Acceptable Use Policy
The Acceptable Use Policy spells out the conduct, content, and security restrictions that apply to every customer using the OMINEX platform. It is incorporated into the Terms of Service and applies to authorized users, end users that interact with the Service through a customer's deployment, and any party accessing the Service through any account.
Last reviewed: May 2026
1. What's prohibited
You and your authorized users must not use the Service to:
- Violate applicable U.S. or other law, or the terms of your contracts with your underlying verification providers.
- Transmit raw identity documents, biometric data, government identifiers, full financial account numbers, payment-card data, or other directly identifying personal data. The Service is designed to receive sanitized verification metadata only.
- Submit, ingest, or instruct the generation of attestation records that do not correspond to a real underlying compliance decision.
- Configure trusted-issuer designations that materially misrepresent OMINEX's role (for example, presenting OMINEX as the party that performed the underlying KYC determination).
- Bypass authentication, authorization, audit logging, rate limiting, replay-window enforcement, or quota controls. Sharing API keys outside your organization or reusing webhook signing secrets across unrelated tenants is a breach.
- Conduct unauthorized penetration testing, denial of service, brute force, credential stuffing, or vulnerability scanning. Authorized security research is described below.
- Harass, defame, defraud, or discriminate; facilitate human trafficking, child exploitation, or violence; or evade legitimate sanctions or supervisory measures.
- Introduce malware, attempt to extract source code or model weights, or scrape the Service in a manner inconsistent with public documentation.
- Send unsolicited commercial communications using the Service's contact endpoints (transactional email, webhook delivery).
- Deploy the Service in a configuration that effectively turns OMINEX into a consumer-facing identity verification, credit decisioning, money services, or broker-dealer service.
2. Sanctions and export controls
You must not use the Service in or for the benefit of any country, region, or person subject to comprehensive U.S. sanctions (including the Crimea, Donetsk, Luhansk, Kherson, and Zaporizhzhia regions of Ukraine, Cuba, Iran, North Korea, and Syria), or any person on the U.S. SDN list, the Sectoral Sanctions Identifications list, or analogous EU, UK, or other applicable sanctions lists. You must not use the Service to evade sanctions or export controls. The Service may be subject to U.S. export control regulations; you must not export, re-export, or transfer the Service or its outputs in violation of those regulations.
Where your underlying providers perform sanctions or PEP screening, you remain responsible for acting on the results. OMINEX does not perform sanctions decisioning; it carries the result of decisions your providers make.
3. Security obligations
- Store API keys, webhook secrets, and OAuth credentials in a secret manager. Rotate on personnel change and on suspected compromise.
- Verify the signature on every inbound webhook before acting on it. Do not disable signature verification in production.
- Where supported, restrict inbound traffic to OMINEX's published webhook source IPs.
- Report suspected security issues affecting your tenant to [email protected].
- Use TLS 1.2 or higher. Plain HTTP is rejected.
4. Authorized security research
OMINEX welcomes good-faith security research. Confine testing to your own tenant or to a sandbox tenant OMINEX has provisioned for testing; avoid disrupting production traffic for other tenants; do not access, modify, or destroy data that is not yours; do not social-engineer OMINEX personnel; provide reasonable advance notice for high-volume tests to [email protected]; and coordinate disclosure of any finding through that address. OMINEX will not pursue legal action against researchers who comply in good faith.
5. Enforcement
OMINEX may investigate suspected violations and review attestation metadata, audit logs, and operational artifacts as needed. OMINEX does not review the contents of customer end-user identity documents because the Service is not designed to receive them; if such content is detected, it is quarantined and deleted, and the customer is notified.
Where a violation is curable and not imminently harmful, OMINEX provides notice to the workspace administrator and a reasonable period (usually at least five business days) to cure. OMINEX may suspend access immediately and without prior notice when the violation poses a security risk to others, risks regulatory or legal liability for OMINEX, involves raw PII, false attestations, sanctions, or harm to others, or constitutes a material breach that cannot reasonably be cured. Severe or repeated violations may result in immediate termination and reporting to law enforcement, regulators, or affected third parties.
6. Reporting
- Security incidents: [email protected]
- Privacy incidents: [email protected]
- Other violations: [email protected]
Reports should include the workspace, relevant attestation or webhook IDs, timestamps, and a description of the conduct. OMINEX treats reports confidentially to the extent consistent with investigation and applicable law.
Related
- Terms of Service — incorporates this AUP by reference.
- Data Processing Agreement — processor obligations governing customer data.
- Privacy Policy — what OMINEX processes and why.
- Trust Center — incident response — how OMINEX coordinates response and customer review during an event.