Acceptable Use Policy
Permitted and prohibited uses of the Aldric SaaS platform
Version 1.0 — As of: March 2026
This is a convenience translation. In the event of any discrepancies, the German version shall prevail.
This Acceptable Use Policy (hereinafter "AUP") defines which forms of use of the SaaS platform "Aldric" are permitted and which are prohibited. The AUP supplements the General Terms and Conditions (GTC) and forms part of the contractual relationship between the Customer and CONPORT Services GmbH.
§ 1 Scope
(1) This AUP applies to all users of the SaaS platform "Aldric" (hereinafter "Platform"), operated by CONPORT Services GmbH, Alte Benninghofer Str. 24, 44263 Dortmund, Germany (hereinafter "Provider"). This includes Customers, their employees, contractors, and — when using the Provider Edition — Sub-Tenants and their users.
(2) The AUP applies in addition to the Provider's GTC. In the event of a conflict, the GTC shall take precedence unless otherwise specified in this AUP.
(3) By using the Platform, users accept this AUP. Customers are responsible for ensuring that their employees, contractors, and Sub-Tenants also comply with this AUP.
§ 2 Permitted Use
(1) The Platform may only be used for the contractually agreed purposes of compliance management. Permitted uses include in particular:
- Managing and documenting compliance processes and policies;
- Conducting and documenting Data Protection Impact Assessments (DPIAs);
- Processing personal data within the scope of the Data Processing Agreement concluded between the parties and in accordance with the GDPR;
- Managing records of processing activities, risk registers, and action plans;
- Training employees on compliance-related topics through the Platform;
- Integrating the Platform into proprietary systems via the provided API interfaces within the scope of the documented usage limits;
- Using the Provider Edition to offer the Platform as a service to the Customer's own customers (Sub-Tenants), provided this is contractually agreed.
(2) Use must at all times comply with applicable legal requirements, in particular the GDPR, the German Federal Data Protection Act (BDSG), and any industry-specific regulations applicable to the respective Customer.
§ 3 Prohibited Use
(1) The following uses are expressly prohibited:
Unlawful Activities
- Using the Platform for unlawful purposes or to support unlawful activities;
- Processing or storing unlawful content, including in particular child sexual abuse material, hate speech content, or copyrighted content without an appropriate license;
- Violations of export control regulations or sanctions rules.
Unauthorized Access and Security Violations
- Unauthorized access to systems, accounts, or data of other users or tenants;
- Circumventing authentication or security mechanisms of the Platform;
- Using another person's credentials or sharing one's own credentials with third parties;
- Attempting to exploit security vulnerabilities in the Platform (for responsible disclosure of security vulnerabilities, see § 5(3)).
Technical Disruption
- Using bots, scripts, or automated tools that overload the Platform with requests or impair its normal operation (DoS/DDoS attacks);
- Systematically or abusively exceeding documented API rate limits;
- Uploading or distributing malware, viruses, trojans, or other malicious code via the Platform;
- Manipulating metadata, HTTP headers, or other technical parameters to conceal the origin of use.
Reverse Engineering and Competitive Analysis
- Decompiling, disassembling, or otherwise reverse-engineering the Platform, unless permitted by mandatory legal provisions (in particular Section 69e German Copyright Act);
- Systematically extracting Platform content, structures, or databases through scraping or comparable methods;
- Using the Platform for the purpose of analysis to develop competing products or services.
Unauthorized Redistribution
- Reselling, sublicensing, or otherwise making Platform access available to third parties without a corresponding contractual agreement (Provider Edition);
- Providing the Platform as a standalone service to third parties outside the contractually agreed Provider Edition use.
§ 4 Data Protection and Security
(1) The Customer is solely responsible for the lawfulness of the data it uploads to or processes via the Platform. This includes in particular ensuring an appropriate legal basis pursuant to Art. 6 GDPR for the processing of personal data, as well as fulfilling information obligations towards data subjects.
