Specter Acceptable Use Policy

The Services are intended to support Customer's internal accounting and finance operations, including workflows such as accounts payable, accounts receivable, reconciliations, close management, reporting, workflow automation, document processing, variance review, journal entry support, and related operational finance work, as described in the applicable agreement.

This Policy is not intended to prohibit ordinary, lawful, internal accounting and finance operations using the Services in accordance with the applicable agreement. However, Customer must use appropriate human review, approvals, controls, and professional judgment before relying on any Output, submitting information to third parties, posting to systems of record, finalizing reports, making regulated decisions, or taking actions that may materially affect a person, organization, financial statement, tax position, payment obligation, or legal right.

Customer must not use the Services, Input, Output, Customer Materials, Documentation, integrations, or any related Upgrade AI systems in a way that:

• violates applicable law, regulation, contractual obligation, or third-party right;
• violates the applicable agreement, this Policy, the Documentation, or any written instructions provided by Upgrade AI;
• violates the acceptable use, usage, safety, or other applicable policies of third-party services used in or connected to the Services;
• creates security, privacy, legal, regulatory, operational, or reputational risk to Upgrade AI, Customer, other customers, third-party providers, or any person;
• is outside the intended business purpose of the Services.

Customer may not use the Services for any of the following.

3.1 Illegal or harmful activity

Customer may not use the Services to:

• violate any applicable law or regulation;
• commit, facilitate, encourage, or provide instructions for committing a crime;
• acquire, sell, exchange, or facilitate access to illegal goods, illegal services, controlled substances, counterfeit goods, stolen goods, or unlawfully obtained data;
• facilitate human trafficking, exploitation, prostitution, or abuse;
• design, acquire, modify, distribute, or use weapons, explosives, dangerous materials, biological, chemical, radiological, nuclear, or other hazardous systems;
• violate export control, sanctions, anti-corruption, anti-money laundering, or anti-terrorism laws;
• use the Services in or for a comprehensively sanctioned jurisdiction or with a prohibited party, except as permitted by applicable law and the applicable agreement.

3.2 Security misuse

Customer may not use the Services to:

• compromise, disrupt, damage, overload, or interfere with any system, network, account, device, application, service, or data;
• gain or attempt to gain unauthorized access to any system, account, credential, API key, token, data, model, prompt, connected system, or non-public area of the Services;
• probe, scan, penetration test, load test, vulnerability test, or stress test the Services without Upgrade AI's prior written authorization;
• bypass, disable, manipulate, or circumvent authentication, authorization, rate limits, access controls, tenant controls, logging, safety filters, abuse protections, or security features;
• introduce malware, ransomware, viruses, worms, logic bombs, spyware, malicious code, or similar harmful technology;
• conduct phishing, credential harvesting, spoofing, social engineering, spam, denial-of-service attacks, bot activity, or other abusive activity;
• exploit prompt injection, tool misuse, connected-system permissions, or agentic workflows to access data, perform actions, or trigger outputs that Customer is not authorized to access, perform, or generate;
• interfere with the integrity, availability, performance, or security of the Services or any data processed through the Services.

Good-faith security research is allowed only if expressly authorized in writing by Upgrade AI and conducted within the approved scope.

3.3 Fraud and deception

Customer may not use the Services to:

• generate, facilitate, or distribute fraudulent, deceptive, or misleading content, transactions, records, documents, statements, reviews, comments, invoices, payment requests, notices, or communications;
• operate scams, phishing campaigns, impersonation schemes, fake support workflows, fake billing schemes, or deceptive collections activity;
• misrepresent the source, provenance, authorship, approval status, review status, or accuracy of Output;
• represent Output as human-generated where doing so would be deceptive, unlawful, or inconsistent with the applicable agreement;
• create fake personas, fake accounts, misleading business identities, or coordinated inauthentic behavior;
• generate or disseminate disinformation, election interference, deceptive political content, or manipulated public-interest information;
• plagiarize or facilitate academic dishonesty.

