acceptable use policy - ElevateFinance

# Acceptable Use Policy Effective from 9 May 2026. Version 1.1.0. This Acceptable Use Policy (this "**AUP**") sets out the conduct rules that every Customer and every End-User agrees to when using the Platform. Acceptance of the Master Services Agreement (the "**MSA**") is acceptance of this AUP. Acceptance of the Terms of Service is acceptance of this AUP. This AUP is read together with the Terms of Service, the MSA, the Privacy Policy, the Cookie Policy, the Refund Policy, the Service Level Agreement, the Data Processing Agreement (the "**DPA**"), the Sub-Processor List, the Responsible Disclosure Policy, the Disclaimer, the SEBI (Investment Advisers) Regulations 2013 -- Safe-Harbour Mapping, and the ICAI "Holding-Out" Audit. ## Defined terms In this AUP: - "**ElevateFinance**" or "**Supplier**" means ElevateFinance Private Limited. - "**Platform**" or "**Service**" means the software-as-a-service product operated by ElevateFinance. - "**Customer**" means a Chartered Accountant firm or other entity bound by the MSA. - "**End-User**" means a natural person whom the Customer has authorised to use the Platform under the Customer's tenant. - "**Documentation**" means the user-facing technical documentation ElevateFinance publishes from time to time. - "**Personal Data**" has the meaning given in the Digital Personal Data Protection Act 2023 (the "**DPDP Act**"). - "**Applicable Law**" has the meaning given in the MSA. ## 1. Permitted uses **Plain-language summary.** The Platform is licensed for tax-compute and filing work, for routine Customer operations, and for other uses the Documentation expressly authorises. 1.1 The Platform is licensed for the following uses: (a) preparation, review, and filing of returns under the Income-tax Act 1961 and allied statutes by qualified Chartered Accountants; (b) software-driven computation of tax liability, RSU optimisation, Schedule FA disclosure, and Form 67 export, with the Customer's qualified Chartered Accountants verifying every output before acting on it; (c) management of the Customer's clients, members, billing, and subdomain branding within the Platform's exposed surfaces; (d) GST and TDS workflows where the relevant offering has been enabled for the Customer's tenant under the DPA addenda; and (e) any other use expressly authorised by the Documentation. ## 2. Prohibited conduct **Plain-language summary.** The list below is the discipline that keeps the Platform safe for every Customer and every End-User. Each item is a material obligation; breach is grounds for suspension or termination. The Customer and every End-User shall NOT: 2.1 **Reverse engineer.** Reverse engineer, decompile, or disassemble the Platform or attempt to derive the Platform's source code, proprietary configurations, model artefacts, or any other proprietary component, save where that right cannot be excluded under Applicable Law. 2.2 **Scrape.** Scrape the Platform or use any automation to access the Platform other than through the published programmatic interfaces and the Customer's own integrations. Programmatic access to the apex retail surface is prohibited. 2.3 **Bulk-export.** Bulk-export End-User data of any individual or entity that the Customer has no professional engagement with. 2.4 **Bypass.** Bypass any rate-limit, authentication, audit, or other security control of the Platform. 2.5 **Misrepresent.** Misrepresent any End-User's identity, including impersonating the Income Tax Department, the GSTN, NSDL, NPCI, or any other government authority on tenant-authored copy. 2.6 **Upload or transmit unlawful content.** Upload or transmit content that: (a) infringes any third-party intellectual property right; (b) constitutes defamation under Indian law; (c) is obscene, sexually explicit, or harmful to children within the meaning of Section 67 or 67A of the Information Technology Act 2000; (d) incites violence or hatred on the basis of religion, race, caste, or any other ground; or (e) is otherwise unlawful in India. 2.7 **File a false return.** File any return, declaration, or filing through the Platform that is knowingly false, misleading, or in violation of the Income-tax Act 1961, the CGST Act 2017, the Black Money (Undisclosed Foreign Income and Assets) and Imposition of Tax Act 2015, or any other Applicable Law. Penalties under Section 277 of the Income-tax Act 1961, Section 134(5) of the Companies Act 2013, and any other Applicable Law attach personally to the signing Chartered Accountant or the authorised representative. 2.8 **Money-laundering and prohibited activities.** Use the Platform to facilitate money-laundering, the financing of terrorism, the payment or receipt of any bribe or kickback, or any activity prohibited by the Prevention of Money Laundering Act 2002, the Unlawful Activities (Prevention) Act 1967, or the Prevention of Corruption Act 1988. 2.9 **Misuse the brand.** Use ElevateFinance's brand, logo, or marks to imply an endorsement that ElevateFinance has not given. 2.10 **Impair the platform-admin reservation.** Attempt to remove, demote, or otherwise impair the PLATFORM_RESERVED administrative role described in clause 5 of the MSA, whether through the Platform's surfaces, through direct database access, or through any other means. 2.11 **Abuse cryptographic facilities.** Abuse the Platform's verification or signing facilities (including the receipt verifier and the signed download URL surfaces) to forge, replay, or misrepresent any artefact. 2.12 **Mass communications.** Use the Platform's End-User communication channels in breach of clause 4 below. ## 3. Tenant-authored copy: ICAI compliance **Plain-language summary.