Acceptable Use Policy

You may use Compass DaaS only in a lawful, safe, and commercially reasonable way. You are responsible for your users, your application, your API keys, your instructions to Compass, and your use of Compass outputs. You must not use Compass DaaS in a way that harms the Service, Compass, other customers, data subjects, restaurant operators, end users, or third parties.

You must not use Compass DaaS to:

1. Break the law, violate sanctions, evade export controls, infringe intellectual property rights, violate privacy rights, or breach contractual restrictions.
2. Mislead end users about dietary, allergy, medical, nutritional, religious, ethical, or food-safety suitability.
3. Tell users that a restaurant, dish, menu item, or score is certified safe when Compass output does not support that claim.
4. Advise users with allergies, medical conditions, strict dietary requirements, or religious requirements to rely on Compass output without independent verification.
5. Use output to harm users with dietary needs, including by labeling a restaurant as vegan, kosher, halal, gluten-free, nut-free, dairy-free, or otherwise safe when the Compass output is unknown, conflicting, stale, low-confidence, or points the other way.
6. Use Compass DaaS for emergency decisions, medical diagnosis, medical treatment, clinical nutrition, allergen clearance, food-safety certification, or legally binding compliance decisions.
7. Send Compass sensitive personal data, health data, children's data, payment card data, passwords, secrets, or data you are not permitted to process.
8. Upload malicious code, abusive traffic, unlawful content, or content that infringes third-party rights.

You must not use Compass DaaS to scrape, copy, extract, reconstruct, benchmark for replication, or create a substitute for Compass's dataset, source graph, scoring methodology, reason-code taxonomy, evidence model, API behavior, or outputs.

You must not sell, license, publish, or distribute raw Compass output as a standalone data product. You may use Compass output inside your own product or service delivered to your end users, but you may not provide bulk access to raw output, expose a raw output feed, build a competing DaaS, or let another business use your integration as a substitute for buying Compass DaaS.

You must not use Compass output to train, fine-tune, distill, evaluate, seed, or improve a general-purpose foundation model or broadly available model without a separate written license from Compass. You also must not use Compass output to train or operate a model, data service, or API that competes with Compass DaaS.

Enterprise order forms may grant broader redistribution, caching, data export, or white-label rights. Those rights apply only if they are written and signed by Compass.

You must protect API keys and credentials using reasonable security practices. You must not expose cmp_live_* keys in public repositories, public client-side code, browser-visible bundles, screenshots, shared notebooks, customer-visible logs, or unsecured support tickets.

You must rotate keys when personnel changes, when an integration is retired, when a vendor no longer needs access, or when there is any reasonable suspicion of compromise. You must revoke unused keys and limit key access to people and systems that need it.

If you discover or reasonably suspect unauthorized access, key exposure, compromise, misuse, or a security incident involving Compass DaaS, you must notify Compass at security@compassfoodtechnologies.com within 72 hours after discovery. Your notice should include the affected keys, time period, systems involved, likely scope, steps already taken, and a contact for follow-up.

You must not:

1. Attempt to bypass authentication, authorization, CORS, IP allowlists, rate limits, quota limits, billing limits, tier gates, or endpoint restrictions.
2. Probe, scan, fuzz, stress, load test, or penetration test Compass systems without written permission.
3. Reverse engineer, decompile, disassemble, or try to derive nonpublic source code, schemas, models, scoring methods, infrastructure details, or security controls.
4. Interfere with Compass monitoring, logging, billing, metering, or abuse detection.
5. Share accounts or keys in a way that prevents attribution, billing, quota enforcement, or abuse investigation.

Each plan includes defined monthly Compass credits and rate limits. You must keep use within your plan limits and any limits in your order form, documentation, or customer portal. You must not split traffic across accounts, keys, organizations, IPs, proxies, or regions to evade quotas or rate limits.

Sandbox is for prototype and evaluation use. It is not intended for production traffic, bulk scraping, resale, or load testing. Paid self-serve plans use hard quota caps unless an order form says otherwise. When your plan limit is reached, Compass may return rate-limit or quota-exceeded responses.

If you need higher volume, bulk rights, custom caching, a production SLA, or broader redistribution rights, you must upgrade or enter an Enterprise agreement before exceeding plan limits.

Compass maintains source-risk rules to keep API output inside permitted boundaries. You must not use the Service to reconstruct or extract blocked source material, vendor identifiers, raw reviews, raw menu text, raw HTML, restricted Google Places content, Yelp review content, HappyCow content, login-gated content, or other restricted source material.

You must preserve required attribution, provenance, and notices when documentation, an order form, or source terms require it. You must not remove disclaimers, source labels, evidence pointers, uncertainty indicators, confidence signals, unknown decisions, or user-verification guidance in a way that makes output misleading.

If you present Compass output to end users, you must provide appropriate disclaimers and verification guidance. You must make clear that Compass output is informational only and not medical, nutritional, dietary, allergy, religious, ethical, or food-safety advice.

You must not hide uncertainty. If Compass returns unknown, low confidence, stale evidence, conflict, cross-contact risk, or insufficient evidence, your product must not convert that output into a confident "safe" or "recommended" claim. You should encourage direct verification with the restaurant or a qualified professional where the user's dietary need is strict or safety-sensitive.

Report suspected abuse, compromised keys, unsafe uses, or policy violations to abuse@compassfoodtechnologies.com. Security incidents should be reported to security@compassfoodtechnologies.com.

Please include enough detail for Compass to investigate, such as API key prefix, request IDs, timestamps, account name, endpoint, suspected behavior, screenshots, logs, and contact information.

Compass may investigate suspected violations of this AUP. Compass may warn, rate-limit, throttle, suspend, revoke keys, block traffic, require remediation, terminate accounts, deny future access, or seek recovery of damages. Compass may act immediately and without advance notice where continued access could create security risk, legal risk, service instability, user harm, source-risk exposure, nonpayment risk, or harm to Compass or another customer.

Compass may preserve logs, account records, and related evidence during an investigation. Compass may cooperate with law enforcement, regulators, subprocessors, affected customers, and harmed third parties where appropriate and legally permitted.

Failure by Compass to enforce this AUP in one situation does not waive Compass's right to enforce it later.

Compass may update this AUP from time to time. Material changes will be handled under the notice process in the Terms of Service. Continued use of Compass DaaS after an updated AUP takes effect means you accept the updated AUP.