(1) Proportionality: Sanctions under this § 10 must be appropriate, necessary, and proportionate to terminate the specific violation or prevent its recurrence. AUVY will select the least restrictive effective measure first. When determining the appropriate sanction, AUVY will consider in particular: (a) severity and duration of the violation, (b) intent or negligence, (c) repeat offences, (d) damage caused, (e) possibilities for immediate remedy by the Customer.
(2) In the event of a violation of this AUP or the GTC, AUVY may — subject to para. (1) — respond in the following order:
a) Warning with notice of the specific violation, setting of a reasonable cure period (generally at least 7 days in text form, except in urgent cases) and request for remediation,
b) Suspension of individual licences in the affected workspace (initially only to the extent necessary to contain the violation),
c) Suspension of the entire workspace,
d) Extraordinary termination of the contract pursuant to § 9(5) GTC.
(3) In the case of serious violations (in particular unlawful acts under § 3 or § 6(1) of this AUP, active security attacks, imminent endangerment of third parties), AUVY may suspend or terminate immediately without prior warning. AUVY will inform the Customer without undue delay after taking the measure and give it an opportunity to comment.
(4) AUVY is entitled to block or delete affected content, or to report unlawful content to competent authorities to the extent required by law.
(5) Claims by AUVY for damages, reimbursement of expenses, or indemnification against the Customer for violations remain unaffected.
§ 11 Reporting Suspected Violations by Third Parties
(1) Reports of unlawful content, cases of misuse, or AUP violations may be submitted to legal@auvy.ai.
(2) AUVY will review reports within a reasonable period and, where reports are substantiated, take appropriate measures pursuant to § 10.
(3) Wilfully false reports may themselves constitute an AUP violation.
§ 12 Amendments to this AUP
(1) AUVY reserves the right to amend this AUP with future effect, in particular to adapt it to changes in law, new patterns of misuse, or new features of Cortex.
(2) Material amendments will be announced at least 30 days before taking effect in text form. Otherwise § 17 GTC applies mutatis mutandis (right to object, right to terminate).
§ 13 Miscellaneous
(1) This AUP is governed by the laws of the Federal Republic of Germany to the exclusion of the UN Convention on Contracts for the International Sale of Goods (CISG).
(2) Otherwise, the miscellaneous provisions of the GTC (§ 19 GTC) apply mutatis mutandis.
