Overlook Acceptable Use Policy

This Acceptable Use Policy (this “Policy”) governs access to and use of the websites, hosted software services, applications, APIs, downloadable software, packaged software distributions, documentation, support channels, professional services, training materials, workshops, and related offerings made available by Overlook AI, Inc. (“Overlook,” “we,” “our,” or “us”) (collectively, the “Services”). This Policy is incorporated into and forms part of the agreement under which a customer, subscriber, licensee, organization, or authorized user accesses or uses the Services, including any applicable Terms of Service, Subscription and Software License Agreement, Order Form, Professional Services Addendum, Data Processing Addendum, Commercial Software License, Government Supplemental Terms, or other written agreement with Overlook (each, an “Agreement”). Capitalized terms used but not defined in this Policy have the meanings given to them in the applicable Agreement.

The purpose of this Policy is to preserve the security, integrity, lawful operation, and intended business use of the Services; protect Overlook, its customers, users, and third parties; and define conduct that constitutes misuse or abuse of the Services. This Policy is not intended to describe every prohibited activity. Conduct that is materially similar to, facilitates, attempts to accomplish, or is designed to evade a prohibited activity is also prohibited.

1. Business Use; Responsibility for Users and Activity

The Services are provided for lawful business use by customers and authorized users who are at least eighteen (18) years old and who access the Services on behalf of an organization or for legitimate business purposes. Customer is responsible for all activity occurring under Customer’s accounts, workspaces, environments, credentials, integrations, API keys, tokens, deployments, and systems, whether or not Customer authorized the activity, except to the extent caused by Overlook’s breach of the applicable Agreement.

Customer shall ensure that its employees, contractors, administrators, service providers, and other Authorized Users comply with this Policy and the applicable Agreement. Customer shall maintain reasonable administrative and technical controls to prevent unauthorized access to the Services, including appropriate account administration, credential protection, role assignment, access review, and prompt removal of access for users who no longer require it.

2. Compliance with Law and Third-Party Rights

Customer may use the Services only in compliance with all applicable laws, rules, regulations, orders, and contractual obligations, including those relating to privacy, data protection, cybersecurity, intellectual property, trade secrets, export controls, sanctions, anti-corruption, consumer protection, employment, procurement, public-sector contracting, artificial intelligence, and industry-specific requirements. Customer is solely responsible for determining whether its particular use of the Services is lawful, appropriate for its data and operating environment, and consistent with any obligations owed to third parties.

Customer shall not use the Services to violate, misappropriate, or infringe any intellectual property, privacy, publicity, confidentiality, contractual, trade secret, moral, database, or other proprietary right of Overlook or any third party. Customer shall not upload, submit, process, or direct Overlook to process content, data, files, prompts, materials, or information that Customer does not have the legal right to provide or use in connection with the Services.

3. Prohibited Unlawful, Harmful, or Abusive Conduct

Customer shall not use the Services to engage in, facilitate, encourage, conceal, or attempt unlawful, fraudulent, deceptive, defamatory, harassing, abusive, threatening, exploitative, or otherwise harmful activity. Customer shall not use the Services to create, distribute, promote, or support content or activity that is illegal, materially misleading, intentionally deceptive, or intended to harm individuals, organizations, systems, property, or public safety.

Customer shall not use the Services to impersonate any person or entity without authorization, misrepresent affiliation or authority, engage in phishing or social engineering, generate or distribute spam or unsolicited communications, conduct credential harvesting, facilitate account takeover, or evade identity, authentication, payment, rate-limiting, age, geographic, sanctions, or other eligibility controls.

Customer shall not use the Services to generate, manage, facilitate, or distribute content or activity involving exploitation or abuse of minors, non-consensual sexual content, targeted harassment, credible threats, extremist or terrorist activity, or other categories of activity that Overlook reasonably determines present material legal, safety, reputational, or operational risk to Overlook, other customers, users, or third parties.

4. Security, Integrity, and Abuse of the Services

Customer shall not access, attempt to access, test, probe, scan, interfere with, or disrupt the Services, Overlook systems, third-party systems, data, accounts, networks, infrastructure, authentication mechanisms, usage controls, entitlement controls, or security controls except as expressly permitted in writing by Overlook. Customer shall not introduce or transmit malware, ransomware, worms, logic bombs, malicious code, corrupted files, unauthorized scripts, denial-of-service traffic, vulnerability exploits, command-and-control infrastructure, cryptomining workloads, or other harmful mechanisms through or in connection with the Services.

