Acceptable Use Policy

1.Overview and Scope

This Acceptable Use Policy ("AUP" or "Policy") sets out the rules of conduct that govern access to and use of TIP Protocol, AI Trust ID, AI Trust Registry, the Global Seal of Trust certification platform, the AI Trust Council, theailab.org, and all related products, applications, infrastructure, and APIs operated by The AI Lab Intelligence Unobscured, Inc. ("Company," "we," "us," or "our"). The Policy is read together with, and supplements, the TIP Protocol Terms of Service, the TIP Protocol Privacy Policy, and the TIP Community License v1.0 (TIPCL-1.0).

This Policy binds every person and entity that interacts with the Services, including: (a) Users who hold or have applied for a TIP-ID; (b) Verification Providers accredited by the Company; (c) developers, businesses, governments, nonprofits, and other entities operating under TIPCL-1.0; (d) operators of TIP nodes and other Network infrastructure; (e) integrators displaying TIP Powered branding or signatures; and (f) any other person whose conduct affects the integrity of the Services.

Where this Policy uses defined terms (capitalised words such as User, Verification Provider, Service, TIP-ID, Origin Code, Content, Network, or Brand Marks), the meanings are set out in Section 2. Where conduct is described in this Policy without an exhaustive list, the Company will exercise reasonable judgement consistent with the principles of this Policy and applicable law.

2.Definitions

The following terms, capitalised throughout this Policy, carry the meanings set out below:

References to "you" or "your" in this Policy refer to the natural person or entity reading or accessing the Services, in whichever capacity the context indicates. References to a "TIPCL-1.0 Licensee" include both individual and organisational licensees of the Reference Implementation.

3.Permitted Uses

The Services are intended to support honest identity verification and honest content-provenance declarations. Permitted use includes any activity that is lawful, consistent with the technical purpose of the Services, and consistent with the principles of this Policy. The list below is illustrative; it is neither exhaustive nor a substitute for the Company's discretion in marginal cases.

3.1 Free-tier eligibility

Use of the Reference Implementation under the free tier of TIPCL-1.0 is permitted for individual persons, small businesses under USD $100,000 in annual revenue, nonprofits and NGOs, educational institutions, government entities for official functions, and journalism organisations for editorial use only. Free-tier eligibility does not authorise commercial sub-licensing. Use at or above USD $100,000 annual revenue, or otherwise beyond the scope of the free tier, requires a Commercial License under one of the tiered schedules published at theailab.org/tip-license.

3.2 Research and testing

Internal research and testing under the R&D allowance described in TIPCL-1.0 is permitted within the published limits. Such use must rely on synthetic or properly anonymised test data, must not process real biometric data from real persons, and must not exceed the published per-organisation user and duration ceilings. Permission for live testing on the public DAG must be obtained in writing.

3.3 Interoperability

Building independent clients, mobile applications, browser extensions, and node implementations that interoperate with the published TIP Protocol specification (CC-BY 4.0) is encouraged. Independent implementations must accurately represent themselves as such, must not impersonate official clients, and must not display Brand Marks except as expressly permitted in Section 9.

4.Prohibited Conduct

Without limiting Sections 5 through 10, you agree that you will not, and will not authorise or assist any other person to, use the Services in any of the following ways:

• Engage in any activity that violates applicable law, including criminal law, identity fraud law, biometric privacy law, intellectual property law, sanctions law, export-control law, AI-disclosure law, election law, or telecommunications law.
• Distribute malware, ransomware, spyware, surveillance tools, key-loggers, or other code designed to harm a User, a node operator, or the Network.
• Engage in fraud, including identity fraud, financial fraud, payment fraud, false invoicing, or any scheme that uses TIP-IDs or signatures to lend false credibility.
• Harass, threaten, intimidate, defame, or stalk any person, including by misusing TIP-IDs, content signatures, or Trust Score information to identify or pressure individuals.
• Infringe or misappropriate the intellectual property rights of any person, including patents, trademarks, copyrights, trade secrets, and rights of publicity.
• Bypass, disable, attempt to disable, or interfere with security, authentication, dedup, or rate-limiting features of the Services.
• Reverse-engineer, decompile, or disassemble any closed-source component of the Services other than as permitted by applicable law that cannot be contractually waived.
• Use any automated system to access the Services in a manner that imposes a disproportionate load, including high-volume scraping of the AI Trust Registry, the public DAG, or badge endpoints, beyond the rate limits and conditions published by the Company.
• Misrepresent your affiliation with the Company, the AI Trust Council, an accredited Verification Provider, or any government, civil-society, or technical-community participant in TIP governance.