(2) The Customer undertakes to comply with applicable data protection regulations, in particular the GDPR and the German Federal Data Protection Act (BDSG), when using the Platform. Details on data processing by the Provider are set out in the Privacy Policy and the Data Processing Agreement.
(3) Users are required to use strong, unique passwords and to renew them regularly. The activation of two-factor authentication (2FA) is expressly recommended and may be made mandatory by the Provider for certain editions.
(4) Security incidents affecting the Platform — in particular suspected compromise of credentials, unauthorized access to account data, or loss of authentication means — must be reported to the Provider without delay at security@conport.services. The Customer is obligated to support the Provider in investigating and remedying security incidents.
§ 5 System Integrity
(1) Any interference with the Platform that could impair its proper operation is prohibited. This includes in particular:
- Injecting code or data that impairs the Platform's functionality;
- Manipulating database queries or API parameters to circumvent access controls (e.g., SQL injection, path traversal);
- Using techniques that measurably degrade Platform performance for other users.
(2) The systematic circumvention of rate limits — for example through IP address rotation, distributed requests, or exploiting technical gaps in the rate-limiting logic — is prohibited, even if individual requests remain within the limits.
(3) Anyone who discovers a security vulnerability in the Platform is asked to report it responsibly to security@conport.services (Responsible Disclosure) before any publication. The Provider undertakes to review reported vulnerabilities promptly and — if confirmed — to remediate them. Using discovered vulnerabilities beyond what is necessary for reproduction is prohibited.
§ 6 Consequences of Violations
(1) In the event of violations of this AUP, the Provider is entitled to take the following measures at its own discretion, subject to the principle of proportionality:
- Warning: For first-time or minor violations, the Provider may issue a written warning to the Customer and request remediation;
- Temporary suspension: For repeated or serious violations, the Provider may temporarily suspend access to the Platform in whole or in part until the violation has been remedied;
- Immediate termination: For particularly serious violations — in particular unlawful activities, intentional security attacks, or serious data protection breaches — the Provider is entitled to terminate the contractual relationship for cause without notice.
(2) In the event of termination due to a violation of this AUP for which the Customer is responsible, there is no entitlement to a refund of fees already paid. Further claims for damages by the Provider remain unaffected.
(3) The Provider reserves the right to act without prior notice in the event of an immediate threat to the security or integrity of the Platform or other users. In such cases, the affected Customer will be informed as soon as possible.
§ 7 Reporting Violations
(1) Violations of this AUP by other users may be reported to the Provider at security@conport.services. The Provider treats incoming reports confidentially and reviews them promptly.
(2) For reporting security vulnerabilities and weaknesses, § 5(3) applies. General support requests should be submitted through the regular support channels.
§ 8 Changes to the Acceptable Use Policy
(1) The Provider is entitled to amend this AUP with 30 days' notice. Changes will be communicated to the Customer in text form, either by email or through a clearly visible notice within the Platform.
(2) Continued use of the Platform after the notice period has expired constitutes acceptance of the amended AUP. If the Customer does not agree to the changes, they have the right to extraordinary termination in accordance with the GTC.
(3) For changes that serve solely for clarification or do not impose any material new obligations on the Customer, the Provider may reduce the notice period to 14 days.
§ 9 Final Provisions
(1) The law of the Federal Republic of Germany shall apply, excluding the UN Convention on Contracts for the International Sale of Goods (CISG).
(2) The exclusive place of jurisdiction for all disputes arising from or in connection with this AUP is Dortmund, Germany, insofar as the Customer is a merchant, legal entity under public law, or special fund under public law.
(3) Should individual provisions of this AUP be or become invalid or unenforceable, the validity of the remaining provisions shall not be affected. The invalid or unenforceable provision shall be replaced by one that most closely approximates the economic purpose of the invalid provision.
(4) This AUP is to be read in conjunction with the GTC, the Privacy Policy, and the Data Processing Agreement. In case of doubt, the content of the GTC shall take precedence.