# Sidecar Acceptable Use Policy

Last updated: 2026-05-19

This Acceptable Use Policy ("AUP") is incorporated by reference into the [Terms of Service](TERMS.md) and governs all use of the Sidecar Network service ("Service"). Capitalized terms not defined here have the meanings given in the Terms of Service. By using the Service, you agree to this AUP.

---

## What We Are

Sidecar operates as a **network relay service** — a "mere conduit" under 17 U.S.C. § 512(a). We transmit encrypted network packets between users and internet destinations. We do not host, store, select, modify, or inspect content transiting our infrastructure.

Because we are a relay, not a content platform, **violations of this AUP result in immediate, permanent revocation of your API token.** There are no warnings. There are no strikes.

---

## Prohibited Uses

You may not use Sidecar for:

- **Copyright infringement** — unauthorized reproduction, distribution, or public performance of copyrighted works
- **Child sexual abuse material (CSAM)** — transmission of CSAM or any material that sexually exploits minors, in violation of 18 U.S.C. § 2256 et seq.
- **Spam** — bulk unsolicited email or other messaging (outbound port 25 is blocked by default)
- **Network attacks** — DDoS, SYN floods, amplification attacks, port scanning, brute force, credential stuffing
- **Malware or botnet operation** — distribution of malware, ransomware, or command-and-control traffic
- **Phishing, credential harvesting, or fraud** — including business email compromise and identity theft schemes
- **Sanctions violations** — use by or for the benefit of any person or entity on the OFAC Specially Designated Nationals (SDN) list (31 C.F.R. § 594.315), or any person or entity located in a country subject to comprehensive U.S. sanctions (currently Cuba, Iran, North Korea, Russia, Syria, and the Crimea/Donetsk/Luhansk regions of Ukraine). You represent that you are not subject to these restrictions. See also Terms of Service § 16.6.
- **Terrorism** — material support for terrorist organizations as defined under 18 U.S.C. § 2339A/2339B
- **Human trafficking** — facilitating or profiting from human trafficking in violation of 18 U.S.C. § 1591 et seq.
- **Unauthorized computer access** — violations of the Computer Fraud and Abuse Act, 18 U.S.C. § 1030
- **Cryptojacking** — unauthorized use of third-party computing resources for cryptocurrency mining

---

## Technical Enforcement

To protect our infrastructure and other users:

- **Outbound port 25 blocked** (SMTP) — prevents spam abuse
- **Outbound ports 137, 138, 139, 445 blocked** (NetBIOS/SMB) — prevents ransomware lateral movement
- **Per-account concurrent tunnel limit** — concurrent peers are capped at the quota granted by your subscription tier (e.g. 1 for Micro, 3 for Free, up to 50 for Relay, and higher for contracted plans). Exceeding your tier quota is a violation of this AUP regardless of the method used.
- **Behavioral abuse detection** — automated systems detect and block DDoS traffic, port scanning, cryptojacking, and low-and-slow C2 beaconing patterns at the network level without inspecting payload content. The detector uses streaming statistical models (Half-Space Trees and Isolation Forest) over per-peer network metadata; a two-tick debounce (a peer must score anomalous on two consecutive evaluation intervals before any block is applied) keeps the false-positive rate at approximately 0.1%.
- **Newly-registered-domain (NRD) DNS blocking** — DNS lookups for domains registered within the last 7 days are blocked by default. Newly-registered domains are responsible for a disproportionate share of phishing, malware, and abuse-network traffic. The blocklist contains approximately 2.7 million domains and is refreshed hourly from an upstream open-source project distributed under GPL-3.0. NRD blocking is default-ON for the Free, Spark, and Launch tiers. Pulse-tier and above customers may opt out per-peer via the dashboard for legitimate use cases that require fresh domains.
- **ODoH oblivious DNS forwarding** — all customer DNS queries are forwarded via Oblivious DNS over HTTPS (RFC 9230). The relay sees who is asking; the upstream resolver sees what is asked; neither party can link the two.
- **NCMEC URL and IP blocklist** — known-bad URLs and IPs from the NCMEC feed are continuously pushed into per-relay nftables blocked sets. Egress to these destinations is blocked at the network layer.
- **AI-assisted abuse triage** — an offline, locally-hosted language model assists operators by extracting the reported peer, category, and severity from inbound abuse emails. The model never takes enforcement action autonomously; a human operator confirms every revocation. See § 3 of the [Terms of Service](TERMS.md).

---

## Attribution

Our newly-registered-domain DNS block list incorporates data from an open-source, community-maintained project distributed under the GNU General Public License v3.0. The project name and source are disclosed in writing to enterprise and DPA customers on request, and the source code derived from that project is available on request under the terms of GPL-3.0. We thank the upstream maintainers for keeping this resource current and freely available.

---

## Revocation Policy

**Any verified AUP violation results in immediate, permanent revocation of your API token.** This is not a "three-strike" system. We do not issue warnings for prohibited activity.

Grounds for immediate revocation include (without limitation):

- Receipt of a credible, specific abuse report we can independently correlate to your token
- Confirmed CSAM-related activity (with a simultaneous NCMEC report — see below)
- Confirmed DDoS or network attack originating from your assigned addresses
- Valid DMCA notice correlated to your token
- Infrastructure abuse report correlated to your token
- Any credible, documented report of sanctions violations or illegal activity

Revocation is permanent. We do not reinstate tokens revoked for AUP violations.
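For readers who want to see what the port blocks and nftables blocked sets described under Technical Enforcement look like on a relay, the following ruleset is an added illustration and is not Sidecar's deployed configuration. It assumes peer traffic enters the relay on a WireGuard interface named `wg0`, uses a table name chosen for this example, and seeds the sets with constructed placeholder addresses from the RFC 5737 / RFC 3849 documentation ranges rather than real feed entries.

```nft
#!/usr/sbin/nft -f
# Illustrative relay egress ruleset (added example; assumes a WireGuard
# interface named wg0 and a table name chosen for this example).
# Set contents are constructed placeholders, not real blocklist data.

table inet sidecar_egress {
    # Destination blocklist sets, refreshed out of band by the feed loader.
    # "flags interval" lets the feed push both single addresses and CIDR
    # ranges into the same set.
    set blocked_dst_v4 {
        type ipv4_addr
        flags interval
        elements = { 192.0.2.10, 198.51.100.0/24 }
    }

    set blocked_dst_v6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8:abcd::/48 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Only packets arriving from peers are subject to these rules;
        # return traffic from the internet toward peers is left alone.
        iifname != "wg0" accept

        # Outbound SMTP: reject with RST so a misconfigured mail client
        # fails fast instead of hanging on a dropped SYN.
        tcp dport 25 counter reject with tcp reset

        # NetBIOS/SMB: silently drop, giving a scanner no signal.
        tcp dport { 137, 138, 139, 445 } counter drop
        udp dport { 137, 138 } counter drop

        # Known-bad destinations from the blocklist feed.
        ip daddr @blocked_dst_v4 counter drop
        ip6 daddr @blocked_dst_v6 counter drop
    }
}
```

Refreshing the sets from a feed should be done as a single transaction: write a file containing `flush set inet sidecar_egress blocked_dst_v4` followed by `add element inet sidecar_egress blocked_dst_v4 { ... }` and apply it with `nft -f`, which commits the whole file atomically, so there is never a window in which the set is empty and blocked egress is briefly permitted. The `counter` statements give operators a cheap way to confirm a rule is actually matching without any payload inspection.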
---

## DMCA Procedure (17 U.S.C. § 512(a))

We qualify as a "mere conduit" under 17 U.S.C. § 512(a). We transmit encrypted data; we do not host or store content.

Full DMCA procedures, counter-notification rights, and our designated agent information are set out below in this AUP and incorporated into the [Terms of Service](TERMS.md) via § 3.4 (Copyright infringement); operator abuse contacts are in TERMS § 12.

On receipt of a valid DMCA notice, we will:

1. Log complaint metadata (timestamp, claimant, reported IP — no traffic data logged)
2. Immediately revoke the token assigned to the reported IP address
3. Send a 512(a) response to the claimant explaining our conduit status
4. Forward the notice to the origin hosting provider, if determinable

Our repeat infringer termination policy is consistent with 17 U.S.C. § 512(i).

---

## CSAM Procedure (18 U.S.C. § 2258A; REPORT Act, Pub. L. 118-73)

Upon receiving an external report constituting actual knowledge of child sexual abuse material (CSAM) or apparent child sexual exploitation:

1. **Immediate token revocation** within 1 hour, no exceptions, no warnings
2. **NCMEC CyberTipline report** within 24 hours: https://www.cybertipline.org (1-800-843-5678)
3. **Metadata preservation** for one year per 18 U.S.C. § 2258A(h) as amended by the REPORT Act (which extended the former 90-day period): token ID, assigned IP addresses, peer creation timestamp, revocation timestamp
4. **Full cooperation** with law enforcement — we will provide all records we maintain
5. **No reinstatement** under any circumstances

We do not retain traffic content and have no mechanism to reconstruct it after the fact (see Privacy Policy). We provide what we have: account metadata, IP assignments, timing records.

---

## Our Technical Limitations

We maintain **no logs** of:

- Traffic content (the WireGuard tunnel is decrypted at the relay only to forward packets; nothing is captured or retained, and application-layer protection such as TLS is the user's, not ours)
- Session timestamps or connection duration
- Destination IP addresses
- DNS queries
- Bandwidth by peer

In response to legal process, we can only produce what we actually maintain.
See [Privacy Policy](PRIVACY.md) § 3 for the complete list of data we do maintain.

---

## Abuse Reporting

Report abuse to: **abuse@sidecar.network**

We acknowledge all abuse reports within 24 hours. Because we are a relay service with no content logs, our response to abuse complaints typically involves revoking the responsible token and, where determinable, forwarding the complaint to the relevant origin hosting provider.

We do not terminate accounts based on unverified, non-specific allegations.

---

## Law Enforcement Requests

Valid legal requests must be:

- Issued by a court of competent jurisdiction or otherwise legally authorized
- Served through proper legal channels — domestic requests via U.S. court process; foreign requests via MLAT (Mutual Legal Assistance Treaty) or applicable treaty process
- Specific about the account, token, or information sought

**We accept and respond to:**

- Federal court orders and grand jury subpoenas
- State court orders
- Administrative subpoenas issued pursuant to statutory authority, 18 U.S.C. § 2703(d) court orders, and National Security Letters
- Emergency disclosure requests under 18 U.S.C. § 2702(b)(8) where an imminent threat to life or safety is credibly documented

We produce only what we have. We have very little (see [Privacy Policy](PRIVACY.md) § 3 and § 4). We will notify affected users of legal process to the extent permitted by law.

Law enforcement contact: **legal@sidecar.network** (monitored for urgent requests)

---

## DMCA Designated Agent

> **Name:** Sidecar Network Legal Team
> **Email:** dmca@sidecar.network
> **Registration:** [To be registered with U.S. Copyright Office prior to launch — see DMCA_REGISTRATION.md]

---

## OFAC and Export Control

Use of the Service by persons or entities subject to OFAC sanctions or U.S. export restrictions is prohibited.
The full export compliance representation lives in this AUP itself (the "Prohibited Uses — Sanctions" section above); the [Terms of Service](TERMS.md) incorporates this AUP by reference (§ 3). We reserve the right to immediately revoke access upon identification of a sanctions-related connection, without notice and without refund.

---

## Changes to This Policy

We may update this AUP at any time. Material changes will be notified as described in [Terms of Service § 11.1](TERMS.md) (Modification). Continued use of the Service constitutes acceptance of the revised AUP.

---

*Sidecar Network — sidecar.network*
*Abuse: abuse@sidecar.network | Legal: legal@sidecar.network*