5.TIP-ID Integrity

A TIP-ID identifies a single verified person. The cryptographic and procedural protections that make a TIP-ID meaningful only work when each TIP-ID corresponds to a distinct, real, and consenting human being. The following practices are prohibited:

• Registering a TIP-ID using another person's identity documents, biometrics, or device, including a deceased person's, a child's, or a person who has not consented.
• Operating, controlling, or attempting to control more than one TIP-ID for yourself, whether by recruiting accomplices, using forged documents, exploiting jurisdiction differences, or attempting to defeat the Zero-Knowledge biometric deduplication system.
• Selling, renting, leasing, transferring, gifting, or otherwise making your TIP-ID, private signing key, recovery material, or device key available to any other person.
• Operating identity-laundering services that combine multiple persons' verifications into a single TIP-ID or that fragment a single person across multiple TIP-IDs.
• Using a TIP-ID belonging to another person to sign content, attestations, vouches, or any DAG transaction.
• Attempting to recover or reconstruct biometric data, identity documents, or other personal data from public DAG entries, badge images, or signature material.
• Coercing, deceiving, or paying another person to register a TIP-ID for the purpose of you using it.
• Creating or operating a sybil network in which multiple TIP-IDs are coordinated to game Trust Score, voucher graphs, jury panels, or governance votes.

6.Content Origin Integrity

Origin Codes (OH, AA, AG) are how a User tells the public how a piece of Content was made. The Codes are cryptographically bound to the Content and the TIP-ID of the signer. Honest declaration is the entire point of the system. The following practices are prohibited:

• Declaring AI-generated Content as Original Human (OH).
• Declaring substantially AI-assisted Content as Original Human (OH) by treating the human contribution as an editorial fig leaf.
• Declaring Content as AI-Assisted (AA) when the AI's role was de minimis, in order to avoid the Original Human (OH) classification for personal, legal, or competitive reasons.
• Removing, altering, defacing, or covering TIP badges, attribution rows, or Origin Code chips on platforms where the badge or chip is part of the visible content frame.
• Stripping TIP signatures from Content before redistribution in a manner that would obscure or misrepresent the Origin Code.
• Using software, services, or human pipelines that re-sign third-party Content under your TIP-ID to mask its true origin.
• Embedding signatures into Content that you did not create or that has had its core meaning changed since signing.
• Operating a service that issues TIP signatures on behalf of another person without that person's verified consent and active participation.

Mistakes happen. A User who realises an Origin Code on registered Content was incorrect should re-register the Content with the corrected Code as soon as practicable. Honest correction is not a violation. Persistent mis-declaration, refusal to correct after notice, or systematic mis-declaration is.

7.Network and Infrastructure

Anyone may run a TIP node. With that openness comes a responsibility not to use Network access to harm Users or the Network itself. The following practices are prohibited:

• Operating a node that secretly logs the linkage between TIP-ID URI and IP address, device fingerprint, or network metadata, beyond what is required to operate the node and disclosed in the node's public privacy notice.
• Operating a node that censors, delays, or deprioritises transactions on the basis of the User's identity, jurisdiction, or expressed views, except to the extent required by applicable law and clearly disclosed.
• Injecting forged transactions into the DAG, attempting to roll back finalised transactions, or signing on behalf of public keys that you do not control.
• Conducting denial-of-service, amplification, or resource-exhaustion attacks against nodes, the AI Trust Registry, badge endpoints, the dedup registry, or the Company's infrastructure.
• Scraping, harvesting, or large-scale ingestion of public DAG data outside the rate limits and access conditions published by the Company.
• Building or training facial-recognition models, gait-recognition models, voice-recognition models, or any biometric-surveillance product on data obtained directly or indirectly from the Services.
• Building or training general-purpose AI models on signed Content in a manner that violates the rights of the Content's creators or the licence terms expressed at registration.
• Reverse-correlating ZK dedup proofs, MERKLE_ROOT entries, or other privacy-preserving infrastructure to attempt re-identification of Users.
• Coordinating with other node operators to influence transaction ordering, jury selection, or governance outcomes in a manner inconsistent with published consensus rules.

8.Verification Provider Conduct

Verification Providers are accredited organisations whose role is to verify identity and issue TIP-IDs in accordance with the Company's standards. VP conduct is governed by the VP Accreditation Agreement, the Privacy Policy, applicable law, and this AUP. The following are prohibited:

