Acceptable Use Policy

Status: ACTIVE
Owner: Daan ([email protected])
Effective: 2026-04-20
Last reviewed: 2026-04-20
Next review: 2026-10-20

Purpose

Define expected behavior for all users of rotor.sh services — employees, contractors, and customers — to protect the platform's integrity, security, and other users' quality of service.

Scope

All Rotor employees, contractors, and end customers (including free-tier, Pro, Team, and Enterprise plans).

Policy

1. Authorized Use Only

Users may interact with rotor.sh APIs, SDKs, MCP tools, and the CLI only with credentials they have legitimately obtained. Sharing API keys outside one's organization is prohibited.

2. Tenant Isolation Respect

Users must not attempt to circumvent BullMQ tenant isolation (the {ws_<id>} prefix boundary). Probing, enumerating, or accessing another workspace's queues, jobs, or audit events is prohibited regardless of technical feasibility.

3. PII and Sensitive Data Handling

Payloads must not contain unencrypted PII outside the supported PII-redaction path (Guardrail Engine). Users who need to process PII must enable PII redaction in their workspace's guardrail config before enqueuing jobs containing personal data.

4. Rate and Quota Compliance

Users must not attempt to circumvent per-plan job-execution quotas (Free: 10k/mo, Pro: 100k/mo, Team: 1M/mo). Artificially spreading load across multiple free-tier workspaces to exceed limits is prohibited and will result in account termination.

5. No Unauthorized Scraping or Reverse Engineering

Users must not attempt to reverse-engineer rotor.sh internal APIs, Redis key structures, or BullMQ Lua scripts beyond what is documented in the public API reference.

6. No Abuse of the Approval Flow

The approvals system is intended for genuine human-in-the-loop oversight. Automated scripts that auto-approve all jobs to bypass guardrail review violate the spirit of the approval system and may trigger account review.

7. No Malicious Payloads

Job payloads must not contain instructions intended to exploit Rotor's infrastructure, other customers' handlers, or downstream callback recipients. This includes code injection, prompt injection against the brand-tone LLM judge, and SSRF payloads targeting callback URLs.

8. Compliance with Laws

Users are responsible for ensuring their use of rotor.sh complies with applicable laws and regulations, including data protection laws (GDPR, CCPA) and export control regulations.

Enforcement

Violations may result in:

  • Immediate API key revocation
  • Workspace suspension (BIL-06 kill-switch)
  • Account termination without refund
  • Legal action where warranted

Suspected violations are logged as compliance.aup_violation audit events and reviewed by the security team.

Review Cadence

This policy is reviewed annually. Next review: 2026-10-20.