Acceptable Use Policy
Effective Date: April 2, 2026
Last Updated: April 2, 2026
This Acceptable Use Policy (the "AUP") applies to the website, hosted services, software, APIs, tunnel relay infrastructure, dashboard, documentation, self-hosted software, and related products and services (collectively, the "Services") provided by PJ3 Labs Inc. dba NullBore ("NullBore," "we," "us," or "our").
This AUP is intended to protect NullBore, our customers, the public, and the broader Internet ecosystem from illegal, abusive, harmful, insecure, or irresponsible use of the Services.
By using the Services, you agree to comply with this AUP. This AUP supplements our Terms of Service and other applicable agreements. Capitalized terms not defined here have the meanings given in the Terms of Service.
We may investigate suspected violations of this AUP and may suspend, restrict, rate-limit, disable, block, or terminate access to the Services, accounts, tunnels, endpoints, domains, URLs, API access, or related resources at any time where we reasonably believe such action is necessary to protect the Services, other customers, third parties, or to comply with law.
1. General Principles
You may use the Services only for lawful, authorized, and responsible purposes. You must not use the Services in a way that:
- violates any applicable law, regulation, court order, sanction, or binding legal obligation;
- infringes or misappropriates the rights of others;
- threatens the security, integrity, availability, reputation, or performance of the Services;
- exposes systems, services, data, or people to unreasonable risk, harm, abuse, fraud, or deception; or
- is inconsistent with the intended purpose of the Services as secure, time-limited tooling for legitimate development, operational, administrative, support, and related uses.
2. Customer Responsibility
You are responsible for all use of the Services associated with your account, organization, credentials, API keys, users, team members, contractors, devices, or systems, including unauthorized use resulting from your failure to maintain reasonable security controls.
You are also responsible for the systems, applications, devices, destinations, content, and services you expose, connect, relay, proxy, or otherwise make reachable through the Services.
You must ensure that:
- you own or control, or are otherwise authorized to access and expose, the systems and services you use with NullBore;
- you have obtained all required permissions and consents from affected users, customers, employees, contractors, and third parties;
- your use of the Services complies with your own contractual, regulatory, employment, confidentiality, and policy obligations; and
- your origin services are configured securely, including with appropriate authentication, authorization, patching, rate limiting, logging, encryption, and access controls.
3. Prohibited Uses
Without limiting other restrictions in our Terms of Service, you must not use the Services for any of the following:
3.1 Unauthorized Access, Intrusion, or Abuse
You must not use the Services to:
- access, attempt to access, monitor, probe, scan, exploit, or interfere with any system, application, account, network, data, or service that you do not own or are not authorized to access;
- bypass, evade, disable, interfere with, or defeat authentication, authorization, payment, usage, geographic, security, anti-abuse, or monitoring controls;
- establish tunnels, relays, proxies, or access paths for the purpose of breaking into systems, maintaining unauthorized persistence, hiding malicious activity, or assisting others in doing so;
- perform credential stuffing, brute-force attacks, password spraying, exploitation of known vulnerabilities, unauthorized vulnerability scanning, or red-team activity without the express permission of the target owner; or
- evade network policy, organizational controls, or access restrictions imposed by an employer, customer, platform, service provider, or lawful authority.
3.2 Malware, Botnets, and Malicious Code
You must not use the Services to:
- deliver, host, proxy, relay, operate, maintain, or facilitate malware, ransomware, spyware, trojans, worms, malicious scripts, or other malicious code;
- operate botnets, command-and-control infrastructure, remote access tooling for unauthorized purposes, or malware staging or distribution infrastructure;
- conduct phishing, pharming, credential theft, social engineering, or deceptive impersonation; or
- intentionally introduce malicious code, corrupted traffic, or destructive payloads into the Services or third-party systems.
3.3 Proxying Abusive or Harmful Traffic
You must not use the Services as an anonymous or semi-anonymous proxy, relay, redirector, or traffic laundering mechanism for abusive, fraudulent, or harmful activity, including to:
- conceal the origin of attacks or abuse;
- relay spam, phishing, exploit traffic, or scraping traffic in violation of law or third-party rights;
- circumvent IP-based restrictions imposed for safety, compliance, contractual, anti-fraud, anti-abuse, or security reasons; or
- provide resale, open relay, or shared anonymous access to unknown or unvetted third parties without our prior written permission.
3.4 Denial of Service and Network Abuse
You must not use the Services to generate, amplify, coordinate, or facilitate denial-of-service attacks, distributed denial-of-service attacks, flooding, mail-bombing, packet spoofing, network sniffing, traffic amplification, excessive scanning, or other abusive traffic patterns that disrupt or degrade the Services or any third-party system.
3.5 Spam and Unauthorized Messaging
You must not use the Services for spam or unauthorized message activity, including:
- sending unsolicited bulk or commercial messages in violation of applicable law;
- operating unconfirmed mailing lists or messaging lists;
- harvesting or purchasing contact data for spam purposes;
- relaying traffic that promotes spam infrastructure or services; or
- using the Services to host, direct, or support landing pages, APIs, or other resources primarily used for spam campaigns.
