Acceptable Use Policy
Effective Date: May 22, 2026 · Last Updated: May 22, 2026
This Acceptable Use Policy ("AUP") governs all use of the CATAAM platform and related services provided by TheMarkups Canada Inc. It applies to all users — individual subscribers, enterprise customers, and CISO Reseller / CPA Partner accounts.
1. Purpose and Scope
CATAAM is a Governance, Risk, and Compliance (GRC) platform combined with Internal Attack Surface Management (iASM) and Breach and Attack Simulation (BAS) capabilities. It is designed to help security and compliance teams identify, document, and remediate risks — not to facilitate harm to systems, people, or organisations.
This AUP sets out what you may and may not do when using the Service, your connected integrations, and any data processed through the platform. By using CATAAM, you agree to this AUP. Violations may result in suspension or termination of your account as set out in Section 10.
This AUP is incorporated into and must be read alongside the Terms of Service and Privacy Policy.
2. Permitted Uses
You may use CATAAM for the following purposes, subject to the terms of your subscription:
- ✓ Managing compliance programmes for frameworks you are licensed to use (SOC 2, ISO 27001, HIPAA, PCI-DSS, NIST CSF, etc.)
- ✓ Collecting, uploading, and reviewing audit evidence for your own organisation or (for Partners) your client organisations
- ✓ Running iASM scans against cloud environments and systems that you own, operate, or have explicit written authorisation to test
- ✓ Running BAS attack simulations against systems you own, operate, or have explicit written authorisation to test
- ✓ Connecting integrations (AWS, GitHub, Jira) to systems you control or are authorised to access
- ✓ Generating executive reports, risk scores, and evidence packages for internal use or external auditors
- ✓ Partners managing multiple client organisations through the Partner Dashboard, provided you have valid agreements with each client
- ✓ Using exported data from CATAAM in your own compliance workflows, ISMS documentation, or audit submissions
3. Prohibited Conduct — General
You must not use CATAAM to:
- ✕ Violate any applicable local, provincial, national, or international law or regulation
- ✕ Infringe the intellectual property, privacy, or other legal rights of any third party
- ✕ Upload, store, or transmit content that is defamatory, obscene, harassing, or otherwise unlawful
- ✕ Impersonate any person or entity, or misrepresent your affiliation with any organisation
- ✕ Engage in fraudulent activities, including providing false information during registration or billing
- ✕ Resell, sublicense, or offer the Service as a white-label product to third parties without CATAAM's prior written consent
- ✕ Use the Service to build a competing product, benchmark the Service for purposes of competitive intelligence, or scrape Service content or data
- ✕ Share account credentials with unauthorised users or allow access to the Service beyond the number of licensed seats
4. Prohibited Conduct — Security and Infrastructure
CATAAM's iASM and BAS capabilities are powerful security tools. You must not use them, or any other part of the Service, to:
- ✕ Scan, probe, or attack any system, network, or asset that you do not own or have explicit written authorisation to test
- ✕ Launch denial-of-service (DoS or DDoS) attacks against any target, including CATAAM's own infrastructure
- ✕ Attempt to gain unauthorised access to CATAAM's systems, other customers' data, or third-party systems
- ✕ Introduce malware, ransomware, trojans, exploits, or any malicious code into the Service or connected integrations
- ✕ Exploit vulnerabilities discovered through the Service to attack systems, rather than to remediate them through proper disclosure
- ✕ Use CATAAM findings or data to support offensive cyber operations against third parties
- ✕ Circumvent or disable any security control, rate limit, or access restriction implemented in the Service
- ✕ Conduct automated scanning at a volume or frequency that degrades the Service for other users
Authorisation requirement: All iASM and BAS scans must target systems you own or systems for which you hold a current, written penetration testing authorisation. You are solely responsible for obtaining and maintaining that authorisation. CATAAM does not verify target ownership and is not liable for unauthorised scans conducted through the platform.
