Legal

Acceptable Use Policy for Managed Hosting and Hosted Applications

Introduction

This document sets forth the principles, guidelines and requirements of the Acceptable Use Policy (“Policy”) of HTTP Factory, Inc. and its subsidiaries (“Company”) governing the use by the Customer (“Customer”) of the Company’s managed hosting and hosted application services and products (“Services and Products”).

The purpose of the Acceptable Use Policy, hereinafter referred to as the AUP, is to comply with all federal, state, and local laws and to protect the network security, network availability, physical security, Customer privacy, and other factors affecting the services provided by the Company. Rules and regulations for hosted applications may vary based on the data classification and hosting environment.

Company reserves the right to impose reasonable rules and regulations regarding the use of its services provided to all Customers. We may modify this Policy at any time by posting a revised version on the HTTP Factory website. By using the Services or accessing the website, you agree to the latest version of this Policy. If you violate the Policy or authorize or help others to do so, we may suspend or terminate your use of the Services.  Any questions or comments regarding the AUP should be directed to aup@httpfactory.com.

Compliance with Law

Customer shall not post, transmit, re-transmit or store material on or through any of Company’s Services or Products which, in the sole judgment of the Company (i) is in violation of any local, state, federal or non-United States law or regulation, (ii) is threatening, obscene, indecent, defamatory or that otherwise could adversely affect any individual, group or entity (collectively, “Persons”) or (iii) violates the rights of any person, including rights protected by copyright, trade secret, patent or other intellectual property or similar laws or regulations including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by Customer. Customer shall be responsible for determining what laws or regulations are applicable to its use of the Services and Products.

Customer Security Obligation

Failure to use reasonable care to protect your account may result in a security compromise by outside sources. 

A compromised application creating network or data interference will result in immediate Customer notification and will be disconnected from the network immediately so as to not directly affect other Customers. 

No service credits will be issued for outages resulting from disconnection due to a breached server or application security. 

If a Customer intentionally creates a security breach, the cost to resolve any damage to Customer’s server or other servers will be charged directly to the Customer. 

The labor used to resolve such damage is categorized as Emergency Security Breach Recovery and is currently charged at $300 USD per hour. 

Definitions

Privacy Designations / Data Classification

  • Privacy Data
  • Patient Data
  • Customer Confidential Data
  • Company Confidential Data
  • Compliance or Regulatory Data 

Environment Designations

While your hosted applications or managed hosting may have one or more actual computing environments, each environment is designated with one or more of the following designations based on data classification, network security, and the related acceptable uses for those environments.

The difference between “secured” and “not fully secured” is based on specific details within the hosting agreements and defined production workload requirements — this may vary between Customers. “Not fully secured” means that, based on the information provided by the Customer regarding the production workload and agreed upon system requirements, the hosting environment is secured at a baseline level for its acceptable uses and data classification; but this “not fully secured” environment should not be used outside of the data classification or outside of the defined security requirements for that environment class.

  • Development Environment; a closed/non-public environment that is not fully secured
  • Staging Environment; an environment that may be made accessible publicly but is not fully secured 
  • Testing Environment; an environment that may be made accessible publicly but is not fully secured
  • Demonstration Environment; a minimalist environment that is publicly accessible but not fully secured 
  • Production Environment; the primary secured publicly accessible environment

Acceptable Uses

Environment Specific

  • Development
    • used for development and may be used to screen-share demonstrations of “in process” work.
  • Staging
    • used for systems integration, development testing of release candidates, and for staging current development work for review and validation.
  • Testing
    • duplicates the production release and environment configuration at a smaller level for the purposes of Customer testing and validation.
  • Demonstration
    • used for Customer training, demonstration, and/or validation of unreleased or released applications.
  • Production
    • used for Customer’s hosted application(s) and users of the system.

Unacceptable Uses

Neither Customer, nor those that access any Service through Customer, may use Services:

  • to engage in any activity prohibited by law, regulation, governmental order or decree;
  • to violate the rights of others;
  • for any invasive, infringing, defamatory or fraudulent purpose;
  • to promote or facilitate violence or terrorist activities;
  • for infringing the intellectual property or other proprietary rights of others;
  • in any application or situation where failure of the Service could lead to the death or serious bodily injury of any person, or to severe physical or environmental damage, except in accordance with the High-Risk Use section below; or
  • to assist or encourage anyone to do any of the above.

High-Risk Use

Modern technologies, and especially platform technologies, may be used in new and innovative ways, and Customer must consider whether its specific use of these technologies is safe. The Services are not designed or intended to support any use in which a service interruption, defect, error, or other failure of a Service could result in the death or serious bodily injury of any person or in physical or environmental damage (collectively, “High-Risk Use”). Accordingly, Customer must design and implement every application such that, in the event of any interruption, defect, error, or other failure of the Service, the safety of people, property, and the environment is not reduced below a level that is reasonable, appropriate, and legal, whether in general or for a specific industry. Customer’s High-Risk Use of the Services is at its own risk. Customer agrees to defend, indemnify and hold the Company harmless from and against all damages, costs and attorneys’ fees in connection with any claims arising from a High-Risk Use associated with the Services, including any claims based in strict liability or that the Company was negligent in designing or providing the Service(s) to Customer. The foregoing indemnification obligation is in addition to any defense obligation set forth in Customer Service Agreement and is not subject to any limitation of, or exclusion from, liability contained in such agreements.

