Legal

Acceptable Use Policy

Last updated: 20 April 2026.

1. Why this Policy exists

Keelr is an offensive-security service. Used correctly, it validates that your defences work by attacking them with your consent. Used incorrectly, the same capabilities could be used to attack systems you do not have the right to test - which is illegal in every EU jurisdiction and everywhere else we operate. This Policy draws the line.

2. The authorisation rule

You may only declare a scope that covers assets you:

  • own outright, or
  • operate under explicit written authority from the owner, with their informed consent to the adversarial testing described in these Terms

You may not declare a scope that covers systems belonging to third parties without their consent, regardless of whether those systems are "public-facing", "on the internet", or "appear open". The architectural posture of the target is irrelevant to the authorisation question. Consent is the only answer that matters.

Breaching this rule is grounds for immediate termination, preservation of the audit record and, where applicable, notification to the affected party and to competent authorities.

3. Scope-consent carve-outs

Two exceptions exist to the general prohibition against touching third-party systems, both narrow and both inside the authorised-engagement envelope:

  • Unavoidable collateral discovery - when an authorised engagement legitimately touches a third-party service your scope depends on (a DNS resolver, an upstream CDN, a public certificate authority), we record the interaction but we do not engage the third party. Findings relating to the third party are reported to you for onward disclosure, never exploited against them
  • Open-source or widely-published components - where a finding class relates to a public component (open CVE against a known library version), we may reference public evidence without probing any specific third-party deployment

4. Safe engagement envelope

Within an authorised scope, you may not use Keelr to:

  • Launch denial-of-service attacks (volumetric or otherwise) against the scope target - our default engagement envelope is explicitly rate-limited to avoid this; you may not disable or circumvent the rate limit
  • Exfiltrate or retain personal data of end users beyond the minimum required to prove a finding's exploitability
  • Persist or maintain access beyond the engagement window - artifacts are short-lived by design, and you may not use them to establish long-running access
  • Chain exploits across scopes or into unauthorised territory - engagements stop at the scope boundary

5. Responsible use of findings

Findings Keelr produces are your findings. You may disclose them as you choose, consistent with your own responsible-disclosure posture. You may not use findings to harass, extort, or otherwise harm any party. You may not publish findings whose disclosure would put end users at elevated risk without first taking reasonable steps to allow the affected party to remediate.

6. Government and regulated use

Government and regulated-industry customers engage Keelr under the Government or Enterprise tier, which includes procurement-framework support and per-contract terms that can override specific clauses of this Policy in a documented way. Where there is conflict between an Enterprise or Government contract and this Policy, the contract prevails for the scope it covers.

7. Agent autonomy and customer controls

Inside an authorised scope, our Offensive Agent decides engagement timing based on propensity signals. You keep the following controls at all times:

  • Pause - any Mission, any time, from the portal
  • Stop - a hard kill that revokes every active engagement
  • Postpone - delay the next engagement without ending the Mission
  • Blackout window - declare times the Agent may not run (release windows, freeze periods)
  • Approve-before-act - optional per-Mission flag that requires your confirmation before specific engagement classes run

These controls are declarative and absolute - the Agent respects them without exception.

8. Reporting abuse

If you believe Keelr is being misused against an asset you own or operate, contact abuse@keelr.co. Include the date, target, and any evidence. We will investigate, preserve the audit record of any unauthorised engagement, and respond within 5 business days with the outcome.

9. Consequences of breach

Breach of this Policy may result in suspension or termination of your account, notification to the affected party, notification to competent authorities where required, and forfeiture of prepaid fees. We retain the audit log of any breach for the statutory retention period.

10. Contact

Policy questions: contact@keelr.co. Abuse reports: abuse@keelr.co.