The short list of things not to do.

Last updated: April 2026. This policy applies to everyone using the service — free, paid, API, and agents. Violations lead to suspension or termination without refund of plan fees (unused top-up credits are still refunded).

Draft — counsel review pending. Finalized before general availability.

Harm to people

  • Child sexual abuse material (CSAM). Zero tolerance. Violations are reported to NCMEC.
  • Content that sexualizes minors or depicts non-consensual sexual situations.
  • Material designed to harass, stalk, dox, or intimidate specific individuals.
  • Impersonation of real people without their verifiable consent, including deepfaked voice or face.
  • Incitement to violence, self-harm, or terrorism.

Illegal activity

  • Generating instructions to manufacture weapons, explosives, chemical / biological / nuclear agents, or illegal drugs.
  • Money laundering, tax evasion, sanctions evasion, or circumventing export controls.
  • Human trafficking, forced labor, or child labor.
  • Creating fraudulent identification documents, forged signatures, or counterfeit currency.
  • Copyright infringement, trademark infringement, or trade-secret theft.

Abuse of the service

  • Spamming — sending bulk unsolicited messages using our autonomous agents.
  • Attacking our infrastructure, including DDoS, injection, or trying to extract other users' data.
  • Bypassing our rate limits, credit controls, or safety systems.
  • Reverse-engineering our prompts to train competing models.
  • Reselling, sublicensing, exposing, or marketing the automatebusinessnow API as raw access to third-party models, model providers, or provider APIs. Customers may embed automatebusinessnow capabilities (employees, workflows, agents) in their own products; they may not turn the automatebusinessnow API into a model gateway, AI marketplace, provider proxy, or credit-resale service. Violations result in immediate key revocation.
  • Using stolen payment cards or chargeback fraud.

Deceptive or high-risk use

  • Publishing AI-generated content as human-written in contexts that require a human (journalism, academic assignments, legal filings).
  • Providing unlicensed professional advice (legal, medical, financial) to third parties without appropriate human review.
  • Running political campaign operations (paid ads, microtargeting) without disclosure.
  • Making automated decisions about people (credit, employment, housing) without meaningful human oversight.

Platform-specific

  • Using autonomous agents to access third-party services in violation of those services' terms.
  • Connecting integrations you don't own or have explicit permission to access.
  • Generating content that violates any third-party provider's usage policies that automatebusinessnow incorporates by reference. These policies apply transitively to your use of automatebusinessnow workflows that route to those providers internally.

API keys + client tokens (browser/mobile distribution)

  • Embedding a root abn_* key in browser, mobile, or any other client-side binary. Root keys are backend-only. Customers shipping apps to end users mint short-lived abnct_* client tokens from their backend (POST /api/v1/tokens/mint) and ship those instead. Root keys discovered in client-side code result in immediate revocation.
  • Spoofing or omitting the end_user_id when minting client tokens. The end_user_id is the customer's stable opaque id for THEIR end user and is required for spend attribution + abuse suspension. Submitting the same end_user_id for distinct end users, rotating it to evade rate limits, or replacing it with a constant defeats the safety model and is a violation.
  • Routing client-token traffic past the declared allowed_origins (e.g. via server-side proxies that strip the Origin header). Client tokens are origin-bound by contract; if your app is calling from a new origin, mint a new token with that origin in the allowlist.
  • Sharing a single client token across multiple end users. Each end user must get their own token tied to their end_user_id so suspension + abuse handling are per-end-user, not all-or-nothing.

Treat API keys as production secrets

  • Keep ABN API keys confidential. Do not expose keys in client-side code, public Git repositories, mobile binaries, application logs, screenshots, support tickets, or any other publicly accessible location. Treat every key like a production database password.
  • Promptly notify ABN of any suspected compromise — email security@automatebusinessnow.com or revoke the key at /app/api-keys. We will rotate it, scrub the compromised key from active sessions, and review your audit log for spend incurred before discovery.
  • Rotate keys on a regular cadence (we recommend at least quarterly), and immediately rotate any key held by a departing employee or contractor. Generate one key per environment (dev / staging / prod) and per integration so rotation is scoped, not all-or-nothing.
  • Use environment variables, a managed secrets manager (1Password, AWS Secrets Manager, HashiCorp Vault, Doppler, GCP Secret Manager, etc.), or your hosting provider's secrets surface — never check keys into source control, even in private repos. Use the per-key daily and monthly credit caps + allowed_origins as a blast-radius cap so a single leaked key cannot drain the account or be used from unexpected places.
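
One way to enforce the backend-only rule for root keys from the two sections above: a release check that scans client build output for abn_* root keys while leaving abnct_* client tokens alone. This is an added example, not automatebusinessnow code; the key body pattern, the file suffix list and the sample bundle are assumptions constructed for illustration, since the policy gives only the two prefixes.

```python
import re
import sys
from pathlib import Path

# Assumption: the policy gives only the prefixes (abn_ root, abnct_ client);
# the 16+ character body alphabet below is a guess for illustration.
ROOT_KEY = re.compile(r"(?<![A-Za-z0-9])abn_[A-Za-z0-9_-]{16,}")
# Assumption: file types that typically ship to browsers or inside mobile apps.
CLIENT_SUFFIXES = {".js", ".mjs", ".html", ".map", ".json", ".xml", ".plist"}


def redact(key: str) -> str:
    """Keep the prefix and last 4 characters so findings are safe to log."""
    return f"{key[:4]}...{key[-4:]}"


def scan_text(name: str, text: str) -> list[tuple[str, int, str]]:
    """Return (file, line number, redacted key) for each root key in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in ROOT_KEY.finditer(line):
            findings.append((name, lineno, redact(match.group())))
    return findings


def scan_tree(build_dir: str) -> list[tuple[str, int, str]]:
    """Scan client build output (bundles, source maps, app config)."""
    findings = []
    for path in sorted(Path(build_dir).rglob("*")):
        if path.is_file() and path.suffix in CLIENT_SUFFIXES:
            text = path.read_text(encoding="utf-8", errors="replace")
            findings.extend(scan_text(str(path), text))
    return findings


# Constructed sample: a bundle with a client token (allowed in client code)
# on line 1 and a root key (violation) on line 2. Both values are made up.
SAMPLE_BUNDLE = (
    'const a={token:"abnct_Zm9vYmFyYmF6cXV4MTIzNDU2"};\n'
    'const b={apiKey:"abn_c29tZXJvb3RrZXkxMjM0NTY3OA"};\n'
)

if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else scan_text("sample", SAMPLE_BUNDLE)
    for name, lineno, key in hits:
        print(f"{name}:{lineno}: root key {key} found in client artifact")
    sys.exit(1 if hits else 0)
```

Run it against the build directory as a CI step before publishing; the non-zero exit fails the release, and findings are redacted so the check itself does not copy the key into build logs.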

Reporting abuse

If you see content that violates this policy, email abuse@automatebusinessnow.com. Include the URL or job id and a brief description. We acknowledge all reports within 48 hours and action confirmed violations within 7 days.

Enforcement

Depending on severity we may: warn, rate-limit, pause your autonomous agents, suspend your account, terminate your account, report to law enforcement, and / or cooperate with civil actions brought by affected parties. We reserve the right to act without notice on severe violations.