Customer shall not conduct load testing, penetration testing, vulnerability scanning, stress testing, scraping, automated account creation, bulk registration, service enumeration, or other security or performance testing against the Services without Overlook’s prior written authorization and compliance with Overlook’s testing requirements. Customer shall not use the Services to attack, scan, disrupt, or compromise third-party systems or to provide infrastructure, coordination, or automation for such activity.

Customer shall not bypass, disable, interfere with, or attempt to circumvent metering, logging, audit, monitoring, billing, usage limits, rate limits, license keys, feature gates, seat controls, AI Profile limits, Agent Message limits, deployment restrictions, geographic controls, access controls, or other technical or contractual restrictions applicable to the Services. Customer shall not use multiple accounts, organizations, environments, devices, integrations, or technical workarounds to avoid fees, restrictions, suspensions, entitlement limits, or other obligations.

5. Restrictions on Software, APIs, Integrations, and Customer-Managed Deployments

Customer shall not copy, modify, translate, adapt, create derivative works of, distribute, sublicense, rent, lease, lend, sell, resell, assign, timeshare, service bureau, outsource, provide, or otherwise make available the Services, Licensed Software, documentation, APIs, professional services materials, or Overlook Materials to any third party except as expressly permitted under a written Agreement. Except to the extent non-waivable law expressly prohibits restriction, Customer shall not reverse engineer, decompile, disassemble, derive, inspect, scrape, extract, or otherwise attempt to discover source code, object-code structure, algorithms, models, architecture, data structures, database schema, scoring logic, workflows, prompts, business rules, interfaces, trade secrets, or non-public underlying ideas in or related to the Services.

Customer shall use Overlook APIs, SDKs, connectors, import tools, export tools, and integrations only in accordance with the applicable documentation and Agreement. Customer shall not use automation, bots, scripts, agents, crawlers, or integrations in a manner that overloads, degrades, disrupts, or interferes with the Services or that exceeds authorized usage metrics. Customer is responsible for third-party integrations, data flows, permissions, security settings, and applications selected or configured by Customer.

For Licensed Software, packaged distributions, customer-cloud deployments, GovCloud deployments, on-premises deployments, air-gapped deployments, or other Customer-managed environments, Customer shall maintain the Software in accordance with Overlook documentation, license restrictions, security requirements, and applicable Order Forms. Customer shall not alter, disable, remove, or obscure license controls, proprietary notices, security controls, telemetry or usage-reporting mechanisms required by the Agreement, vulnerability notices, audit logs, or compliance mechanisms except as expressly authorized by Overlook in writing.

6. Restricted Data; Sensitive Data; Regulated Environments

The Services are designed for business operational information, AI management records, metadata, account information, collaboration records, assessment responses, Canvas entries, AI Profile content, and other business-management content appropriate for the applicable subscription and deployment environment. Unless expressly authorized in a written Agreement signed by Overlook, Customer shall not submit, store, process, transmit, or permit use of the Services with protected health information subject to HIPAA, payment card data subject to PCI DSS, classified information, controlled unclassified information requiring specialized government controls, export-controlled technical data, highly sensitive government data, biometric identifiers, precise geolocation data, children’s personal information, credentials or secrets not intended for such use, or other data requiring safeguards beyond those expressly described in the Agreement.

Customer remains solely responsible for determining whether the Services and the applicable deployment model are appropriate for the data Customer elects to submit. Customer shall not use the Services in a manner that causes Overlook to become subject to legal or regulatory obligations not expressly assumed by Overlook in a written Agreement, including obligations as a HIPAA business associate, PCI service provider, regulated financial institution, regulated healthcare provider, classified-information system operator, or other regulated role.

If Customer inadvertently submits prohibited or restricted data, Customer shall promptly notify Overlook and cooperate in removing or remediating the data. Overlook may suspend processing, quarantine, delete, or require removal of such data where Overlook reasonably determines that continued processing may create material legal, security, operational, or contractual risk.

7. Artificial Intelligence, Readiness, and High-Impact Use Restrictions

Overlook provides a business-led AI management platform and related services. Customer shall not use the Services, Overlook outputs, readiness insights, scorecard results, Canvas materials, AI Profile records, recommendations, alerts, analytics, or other outputs as the sole basis for decisions that have legal or similarly significant effects on individuals, including decisions relating to employment, housing, credit, education, healthcare, insurance, eligibility for benefits, law enforcement, or access to essential services, without legally sufficient human review and Customer’s own compliance assessment.

