Acceptable Use Policy
This Acceptable Use Policy ("AUP") governs your use of ONINET and all associated tools, satellites, and services provided by Nettorii Ltd. This policy supplements our Terms of Use and applies to all licensees, team members, and operators.
1. Authorised Testing Only
Before conducting any security testing with ONINET, you must hold explicit, written authorisation for every system, network, application, or service you test. That authorisation must come from the legal owner, a director or officer of the owning organisation, or a person with documented delegated authority to authorise security testing. Where the authorising party is not the system owner, your authorisation should include evidence of the delegation chain. This authorisation must:
- Be in writing (digital or physical) and clearly identify the scope of testing
- Be dated and signed by someone with authority to grant permission
- Specify the systems, IP ranges, domains, or applications in scope
- Define the permitted testing window and any restrictions
Verbal permission alone is not sufficient. "I assumed I had permission" is not a defence. If your scope is ambiguous, stop and clarify before proceeding.
You must take reasonable steps to verify that the person granting authorisation has the legal authority to do so. If you doubt the signatory's authority, do not proceed.
2. Scope Management
You must confine all testing activities to systems explicitly within your authorised scope.
- Stay in scope — do not test systems, networks, or services beyond those listed in your authorisation document
- Verify targets — confirm that IP addresses, domains, and services resolve to in-scope assets before testing
- Shared infrastructure — take extra care with cloud-hosted targets where neighbouring tenants may share infrastructure; do not impact systems outside your scope
- Pivot boundaries — if you discover access to out-of-scope systems during testing, stop, document, and report to the system owner before proceeding
- Scope amendments — any changes to scope during an engagement must be documented in writing and approved by the original authorising party before testing proceeds against new targets
- Testing windows and intensity — observe any time-of-day restrictions, rate limits, or thresholds specified in your authorisation
3. Prohibited Activities
The following activities are strictly prohibited when using ONINET:
- Unauthorised access — accessing any system without explicit written permission from the owner
- Denial of service — launching DDoS attacks or intentionally degrading the availability of any system, whether in or out of scope, unless explicitly authorised in writing
- Data exfiltration beyond scope — extracting, copying, or transmitting data outside the boundaries defined in your authorisation; proof-of-access should use the minimum data necessary
- Malware distribution — deploying persistent malware, ransomware, wipers, or backdoors that survive the engagement, unless explicitly within scope and with a documented remediation plan
- Critical infrastructure without explicit authorisation — testing healthcare, energy, transportation, financial, or other critical-infrastructure systems without specific written authorisation addressing the risks
- Reselling or sublicensing — redistributing ONINET, sharing license keys, or providing access to unlicensed third parties
- Credential abuse — using credentials obtained during testing for any purpose outside the engagement scope, or retaining them after the engagement concludes
- Interference with Nettorii infrastructure — attempting to bypass licensing, tamper with telemetry, reverse-engineer the platform beyond what is permitted by law, or attack Nettorii systems
- Social engineering without specific authorisation — phishing, vishing, smishing, impersonation, or pretexting unless your authorisation explicitly includes social engineering in scope
- Physical intrusion testing — physical security testing, tailgating, lock bypass, or hardware implant activities unless your authorisation explicitly covers physical access
- Supply chain and third-party attacks — compromising third-party services or infrastructure not explicitly included in your authorisation scope
- Resource abuse — using access gained during testing to mine cryptocurrency, host services, or consume resources beyond what is necessary to demonstrate vulnerabilities
4. Compliance with Law
You are responsible for ensuring that your activities comply with all applicable laws and regulations in every jurisdiction where you operate, including but not limited to:
- Computer Misuse Act 1990 (United Kingdom)
- Computer Fraud and Abuse Act (CFAA) (United States)
- General Data Protection Regulation (GDPR) and UK DPA 2018 — where personal data may be encountered during testing, including restrictions on cross-border data transfers
- NIS2 Directive — where testing involves operators of essential services in the EU
- Equivalent computer crime and data protection legislation in your local jurisdiction
The Computer Misuse Act 1990 ("CMA") creates offences including (a) unauthorised access to computer material (s.1), (b) unauthorised access with intent to commit further offences (s.2), and (c) unauthorised acts with intent to impair the operation of a computer (s.3/s.3ZA). Your written authorisation must be sufficient in scope to cover all activities you intend to perform. Authorisation to access a system does not automatically authorise denial of service, data destruction, or modification.
ONINET and its component tools constitute 'articles' within the meaning of s.3A of the Computer Misuse Act 1990. Nettorii supplies ONINET solely for lawful, authorised security testing. You must not use ONINET, or make it available to any person, for the purpose of committing or facilitating any offence under ss.1, 2, 3, or 3ZA of the CMA. By accepting this AUP, you confirm that you will use ONINET only for purposes for which you hold lawful authorisation.
