Saluca LLC — Acceptable Use Policy
Effective date: July 8, 2026 · Last updated: July 8, 2026
1. Purpose & Scope
This Acceptable Use Policy (the "AUP" or "Policy") governs the access to
and use of all products and services offered by Saluca LLC ("Saluca," "we,"
"us," or "our"), including without limitation:
- Asphodel — Saluca's hosted "mindset-as-a-service" platform, which returns
grounding passages across a range of knowledge domains, including
cybersecurity and threat-intelligence "mindsets" (for example, MITRE
ATT&CK adversary tactics, techniques, and procedures (TTPs); CISO/CISSP/CCSP
material; NIST frameworks; and compliance-law references); and
- Tiresias-ZT — Saluca's self-hosted, zero-trust proxy that governs AI
agents (a defensive/security control), provided as licensed software subject
to tier gates and a signed license.
Asphodel and Tiresias-ZT are referred to individually and collectively as the
"Services." This AUP is incorporated by reference into, and forms part of,
the Saluca Terms of Service ("ToS"). It applies to every user of the
Services, including account holders, authorized users, administrators,
employees, contractors, agents, and any person or system accessing the Services
through a customer's account or credentials (each, a "User" or "you").
Capitalized terms not defined here have the meaning given in the ToS. In the
event of a conflict between this AUP and the ToS, the ToS controls, except that
this AUP controls with respect to use restrictions and prohibited conduct. For
the licensed Tiresias-ZT software specifically, this AUP is supplemented by the
Saluca End-User License Agreement ("EULA"); where the EULA addresses a
software-license matter more specifically, the EULA controls as to that matter.
By accessing or using the Services, you agree to comply with this Policy. If you
do not agree, you must not access or use the Services.
2. General Prohibited Conduct
You must not use the Services, or permit anyone using your account or
credentials to use the Services, to:
- Engage in illegal activity. Violate any applicable law, regulation, court
order, sanctions or export-control regime, or governmental request, or promote,
facilitate, or assist any unlawful act.
- Infringe intellectual property. Infringe, misappropriate, or violate the
patent, copyright, trademark, trade-secret, or other intellectual-property or
proprietary rights of Saluca or any third party.
- Violate the rights or privacy of others. Collect, process, disclose, or
use personal data, confidential information, or other protected information
without a lawful basis or the necessary rights and consents; or infringe
privacy, publicity, contractual, or other legal rights of any person.
- Deceive or defraud. Engage in fraud, phishing, social engineering,
impersonation, spoofing, deceptive practices, or any misrepresentation of your
identity, affiliation, or the origin of content or communications.
- Interfere with the Services. Disrupt, degrade, overload, or impair the
Services or the servers, networks, or infrastructure used to provide them; or
interfere with any other User's authorized use and enjoyment of the Services.
3. Prohibited Content
You must not use the Services to create, upload, store, transmit, distribute, or
make available any content that:
- Is unlawful or that promotes, facilitates, or provides instructions for
unlawful activity.
- Is malicious code intended to harm third parties — including viruses,
worms, ransomware, spyware, or other malware — where the intent or reasonably
foreseeable use is to damage, disrupt, gain unauthorized access to, or exfiltrate
data from systems the User does not own or is not authorized to test. (See
Section 4 for the narrow, authorized defensive-security exceptions.)
- Constitutes child sexual abuse material (CSAM) or any other content whose
possession, creation, or distribution is illegal. Saluca has zero tolerance
for CSAM. Saluca will remove and report any CSAM to the National Center for
Missing & Exploited Children (NCMEC) and will cooperate with law enforcement as
required by law.
- Harasses, threatens, defames, or incites violence against any person or
group, or that facilitates targeted harassment, stalking, doxxing, or abuse.
- Constitutes adult sexual content, hate speech, or content promoting
self-harm, or that is unlawful, exploitative, or otherwise inconsistent with
the professional, business-to-business nature of the Services.