Customer shall not use the Services to develop, operate, coordinate, or facilitate unlawful surveillance, unlawful biometric identification, discriminatory profiling, deceptive manipulation, unauthorized automated decision-making, illegal weapons activity, physical-harm systems, or any use prohibited by applicable artificial intelligence, privacy, employment, public-sector, consumer-protection, procurement, sector-specific, or safety laws. Customer is responsible for maintaining appropriate human oversight, domain expertise, validation, verification, impact assessment, escalation, recourse, and governance processes for Customer’s AI systems and business operations.

Overlook does not provide legal, compliance, certification, audit, financial, accounting, medical, human-resources, procurement, public-safety, or risk-certification advice through the Services unless expressly agreed in a separate signed professional services statement that clearly identifies such services. Customer shall not represent Overlook outputs, readiness states, scorecards, assessments, or service recommendations as legal determinations, regulatory approvals, audit certifications, safety certifications, or guarantees of business impact, AI performance, compliance, risk reduction, or return on investment.

8. Protection of Overlook Methodology, Assessment, Scorecard, Canvas, and Service Materials

Customer shall not use the Services, professional services, training sessions, workshops, assessments, scorecard results, readiness insights, Canvas materials, facilitation methods, templates, playbooks, documentation, non-public workflows, service notes, or other Overlook Materials to reverse engineer, infer, reconstruct, reproduce, commercialize, publish, distribute, train third-party consultants on, create derivative works from, or develop a competing or substantially similar product, service, assessment, scorecard, canvas, framework, methodology, scoring system, readiness model, training program, consulting offering, or operating model.

Overlook retains all right, title, and interest in and to the Business-led AI Management Assessment, Business-led AI Management Scorecard, scoring logic, weighting concepts, readiness methodology, Business-led AI Management Canvas design, internal Canvas concepts, facilitation methods, training content, workshop materials, templates, product workflows, internal playbooks, service-delivery methods, know-how, documentation, and all modifications, improvements, adaptations, and derivative works of any of the foregoing. Customer may use Overlook-provided materials only for Customer’s internal adoption and use of the Services during the applicable subscription or services term, and only as permitted by the applicable Agreement.

Customer owns Customer-provided business information, Customer-specific operational content, Customer-specific responses entered into the Assessment or Scorecard, completed Customer-specific Canvas entries, Customer-specific AI Profile content, and Customer Data entered into the Services, subject to the Agreement. Customer’s ownership of such content does not grant Customer any ownership of the underlying Overlook Assessment, Scorecard, Canvas design, platform, methodologies, templates, scoring systems, or non-public concepts used to generate, structure, interpret, facilitate, or display that content.

9. Professional Services, Training, Workshops, and Recordings

Professional services, training, onboarding, workshops, and related engagements are subject to the applicable Agreement, Professional Services Addendum, Order Form, and Service Schedule. Customer shall use any materials, recommendations, instructions, workshop outputs, training content, and engagement artifacts solely for Customer’s internal use in connection with the Services and shall not distribute them outside Customer’s organization or to third-party consultants, advisors, vendors, contractors, or service providers except as expressly authorized in writing by Overlook.

Customer shall not record, transcribe, broadcast, reproduce, publish, distribute, or train any artificial intelligence system or knowledge base on Overlook training sessions, workshops, professional services meetings, service materials, demonstrations, facilitator commentary, or non-public Overlook content without Overlook’s prior written consent. Where recording is expressly authorized, Customer shall remain responsible for providing required notices, obtaining required consents, protecting confidential information, and complying with applicable law.

10. Communications, Invites, and Customer Outreach

To the extent the Services enable Customer to send invitations, notifications, collaboration messages, email communications, links, exports, reports, or other communications, Customer shall use those features only for legitimate business purposes and in compliance with applicable anti-spam, marketing, privacy, employment, and communications laws. Customer shall not use the Services to send unsolicited, deceptive, misleading, harassing, excessive, or unlawful communications, or to impersonate Overlook, another customer, or any third party.

Customer is responsible for the content, recipients, permissions, and consequences of communications initiated by Customer or Customer’s Authorized Users through the Services. Overlook may impose limits, suspend communication features, or require remediation if Overlook reasonably determines that Customer’s use may impair deliverability, security, service reputation, user trust, or compliance with law.

