Acceptable Use Policy

Rules that apply to every person using Kolva under Customer's account.

Effective April 20, 2026 · Version v1.0 · SHA-256: 6a881039f43e

Version: 1.0
Effective Date: April 20, 2026
Last Updated: April 20, 2026
Document Owner: Talentee LLC (trading as Kolva)

This Acceptable Use Policy (the "AUP") governs Customer's and its authorised users' use of the Kolva platform, hosted applications, agents, connectors, APIs, mobile and offline clients, and related services (collectively, the "Service"). This AUP is incorporated by reference into the Kolva Terms of Service (the "Terms") and applies to every person who accesses or uses the Service under Customer's account. Capitalised terms not defined here have the meaning given to them in the Terms.

Kolva publishes this AUP to protect Customer, other customers, end users, the integrity of the Service, and the third-party systems to which the Service connects (including ERP, CRM, accounting, laboratory, production, maintenance, payroll and document systems). Violation of this AUP is a material breach of the Terms.

1. Scope and Applicability

1.1 Who is bound. This AUP binds Customer and every natural person acting under Customer's account, including employees, contractors, affiliates, temporary staff, service providers, agents and any end user granted a seat or portal access. Customer is responsible for ensuring each such person has read and complies with this AUP.

1.2 Where it applies. This AUP applies to all use of the Service, including the web application, mobile applications, Kolva desktop and on-premise agents, APIs, webhooks, connectors, administrative consoles, AI-assisted features, support portals and any Kolva-provided distribution (binaries, installers, documentation, SDKs).

1.3 Relationship to other documents. In the event of a conflict between this AUP and the Terms, the Terms prevail for commercial and liability matters, and this AUP prevails for acceptable-use conduct. Kolva may update this AUP in accordance with Section 22 of the Terms.

2. Prohibited Uses

Customer shall not, and shall not permit any user or third party to, use the Service to:

2.1 Unlawful, harmful or fraudulent activity. (a) violate any applicable law or regulation, including export controls, economic sanctions (including those administered by OFAC, EU, UK or United Nations), anti-corruption laws, anti-money-laundering laws, tax laws, labour and employment laws, or consumer protection laws; (b) engage in fraud, deception, forgery, identity theft or impersonation; (c) infringe, misappropriate or violate any intellectual property, trade secret, privacy, publicity or contractual right of any person; (d) harass, bully, defame, threaten or incite violence against any person; (e) use the Service to perform, facilitate or manage activities the law of any applicable jurisdiction prohibits.

2.2 Security violations. (a) circumvent, disable or interfere with security or access controls, authentication, rate limits, signed tokens, API keys, multi-factor authentication, session controls, audit logs, consent logs or Row Level Security; (b) probe, scan or test the vulnerability of any Kolva system, network or account without Kolva's prior written consent under a Kolva-approved responsible disclosure programme; (c) attempt to decompile, reverse-engineer, disassemble or derive the source code or underlying ideas of any non-open-source component of the Service, except to the extent this restriction is unenforceable under applicable law; (d) introduce malware, viruses, worms, trojans, keyloggers, ransomware, backdoors, cryptominers, botnet code, rootkits, supply-chain implants or other malicious code.

2.3 Abusive or disruptive use. (a) send unsolicited bulk communications, spam, phishing or malicious email; (b) originate denial-of-service or distributed denial-of-service attacks; (c) generate load that is deliberately designed to exhaust capacity or evade rate limits; (d) scrape, harvest, mass-download or aggregate data belonging to Kolva or other customers except as expressly permitted; (e) interfere with another customer's use of the Service or the operation of shared infrastructure.

2.4 Unauthorised access. (a) access any account, data, file, database, ERP record, integration credential, secret, token, configuration or environment for which the user does not have express authorisation; (b) use stolen, leaked or compromised credentials; (c) share credentials across natural persons; (d) misrepresent affiliation, role or authority to obtain access; (e) bypass Customer's own internal approval, least-privilege, segregation-of-duties or audit controls through the Service.

2.5 Illegal or high-risk content. (a) upload, transmit, sync or make available content that is illegal (including child sexual abuse material, terrorist content or other content whose transmission is criminal in any applicable jurisdiction); (b) upload content that violates intellectual property, privacy or contractual obligations; (c) use the Service to process data that Customer is not lawfully authorised to process; (d) process special category personal data (Article 9 GDPR, health, biometric, racial, religious, political, sexual orientation, union membership) without complying with all applicable legal requirements and any Kolva-issued data processing instructions; (e) process data of children under the age where consent is required by applicable law, unless expressly authorised under a written Order.

2.6 Regulated and safety-critical use. (a) use the Service as a system of record for statutory accounts, tax filings, payroll, regulated financial decisions, credit decisions, employment decisions that produce legal or similarly significant effects, medical diagnostics, safety-critical controls or environmental compliance, unless Customer has independently validated such use with its own auditor, legal counsel or regulator and acknowledges that Kolva outputs require human review; (b) rely on AI outputs as the sole basis for a decision that produces legal or similarly significant effects without qualified human oversight.

