Overview
This Acceptable Use Policy ("AUP") applies to your use of Capy’s websites, applications, APIs, agents, virtual machines, review systems, automations, integrations, and related services (the "Services"). It is incorporated into the Terms of Service.
This AUP is not exhaustive. We may take action against content, conduct, or usage that is not listed here if we reasonably believe it threatens the Services, other customers, third-party providers, public infrastructure, or the public.
Your responsibilities
You are responsible for:
- all use of the Services by your users, accounts, credentials, API tokens, connected integrations, automations, and agents;
- configuring repository, branch, environment, network, billing, model, and integration permissions safely;
- ensuring you have authority to process all data you submit to the Services;
- reviewing and validating agent Output before use, merge, deployment, or publication; and
- complying with laws, third-party terms, model-provider policies, and your own organizational policies.
Prohibited content and data
You may not submit, upload, prompt with, or intentionally process content that:
- is unlawful, defamatory, deceptive, harassing, abusive, hateful, discriminatory, sexually exploitative, or graphically violent without a legitimate security, research, moderation, or legal purpose;
- infringes, misappropriates, or violates intellectual property, privacy, publicity, confidentiality, contractual, or other rights;
- contains malware, botnets, ransomware, credential stealers, spyware, destructive scripts, phishing kits, or similar harmful material except for clearly authorized defensive security research in a controlled environment;
- contains payment-card numbers, bank account numbers, government identifiers, biometric identifiers, protected health information, children’s personal information, or other highly regulated data unless your written agreement with us expressly permits that use case;
- contains production API keys, passwords, private keys, seed phrases, session cookies, access tokens, or similar credentials outside designated secret or environment-variable features intended for that purpose;
- you do not have the right to provide to the Services; or
- would cause us or our subprocessors to violate law, sanctions, export controls, or third-party terms.
Capy is designed for software development, not as a regulated-data vault. Please keep the weirdly sensitive stuff out of prompts.
Prohibited conduct
You may not use the Services to:
- violate applicable law or third-party rights;
- deceive, defraud, impersonate, phish, spam, harass, or abuse others;
- generate or distribute malware, credential theft tooling, phishing content, spam, bot activity, or evasion tooling;
- gain, attempt to gain, or facilitate unauthorized access to any system, account, network, repository, integration, model, dataset, or credential;
- scan, probe, exploit, stress test, or attack systems without authorization;
- run denial-of-service activity, botnets, vulnerability exploitation, credential stuffing, account enumeration, scraping at abusive scale, or other harmful automation;
- mine cryptocurrency or run workloads unrelated to software development and testing;
- use Capy VMs as a proxy, VPN, relay, crawler farm, file host, CDN, production server, production worker, spam sender, or persistent hosting platform;
- evade usage limits, billing controls, rate limits, safety systems, permission prompts, security controls, model access controls, or monitoring;
- create multiple accounts, organizations, projects, or automations to bypass limits, suspensions, promotions, credits, or eligibility rules;
- benchmark the Services for publication without enough context for fair replication or in violation of any separate agreement;
- extract, reverse engineer, decompile, model-steal, prompt-steal, scrape, copy, or derive Capy’s source code, system prompts, tools, model routing, non-public benchmarks, or proprietary datasets;
- use the Services or Output to build or train a substantially similar or competing AI software engineering platform, except to the extent this restriction is prohibited by law;
- use Output that you know or reasonably should know is unlawful, infringing, insecure, deceptive, or harmful; or
- encourage or assist others in doing any of the above.
Autonomous agents and commands
Capy agents may execute commands, install dependencies, interact with files, start services, use network access, create commits, open pull requests, and use connected integrations within the permissions you configure.
You may not use agent execution to:
- run destructive actions against systems or data you do not own or control;
- exfiltrate secrets, tokens, private code, private Slack messages, customer data, or third-party data without authorization;
- bypass approval, review, deployment, audit, or access-control processes;
- run production-changing operations without appropriate human approval and rollback plans;
- persist backdoors, credential harvesters, hidden scheduled jobs, or covert monitoring;
- generate or execute exploit code except in a lawful, authorized, defensive security context; or
- run long-lived, unrelated, or high-resource workloads that abuse VM, network, model, or storage resources.
You are responsible for reviewing commands, diffs, generated code, PRs, and integration actions before relying on them.
Connected services and third-party policies
When you connect GitHub, Slack, Linear, Sentry, Vercel, model providers, BYOK keys, external subscriptions, MCP servers, or other third-party services, you must comply with the terms, policies, and permissions for those services.
You may not use Capy to cause a third-party provider to violate its own acceptable use, API, model, data processing, or security policies. If a model provider, integration provider, or infrastructure provider restricts a use case, that restriction also applies to your use of Capy for that provider or integration.
Security research
We welcome good-faith vulnerability reports. You may not conduct security testing against Capy systems, Capy infrastructure, Capy employees, Capy customers, or third-party systems through Capy unless you have explicit authorization.
Good-faith reports should:
- be sent to security@capy.ai;
- avoid privacy violations, data destruction, service disruption, persistence, social engineering, or access to other customers’ data;
- include enough detail for us to reproduce the issue; and
- give us reasonable time to investigate before public disclosure.
Billing, credits, and promotions
You may not abuse pricing, credits, trials, open-source grants, referral programs, partner credits, auto-reload, or promotional offers. Prohibited conduct includes creating fake accounts, misrepresenting eligibility, reselling credits, pooling unrelated organizations to obtain discounts, or using open-source/free usage for private commercial workloads that do not qualify.
Enforcement
We may monitor usage for security, reliability, abuse prevention, billing integrity, and policy compliance. If we believe this AUP has been violated, we may take action, including:
- warning you or asking you to remediate;
- pausing, stopping, or deleting runs, VMs, automations, or content;
- limiting models, tools, integrations, APIs, network access, credits, or concurrency;
- suspending or terminating accounts, organizations, projects, or integrations;
- preserving information related to suspected violations;
- notifying affected third parties; or
- reporting unlawful activity to law enforcement, regulators, or other appropriate authorities.
We will try to tailor enforcement to the risk where practical, but urgent security, legal, abuse, or provider issues may require immediate action.
Changes
We may update this AUP at any time in our sole discretion. Unless a longer period is required by law, an agreement, or a notice we provide, changes are effective when posted. Your continued use of the Services after changes take effect means you accept the updated AUP.
Reporting violations
If you believe someone is violating this AUP, contact support@capy.ai. Security issues should go to security@capy.ai.