11. Export Controls, Sanctions, and Restricted End Uses

Customer shall not access, use, export, re-export, transfer, release, or permit access to or use of the Services in violation of United States export control, sanctions, anti-boycott, or trade laws, or other applicable trade restrictions. Customer represents that Customer and its Authorized Users are not located in, organized under the laws of, ordinarily resident in, or acting on behalf of any jurisdiction or person subject to comprehensive sanctions or trade restrictions applicable to the Services, and are not listed on any applicable prohibited, restricted, denied, blocked, or sanctioned party list.

Customer shall not use the Services for restricted end uses, restricted end users, or restricted destinations without all required governmental authorizations and Overlook’s prior written approval where required by the Agreement. Customer shall not provide access to the Services to any person or entity where doing so would cause Overlook, its affiliates, subcontractors, infrastructure providers, or licensors to violate applicable export controls, sanctions, or procurement restrictions.

12. Public Sector and Government Use

Public-sector, government, government-contractor, and government-subcontractor customers may use the Services only in accordance with the applicable Order Form, Government Supplemental Terms, security requirements, deployment environment, procurement restrictions, and applicable law. Unless expressly stated in an Order Form or government-specific schedule, Customer shall not submit classified information, controlled unclassified information requiring specialized handling, government secrets, defense technical data, export-controlled technical data, or other government-regulated information requiring controls not expressly assumed by Overlook in writing.

Customer is responsible for determining whether the Services, deployment model, support model, data categories, and security posture satisfy Customer’s public-sector obligations. Any references to AWS GovCloud, FedRAMP, NIST, agency requirements, or other frameworks describe potential deployment or procurement contexts only unless the applicable Order Form expressly states a specific contractual commitment.

13. Monitoring, Investigation, and Enforcement

Overlook may monitor use of the Services and investigate suspected violations of this Policy to the extent reasonably necessary to protect the Services, enforce the Agreement, comply with law, prevent abuse, preserve security and availability, protect Overlook’s rights, or protect customers, users, or third parties. Overlook may review relevant account, usage, security, billing, support, and operational information in connection with such investigation, subject to the applicable Agreement and law.

If Overlook reasonably believes that Customer or any Authorized User has violated this Policy, Overlook may remove or disable content, restrict functionality, suspend access, require remediation, reject or remove integrations, reduce or block traffic, disable accounts or environments, terminate Services, notify affected parties, or take other action permitted by the Agreement. Overlook may act without prior notice where Overlook reasonably determines that immediate action is necessary to prevent harm, preserve security, maintain availability, comply with law, or protect Overlook, customers, users, or third parties.

Overlook may cooperate with law enforcement, regulators, infrastructure providers, and affected third parties where required by law or where Overlook reasonably determines that cooperation is necessary to address misuse, security threats, unlawful activity, or harm. Enforcement under this Policy is without prejudice to any other rights or remedies available to Overlook under the Agreement, at law, or in equity.

14. Reporting Misuse, Abuse, and Security Issues

Customer shall promptly notify Overlook if Customer becomes aware of any suspected violation of this Policy, unauthorized access to the Services, credential compromise, security vulnerability, misuse, unlawful activity, or incident involving the Services or Customer’s use of the Services. Reports may be submitted to support@overlookai.com or legal@overlookai.com, and security-related reports should include sufficient detail for Overlook to investigate and respond. Customer shall reasonably cooperate with Overlook in investigating and remediating suspected misuse or security issues connected to Customer’s accounts, environments, integrations, data, or Authorized Users.

15. Changes to this Policy

Overlook may update this Policy from time to time to reflect changes in law, technology, service functionality, operational practices, misuse patterns, customer protections, security requirements, or business needs. Unless otherwise stated in an applicable Agreement, an updated version becomes effective when posted or otherwise communicated. Overlook will not apply a material change retroactively to penalize conduct that occurred before the change became effective, except where required by law or necessary to address ongoing harm, security risk, misuse, or unlawful activity.

Customer’s continued use of the Services after the effective date of an updated Policy constitutes acceptance of the updated Policy to the extent permitted by law and the applicable Agreement. If Customer objects to a material update, Customer’s exclusive remedy is to stop using the Services or exercise any termination right expressly provided in the applicable Agreement.

16. Order of Precedence

This Policy supplements the applicable Agreement. If there is a direct conflict between this Policy and a separately executed written Agreement signed by Overlook, the signed Agreement controls solely to the extent of the conflict. If there is a conflict between this Policy and a more specific written security, data, government, professional services, or software-license requirement applicable to Customer’s particular Services, the more specific requirement controls solely for that subject matter. No failure or delay by Overlook in enforcing this Policy constitutes a waiver of any right to enforce this Policy later or to enforce similar restrictions in other circumstances.