- Is unsolicited bulk or commercial messaging (spam), or that facilitates the
development or dissemination of weapons or chemical, biological, radiological, or
nuclear (CBRN) materials in violation of applicable law.
Read this section carefully. Saluca's Services include dual-use security
tooling: Asphodel's cybersecurity and threat-intelligence mindsets return
grounding passages about adversary techniques and defensive practice, and
Tiresias-ZT is a defensive control that governs AI agents. Saluca supports and
permits legitimate, lawful, and authorized security work, and prohibits
malicious or unlawful use. Whether a given activity is permitted turns primarily
on authorization and lawfulness, not on the technique involved.
4.1 Permitted (Authorized) Uses
Provided you have all necessary rights and authorizations and act lawfully, you
may use the Services for legitimate security purposes, including:
- Defensive security operations — threat detection, monitoring, hardening,
vulnerability management, and protection of systems you own or are authorized
to defend.
- Incident response (IR) — investigating, containing, and remediating
security incidents on systems you own or are authorized to service.
- Governance, risk, and compliance — building, assessing, or evidencing
compliance with security frameworks and legal/regulatory obligations (e.g.,
NIST, ISO, SOC 2, PCI DSS).
- Education, training, and CTF — cybersecurity education, professional
certification study, capture-the-flag (CTF) events, and training exercises
conducted in lawful, controlled, or consented environments.
- Contracted, authorized testing — penetration testing, red-teaming, and
adversary emulation performed under a written contract or documented
authorization with the system owner and within the agreed scope and rules of
engagement.
- Security research — research on systems you own, or on systems you are
expressly authorized to test, or under a lawful, published vulnerability-
disclosure/safe-harbor program, conducted responsibly and in accordance with
applicable law.
4.2 Prohibited (Unauthorized or Malicious) Uses
You must not use the Services to:
- Gain unauthorized access or intrude into any system, network, account, or
data you do not own or are not expressly authorized to access.
- Deploy malware or offensive tooling against systems you do not own or are
not authorized to test — including delivering, installing, or operating
malicious code, exploits, or command-and-control against third-party systems.
- Conduct denial-of-service — DoS/DDoS attacks, resource-exhaustion, or
other availability attacks against any system.
- Steal or abuse credentials — phishing for, harvesting, cracking, stuffing,
or otherwise obtaining or using credentials, tokens, keys, or session data
without authorization.
- Evade or defeat security controls for unlawful purposes — develop or use
detection-evasion, anti-forensics, or obfuscation techniques to further
unauthorized access or other unlawful activity.
- Weaponize threat-intelligence content against third parties — use grounding
passages, TTP descriptions, or other Asphodel outputs to plan, develop, or
carry out an attack, intrusion, or other harm against systems you do not own or
are not authorized to test.
- Develop offensive capabilities for unlawful use — build, train, or refine
tools, exploits, or techniques intended for unauthorized or unlawful use
against third parties.
4.3 Authorization Requirement
For any offensive-style, intrusive, or adversary-emulation activity, you are
solely responsible for obtaining and maintaining valid, documented, lawful
authorization from the system owner before you begin, and for staying
within the authorized scope. You must retain your authorization documentation for
the duration of the activity and for at least twelve (12) months afterward, and
must produce it to Saluca promptly on request. Absence of authorization makes the
activity a violation of this Policy regardless of intent.
5. AI-Specific Use
The Services return AI-generated grounding passages and related outputs
("Outputs"). Outputs are informational grounding, not professional
advice. You must not:
- Rely on Outputs as professional advice. Outputs are not legal, medical,
financial, tax, security-assurance, or other professional advice, and are not a
substitute for professional judgment. You must independently verify Outputs and
consult a qualified professional before acting.
- Make consequential automated decisions without human review. Do not use
Outputs to make or materially inform automated legal, medical, financial,
employment, credit, insurance, eligibility, or other decisions that produce
legal or similarly significant effects on a person, without meaningful human
review.
- Extract, resell, or re-host the corpora. Do not scrape, bulk-download,
reconstruct, resell, sublicense, or re-host the mindset corpora, grounding
passages, or underlying datasets, in whole or in part.