3.4 Privacy and data rights

Customer may not use the Services to:

• access, submit, process, disclose, or use personal information, confidential information, proprietary information, Customer Materials, or third-party data without all required rights, notices, permissions, consents, and legal bases;
• violate privacy, publicity, intellectual property, confidentiality, contractual, or data protection rights;
• track, identify, profile, monitor, surveil, or infer sensitive information about a person without lawful authorization and any required consent;
• collect, solicit, expose, or disclose private or sensitive information without authorization;
• use biometric identification, facial recognition, emotion recognition, social scoring, or similar profiling in a way that violates law, infringes rights, or creates high-risk impacts on individuals;
• submit data to the Services that Customer is prohibited from providing under law, contract, or internal policy;
• submit protected health information, cardholder data requiring PCI DSS controls, consumer credit reports, children's data, biometric data, or other specially regulated data unless the applicable agreement, Documentation, and configuration expressly permit that use.

For clarity, this section does not prohibit Customer from submitting accounting and finance data, payroll information, financial account information, government identifiers, employment information, account credentials, or similar Customer Materials when Customer is authorized to submit that data and the data is within the scope of the applicable agreement, Documentation, and configuration.

3.5 High-impact decisions

Customer may not use the Services as the sole basis for making, recommending, approving, denying, or materially influencing decisions about an individual's:

• creditworthiness, lending eligibility, financial product eligibility, payment terms, debt collection treatment, or insurance eligibility;
• employment, hiring, termination, promotion, compensation, work assignment, or workplace discipline;
• housing, lease eligibility, rent, mortgage, or property access;
• education, admission, grading, accreditation, testing, or certification;
• healthcare, medical treatment, mental health, or other clinical matters;
• legal rights, legal obligations, government benefits, public assistance, immigration, criminal justice, law enforcement, or access to essential services.

Use in these areas requires qualified human review and must comply with all applicable laws, professional standards, and third-party provider requirements. Customer remains responsible for the final decision and for any legally required notices, explanations, audits, appeals, or human review processes.

3.6 Professional advice

Customer may not use the Services to provide accounting, audit, tax, legal, investment, insurance, lending, medical, or other licensed professional advice to third parties unless Customer ensures that the advice is reviewed and approved by appropriately qualified professionals and complies with applicable law.

Customer may not use the Services as the sole basis to file, certify, approve, or issue financial statements, audit opinions, tax returns, regulatory filings, legal opinions, investment recommendations, credit determinations, or similar regulated materials.

The Services are tools for Customer's use. Upgrade AI does not provide accounting, audit, tax, legal, investment, financial, or other professional advice.

3.7 Harmful content and conduct

Customer may not use the Services to create, facilitate, distribute, or encourage:

• violence, terrorism, violent extremism, threats, intimidation, or physical harm;
• hate speech or discriminatory practices based on protected attributes, including race, ethnicity, national origin, religion, sex, gender, gender identity, sexual orientation, age, disability, veteran status, caste, or other legally protected status;
• harassment, bullying, humiliation, shaming, stalking, doxxing, or targeted abuse;
• self-harm, suicide, disordered eating, or content that instructs, encourages, or glorifies self-harm;
• child sexual abuse material, sexual exploitation of minors, grooming, sextortion, or any content sexualizing minors;
• non-consensual intimate imagery or sexual content involving a person without valid consent;
• graphic violence, animal cruelty, or gratuitous gore in a way that is abusive, exploitative, or unlawful.

3.8 Model abuse and scraping

Customer may not:

• use the Services, Input, Output, Customer Materials, Documentation, prompts, workflows, APIs, agents, models, systems, or related materials to train, fine-tune, improve, benchmark, evaluate, distill, or develop any AI model, AI system, or competing product or service, except with Upgrade AI's prior written authorization;
• engage in model scraping, model distillation, prompt extraction, system prompt extraction, data extraction, automated harvesting, or bulk downloading;
• reverse engineer, decompile, decode, disassemble, or attempt to derive the source code, models, algorithms, prompts, systems, architecture, training data, non-public methods, or underlying ideas of the Services;
• copy, modify, create derivative works from, resell, sublicense, rent, lease, distribute, publish, or commercially exploit the Services, Documentation, or Output except as expressly permitted by the applicable agreement;
• use the Services or Output to build, improve, or support a competing accounting automation, finance automation, AI agent, or model-provider product or service.

