Acceptable Use Policy
Exhibit D to the Master Service Agreement
Last updated: March 16, 2026
This Acceptable Use Policy (“AUP”) is incorporated into and governed by the Master Service Agreement (“Agreement”) between Switch Labs LC and Client. It applies to all use of the Metro 2 platform, including the Dashboard, API, Sandbox, and all related services.
1. Lawful Use
- Client will use the Services only for lawful credit reporting purposes in compliance with all applicable federal, state, and local laws, including the FCRA, FACTA, ECOA, GLBA, and CCPA.
- Client will not use the Services to report data that Client does not have the legal authority or required consumer authorization to furnish.
- Client will not use the Services for any purpose unrelated to consumer credit reporting, including marketing, profiling, identity verification, or fraud detection (unless such use is a permissible purpose under the FCRA).
2. Data Integrity
- Client is responsible for the accuracy, completeness, and timeliness of all data furnished through the Services.
- Client will not intentionally furnish false, misleading, or fabricated consumer data.
- Client will not circumvent, disable, or manipulate validation rules. If Client believes a validation rule is producing incorrect results, Client should report the issue through support channels.
- Client will promptly correct errors identified through Bureau response files, validation warnings, or consumer disputes.
3. Account Security
- Client will maintain the confidentiality of all account credentials, API Keys, and Authorized User access.
- Client will not share API Keys between environments (Sandbox and production) or embed production API Keys in client-side code, mobile applications, or publicly accessible repositories.
- Client will enable multi-factor authentication (MFA) for all Authorized Users who access the Dashboard.
- Client will promptly revoke access for any Authorized User who no longer requires it (e.g., terminated employees, changed roles).
- Client will immediately notify Service Provider of any known or suspected unauthorized access to Client’s account or API Keys.
4. API Usage
- Client will comply with published rate limits and will not attempt to circumvent rate limiting through IP rotation, key cycling, or other techniques.
- Client will implement exponential backoff for retries on failed API requests and will honor HTTP 429 (Too Many Requests) responses.
- Client will verify Webhook signatures (HMAC-SHA256) before processing any Webhook payload and will process events idempotently.
- Client will not use the API for automated scraping, data mining, or any purpose beyond the Services described in the Agreement.
- Client will not perform load testing, penetration testing, or vulnerability scanning against the production Services without prior written authorization from Service Provider.
5. Sandbox Environment
- Client will not submit real consumer personally identifiable information (PII), including real SSNs, in the Sandbox environment. Use synthetic or anonymized test data only.
- The Sandbox is provided for integration testing and development purposes only. Client should not rely on Sandbox data for production reporting or compliance purposes.
- Service Provider may periodically reset Sandbox environments without notice. Client should not store persistent business data in the Sandbox.
6. Prohibited Activities
Client will not, and will not permit any Authorized User or third party to:
- Use the Services to threaten, harass, or intimidate consumers, or to coerce payment through inaccurate or retaliatory credit reporting.
- Report data on consumers with whom Client has no legitimate business relationship or permissible purpose.
- Attempt to access another client’s data, accounts, or records.
- Introduce malware, viruses, or malicious code into the Services.
- Use the Services to build a competing product or service, or to benchmark the Services against competitive offerings.
- Resell, sublicense, or provide access to the Services to any third party without Service Provider’s prior written consent.
- Misrepresent Client’s identity, Subscriber Code ownership, or authority to furnish data.
- Interfere with or disrupt the Services, or impose an unreasonable or disproportionate load on Service Provider’s infrastructure.
7. Dispute Response Obligations
- Client will respond to all consumer disputes within the timeframes required by the FCRA (generally 30 days, or 45 days when the consumer provides additional information).
- Client will use the dispute management tools provided by the Services to document investigations, decisions, and corrective actions.
- Client will not ignore, automatically reject, or fail to investigate disputes in good faith.
8. Enforcement
- Monitoring. Service Provider may monitor usage patterns, API calls, and data quality metrics to detect violations of this AUP. Monitoring will be performed in accordance with the Data Processing Addendum.
- Notice & Cure. If Service Provider identifies a potential AUP violation, it will notify Client and provide a reasonable opportunity to cure (generally 5 business days), except where immediate action is required to prevent harm.
- Immediate Suspension. Service Provider may immediately suspend Client’s access without prior notice if (a) Client’s use poses a security risk to the Services or other clients; (b) Client is submitting demonstrably fraudulent data; (c) continued use would violate applicable law; or (d) suspension is required by a Bureau or regulatory authority.
- Termination. Repeated or material violations of this AUP constitute a material breach of the Agreement and may result in termination pursuant to the Agreement’s termination provisions.
9. Reporting Violations
If you become aware of any violation of this AUP, please report it to compliance@switchlabs.dev.
This AUP is Exhibit D to the Master Service Agreement. See also: Order Form (Exhibit A) | Service Level Agreement (Exhibit B) | Data Processing Addendum (Exhibit C)