- Use Outputs to train competing models. Do not use the Services or Outputs
to develop, train, fine-tune, or improve any machine-learning model, product,
or service, including any that competes with Saluca.
- Misrepresent Outputs. Do not present Outputs as human-authored professional
advice or as verified fact without appropriate verification and disclosure.
6. Software Use (Tiresias-ZT)
Tiresias-ZT is licensed software governed by the EULA and subject to tier gates
and a signed license. In addition to the EULA, you must not:
- Reverse engineer. Reverse engineer, decompile, disassemble, or otherwise
attempt to derive source code, underlying ideas, or algorithms, except to the
limited extent this restriction is prohibited by applicable law.
- Circumvent license or tier gates. Bypass, disable, tamper with, or
circumvent license enforcement, tier gates, feature flags, entitlement checks,
usage metering, or other technical protection measures.
- Redistribute or sublicense without authorization. Copy, distribute,
sublicense, rent, lease, sell, host for third parties, or otherwise make the
software available beyond the scope of your license.
These restrictions supplement, and do not replace, the EULA. See the Saluca
EULA for the complete license grant, restrictions, and remedies.
To protect the shared hosted platform (including Asphodel) and other Users, you
must not:
- Scrape or bulk-extract. Use automated means to scrape, crawl, harvest, or
bulk-extract content, Outputs, or corpora beyond the volume and manner your
plan authorizes.
- Exceed rate, quota, or fair-use limits. Circumvent, or attempt to
circumvent, rate limits, quotas, concurrency limits, or other fair-use controls
on the hosted API.
- Share or misuse credentials. Share, sell, or transfer API keys, tokens, or
login credentials; use another User's credentials; or use credentials outside
the licensed or subscribed scope.
- Probe Saluca's own systems without authorization. Scan, probe, penetration-
test, or attempt to test the security of Saluca's hosted systems or
infrastructure without Saluca's prior written authorization. Saluca supports
good-faith security research on Saluca's own systems where the researcher has
obtained prior authorization by contacting security@saluca.com. Saluca will
not pursue legal action against good-faith researchers who comply with this
Policy, act within the scope of their authorization, avoid privacy violations
and service disruption, and give Saluca a reasonable opportunity to remediate
before public disclosure.
8. Reporting Abuse
If you become aware of any actual or suspected violation of this Policy, or of
abuse, security incidents, or illegal content involving the Services, please
report it to security@saluca.com. To report a security vulnerability in Saluca's
own systems, contact security@saluca.com; Saluca supports good-faith security
research on its own systems with prior authorization and will not pursue
good-faith researchers who comply with this Policy (see Section 7). Please include
enough detail for Saluca to investigate.
9. Enforcement & Consequences
Saluca may, in its sole discretion and to the extent permitted by law:
- Investigate suspected violations, including reviewing account activity and
content as permitted by the ToS and applicable law and the Saluca Privacy
Policy.
- Take remedial action — including warning, throttling, removing or disabling
content, restricting features, and suspending or terminating access to some
or all of the Services, with or without notice, depending on severity.
- Cooperate with law enforcement and other authorities, and disclose
information as required or permitted by law or legal process.
- Withhold refunds. No refund or credit will be owed for any suspension or
termination resulting from a breach of this Policy.
Saluca's decision not to enforce any provision of this Policy in a particular
instance does not waive its right to enforce it later. Saluca's rights under this
Policy are cumulative and in addition to all other remedies available at law, in
equity, under the ToS, or under the EULA, all of which are expressly reserved.
10. Changes to This Policy
Saluca may update this Policy from time to time. When we do, we will revise the
"Last updated" date above and post the updated Policy. For material changes,
Saluca will provide reasonable advance notice by posting the updated Policy and,
where appropriate, by in-product notice or email to account administrators.
Changes are effective when posted, or on any later date stated in the notice, and
your continued use of the Services after the effective date constitutes
acceptance of the updated Policy.