** The Customer's tenant subdomain may display the Customer's brand and copy, but only within the limits the ICAI Code of Ethics permits. The Platform warns the Customer where the copy is likely to fall foul of the Code; the Customer remains solely responsible for compliance. 3.1 The Platform allows the Customer to display tenant-authored copy on the Customer's subdomain, including firm name, brand colour, logo, services list, and contact details. 3.2 Tenant-authored copy must comply with the ICAI Code of Ethics, including the revised Code in force from April 2026, which permits a Chartered Accountant firm to advertise within strict limits. Specifically, the Customer shall NOT include: (a) any false or misleading claim about the firm, its members, or the services offered; (b) any comparative claim against another Chartered Accountant, firm, or platform; (c) any fee advertisement that has not been pre-approved under the revised Code's pre-approval mechanism, where applicable; (d) any claim of speciality or expertise in any specific tax matter that the relevant ICAI bye-laws restrict; (e) any reference to clients by name without that client's written consent; or (f) any misuse of professional designation (such as describing a non-Chartered-Accountant partner as a "Chartered Accountant"). 3.3 The Platform warns the Customer on a best-effort basis where tenant-authored copy is likely to fall foul of clause 3.2. The Customer remains solely responsible for ICAI Code compliance. 3.4 ElevateFinance may take down any tenant-authored copy on receipt of (a) a credible complaint from the Institute of Chartered Accountants of India, (b) a court order, or (c) ElevateFinance's reasonable opinion that the copy materially breaches clause 3.2. ElevateFinance shall give written notice of the take-down to the Customer within twenty-four (24) hours. ## 4. Communications and anti-spam **Plain-language summary.** Transactional messages directly tied to a filing, an invoice, or a service update are permitted. Marketing communications require prior opt-in consent and an unsubscribe mechanism. 4.1 The Customer shall use the Platform's End-User communication channels (transactional email, push, and SMS where enabled) only for transactional messages directly related to a filing, an invoice, or a service update. 4.2 Marketing or promotional communications to End-Users require the End-User's prior opt-in consent. The Customer shall maintain written evidence of consent and shall provide a clear unsubscribe mechanism in every marketing communication. 4.3 The Customer shall not use the Platform to send unsolicited commercial communication ("spam") within the meaning of the information-technology rules made under the IT Act 2000 or the Telecom Commercial Communications Customer Preference Regulations 2018. ## 5. Security responsibility **Plain-language summary.** Credentials are kept secret, are not shared between End-Users, are revoked promptly when a person leaves, and any suspected incident is reported promptly. 5.1 The Customer shall: (a) keep the Customer's authentication credentials secret; (b) not share credentials between End-Users; (c) revoke any End-User's access promptly when that End-User leaves the Customer's organisation; and (d) report any suspected security incident to ElevateFinance promptly on discovery, in any event within the timeline that Applicable Law prescribes for the Customer, by email to `security@elevatefinance.co`. 5.2 The Customer shall not knowingly transmit malware, exploit code, or any payload designed to compromise the Platform. ## 6. Vulnerability research and responsible disclosure **Plain-language summary.** Researchers may perform good-faith security testing on the conditions in the Responsible Disclosure Policy. Any access beyond that scope is unauthorised access under Section 43 of the Information Technology Act 2000. 6.1 Researchers may, on the conditions in the Responsible Disclosure Policy, perform good-faith security testing on the Customer's tenant subdomain. 6.2 Any access beyond the scope of the Responsible Disclosure Policy is unauthorised access under Section 43 of the Information Technology Act 2000. ## 7. Compliance with Applicable Law **Plain-language summary.** Customer use is subject to all Applicable Law, including tax law, data-protection law, anti-money- laundering law, and consumer-protection law. 7.1 The Customer shall comply with every Applicable Law in connection with its use of the Platform, including the Income-tax Act 1961, the CGST Act 2017, the IGST Act 2017, the SGST and UTGST Acts, the DPDP Act, the Information Technology Act 2000, the Chartered Accountants Act 1949, the Companies Act 2013, the Consumer Protection Act 2019, the Prevention of Money Laundering Act 2002, the Unlawful Activities (Prevention) Act 1967, and the Prevention of Corruption Act 1988. ## 8. Enforcement **Plain-language summary.** Suspension under the MSA is the standard remedy for breach. Repeated or egregious breach is grounds for termination for cause. Suspension or termination does not relieve any accrued Fee. 8.1 ElevateFinance may suspend the Customer's tenant under clause 12 of the MSA on reasonable belief of a material breach of this AUP. Repeated or egregious breach is grounds for termination for cause under clause 13 of the MSA. 8.2 Suspension or termination under this AUP does not relieve the Customer of any Fee accrued before the date of suspension or termination. ## 9. Cross-references This AUP is read together with: - Master Services Agreement - Terms of Service - Privacy Policy - Cookie Policy - Refund Policy - Data Processing Agreement - Sub-Processor List - Service Level Agreement - Responsible Disclosure Policy - Disclaimer - DPDP Grievance Redressal - ICAI "Holding-Out" Audit - SEBI (Investment Advisers) Regulations 2013 -- Safe-Harbour Mapping - CERT-In Incident Runbook