Holding an ONINET license does not grant you legal authority to test any system. The license grants you the right to use the software; permission to test must come from the system owner.
If you test systems in a jurisdiction other than your own, you are responsible for compliance with laws in both jurisdictions. Authorisation valid in one jurisdiction may not provide a defence in another. Obtain legal advice for cross-border testing. Where personal data is encountered during cross-border testing, handle it in compliance with data protection laws including restrictions on cross-border transfers. Nettorii accepts no liability for failure to comply with foreign laws.
5. Evidence of Authorisation
You must maintain records of your authorisation for every engagement. These records should include:
- A copy of the signed authorisation document (rules of engagement, scope statement, or equivalent)
- Contact details for the authorising party
- The defined scope (systems, IP ranges, domains, testing window)
- Any restrictions or exclusions
You must be able to produce these records promptly if requested by Nettorii, law enforcement, or the system owner. Nettorii may request evidence of authorisation at any time as a condition of continued licensing.
You must retain authorisation records for a minimum of six (6) years after the conclusion of the engagement, or longer if required by applicable law.
6. Responsible Disclosure
If during authorised testing you discover vulnerabilities in systems or software, you must handle disclosure responsibly:
- Report findings to the system owner or authorising party in accordance with your engagement terms
- Do not publicly disclose vulnerabilities before the system owner has had reasonable time to remediate
- Follow any disclosure timeline agreed in your engagement contract
- Where applicable, follow coordinated vulnerability disclosure (CVD) practices
Where no timeline is agreed in your engagement contract, a minimum of 90 days from notification to the system owner must elapse before public disclosure, consistent with ISO 29147.
You must not sell, trade, or provide vulnerabilities discovered during an ONINET engagement to any vulnerability broker or exploit marketplace without the system owner's written consent.
7. Reporting Obligations
You must notify Nettorii at contact@nettorii.com if you become aware of:
- Another ONINET user conducting unauthorised testing or violating this AUP
- A compromise of your ONINET license key or credentials
- Any legal process (subpoena, court order, law enforcement inquiry) related to your use of ONINET
8. Team and Organisation Responsibilities
If you hold a TEAM or ENTERPRISE license, the organisation owner and team leads are responsible for ensuring that all operators under their license comply with this AUP. This includes:
- Briefing operators on scope and restrictions before each engagement
- Reviewing engagement assignments and satellite access policies
- Promptly revoking access for operators who violate this policy
- Maintaining audit logs of operator activity (provided automatically by ONINET)
Each individual operator granted access under a TEAM or ENTERPRISE license is personally bound by this AUP and individually responsible for compliance. Under the CMA 1990, criminal liability for unauthorised access is personal to the individual.
Organisation owners must ensure each operator acknowledges and accepts this AUP before being granted access.
9. Consequences of Violation
Violations of this AUP will be addressed at Nettorii's discretion, proportional to the severity and nature of the violation. Actions may include, individually or in combination:
- Written warning — for first-time or minor violations
- Temporary suspension — license suspended pending investigation or remediation
- Permanent revocation — license revoked without refund for serious or repeated violations
- Reporting to authorities — Nettorii reserves the right to report suspected criminal activity to relevant law enforcement agencies
Nettorii is not required to provide advance notice before taking enforcement action where there is an ongoing risk of harm. Where possible, we will notify you and provide an opportunity to respond.
Where a violation is alleged, Nettorii will investigate before imposing consequences beyond temporary suspension. The Licensee will be notified and given at least 14 days to respond before permanent revocation, except where immediate action is needed to prevent ongoing harm. Revocation may be appealed in writing to contact@nettorii.com within 30 days.
10. Indemnification
Your use of ONINET is subject to the indemnification obligations in the Terms of Service and EULA. You agree to indemnify Nettorii from claims arising from breach of this AUP, unauthorised testing, or third-party claims resulting from your testing activities.
11. Professional Insurance
Nettorii strongly recommends that all Licensees maintain professional indemnity insurance appropriate to their testing activities. For TEAM and ENTERPRISE licensees, Nettorii may request evidence of professional indemnity insurance as a condition of licensing.
12. Changes to This Policy
Nettorii reserves the right to update this AUP at any time. Material changes will be communicated via the customer portal at portal.nettorii.com. Continued use of ONINET after changes constitutes acceptance of the revised policy.
13. Governing Law
This Acceptable Use Policy is governed by and construed in accordance with the laws of England and Wales. Any disputes arising under this policy shall be subject to the exclusive jurisdiction of the courts of England and Wales.
14. Contact
For questions about this policy, to report a violation, or to discuss scope and compliance:
Nettorii Ltd
66 Paul Street
London EC2A 4NA
United Kingdom
Email: contact@nettorii.com
Website: nettorii.com