3.6 Illegal, Fraudulent, or Deceptive Activity
You must not use the Services to facilitate or promote fraud, scams, deceptive schemes, impersonation, unlawful gambling, money laundering, sanctions evasion, export control violations, trafficking, terrorism, exploitation, or any other unlawful activity.
You must not misrepresent your identity, affiliation, authority, or purpose when using the Services.
3.7 Harmful Content and Abuse
You must not use the Services to transmit, publish, store, display, or make available content that:
- is unlawful;
- infringes intellectual property or privacy rights;
- contains child sexual abuse material or content that sexualizes minors;
- incites violence, terrorism, or serious physical harm;
- is used to harass, threaten, stalk, extort, or abuse others; or
- is used to facilitate hate-based violence or unlawful discrimination.
3.8 Privacy Violations and Unauthorized Surveillance
You must not use the Services to unlawfully intercept, monitor, collect, exfiltrate, store, or disclose another person's communications, data, credentials, images, recordings, or personal information.
This includes using the Services for keylogging, credential capture, unlawful packet interception, covert surveillance, unlawful tracking, or data exfiltration.
3.9 Security Evasion and Platform Abuse
You must not use the Services to:
- evade payment obligations, plan limits, quotas, fair use assumptions, anti-fraud controls, suspensions, or account restrictions;
- obtain Services using false information, stolen payment methods, fake identities, or deceptive billing practices;
- create multiple accounts, tunnels, or identities to avoid limits, blocks, investigations, or fees; or
- test, benchmark, overload, scrape, or reverse engineer the Services in a manner not expressly permitted by our Terms of Service or Documentation.
3.10 High-Risk and Safety-Critical Use
You must not use the Services in connection with life-support systems, emergency services, critical safety systems, weapons systems, or any activity where service interruption, exposure, or failure could reasonably result in death, bodily injury, or significant property or environmental damage.
4. Tunnel-Specific Rules
Because NullBore may enable time-limited exposure of local or private services, the following additional rules apply:
- You must not expose a service, device, endpoint, or administrative interface unless you are authorized to do so.
- You must not expose insecure default administrative panels, remote desktops, databases, storage consoles, industrial systems, or internal tools to the public Internet without appropriate security controls.
- You must not use the Services to create persistent backdoors, covert remote access, or hidden access paths into environments that are not yours or that you are not authorized to administer.
- You must not use the Services to relay or disguise traffic for malware implants, command-and-control beacons, exploit kits, phishing kits, or unauthorized remote administration.
- You must not advertise or represent a NullBore tunnel, domain, URL, or endpoint as belonging to another company, institution, or person in order to gain trust, credentials, payment, or access.
5. Fair Use, Capacity Protection, and Plan Limits
We operate the Services on the assumption that use will remain within the plan limits, quotas, technical assumptions, and ordinary usage patterns associated with your offering.
If your use is excessive, abusive, harmful, disproportionately resource-intensive, or materially inconsistent with your plan or the stability of the Services, we may take reasonable protective action, including:
- applying technical limits or rate limits;
- reducing capacity or throughput;
- restricting features, traffic classes, tunnel counts, destinations, or session duration;
- requiring you to upgrade plans or change usage patterns; or
- suspending or terminating affected Services.
Where applicable and disclosed, additional fees or overage charges may apply.
6. Investigations and Enforcement
We may investigate suspected violations of this AUP, security incidents, fraud, legal complaints, abuse reports, or conduct that threatens the Services or others.
To do so, we may review relevant account information, tunnel metadata, usage records, security signals, technical logs, customer communications, service configuration, and other information reasonably necessary to verify or address the issue, consistent with our Privacy Policy and applicable law.
You agree to cooperate reasonably with investigations relating to your use of the Services.
Without limiting any other rights, we may, with or without notice where permitted by law:
- suspend, block, filter, rate-limit, or terminate access to the Services;
- disable tunnels, domains, URLs, endpoints, API keys, tokens, or accounts;
- remove or restrict content or traffic;
- require remediation steps before restoring access;
- report relevant conduct to payment providers, hosting providers, registrars, network operators, law enforcement, regulators, or other appropriate third parties; and
- decline refunds or credits for interruptions resulting from violations of this AUP.
7. Reporting Abuse
If you believe someone is using the Services in violation of this AUP, please contact us at:
Please include as much detail as possible, such as affected URLs, tunnel endpoints, timestamps, logs, screenshots, and a description of the suspected abuse.
8. Changes to This Policy
We may update this AUP from time to time. If we make material changes, we will post the revised version and update the "Last Updated" date. Unless a different effective date is stated, changes will become effective on the earlier of:
- your next use of the Services after the updated AUP is posted; or
- thirty (30) days after the updated AUP is posted.
If you do not agree to the updated AUP, you must stop using the Services before the updated version takes effect.