Legal / Policy

Acceptable Use Policy

This Acceptable Use Policy sets the rules for how you may use the KaizenFlow platform. It applies to every user, administrator, and API consumer on your tenant. Read it alongside our Terms of Service. The goal is simple: keep the platform safe, lawful, and reliable for everyone who depends on it.

What this policy covers

This policy governs access to and use of the KaizenFlow platform, including dashboards, the verified savings ledger, AI outputs, connectors, and any API. It applies whether you reach the platform through the web app, a supported integration, or a programmatic client.

KaizenFlow is manufacturing intelligence. It reads from the systems your plant already runs, MES, SCADA, ERP, and historians, then returns ranked, dollar-weighted opportunities. Because that data touches live production and finance records, the rules below are deliberately conservative. For how the platform fits on top of your existing systems, see the platform overview. This policy works together with our Terms of Service, and where the two overlap, the Terms govern.

Permitted use

You may use the platform for its intended purpose: connecting your operational and business systems, reviewing AI-ranked opportunities, and reconciling verified savings with your finance team. Within your own tenant, you and your authorized colleagues can:

  • Connect approved sources through supported connectors and review the resulting analysis.
  • Share dashboards, reports, and ledger entries with authorized users inside your organization.
  • Export your own data for internal reporting, audit, or archival.
  • Build integrations against the API within the rate limits and scopes assigned to your account.

Use that stays inside these boundaries needs no special approval. If you are unsure whether a specific use case fits, ask us before you build on it. A short question up front is cheaper than an interruption later.

Prohibited activities

The following activities are not permitted. This list is representative, not exhaustive: conduct that undermines the security, integrity, or lawful operation of the service is prohibited even when it is not named here.

No reverse engineering or circumvention.

  • Do not decompile, disassemble, or reverse-engineer the platform, its models, or its scoring logic.
  • Do not copy, resell, sublicense, or redistribute the service or its outputs outside your organization without written authorization.
  • Do not bypass, disable, or probe rate limits, usage metering, quotas, or licensing controls.

No unlawful use.

  • Do not use the platform to violate any applicable law, regulation, or export control.
  • Do not upload data you have no right to process, or use the platform to infringe intellectual property or privacy rights.
  • Do not rely on AI outputs to make a safety, quality, or compliance decision that a qualified person has not reviewed.

No interference or security violations.

  • Do not attempt to access another tenant's data, accounts, or environment. Multi-tenant isolation is enforced, and testing it is itself a violation.
  • Do not introduce malware, run denial-of-service traffic, port-scan, or otherwise degrade platform availability.
  • Do not scrape, harvest, or use automated means to pull data beyond your authorized scope and rate limits.

No misuse of data.

  • Do not use the platform to exfiltrate, sell, or expose production, financial, or personal data.
  • Do not feed the platform data you are contractually or legally barred from sharing with a processor.
  • Do not tamper with, falsify, or misrepresent entries in the verified savings ledger.

Your account, your responsibility

Access is tied to named user accounts. You are responsible for everything done under your credentials, including actions by anyone you grant access to within your tenant.

  • Keep credentials confidential, and use strong, unique passwords with any required multi-factor step.
  • Assign roles and permissions on a least-privilege basis, and remove access when someone changes role or leaves.
  • Report suspected compromise or unauthorized access promptly so we can help you contain it.

Administrators carry the added duty of managing users, connectors, and data scopes for their organization. For how we protect data in transit and at rest, see our security overview.

Data boundaries and tenant isolation

You retain ownership of the data you connect. We hold it under strict boundaries: encrypted in transit with TLS 1.3, encrypted at rest with AES-256, and separated by tenant so that one customer can never see another customer's data.

Our controls are aligned to SOC 2 and ISO 27001. Site analytics use Plausible, which is cookieless and sets no personal-data cookies. You agree not to take any action that would weaken these boundaries or the commitments set out in our privacy policy.

How we enforce this policy

We would rather resolve an issue by talking than by cutting off access. When circumstances allow, we will contact your administrator, describe the problem, and give a reasonable window to correct it.

Some conduct does not allow for that. Where use threatens security, breaks the law, or puts other tenants at risk, we may suspend or limit access immediately and without prior notice to contain the exposure. Depending on severity, we may:

  • Throttle or revoke API access or specific connectors.
  • Suspend individual accounts or an entire tenant.
  • Preserve relevant logs and cooperate with lawful requests from authorities.
  • Terminate the agreement in line with our Terms of Service.

Enforcement is about protecting the shared platform, not about policing normal operational work. A good-faith mistake handled quickly is treated very differently from deliberate abuse.

Reporting abuse and questions

If you believe an account has been misused, spot a security issue, or are unsure whether something is allowed, tell us before acting. Early questions prevent most violations.

Reach the team through our contact page. We review reports of abuse and security concerns as a priority and will confirm receipt so you know it is being handled.

Questions about acceptable use

Know the rules before you build

If a use case sits near the edge of this policy, ask first. We would rather scope it with you than untangle it later.