Acceptable use.
01 — Scope: Who this applies to
This policy applies to anyone engaging CD Grayson for services, hosting content on our infrastructure, or otherwise interacting with our systems. It also governs the boundaries of our security testing work.
02 — Authorization: For security work
Penetration testing, vulnerability scanning, and other offensive security activities require explicit written authorization before we touch any system. Our standard practice:
- A signed rules-of-engagement document identifies every asset in scope and every technique permitted
- We test only what the client owns or is legally authorized to test
- We will not test third-party SaaS platforms, cloud environments, or shared infrastructure without written consent from their operators
- If during an engagement we discover the scope has overreached — for example, because a system is shared with another party — we stop and seek clarification before proceeding
Engaging us to test systems you do not have authority to test is a material breach and may be a crime. Don't ask.
03 — Prohibited uses: Of our services
You may not use our services — including any hosting or infrastructure we provide — to:
- Host or distribute child sexual abuse material (CSAM), or content that sexualizes minors. We report all such material to the National Center for Missing & Exploited Children (NCMEC) and law enforcement.
- Infringe the intellectual property rights of others
- Distribute malware, spyware, ransomware, or other malicious code (except as part of an authorized security engagement, operated within the agreed scope)
- Send unsolicited bulk email or operate mail infrastructure associated with spam
- Conduct phishing, credential harvesting, or fraud against third parties
- Harass, stalk, defame, or threaten other people
- Violate the privacy or publicity rights of others, including doxxing or non-consensual intimate imagery
- Conduct denial-of-service attacks or participate in botnets
- Host command-and-control infrastructure for malicious campaigns
- Circumvent our security controls or those of any other system
04 — Disclosure: Handling vulnerabilities
When we identify vulnerabilities during a client engagement, we disclose them only to the client. We don't publish vulnerability details, sell them, or use them against any other party.
If we identify a vulnerability in a product used by our client but owned by a third party, we'll discuss the appropriate response with our client — typically coordinated disclosure to the vendor on a reasonable timeline, not public release or exploitation.
If you discover a vulnerability in our own infrastructure, please report it to hello@cdgrayson.net with subject line "Security." We'll respond promptly and won't pursue good-faith researchers.
05 — Conduct: Client obligations
Clients engaging us for security or data work are expected to:
- Operate within the laws and regulations applicable to their business
- Represent their authorization to have work performed accurately — we rely on these representations
- Not use our findings or deliverables to harm third parties
- Treat security findings as confidential and handle them appropriately
- Not characterize our services as things they're not — we don't provide legal opinions, we don't issue audit attestations, we don't certify compliance
06 — High-risk content: On hosting
If your engagement includes hosting or managed infrastructure, some categories of content require special handling. Before deploying the following on our infrastructure, discuss the specifics with us first:
- Regulated healthcare data (PHI subject to HIPAA or equivalent regulations)
- Regulated financial services (money transmission, securities, lending)
- Payment card data (carries PCI DSS compliance obligations)
- Adult content, gambling, or pharmacy-related services
These aren't categorically prohibited — many are legitimate businesses — but they carry compliance, legal, and infrastructure implications we need to address together before you go live.
07 — Resources: Acceptable usage
Hosting and compute services are provided under the terms of your specific engagement. You may not use them in ways that substantially exceed the resources the SOW contemplates, disrupt other clients, or compromise infrastructure shared with others.
08 — DMCA: Copyright complaints
We comply with the Digital Millennium Copyright Act. To report content hosted on our infrastructure that you believe infringes your copyright, send notice to hello@cdgrayson.net including:
- Your signature (electronic is acceptable)
- Identification of the copyrighted work
- Identification and URL of the allegedly infringing material
- Your contact information
- A good-faith belief statement that the use is not authorized
- A statement under penalty of perjury that your notice is accurate and you're authorized to act for the rights holder
We review notices, act on legitimate ones, and terminate the accounts of repeat infringers.
09 — Abuse: Reporting violations
To report a violation of this policy — spam, malware, fraud, abuse, harassment — email hello@cdgrayson.net with subject line "Abuse," and include URLs, IP addresses, or account identifiers plus a description of what you observed. We review all reports and act on legitimate ones.
10 — Enforcement: How we respond
We respond proportionally. For most issues, we'll raise the concern, explain the problem, and give a reasonable chance to fix it. For serious violations — CSAM, active attacks, severe fraud, criminal activity — we may suspend or terminate without notice and report to authorities. We cooperate with law enforcement when required by valid legal process.
11 — Changes: Policy updates
We may update this policy as the environment changes. Material updates will be communicated to active clients. The "last updated" date at the top always reflects the current version.
12 — Questions: If you're unsure
If you're unsure whether a planned use falls within this policy, ask us before you start. Email hello@cdgrayson.net.