Acceptable Use Policy
careos platform is used to coordinate care for real patients. These rules keep the service safe, lawful and trustworthy for everyone who depends on it.
1. Scope
This Acceptable Use Policy (“AUP”) applies to all use of careos platform and related services provided by ITLOX LTD. It supplements the Terms of Service and is incorporated into every order form. Customers are responsible for ensuring that their Authorised Users, Affiliates and partners comply with this AUP.
2. General principles
- Use careos platform only for its intended clinical and operational purposes.
- Respect patient dignity, clinician autonomy and regulatory duties.
- Report misuse promptly so that harm can be prevented.
3. Prohibited activities
3.1 Security abuse
- No unauthorised access, probing, scanning or testing of the Service or its infrastructure without prior written authorisation from ITLOX security.
- No reverse engineering, decompilation or attempts to derive source code, model weights or prompts, except to the extent expressly permitted by law.
- No introduction of malicious code, backdoors, cryptocurrency miners, or any payload that could degrade or harm the Service or other customers.
- No denial-of-service, brute-force credential attacks, or attempts to exhaust infrastructure resources.
- No circumvention of rate limits, quotas, IP controls, device binding or authorisation boundaries.
3.2 Data misuse
- No storage of data outside the scope agreed in the order form — for example, no use of the Service as a general-purpose file store, and no loading of data from domains not covered by a valid legal basis.
- No processing of non-health regulated data (for example, payment card data under PCI DSS, classified government data) unless expressly included in the order form and supported by the appropriate controls.
- No export, reidentification or onward transfer of de-identified datasets beyond what the customer’s contract and lawful basis permit.
- No use of the Service to build products that compete with careos platform, or to scrape or bulk-extract content from the Service.
3.3 Impersonation and social engineering
- No impersonation of patients, clinicians, regulators, ITLOX employees or other users within careos platform.
- No use of the Service to send unsolicited commercial communications (spam) to patients, clinicians or third parties.
- No deceptive framing of AI-generated content as if it were authored by a clinician without the required review and attribution.
3.4 AI and AgentOS boundaries
- No use of AgentOS workers for autonomous medical diagnosis, autonomous prescribing, or unsupervised alteration of the legal clinical record.
- No disabling or circumvention of the human-in-the-loop, provenance and Evidence Ledger controls required by the configured worker policy.
- No fine-tuning or extraction of models using customer PHI in a way that violates the Data Processing Agreement or vendor terms.
- No use of the Service to generate or distribute content that is unlawful, defamatory, harassing or otherwise harmful.
3.5 Legal and ethical
- No use that violates applicable law, including data protection, consumer protection, export control, sanctions, anti-bribery and healthcare regulation.
- No use for the purposes of discrimination prohibited by law or professional ethics.
- No uploading or processing of content that infringes the intellectual property or privacy rights of others.
4. Clinical boundary
careos platform is not a medical device under current UK or US classification. Customers must not rely on any output of careos platform — including outputs produced by AgentOS workers — as a substitute for the clinical judgment of a suitably qualified and regulated clinician. See the AI Disclaimer for the full boundary.
5. Reporting misuse
If you become aware of a suspected breach of this AUP, a security vulnerability or harmful content on careos platform, please report it immediately to abuse@careosp.com or security@careosp.com. For responsible disclosure of security issues, please include reproduction steps and refrain from publicly disclosing the issue until we have had a reasonable opportunity to remediate.
6. Enforcement
Where ITLOX reasonably suspects a breach of this AUP, it may:
- Issue a warning and request remediation within a defined period;
- Temporarily suspend the affected capability, user or tenant, with or without prior notice depending on severity;
- Throttle or rate-limit the offending traffic;
- Terminate the order form for cause in accordance with the Terms of Service where the breach is material and uncured, or where it presents an imminent risk to patients or to the Service;
- Cooperate with law enforcement and regulators as required by law.
Where operationally feasible, ITLOX will notify the Customer’s security contact before taking enforcement action and will document any action in the Evidence Ledger so that the Customer has an auditable record.
7. Investigations
ITLOX reserves the right to investigate suspected violations of this AUP. This may include inspection of relevant metadata, audit logs and, with appropriate authorisation and safeguards, narrowly scoped access to tenant content under break-glass procedures. Investigations are conducted under the privacy and security commitments of the Data Processing Agreement.
8. Updates
We may update this AUP from time to time. Material updates will be notified to customer administrators by email. Continued use of the Service after an update constitutes acceptance of the revised AUP.
9. Contact
Abuse and security reports: abuse@careosp.com
Legal: legal@careosp.com
General: hello@careosp.com