2.7 Service integrity. (a) impersonate or misrepresent another person, entity, subsidiary, affiliate, government or Kolva; (b) manipulate, forge or falsify logs, metrics, approvals, consents, scroll-depth telemetry, audit trails or timestamps; (c) attempt to evade entity, seat, module, agent, environment, storage or usage limits (including by creating fake accounts or sub-tenants); (d) use the Service to train competing products or large language models (foundation models and fine-tunes) on Kolva-generated outputs or Kolva-managed data, except to the extent Customer controls such data and the training does not use Kolva's proprietary material.

2.8 AI misuse. (a) use AI-assisted features to generate content that is defamatory, deceptive, harassing, discriminatory, unlawful or manipulative, including deepfakes, electoral disinformation and non-consensual synthetic media; (b) use AI features to make adverse automated decisions about natural persons without complying with Customer's applicable obligations (including GDPR Article 22, EU AI Act deployer obligations where applicable, and sector rules); (c) submit prompts or data designed to jailbreak, prompt-inject or exfiltrate other customers' data; (d) use AI outputs to draft, generate or deliver legal, tax, medical, safety or regulated financial advice without qualified human review.

2.9 Credential and secret hygiene. (a) store plaintext ERP credentials, API keys, OAuth tokens, personal access tokens, service account keys, TLS private keys, database passwords, SSH keys, payroll or banking credentials in any Kolva field not explicitly designed for secret material; (b) commit such secrets to Customer's source control, ticketing, documentation or screenshots within the Service; (c) share such secrets with Kolva personnel outside controlled support-access flows; (d) reuse production credentials in non-production environments.

2.10 Integrations and connectors. (a) connect the Service to any source system Customer is not authorised to access; (b) use a Kolva agent to write, modify, delete, re-queue or re-sequence records in a source system, except through an explicit Kolva write feature Customer has enabled and the source system supports; (c) connect agents with broader ERP privileges than those strictly required (least privilege); (d) bypass vendor terms of the source system (including Sage, SAP, Oracle, Microsoft Dynamics, NetSuite, Workday, Acumatica, Epicor, Infor, Odoo, JD Edwards and similar).

3. Security and Operational Rules

3.1 Authentication and access. Customer shall: (a) use multi-factor authentication on administrative accounts; (b) operate individual named accounts only (no shared logins); (c) rotate credentials on personnel changes; (d) suspend or remove access immediately when a user leaves; (e) configure least-privilege roles, row-level scopes and entity filters; (f) keep an up-to-date list of its authorised administrators.

3.2 Device and endpoint security. Customer shall ensure that devices used to access the Service are reasonably secured, including up-to-date operating systems and security updates, anti-malware, full-disk encryption on laptops and mobile devices, screen lock and, for on-premise agents, a patched host.

3.3 Network and on-premise agents. Customer shall: (a) run Kolva agents on hosts Customer owns or controls, on a network Customer administers; (b) keep agent binaries, configurations and service accounts within Customer's control; (c) not proxy agent traffic through unauthorised hosts; (d) not attempt to attach Kolva agents to third-party customer tenants Customer does not own; (e) monitor and log agent activity within Customer's environment.

3.4 Credentials for the Service. Customer shall: (a) not share personal passwords or personal MFA factors; (b) use Kolva-issued API keys or service accounts, not shared user passwords, for machine access; (c) rotate API keys on suspected compromise; (d) revoke unused keys; (e) report suspected credential compromise to security@kolva.ai as soon as practicable.

3.5 Data classification. Customer is responsible for applying its internal data classification and handling requirements (including any restrictions on storing personal health information, payment card data, financial statements before publication, or legally privileged material) to its use of the Service. Customer shall not upload data to the Service that is prohibited from third-party processing under Customer's internal or regulatory rules.

4. Bandwidth, Rate Limits and Fair Use

4.1 Fair use. The Service is provided on a fair-use basis. Customer shall use bandwidth, storage, compute, AI consumption, discovery pipelines, connectors and API calls in a manner consistent with (a) the Order; (b) published plan entitlements and documentation; and (c) Kolva's documented rate limits.

4.2 Rate limits. Kolva may apply rate limits, concurrency limits, token-per-minute ceilings, request-size caps, payload-size caps, storage quotas and sync frequency ceilings. Customer shall not deliberately circumvent such limits, including by parallelising requests across identities, rotating API keys, using headless clients to bypass UI throttles, or fanning-out synthetic load.

4.3 Batch and automation. Customer shall (a) use batch and bulk endpoints where available rather than per-record calls for mass operations; (b) implement exponential back-off on 429/503 responses; (c) not poll at sub-second intervals; (d) not schedule all sync jobs at the same wall-clock minute across tenants.

4.4 Abuse controls. Kolva may throttle, queue, refuse or suspend requests that (a) exceed plan entitlements; (b) originate from a compromised or misconfigured client; (c) appear to be an attack; (d) generate disproportionate infrastructure or third-party cost; or (e) pose a risk to shared stability.

