Acceptable Use Policy

1.Scope and definitions

This Acceptable Use Policy (AUP) sets out the rules for using the Vukorix platform operated by Osmicro Networks Pty Ltd (ACN 642 841 638 / ABN 70 642 841 638) (Vukorix, we, our, or us). It applies to every Account, every Customer, and every End User who interacts with the Service — whether they have signed in or are interacting through a Secure Send link, Secure Receive portal, Secure Exchange session, e-signature request, or Secure Rooms (Beta) session.

This AUP supplements, and should be read together with, our Terms of Service. Where this AUP and the Terms of Service conflict, the Terms of Service prevail. Capitalised terms used here without separate definition have the meanings given in the Terms of Service.

You agree to this AUP when you sign up for an Account. End Users agree to this AUP when they use a link or portal that has been issued by a Vukorix Customer.

2.Lawful use

You must use the Service only for lawful purposes and in compliance with all laws and regulations that apply to you, your business, your clients, and the country from which you are using the Service. This includes (without limitation):

• privacy and data protection laws — including the Australian Privacy Principles, the EU and UK GDPR, the California Consumer Privacy Act, and any equivalent law in your jurisdiction;
• professional conduct rules — including bar association rules for legal practitioners, accounting body rules, financial-services regulator rules, and equivalents in your country;
• records-retention and tax laws applicable to you and your clients;
• anti-money-laundering (AML), counter-terrorism financing (CTF), and sanctions laws;
• export controls and trade-sanction regimes — you must not use the Service to transfer documents that are export-controlled to a destination or person prohibited under applicable law;
• intellectual property and copyright laws.

You are responsible for determining what laws apply to you. If you are unsure, get advice — we cannot give you legal advice about your own use of the Service.

3.Prohibited content

You must not upload, transmit, store, request, exchange, or share any content that:

• Is illegal in Australia or in the country of the sender or recipient.
• Constitutes child sexual abuse material (CSAM) or any depiction or content involving the sexual exploitation of minors. We treat this with zero tolerance: any account that uploads or distributes such material will be immediately and permanently terminated, the material preserved as evidence in accordance with applicable law, and the matter reported to the relevant authorities (including the Australian Centre to Counter Child Exploitation, NCMEC in the United States, and equivalent national bodies).
• Promotes, plans, or facilitates terrorism, mass violence, or genocide.
• Is intended to defraud, deceive, or harm others — including but not limited to forged identity documents, forged signatures (other than your own legitimate e-signature), counterfeit financial instruments, or instructions for committing fraud.
• Is defamatory, threatening, harassing, or designed to intimidate a specific person or group.
• Promotes hatred, harassment, or discrimination against a person or group on the basis of race, ethnicity, religion, gender, sexual orientation, disability, or other protected characteristic.
• Infringes copyright, trademarks, trade secrets, patents, or other intellectual property rights of any third party.
• Contains, references, or links to malware — viruses, worms, trojans, ransomware, spyware, keyloggers, rootkits, cryptominers, exploit kits, or any other software or code intended to disrupt, damage, or gain unauthorised access to a computer system.
• Is sexual content involving real persons without their verifiable consent, including non-consensual intimate imagery (sometimes called "revenge porn") and synthetic / AI-generated imagery created without the depicted person's consent.

4.Prohibited activities

You must not, and must not permit anyone using your Account or your links to:

• send unsolicited bulk communications (spam), including using a Secure Send link as a vehicle for marketing to people who have not asked to hear from you;
• impersonate any person, business, government agency, or organisation;
• use the Service to commit, facilitate, or attempt fraud, including invoice fraud, business-email-compromise (BEC) attacks, and any social-engineering scheme;
• circumvent or attempt to circumvent the Warden virus scanner, recipient verification (None / PIN / SMS), expiry, view limits, audit logging, or any other security mechanism in the Service;
• reverse engineer, decompile, disassemble, or otherwise attempt to derive source code, secret keys, or trade secrets from the Service, except to the extent expressly permitted by applicable law;
• probe, scan, or test the vulnerability of the Service or any of our infrastructure without our prior written authorisation, except where you are reporting in good faith under section 10 below;
• conduct denial-of-service or distributed denial-of-service attacks, or otherwise interfere with the integrity, performance, or availability of the Service for other users;
• scrape, crawl, or otherwise extract data from the Service in a manner that is not part of the normal documented functionality;
• use the Service in a manner that places an unreasonable or disproportionate load on our infrastructure;
• resell, sublicense, lease, or otherwise commercially exploit the Service without our prior written consent;
• register multiple Free Trial accounts to extend trial usage beyond the period intended;
• share, sell, or transfer Account credentials to anyone outside your organisation;
• use the Service to build, train, or improve a competing secure-document-workflow product (whether by automated extraction, manual transcription, or otherwise);
• remove, obscure, or alter any proprietary notices contained within the Service.

