Acceptable Use Policy

This Acceptable Use Policy ("AUP") defines the boundaries of permitted use for the Qpher PQC Security Cloud platform. It supplements the Terms of Service and applies to all users of the Service, including API consumers, portal users, and SDK users. The purpose of this policy is to ensure the security, availability, and integrity of the platform for all customers.

The following activities are prohibited when using the Qpher platform: **Security Violations**: (a) Attempting to bypass, disable, or circumvent authentication mechanisms, rate limiting, tenant isolation, or any other security control, (b) attempting to extract, export, or reconstruct private cryptographic key material through any means, (c) probing, scanning, or testing the vulnerability of the Service or its infrastructure without prior written authorization from Qpher, (d) using the Service to facilitate unauthorized access to any third-party system or network. **Illegal Use**: (a) Using the Service for any purpose that violates applicable local, state, national, or international law, (b) encrypting, signing, or storing content that is illegal under applicable law, (c) using the Service to facilitate money laundering, terrorist financing, sanctions evasion, or other financial crimes, (d) using the Service to process data in violation of data protection laws (GDPR, CCPA, etc.). **Abuse and Disruption**: (a) Conducting or facilitating denial-of-service (DoS) attacks against any system, including the Service, (b) distributing malware, ransomware, or other malicious software using the Service, (c) using the Service to send unsolicited communications (spam), (d) interfering with the Service's availability or performance for other customers, (e) excessive automated use that degrades performance for other tenants beyond documented rate limits. **Commercial Misuse**: (a) Reselling, sublicensing, or redistributing the Service without written authorization from Qpher, (b) using the Service to build a competing product or service, (c) reverse-engineering, decompiling, or disassembling any part of the Service beyond what is permitted by applicable law.

Each plan tier includes defined resource limits for API calls, API keys, and PQC keys as specified in the pricing plans. Operations exceeding plan limits are rejected with a 403 error (ERR_POLICY_001); there are no surprise overage charges. The following additional limits apply to all plans: - **Request Rate**: Per-tenant rate limiting is enforced at the API Gateway. Default limits are documented in the API reference. - **Payload Size**: Maximum request payload size is enforced per endpoint. Encrypt endpoints accept payloads up to the documented maximum. - **Concurrent Connections**: Reasonable concurrent connection limits are enforced to ensure fair resource allocation. - **Key Generation**: PQC key generation is limited by the plan-tier key quota. Key generation for testing purposes should use the stub mode in non-production environments. Enterprise customers may negotiate custom resource limits as part of their agreement.

Qpher reserves the right to take the following actions in response to violations of this Acceptable Use Policy: **Investigation**: Qpher may investigate suspected violations, including reviewing API usage logs, audit trails, and request patterns. Investigations are conducted in accordance with the Privacy Policy. **Graduated Response**: (a) First violation (non-critical): written warning via email with a description of the violation and required corrective action. (b) Repeated or unresolved violation: temporary suspension of API access for the affected tenant (data preserved, access disabled). (c) Severe or persistent violation: account termination with 30 days notice (or immediately for violations involving illegal activity or active security threats). **Immediate Action**: Qpher may immediately suspend access without prior notice if a violation: (a) poses an imminent threat to the security or availability of the Service, (b) exposes other customers' data, (c) involves illegal activity, or (d) is required by law or a court order. **Appeals**: Customers may appeal enforcement actions by contacting support@qpher.ai within 14 days of the action. Appeals are reviewed by a member of the Qpher leadership team.

If you become aware of any violation of this Acceptable Use Policy, please report it to: - **Security violations**: security@qpher.ai - **Abuse or illegal activity**: abuse@qpher.ai - **General policy questions**: support@qpher.ai Qpher will acknowledge reports within 48 hours and investigate in a timely manner. Reports may be submitted anonymously. Qpher will not retaliate against good-faith reporters. If you are a security researcher, please also review our Vulnerability Disclosure Policy on the Trust Center at /trust/security.

Qpher reserves the right to update this Acceptable Use Policy at any time. Material changes will be communicated via email and in-portal notification at least 30 days before taking effect. Continued use of the Service after the effective date constitutes acceptance of the updated policy. The current version of this policy is always available at qpher.ai/legal/acceptable-use. Qpher, Inc. Registered in the State of Delaware, United States. Effective Date: February 16, 2026