4.5 AI consumption. AI-assisted features consume metered resources. Kolva may meter AI consumption by requests, input tokens, output tokens, embedding calls, vector storage, tool invocations, agent steps, transcription minutes, document pages or similar units. Customer shall not deliberately inflate AI consumption, including via prompt loops, self-chatting bots or redirection of unrelated workloads.

5. Content Restrictions

5.1 Customer content. Customer retains ownership of Customer content. Customer represents and warrants that it has all rights necessary to upload, process, transmit and store such content through the Service, and that such content does not violate law, third-party rights or this AUP.

5.2 Prohibited content. In addition to Section 2.5, Customer shall not upload, store, sync or process through the Service (a) pornographic, sexually explicit or lewd content, unless the business is legally permitted adult entertainment and the use is explicitly approved by Kolva in writing; (b) content that glorifies, promotes or facilitates violence, terrorism, self-harm or hate speech; (c) content encouraging illegal drug manufacture or distribution; (d) malware, exploit code or tooling designed to cause harm.

5.3 Personal data. Customer shall (a) only upload personal data it is lawfully entitled to process; (b) respect applicable data-subject rights; (c) refrain from processing special-category personal data unless it has a valid legal basis and has configured the Service to handle it appropriately; (d) keep personal data retention aligned with Customer's retention policy, by using Kolva's retention, deletion and export features as appropriate.

5.4 Intellectual property. Customer shall not upload content it does not have the right to upload, including content protected by copyright, trade marks, patents or trade secrets of others, except under a valid licence or doctrine of law.

5.5 Confidentiality. Customer shall not upload third-party confidential information to the Service except as permitted under the relevant confidentiality agreement, nor use the Service to exfiltrate trade secrets of a former employer or third party.

6. AI, Automation and Workflow Rules

6.1 Human oversight. Customer shall ensure that AI outputs, automated workflows and agent-generated actions relevant to legal, financial, employment, safety, medical or similar decisions are reviewed by qualified personnel before being relied upon.

6.2 Automation scope. Customer shall configure automated workflows and Auto-Pilot rules in line with Customer's internal approvals, separation of duties and risk controls. Automations that initiate outbound communications, financial transactions, credit actions, employment decisions, data deletions, or changes in source systems should carry appropriate human approval gates.

6.3 AI-generated content disclosure. Where Customer externally distributes material substantially produced by AI-assisted features (marketing, communications, regulatory filings), Customer is responsible for complying with applicable disclosure, labelling and transparency rules.

7. Enforcement, Suspension and Remedies

7.1 Monitoring. Kolva may monitor the Service for security, stability, compliance and fraud-prevention purposes, including aggregate usage signals, rate-limit telemetry, error traces, abuse heuristics and security events. Monitoring is conducted in accordance with the Kolva Security Policy and DPA.

7.2 Right to suspend. Kolva may suspend, throttle, disable a feature for, or terminate access of any user, account, company, agent, API key or environment that (a) is reasonably believed to be in violation of this AUP, the Terms, the DPA or applicable law; (b) poses an immediate security, privacy, legal or stability risk; (c) is the subject of a valid government order or court order; or (d) is generating costs disproportionate to contracted entitlements. Where commercially reasonable, Kolva will notify Customer before suspension.

7.3 Mandatory reporting. Customer shall promptly report to security@kolva.ai: (a) suspected credential compromise; (b) unauthorised access to Customer's account; (c) discovery that Customer content was uploaded without authorisation; (d) any incident that may affect the security or integrity of the Service.

7.4 Cooperation with investigations. Customer shall cooperate reasonably with Kolva investigations of suspected AUP violations, including providing logs, user identity information, workflow configurations and timeline reconstructions.

7.5 No waiver. Failure by Kolva to enforce any provision of this AUP does not waive Kolva's right to enforce it later.

7.6 Consequences of violation. Material, repeated or unremedied violations of this AUP may result in (a) service credits being void; (b) suspension of paid features; (c) removal of offending content; (d) termination of the Order for cause as described in the Terms; (e) reporting to law enforcement where required or appropriate.

8. Reporting Abuse

To report a suspected AUP violation, abusive behaviour, security vulnerability or content concern, contact:

  • Abuse: abuse@kolva.ai
  • Security: security@kolva.ai
  • Legal: legal@kolva.ai
  • Privacy: privacy@kolva.ai

Reports may be made anonymously, though anonymous reports may limit Kolva's ability to follow up. Kolva will acknowledge receipt of security reports within 24 hours where possible, triage them, and communicate progress for confirmed issues consistent with responsible disclosure.

9. Changes to this AUP

Kolva may update this AUP from time to time. Material changes will be communicated under the change-process provisions of the Terms. Continued use of the Service after the effective date of an update constitutes acceptance of the updated AUP.

10. Contact

Talentee LLC (trading as Kolva)
Sheridan, Wyoming, United States
legal@kolva.ai · abuse@kolva.ai · security@kolva.ai

This AUP is a template for business use. It does not create an attorney-client relationship and does not constitute legal advice. Customers with specific legal or regulatory questions should consult qualified counsel in their jurisdiction.