• Verifying an identity without obtaining the lawful, informed, and freely given consent of the natural person whose identity is being verified.
• Issuing a TIP-ID for a person who has not, in fact, completed verification, or for a person whose verification did not satisfy the Company's published standards.
• Retaining raw biometric data, identity-document scans, or facial embeddings beyond the 72-hour maximum window described in the Privacy Policy.
• Storing biometric hashes outside the isolated VP registry, exporting them to third parties, or using them for any purpose other than dedup support and incident investigation.
• Misrepresenting jurisdictional tier (GREEN, AMBER, or RED), accreditation category (A, B, or C), or scope of accreditation in marketing, contracts, or government filings.
• Operating a verification pipeline whose human reviewers are not properly trained, supervised, or compensated, or who are subject to coercion or undisclosed conflicts of interest.
• Engaging in or failing to disclose conflicts of interest with the persons being verified, including financial relationships, political relationships, or family relationships.
• Falsifying audit logs, warrant-canary statements, jurisdictional declarations, or any record relied upon by the Company or by Users to assess VP integrity.
• Subcontracting any part of the verification process to an entity that is not itself accredited and bound by equivalent standards.
• Failing to honour a verified User's GDPR or comparable rights when raised through proper channels.

9.Trademark and Brand Mark Use

The Brand Marks identify products and services of the Company and its accredited partners. Their integrity matters because the public reads them as a signal of authentication. The following are prohibited unless expressly permitted in writing or by a published Brand Mark guideline:

• Using TIP Powered branding, the Global Seal of Trust badge, the AI Trust Council seal, or any other Brand Mark on a product, service, or document that is not properly integrated, certified, or accredited under the relevant programme.
• Combining a Brand Mark with another logo or wordmark in a way that suggests endorsement, joint venture, or partnership where none exists.
• Modifying, recolouring, distorting, or animating a Brand Mark in a way that misrepresents the identity of the Company or its programmes.
• Registering domain names, social-media handles, or app names that incorporate a Brand Mark in a manner likely to confuse the public about source or affiliation.
• Using TIP Brand Marks in a way that suggests the Company endorses a political party, candidate, ideology, religious organisation, or commercial product where no such endorsement has been given.
• Continuing to display Brand Marks after termination, revocation, or non-renewal of the underlying licence, accreditation, or certification.

Permitted descriptive use, such as accurately stating "compatible with TIP Protocol" in a product description, does not require a separate trademark licence, provided the use is honest, does not imply endorsement, and complies with the Brand Mark guideline published at theailab.org.

10.Specifically Prohibited Use Cases

Certain use cases are categorically prohibited under this AUP regardless of other contractual permissions. The Company will not knowingly support, and will affirmatively act against, the following:

• Synthetic-identity systems that issue or operate TIP-IDs for non-existent persons, AI agents, deceased persons, or composites assembled from multiple real persons.
• Deepfake-generation pipelines that use TIP-IDs, biometric hashes, or signed Content as training material, conditioning input, or attribution decoration.
• Biometric surveillance systems that ingest, correlate, or re-identify Users from public DAG metadata, badge artefacts, registry queries, or node-side network traffic.
• Child sexual abuse material (CSAM), grooming material, or any content that sexualises minors. Any use of the Services in connection with such material will be reported to the National Center for Missing & Exploited Children (NCMEC) and equivalent authorities in the relevant jurisdiction.
• Non-consensual intimate imagery (NCII), revenge-porn networks, or services that profit from the non-consensual sharing of sexual or intimate content.
• Election-disinformation operations, including AI-generated false statements attributed to candidates, election officials, or election processes; coordinated inauthentic behaviour designed to depress turnout; or any deepfake intended to influence an election where prohibited by applicable law.
• Terrorism or violent-extremism content covered by the Christchurch Call standards or designated as such by the relevant national authority.
• Targeting of human-rights defenders, journalists, dissidents, or whistleblowers using TIP-derived data, including identification, tracking, or compilation of dossiers.
• Circumvention of sanctions, export controls, or anti-money-laundering law using TIP-IDs as a layer of credibility for sanctioned transactions.

11.Reporting Violations

If you believe a violation of this Policy has occurred, please report it through the channel below that best matches the topic. Reports should include the relevant TIP-ID URIs, content references, transaction identifiers, links, screenshots, and any other context that will help the Company investigate. Reports submitted in good faith are welcome; knowingly false reports are themselves a violation under Section 4.

11.1 Confidentiality

The Company will treat the identity of a reporter as confidential to the extent permitted by applicable law and the requirements of a fair investigation. Where the report concerns a security vulnerability, the Company will follow a coordinated-disclosure timeline agreed with the reporter.

11.2 Anti-retaliation

The Company will not retaliate, and prohibits accredited Verification Providers, licensees, and other partners from retaliating, against a person who reports a suspected AUP violation in good faith.

12.Enforcement and Sanctions

The Company applies a graduated enforcement framework that is proportionate to the severity, recency, scope, and intent of the alleged conduct. Each step is summarised below; the Company may move directly to a later step where the conduct is severe, ongoing, or risks imminent harm.

