Acceptable Use Policy & SLA
Version 2026-07-11 · Effective July 11, 2026
Rillis — Acceptable Use Policy (AUP) and Service Level Agreement (SLA)
Version: 2026-07-11 · Effective as of: July 11, 2026 These documents are incorporated by reference into the Master Terms. Capitalized terms refer to the glossary therein.
Courtesy translation. This English version is provided for convenience. The Spanish version is the legally binding text and prevails in case of any discrepancy.
Part A — Acceptable Use Policy (AUP)
A.1 Purpose
This AUP sets out the prohibited uses of the Rillis Platform. Its breach constitutes a material breach of the Master Terms and enables suspension or termination in accordance with Section 14 thereof.
A.2 General Legal Compliance
The Client will use the Services only for lawful purposes and in accordance with all applicable law, including data protection, anti-money laundering and counter-terrorist financing (AML/CFT), sanctions, export control, consumer protection, non-discrimination, and electronic signature laws.
A.3 Prohibited Uses — Regulated Purposes (FCRA and Analogues)
The Client will not use the Services or the Results as a factor in determining a person’s eligibility for credit, insurance, employment, housing, or another “permissible purpose” regulated by the U.S. Fair Credit Reporting Act (FCRA) or analogous credit-reporting laws, unless there is an express written integration and authorization from Rillis for that purpose and under the corresponding regulatory framework. Rillis is not a consumer reporting agency.
A.4 Prohibited Uses — Biometric Data
The Client will not capture, use, or retain biometric data through the Platform without: (a) having provided the notices and obtained the consent (in writing/express) required by applicable law, including, as applicable, Illinois’s BIPA (written notice, purpose and duration, and a “written release”), Texas’s CUBI, Washington’s law, the GDPR (Art. 9), the LGPD (Art. 11), and the laws of the Latin American jurisdictions in which it operates; (b) maintaining and (where the law requires) publishing a biometric retention and destruction policy; and (c) refraining from selling, leasing, or otherwise profiting from biometric identifiers. The Client will not use the Platform to re-identify persons outside the authorized purpose.
A.5 Prohibited Uses — Non-Discrimination
The Client will not use the Services to unlawfully discriminate against any person based on protected characteristics, or in a manner that causes undue harm or prejudice. The Client is responsible for monitoring the disparate impact of any AI-assisted decision and for maintaining human review.
A.6 Prohibited Uses — Data and Model Integrity
The Client will not: (a) use the Results or the Third-Party Data to train, calibrate, or validate third-party machine learning models or systems; (b) bulk-extract (“scrape”), copy, or resell the Third-Party Data or the Platform’s data; (c) combine the Third-Party Data with other datasets in breach of the sources’ licenses; or (d) reverse-engineer, decompile, or attempt to derive the Platform’s code or models.
A.7 Prohibited Uses — Security and Abuse
The Client will not: (a) breach or attempt to breach security controls, rate limits, or quotas; (b) use the Platform to distribute malware or unlawful content; (c) impersonate any person or misrepresent its authority; (d) access Verified Persons’ data for purposes other than those authorized; or (e) permit use by sanctioned persons or from prohibited jurisdictions.
A.8 Use of Rillis Sign and the Network
The Client will not use Rillis Sign for excluded acts (Terms Section 5.4) or claim, in marketing or to third parties, evidentiary or compliance value greater than what Rillis states. Within the Single Verification Network, the Client will not present reuse as “reliance” or as a substitute for its own due diligence (see the Network’s Product Annex and its copy guidance).
A.9 AI Agents
A Client that issues Rillis credentials to software agents is responsible for their conduct as if it were its own, must maintain meaningful human oversight, and will not use agents to circumvent this AUP.
A.10 Consequences
Rillis may investigate, suspend, or restrict access immediately upon a suspected or confirmed breach, and will notify the Client where lawful and practicable. Breaches involving legal, sanctions, or security risk enable suspension/termination without a cure period (Terms, Section 14.3).
Part B — Service Level Agreement (SLA)
Bracketed values are fixed per plan in the Order Form. This SLA applies to production modules; it does not apply to beta/pilot features.
B.1 Availability
Rillis will target monthly availability of 99.9% for the production API and dashboard (the “Availability Commitment”), measured as: Availability = (Minutes in the Month − Minutes of Downtime) / Minutes in the Month.
B.2 Exclusions
The following do not count as Downtime: (a) scheduled maintenance notified at least 48 hours in advance; (b) emergency maintenance; (c) third-party failures beyond Rillis’s reasonable control (including temporary unavailability of Third-Party Data sources or the attestation blockchain network); (d) force majeure; (e) Client use in breach of the Terms or the AUP; or (f) beta features.
B.3 Support
| Level | Channel | First-response target |
|---|---|---|
| Critical (production down) | 24×7 priority | 1 hour |
| High | Portal/email | 4 business hours |
| Normal | Portal/email | 1 business day |
Enterprise plans may include priority support, an account manager, and enhanced targets per the Order Form.
B.4 Service Credits
If monthly Availability falls below the Commitment, the Client may request, within 30 days, a credit according to the scale in the Order Form (e.g., 10% of the monthly fee below 99.9%; 25% below 99.0%). Credits are the sole and exclusive remedy for breach of the Availability Commitment and are not refundable in cash.
B.5 Operational and Data Resilience (Regulated Financial Clients)
For Clients subject to outsourcing/resilience rules (e.g., DORA in the EU, banking outsourcing guidelines, U.S. interagency guidance), Rillis will make available, per the Order Form or the DPA: (a) a description of functions and processing/storage locations, with prior notice of material changes; (b) assistance in the event of ICT incidents; (c) access, inspection, and audit rights for the Client and its competent authority; (d) continuity plans and an exit/transition strategy; and (e) current certifications (e.g., SOC 2 Type II, ISO/IEC 27001).
B.6 Security
Rillis maintains an information security program with encryption of personal data in transit and at rest, role-based access controls (RBAC), strong authentication (e.g., passkeys/WebAuthn), audit logging, and protection of biometric templates in accordance with recognized standards (e.g., ISO/IEC 24745 — irreversibility, unlinkability, and renewability; presentation-attack detection in accordance with ISO/IEC 30107-3 for facial biometrics). Details are set out in the DPA and in the security documentation.