This Acceptable Use Policy applies to all TrustCheck users, organizations, API clients, integrations, monitoring schedules, scans, brand protection workflows, and professional service requests.
1. Permitted Use
You may use TrustCheck to assess assets you own or are authorized to test, manage security evidence, monitor verified assets, detect brand impersonation, evaluate vendor risk, run approved attack simulations, request analyst vetting, and share valid TrustCheck badges or public profiles.
2. Prohibited Use
- Unauthorized scanning, exploitation, intrusion, account takeover, or access attempts.
- Credential theft, phishing, social engineering, malware, botnets, or malicious payload delivery.
- Denial-of-service activity, destructive testing, load testing, or disruption without explicit written approval.
- Scraping private data, evading access controls, bypassing rate limits, or probing undocumented endpoints.
- Submitting assets, brands, social accounts, repositories, IPs, or domains you do not own or lack authority to test.
- Harassment, impersonation, spam, fraud, privacy violations, data exfiltration, or illegal activity.
- Misrepresenting badge status, altering TrustCheck badge code, or displaying revoked/expired badges as active.
3. Third-Party Targets
You may not submit third-party domains, APIs, repositories, infrastructure, social accounts, or brand assets unless you have explicit authorization or are using a feature intended for passive vendor risk lookup. TrustCheck may request proof of authorization at any time.
4. API And Automation
API keys must be kept secret and used only for legitimate automation. You must not bypass rate limits, overload queues, automate abusive scans, or use connected apps to send spam or unauthorized messages.
5. Integrations And Notifications
You are responsible for ensuring that connected apps, webhooks, chat channels, and notification recipients are authorized to receive the security data sent to them.
6. Enforcement
TrustCheck may throttle, cancel scans, suspend monitoring, revoke API keys, disable integrations, remove content, require re-verification, or terminate access if this policy is violated or platform safety is at risk.