← Back to Home

Acceptable Use Policy

Last Updated: April 25, 2026

Table of Contents

  1. Introduction
  2. Authorized Use
  3. Prohibited Activities
  4. Tool Execution Guidelines
  5. Data Handling
  6. Security Requirements
  7. Enforcement
  8. Reporting Violations
  9. Contact

1. Introduction

This Acceptable Use Policy governs your use of the oakallow API and related services. oakallow exists to make AI agent execution safer through permissions, approvals, and audit trails. We expect all users to use the Service responsibly and in a manner consistent with its security-first purpose.

2. Authorized Use

You May Use oakallow To:

  • ✓ Implement permission checks for AI agent tool execution
  • ✓ Build approval workflows requiring human oversight
  • ✓ Generate cryptographic execution tokens for auditable actions
  • ✓ Maintain audit logs of all tool executions
  • ✓ Define granular permission rules for multi-tenant applications
  • ✓ Integrate with your own applications via our documented REST API

3. Prohibited Activities

You Must Not:

  • ✗ Use oakallow to authorize harmful, illegal, or destructive operations
  • ✗ Build systems that circumvent or automate approval of dangerous tool executions
  • ✗ Auto-approve tool executions that the permission system flagged as requiring human review
  • ✗ Attempt to access other developers' data, organizations, or permission rules
  • ✗ Reverse-engineer, decompile, or attempt to extract the source code of the Service
  • ✗ Use the API for denial-of-service attacks, vulnerability scanning, or penetration testing without written authorization
  • ✗ Share API keys publicly or embed them in client-side code
  • ✗ Create multiple accounts to circumvent rate limits or billing

4. Tool Execution Guidelines

oakallow is designed to ensure AI agents ask before they act. When the permission system returns requires_approval, your system must route that request to a human decision-maker. Automatically approving these requests defeats the purpose of the permission system and violates this policy.

Tools with disabled permission must not be executed under any circumstances. If a tool is disabled, do not attempt to bypass the restriction.

5. Data Handling

oakallow is not designed to store personally identifiable information (PII). The rules below apply to fields you submit through the runtime API: tool-call arguments, approval reasons, and any free-text context attached to a permission check or approval request. They do not apply to your own account profile (your name and email are required to operate the service).

Do not submit the following inside tool-call arguments or approval reasoning:

  • Social security numbers or government-issued identification numbers
  • Credit or debit card numbers, bank account numbers, or financial account details
  • Personal street addresses or precise physical locations
  • Health or medical information
  • Dates of birth, passwords, or authentication credentials
  • Contact information of unrelated third parties whose data does not need to be visible to an approver

oakallow performs automated PII redaction as a safety net. Any detected PII patterns are removed before processing and storage. The redaction is best-effort. You bear responsibility for ensuring PII is not transmitted through the API. Use the reference_id field to correlate approval requests back to records in your own system rather than including identifying information in request fields.

Notification channels (Slack, PagerDuty, webhooks)

You can configure oakallow to send approval-event notifications to third-party services you choose. The destinations you configure are services you, not oakallow, are responsible for. By configuring a channel you confirm that:

  • You are authorized to send notifications to the destination (Slack workspace, PagerDuty service, webhook endpoint)
  • You accept the destination provider's terms of service and privacy practices for the data oakallow sends
  • You will keep the destination's credentials (Slack webhook URL, PagerDuty API Key, webhook signing secret) confidential and rotate them if exposed

Notification payloads are intentionally minimal — event type, tool name, PII-scrubbed reason, and the oakallow reference id. Tool parameters and customer data are never sent. Approval decisions remain governed by oakallow's mobile app with enforced multi-factor authentication; no third-party destination has authority to decide an approval. Configuring a channel that purports to make decisions, automating "approval" from a chat surface, or otherwise bypassing the mobile-app decision flow violates this policy.

6. Security Requirements

  • Store API keys securely (environment variables, secrets managers)
  • Use HTTPS for all API communication
  • Rotate API keys periodically and immediately after any suspected compromise
  • Validate HMAC-signed execution tokens before executing tools
  • Implement appropriate access controls within your own systems

7. Enforcement

Violations May Result In:

  • Warning and request to correct the behavior
  • Temporary suspension of API access
  • Permanent account termination
  • Legal action in severe cases

We will always attempt to contact you before taking action, except in cases involving immediate security risk or legal obligation.

8. Reporting Violations

If you become aware of any violation of this policy or a security incident, please report it immediately to security@oakallow.io. We take all reports seriously and will investigate promptly.

9. Contact

✉️

Policy Questions

legal@oakallow.io
🛡️

Security Reports

security@oakallow.io

Related Policies

AboutPrivacy PolicyTerms of Service