3.9 Third-party systems

Customer may not use the Services or integrations to:

• access, transmit, modify, delete, export, or write back data in third-party systems unless Customer has all required rights, permissions, licenses, credentials, approvals, and consents;
• bypass the terms, controls, or security features of ERP, accounting, payroll, banking, payment, messaging, storage, identity, or other connected systems;
• send spam, unauthorized messages, deceptive notices, fraudulent payment instructions, or unlawful communications through email, Slack, Jira, agent email, AP mailboxes, or other connected systems;
• cause the Services to perform financial transactions, vendor changes, payment actions, journal entries, approvals, postings, exports, or system changes without required authorization, permissions, review, and controls;
• use excessive automation, API calls, scripts, workflows, or agent activity in a way that degrades the Services or any connected third-party system.

This section does not prohibit ordinary authorized use of integrations to read, write back, post, approve, export, notify, or update records where permitted by the applicable agreement, Customer configuration, connected-system permissions, and required approvals. Customer is responsible for configuring third-party systems, permissions, approvals, and access controls appropriately.

If Customer uses or deploys the Services in a way that allows Customer's customers, vendors, employees, contractors, or other end users to interact directly with an AI agent, chatbot, automated workflow, agent email, or similar AI-enabled interface, Customer must clearly disclose that the end user is interacting with an AI system rather than a human.

The disclosure must be reasonably visible and provided before or at the beginning of the interaction.

Customer must also:

• provide appropriate human review and escalation paths for high-impact, sensitive, disputed, or material matters;
• avoid misleading users about the AI system's identity, capabilities, limitations, or authority;
• comply with all applicable laws, regulations, platform rules, and third-party provider requirements;
• use commercially reasonable efforts to prevent end users from using the Services in violation of this Policy.

The Services may use third-party AI systems, large language models, embedding models, OCR models, or other AI providers, including providers such as OpenAI, Anthropic, Google/Gemini, and Mistral.

Customer must comply with all applicable acceptable use policies, usage policies, safety policies, prohibited-use policies, terms, guidelines, and restrictions of any third-party AI provider used in connection with the Services, as those policies may be updated from time to time.

Where a third-party provider policy is more restrictive than this Policy for a specific use case, Customer must comply with the more restrictive requirement for that use case.

Upgrade AI may take steps necessary to keep the Services compliant with third-party provider requirements, including limiting, suspending, modifying, or disabling particular use cases, features, prompts, integrations, workflows, or access where required or reasonably necessary.

Customer is responsible for:

• all Input, Customer Materials, instructions, configurations, permissions, credentials, approvals, and workflows submitted to or used with the Services;
• all use of the Services by Authorized Users and anyone accessing the Services through Customer's account, systems, integrations, credentials, or API keys;
• obtaining and maintaining all required rights, permissions, notices, consents, licenses, and legal bases for Customer Materials and connected systems;
• reviewing, validating, approving, and using Output appropriately;
• maintaining Customer's systems of record, internal controls, approval workflows, and business continuity plans;
• promptly notifying Upgrade AI of any actual or suspected security incident, compromised credential, unauthorized access, misuse, or violation of this Policy.

Upgrade AI may monitor use of the Services and review Input, Output, logs, metadata, account activity, configuration, and related information as permitted by the applicable agreement and Privacy Notice to operate the Services, enforce this Policy, protect the Services, investigate abuse, comply with law, and satisfy third-party provider requirements.

If Upgrade AI reasonably believes that Customer or any user has violated this Policy, Upgrade AI may take appropriate action, including:

• requesting information or remediation from Customer;
• limiting, throttling, suspending, or disabling access to the Services or affected functionality;
• removing, blocking, or disabling harmful Input, Output, workflows, prompts, integrations, or content;
• notifying third-party providers where required or appropriate;
• reporting unlawful activity to law enforcement or regulators where required or appropriate;
• terminating the applicable agreement where permitted by that agreement.

Upgrade AI will use commercially reasonable efforts to make enforcement actions proportionate to the nature, severity, and urgency of the issue, except where immediate action is required to address legal, security, safety, provider, or service-integrity risk.

Upgrade AI may update this Policy upon fifteen (15) days' notice to Customer.

Updates required to address legal requirements, security risks, third-party provider requirements, abuse, service integrity, or urgent safety issues may take effect sooner where reasonably necessary.

No update to this Policy will retroactively make prior lawful use a violation, but Customer must comply with the updated Policy after it becomes effective.