Medical Device Disclaimer

Customer acknowledges that the Services (1) are not designed, intended or made available as a medical device(s), and (2) are not designed or intended to be a substitute for professional medical advice, diagnosis, treatment, or judgment and should not be used to replace or as a substitute for professional medical advice, diagnosis, treatment, or judgment. Customer is solely responsible for displaying and/or obtaining appropriate consents, warnings, disclaimers, and acknowledgements to end users of Customer’s implementation of the Services.

System and Network Security

Examples of system or network security violations include, without limitation, the following:

  1. Introduction of malicious programs into the network or server (example: viruses, worms, Trojan Horses and other executables intended to inflict harm).
  2. Effecting security breaches or disruptions of Internet communication and/or connectivity. Security breaches include, but are not limited to, accessing data of which the Customer is not an intended recipient or logging into a server or account that the Customer is not expressly authorized to access. For purposes of this section, “disruption” includes, but is not limited to port scans, flood pings, email-bombing, packet spoofing, IP spoofing and forged routing information.
  3. Executing any form of network activity that will intercept data not intended for the Customer’s server.
  4. Circumventing user authentication or security of any host, network or account.
  5. Interfering with or denying service to any user other than the Customer’s host (example: denial of service attack or distributed denial of service attack).
  6. Using any program script/command, or sending messages of any kind, designed to interfere with or to disable, a user’s terminal session, via any means, locally or via the Internet.
  7. Failing to comply with the Company’s procedure relating to the activities of Customers on the Company’s premises. Violators of the policy are responsible, without limitations, for the cost of labor to correct all damage done to the operation of the network and business operations supported by the network. Such labor is categorized as Emergency Security Breach Recovery and is currently charged at $300 USD per hour required. Any Customer that may cause or is currently causing network interference with another Customer will be disconnected immediately. No service credits will be issued to Customers disconnected for network violations.
  8. Transmission, distribution or storage of any material in violation of any applicable law or regulation is prohibited. This includes, without limitation, material protected by copyright, trademark, trade secret or other intellectual property right used without proper authorization, and material that is obscene, defamatory, constitutes an illegal threat, or violates export control laws.
  9. Sending Unsolicited Bulk Email (“UBE”, “spam”). The sending of any form of Unsolicited Bulk Email through Company’s servers is prohibited. Likewise, the sending of UBE from another service provider advertising a web site, email address or utilizing any resource hosted on Company’s servers is prohibited. Company accounts or services may not be used to solicit customers from, or collect replies to, messages sent from another Internet Service Provider where those messages violate either this Policy or that of the other provider.
  10. Running Unconfirmed Mailing Lists. Subscribing email addresses to any application or mailing list without the express and verifiable permission of the email address owner is prohibited. All mailing lists run by Customers must be Closed-loop (“Confirmed Opt-in”). The subscription confirmation message received from each address owner must be kept on file for the duration of the existence of the mailing list. Purchasing lists of email addresses from 3rd parties for mailing to from any Company-hosted domain, or referencing any Company account, is prohibited.
  11. Advertising, transmitting, or otherwise making available any software, program, product, or service that is designed to violate this AUP or the AUP of any other Internet Service Provider, which includes, but is not limited to, the facilitation of the means to send Unsolicited Bulk Email, initiation of pinging, flooding, mail-bombing, denial of service attacks.
  12. Operating an account on behalf of, or in connection with, or reselling any service to, persons or firms listed in the Spamhaus Register of Known Spam Operations (ROKSO) database at www.spamhaus.org.
  13. Unauthorized attempts by a user to gain access to any account or computer resource not belonging to that user (e.g., “cracking”).
  14. Obtaining or attempting to obtain service by any means or device with intent to avoid payment.
  15. Accessing or attempting to access your account or other Company services after you (or Company) have canceled Customer’s account.
  16. Unauthorized access, alteration, destruction, or any attempt thereof, of any information of any Company customers or end-users by any means or device, including the use of ‘sudo’ or other privileged operating system commands.
  17. Knowingly engaging in any activities designed to harass, or that will cause a denial-of-service (e.g., synchronized number sequence attacks) to any other user whether on the Company network or on another provider’s network.
  18. Using Company’s Services to interfere with the use of the Company network by other customers or authorized users. Examples may include crypto mining, denial of service, or other activities that may impact the Company network. These are prohibited and accounts may be terminated without warning.

Violations, Monitoring and Enforcement

We reserve the right, but do not assume the obligation, to investigate any violation of this Policy or misuse of the Services or Products. The Company will take any actions deemed appropriate, including but not limited to:

  • investigate violations of this Policy or misuse of the Services or Products;
  • remove, disable access to, or modify any content or resource that violates this Policy or any other agreement we have with you for use of the Services or Products; or
  • suspend or terminate your account, without credit or compensation for any interruption in service resulting from policy violations.

Violations of the Data Classification standards established for each Environment Designation are strictly prohibited, and may result in the impacted environment data being immediately backed up to external media, then deleted from the environment. The backup data will be secured and shipped at Customer’s expense.

We may report any activity that we suspect violates any law or regulation to appropriate law enforcement officials, regulators, or other appropriate third parties. Our reporting may include disclosing appropriate customer information. We also may cooperate with appropriate law enforcement agencies, regulators, or other appropriate third parties to help with the investigation and prosecution of illegal conduct by providing network and systems information related to alleged violations of this Policy.

Reporting of Violations of this Policy

If you become aware of any violation of this Policy, you will immediately notify us and provide us with assistance, as requested, to stop or remedy the violation. Please email aup@httpfactory.com to report violations of this Policy.