Acceptable Use and AI Safety Policy

Effective May 16, 2026 · Avalon Flow Inc., a subsidiary of Questili LLP · support@avalonflow.com

For this policy, "Avalon," "we," "us," or "our" means Avalon Flow Inc., a subsidiary of Questili LLP, unless a signed order form or customer agreement identifies a different contracting entity.

This Acceptable Use and AI Safety Policy applies to every use of Avalon, including the website, web application, APIs, AI-assisted features, hosted model routes, local models, BYO model providers, custom endpoints, MCP connectors, Slack/Salesforce integrations, automations, logs, exports, browser automation, scraping, and any other method of interacting with Avalon.

This policy supplements the Avalon Terms of Service. If you use Avalon on behalf of an organization, you are responsible for ensuring your users, administrators, contractors, agents, tools, scripts, and connected systems comply with this policy.

1. Human responsibility for AI-assisted work

Avalon provides assistive AI and automation features. You remain responsible for reviewing and approving important outputs and actions, including:

  • AI drafts before sending;
  • summaries, meeting briefs, Daily Pulse items, due dates, classifications, search results, analytics, and memory entries before relying on them;
  • Slack posts, CRM updates, custom endpoint calls, unsubscribes, deletes, forwards, sends, and other external or material actions before execution unless you have expressly configured an approved automation workflow;
  • outputs from hosted models, local models, BYO providers, custom endpoints, or other customer-controlled AI systems.

Avalon must not be used as the sole basis for legal, compliance, employment, financial, medical, safety-critical, or other regulated decisions.

2. Prohibited extraction of Avalon prompts and internal systems

You may not extract, derive, reconstruct, distill, copy, train on, fine-tune on, benchmark against, or otherwise attempt to learn Avalon’s non-public prompts, system instructions, internal policies, model-routing logic, safety rules, tool schemas, evaluation data, source code, hidden workflows, ranking logic, detection logic, or proprietary operating methods.

This restriction applies regardless of method, including:

  • hosted model prompts or outputs;
  • local models, BYO model providers, private models, open-source models, self-hosted inference, model gateways, and custom endpoints;
  • prompt injection, jailbreaks, adversarial prompting, red-team prompts outside an authorized security program, or attempts to force Avalon to reveal hidden instructions;
  • scraping, crawling, browser automation, replay tools, scripted use, API probing, traffic interception, telemetry capture, logs, traces, exports, screenshots, or support bundles;
  • repeated querying, differential testing, benchmarking, model distillation, behavioral cloning, or output comparison intended to infer Avalon’s internal systems;
  • using Avalon outputs, traces, logs, metadata, prompts, completions, UI behavior, or workflow behavior to build, train, improve, operate, or evaluate a competing or substitutive system.

You may not ask any hosted model, local model, custom endpoint, agent, crawler, browser automation tool, employee, contractor, or third-party service to perform these restricted activities on your behalf.

3. Prohibited misuse of AI and automation

You may not use Avalon to:

  • violate law, contracts, third-party rights, or connected-service terms;
  • process data you are not authorized to provide to Avalon;
  • send spam, phishing, malware, harassment, impersonation, deceptive communications, or unlawful marketing;
  • generate or execute harmful, abusive, fraudulent, discriminatory, or illegal actions;
  • bypass required human approval for risky, external, destructive, or material actions;
  • make unsupported high-impact decisions about employment, credit, housing, education, insurance, healthcare, legal rights, financial status, safety, or access to essential services;
  • operate surveillance, profiling, or analytics in a way that violates law, workplace policy, customer commitments, or privacy expectations;
  • intentionally create, preserve, or exploit hallucinations, unsafe outputs, or model failures;
  • use prompt injection, jailbreaks, malicious files, malicious links, poisoned data, or adversarial content to manipulate Avalon, connected models, tools, endpoints, users, or third parties.

4. Data handling and sensitive content

You should only connect, upload, prompt, store, or route information through Avalon when you are authorized to do so and it is necessary for the configured use case.

You are responsible for protecting secrets, credentials, regulated data, privileged information, confidential information, employee data, customer data, client data, third-party data, and any other sensitive information you process through Avalon or connected systems.

You may not use Avalon, local models, custom endpoints, logs, exports, browser automation, or connected tools to bypass privacy, confidentiality, retention, deletion, access-control, or data residency obligations.

5. Connected services, custom endpoints, and local models

If you enable Google APIs/Gmail, Microsoft Graph/Outlook, Slack, Salesforce via MCP, MCP connectors, custom endpoints, hosted AI providers, BYO AI providers, local/private models, self-hosted inference, or other connected systems, you are responsible for:

  • ensuring you have authorization to connect and use those systems;
  • granting only appropriate permissions and scopes;
  • securing credentials, tokens, endpoints, logs, and network access;
  • testing inputs, outputs, permissions, and failure modes before production use;
  • reviewing outputs and actions before external use;
  • complying with provider terms, model licenses, privacy obligations, security requirements, and applicable law.

Avalon may disable or restrict a connected service, endpoint, model route, automation, or account if it creates security, privacy, legal, operational, abuse, or intellectual-property risk.

6. Security research and vulnerability reporting

Good-faith security research must avoid privacy harm, service disruption, data exfiltration, destructive actions, social engineering, spam, persistence, lateral movement, and access to other users’ data. Report suspected vulnerabilities to support@avalonflow.com.

This policy does not authorize prompt extraction, model distillation, production data access, denial of service, credential harvesting, malware, phishing, or attempts to bypass customer approval controls.

7. Enforcement

Avalon may investigate suspected violations and may suspend, restrict, disable, or terminate access; disable connectors, endpoints, model routes, automations, or workflows; remove harmful configurations; preserve relevant evidence; and notify affected customers, providers, or authorities where appropriate.

Violations may also trigger indemnity, payment, termination, or other remedies under the Terms of Service or an applicable customer agreement.

8. Contact

For questions about this policy or to report abuse or security concerns, contact support@avalonflow.com.