12.1 Effect of revocation

When a TIP-ID is revoked under Step 4, the associated public key is added to the public revocation registry. Signatures produced by the revoked key after the revocation timestamp will fail verification. Content signed before revocation may continue to be displayed, with a revocation indicator, in accordance with the Content Origin Integrity rules in Section 6.

12.2 Effect of VP accreditation revocation

When a Verification Provider is revoked, the Company will publish a notice on the AI Trust Registry, will instruct integrators to refresh their accreditation lists, and will work with affected Users to re-verify under another accredited VP where appropriate. TIP-IDs issued by a revoked VP remain valid as a historical record but are subject to additional scrutiny on a case-by-case basis.

12.3 Public notice

The Company may publish a sanitised, fact-based public notice of revocation actions where doing so serves the public interest, complies with applicable law, and respects the privacy of natural persons not directly involved in the conduct.

13.Appeals

A User, Verification Provider, or licensee subject to enforcement under this Policy may appeal in two stages.

13.1 Stage one · written response

Within 30 days of receiving an enforcement notice, the affected party may submit a written response to the Company, addressing the alleged conduct, providing additional evidence, and proposing remediation. The Company will reconsider the enforcement action in light of the response and will issue a written decision within 30 days of receiving the response.

13.2 Stage two · jury review

Where the Stage One response is not accepted, the affected party may request review by a three-member panel drawn from the AI Trust Council's enforcement jury pool. The panel will be selected to exclude direct competitors and persons with conflicts of interest. Panel review is conducted on the record; the panel's decision is final as to the AUP question, without prejudice to the affected party's rights under Section 17.

14.Reservation of Rights

The Company reserves, in addition to all rights expressed in the Terms of Service, the Privacy Policy, and TIPCL-1.0, the following rights, which it may exercise singly or in combination:

• To investigate suspected violations of this Policy, including by reviewing public DAG data, server logs, accreditation records, and information voluntarily provided by reporters.
• To preserve evidence relevant to a suspected violation in a manner consistent with applicable law.
• To cooperate with law-enforcement, regulatory, and supervisory authorities, including by responding to lawful process and by reporting suspected criminal conduct on the Company's own initiative where lawful.
• To take protective action, including suspension under Step 2, where the Company believes in good faith that immediate action is necessary to prevent imminent harm.
• To decline to act in cases that fall outside the Services or that the Company assesses to be appropriately resolved through other channels, such as platform-level moderation or independent dispute resolution.
• To delegate investigation or enforcement of specific categories of violation to the AI Trust Council or to another body the Company designates by published policy.

15.Compliance with Applicable Law

This Policy is an additional, contractual standard of conduct. It does not limit, replace, or override any of your independent obligations under applicable law. Without limiting other applicable law, your conduct under the Services must comply with the following where it applies to you:

• GDPR (Regulation (EU) 2016/679) and analogous data-protection law in the EEA, the United Kingdom, and other jurisdictions.
• EU AI Act (Regulation (EU) 2024/1689), including the Article 50 transparency and disclosure obligations for AI-generated content.
• California Consumer Privacy Act (CCPA), as amended, and analogous US state-level privacy law.
• Biometric Information Privacy Act (BIPA, 740 ILCS 14/) and analogous state-level biometric law in Texas, Washington, and other jurisdictions.
• Children's Online Privacy Protection Act (COPPA, 15 U.S.C. §§ 6501-6506) where any User is under 13.
• Digital Millennium Copyright Act (DMCA, 17 U.S.C. § 512) and analogous law for copyright-takedown notices, with the Company's designated agent listed on theailab.org.
• Anti-money-laundering, sanctions, and export-control law, including OFAC sanctions and the Export Administration Regulations.
• Election law in jurisdictions where election-related conduct is regulated, including paid-political-content disclosure rules.

16.Modifications to This Policy

The Company may update this Policy from time to time. Material changes will be communicated by email to the registered address associated with each affected TIP-ID, VP, and licensee account, and by prominent notice on theailab.org for at least 30 days before the effective date. Prior versions are archived at theailab.org/tip-acceptable-use/archive. Continued use of the Services after the effective date constitutes acknowledgment of the updated Policy. Where applicable law requires affirmative consent for a change, the Company will obtain that consent before applying the change to you.

17.Governing Law and Arbitration

This Policy is governed by the laws of the State of Delaware, United States of America, except where mandatory provisions of applicable law in your jurisdiction provide greater protections.

For any dispute under this Policy that cannot be resolved through the appeal process in Section 13, the parties agree to binding arbitration administered by JAMS in Wilmington, Delaware, consistent with the governing terms of TIPCL-1.0 and the Terms of Service. Arbitration is the exclusive forum for monetary or contract disputes under this Policy. Arbitration does not limit your right to make a complaint to a supervisory authority under GDPR or to commence a regulatory proceeding under analogous law where that right is given by statute.