5. Data and Privacy Requirements
When using CATAAM to process personal data, you must:
- ✓ Have a valid legal basis for every category of personal data you upload or generate within the Service
- ✓ Comply with all applicable data protection laws (GDPR, UK GDPR, PIPEDA, CCPA, etc.) in your collection, use, and disclosure of personal data
- ✓ Execute the Data Protection Addendum (DPA) where required by applicable law before uploading personal data subject to GDPR or equivalent regulation
- ✓ Ensure that evidence and audit documents containing personal data are limited to what is necessary for the stated compliance purpose (data minimisation)
You must not:
- ✕ Upload special categories of personal data (health data, biometrics, racial or ethnic origin, etc.) unless it is strictly necessary for a compliance evidence requirement and you have appropriate safeguards in place
- ✕ Use the Service to build dossiers on individuals for purposes unrelated to your stated compliance programme
- ✕ Share CATAAM account access with third parties in a manner that exposes personal data beyond what those parties are authorised to receive
6. Intellectual Property
You must not use CATAAM to:
- ✕ Upload, store, or distribute content that infringes any copyright, patent, trademark, trade secret, or other intellectual property right of any party
- ✕ Reverse engineer, decompile, disassemble, or derive source code from any part of the CATAAM platform
- ✕ Remove, alter, or obscure any copyright, trademark, or proprietary notices in the Service
- ✕ Use CATAAM's name, logo, or branding in any manner that implies endorsement without prior written consent
Open-source components of CATAAM are licensed under their respective licences (see the GitHub repository). Nothing in this AUP restricts your rights under those licences with respect to the open-source components.
7. Third-Party Integrations
CATAAM integrates with third-party platforms including AWS, GitHub, and Jira. When you connect these integrations:
- You must comply with the terms of service and acceptable use policies of those platforms.
- You must only grant CATAAM the minimum permissions necessary for the integration to function.
- You are responsible for revoking integration access if your authorisation to access those systems changes.
- You must not use CATAAM integrations to harvest data from third-party platforms beyond what is needed for your compliance programme.
8. Partner and Multi-Tenant Use
CISO Reseller and CPA Partner accounts manage compliance environments on behalf of client organisations. Partners must:
- Obtain explicit written agreement from each client before onboarding them to the CATAAM platform.
- Ensure each client's data is kept strictly isolated — Partners must not access, share, or cross-reference data between client organisations without explicit consent from all affected parties.
- Ensure their clients' use of the Service, as facilitated by the Partner, complies with this AUP.
- Not onboard clients for the purpose of accessing the platform at a reduced per-seat cost when those clients are not genuine end-customers of the Partner's services.
9. Monitoring and Enforcement
CATAAM reserves the right to monitor usage of the Service for violations of this AUP, including anomalous scan volumes, unusual data access patterns, and patterns consistent with misuse of security tooling. Monitoring is carried out in accordance with our Privacy Policy and the Data Protection Addendum.
We do not routinely inspect the content of Customer Data stored in the Service. Automated monitoring operates at the metadata and behavioural level (e.g., API call volume, scan targets) rather than at the content level.
10. Consequences of Violations
If we determine, in our reasonable judgment, that you have violated this AUP, we may take any of the following actions, with or without prior notice depending on severity:
- Warning — a written notice identifying the violation and required corrective action
- Feature restriction — temporary suspension of specific capabilities (e.g., iASM scanning) while the matter is investigated
- Account suspension — temporary suspension of all access pending investigation or correction
- Account termination — permanent termination of your subscription for serious, repeated, or unresolved violations
- Legal action — referral to law enforcement or commencement of civil proceedings where violations involve criminal activity or significant harm to third parties
We will aim to give notice and an opportunity to cure before taking action, except where the violation poses an immediate risk of harm to others, the integrity of the Service, or third-party systems.
11. Reporting Violations
If you become aware of a violation of this AUP — including potential misuse of CATAAM's security tooling, or a Security Incident — please report it promptly to:
Security: security@themarkups.com
General AUP concerns: legal@themarkups.com
Security researchers who discover vulnerabilities in CATAAM's own platform are encouraged to disclose them responsibly through the same security email address. We do not take action against good-faith security research conducted within scope.
12. Updates to this Policy
We may update this AUP at any time. Material changes will be communicated by email or in-platform notice at least 14 days before taking effect. Continued use of the Service after changes take effect constitutes acceptance. The current version is always available at cataam.com/legal/aup.
13. Contact
For questions about this policy:
TheMarkups Canada Inc.
Kitchener, Ontario, Canada
Email: legal@themarkups.com