5.Phishing and impersonation

Vukorix exists, in part, to make phishing harder. We take very seriously any attempt to use Vukorix to enable phishing or impersonation:

• You must not configure your Custom Branding to impersonate another organisation or to mimic a brand whose owner has not authorised you to do so.
• You must not use a Vukorix link as part of an email that fraudulently claims to be from a person, business, or institution that you are not.
• You must not use the verification system (the email verification code on the email footer and the public app.vukorix.com/verify lookup page) in any way that is intended to deceive a recipient about the true origin of an email.
• You must not register an organisation name or display name that is confusingly similar to a real third party with the intent of deceiving recipients.

Suspected phishing or impersonation may be reported under section 10. Where we identify abuse, we will act fast under section 13.

6.Right to share

You are responsible for ensuring you have the legal right to share, request, exchange, sign, or store every piece of Customer Content you put through the Service. In particular:

• If Customer Content includes the personal information of any individual, you must have a lawful basis to process it under the privacy laws applicable to that individual (for example, consent, contract, legal obligation, or legitimate interests under the GDPR).
• If Customer Content includes confidential or trade-secret information of a third party, you must have authority from that third party to share it.
• If Customer Content includes regulated documents (medical records, legal-privileged material, AML/KYC documents, classified information, export-controlled documents), you are responsible for complying with the regulations applicable to those documents.
• If you are sharing documents with someone who has not asked to receive them, you must comply with applicable anti-spam laws (including the Australian Spam Act, the US CAN-SPAM Act, the EU ePrivacy Directive, and equivalent laws in your country).

Vukorix does not validate the legality of your sharing relationships. We rely on you to do that work, and we may suspend or terminate your Account if we have reason to believe you are sharing without authority.

7.Account integrity

You must:

• provide accurate, current, and complete information at sign-up and keep it up to date;
• maintain the confidentiality of your Account credentials and not share them with anyone outside your organisation;
• have mandatory two-factor authentication enabled on every Vukorix Account user, as required by section 5.3 of the Terms of Service;
• notify us promptly at [email protected] if you suspect any unauthorised access to your Account or to a Vukorix link, portal, exchange, or signature request issued under your Account;
• not share Account seats — each team-member seat is intended for a single named user. Buying one seat and rotating multiple users through it is a breach of this AUP and the Terms.

8.Recipients and end users

People who interact with Vukorix through a Secure Send link, Secure Receive portal, Secure Exchange session, e-signature request, or Secure Rooms (Beta) session do so as End Users (or Recipients) of the Customer who issued the link.

End Users also agree to this AUP. Specifically, an End User must not:

• upload content that breaches section 3 (prohibited content);
• impersonate someone they are not;
• circumvent recipient verification, expiry, or view limits;
• upload content for which they do not have the legal right to share;
• attempt to gain unauthorised access to other recipients' content, the Customer's Account, or the Service.

If an End User abuses a link or portal, we may revoke that link, contact the Customer who issued it, and where appropriate take action under section 13.

9.Beta features

Some features are made available as Beta (currently including Secure Rooms). Beta features are intended for legitimate testing of in-development functionality. You must not:

• probe Beta features for vulnerabilities outside the responsible-disclosure path in section 10;
• publish, share, or document Beta features in a way that misrepresents Vukorix's general-availability product;
• use Beta features for production-critical workflows where downtime, errors, or data loss would cause material harm.

10.Reporting abuse

If you believe a Vukorix link, portal, exchange, signature request, or Secure Room is being used to violate this AUP, or you have received a Vukorix-branded email that you suspect is fraudulent, please report it to us so we can investigate.

10.1 General abuse

Email [email protected]. Please include:

• the URL of the Vukorix link, portal, exchange, or page;
• the email verification code (if you have one) so we can identify the email through app.vukorix.com/verify;
• a brief description of why you believe this violates the AUP;
• any supporting evidence (screenshots, message headers, etc.).

We aim to acknowledge abuse reports within one (1) business day and to act, where action is warranted, within five (5) business days.

10.2 Security vulnerabilities

If you have discovered what you believe to be a security vulnerability in the Service, please report it confidentially to [email protected]. Please do not exploit the vulnerability beyond what is needed to confirm it. Reporting in good faith under this section is not a breach of section 4 of this AUP.

10.3 Phishing emails impersonating Vukorix

If you have received an email that looks like it is from Vukorix but you cannot verify it on app.vukorix.com/verify, do not click any links in it. Forward the email (with full headers) to [email protected]. We will investigate and, where appropriate, work with the relevant email provider to take the phishing campaign down.

11.Copyright and trademark

Vukorix respects intellectual-property rights and expects users to do the same. If you believe content shared through Vukorix infringes your copyright or trademark, send a written notice to [email protected] that includes:

• your full legal name and contact details;
• identification of the copyrighted or trademarked work you claim is being infringed;
• identification of the Vukorix link, portal, or content that you believe to be infringing, with enough detail for us to locate it;
• a statement made in good faith that the use is not authorised by the owner, its agent, or the law;
• a statement that the information in the notice is accurate, and (under penalty of perjury where applicable in your jurisdiction) that you are the rights owner or authorised to act on the rights owner's behalf;
• your physical or electronic signature.

Where the notice is valid we will, in line with applicable law (including the United States Digital Millennium Copyright Act for U.S.-related content), take down the infringing content and notify the user who uploaded it. Repeat infringers' Accounts may be terminated under section 13.

If you believe content was taken down in error, you can send a counter-notice under section 14.

12.Personal data takedown

If you are an individual whose personal information has been shared through Vukorix without a lawful basis, you may request that we take it down. Email [email protected] with:

• your name and a way to verify your identity;
• identification of the Vukorix link, portal, or content where your personal information appears;
• a brief explanation of why you believe the sharing is unlawful (for example, "I never consented", "this was supposed to be deleted", "the sender does not have authority to share my financial records").

We will assess the request and act in line with the privacy laws applicable to you. Note that Vukorix is, in most cases, a processor for the Customer who issued the link — we may need to refer your request to that Customer (the controller) under data-protection law. We will tell you if we do.

13.Enforcement

Where we identify a breach of this AUP, the action we take depends on the nature and severity of the breach. Possible actions include:

• Warning — a written notice to the Account owner identifying the breach and asking for it to be corrected within a specified period;
• Removal of content — we may remove or disable access to specific files, links, portals, exchanges, or signature requests;
• Suspension — we may temporarily disable access to the Account, in whole or in part, while we investigate or while you correct the breach (see section 9 of the Cancellation Policy);
• Termination — in serious cases, including breach of section 3 (prohibited content), section 5 (phishing / impersonation), or repeated violations after warning, we may terminate the Account immediately and without further notice;
• Reporting to authorities — for content described in section 3 (in particular CSAM, terrorism content, fraud, or evidence of crime), we will preserve evidence and report to the appropriate law-enforcement, regulatory, or industry body, and cooperate with subsequent investigations;
• Civil action — we reserve the right to pursue civil remedies (damages, injunctive relief) against any user whose breach causes loss to Vukorix or to other users.

Suspension or termination under this section does not by itself entitle you to a refund of paid Subscription fees; refund eligibility is governed by our Refund Policy and any non-excludable statutory rights you have.

14.Appeals

If you believe we have wrongly removed content or taken action against your Account under this AUP, you may appeal by emailing [email protected] within thirty (30) days. Please include:

• identification of the content or Account action you are appealing;
• the basis for the appeal (for example, "the content does not in fact infringe", "I have authority to share this", "the action was based on mistaken identity");
• any supporting evidence.

We will review the appeal in good faith and respond within fifteen (15) business days. If we agree the action was wrong, we will reverse it and restore your access where possible. If we disagree, we will explain our reasoning and you may pursue any remedies available to you under the Terms of Service or applicable law.

15.Cooperation with authorities

We cooperate with valid law-enforcement and regulatory requests in the jurisdictions where we operate. We require those requests to be supported by appropriate legal process (for example, a court order, search warrant, or compelled-production order), except where the request relates to content described in section 3 (prohibited content) and immediate cooperation is necessary to prevent harm.

Where we are not legally prohibited from doing so, and where doing so does not interfere with an investigation, we will notify the affected Account owner of any disclosure to authorities. We do not provide a "transparency report" at this stage of the company; we may publish one in the future and will note it here when we do.

16.Changes

We may update this AUP from time to time. When we make a material change we will update the "Last updated" date above and, if you have an Account with us, notify you by email or through a notice in the Service before the change takes effect. Continued use of the Service after the effective date of the updated AUP constitutes acceptance.

17.Contact

For abuse reports, security disclosures, copyright complaints, personal-data takedown requests, or appeals:

Osmicro Networks Pty Ltd
ABN 70 642 841 638
Abuse and AUP enforcement: [email protected]
Security disclosures: [email protected]
Copyright / IP complaints: [email protected]
Personal-data takedown: [email protected]
General support: [email protected]