An AUP tells users exactly what they can and can't do on your platform. No gray areas, no arguments. Generate one that covers every abuse scenario before it happens. Free.
Abuse happens. Having it documented in advance is what separates a quick resolution from a legal nightmare.
When a user spams your platform or uses your API to scrape competitors, you need a documented policy to stand on. An AUP written after the fact helps no one. Write it now while everything is calm and nothing is on fire.
Crypto miners, spam bots, DDoS scripts — your AUP explicitly prohibits these and gives you contractual grounds to terminate accounts and pursue damages if needed. Without it, you're just asking them nicely to stop.
Any B2B SaaS company trying to close enterprise deals will be asked for their AUP. Procurement teams check this. It's on the vendor assessment checklist right next to your privacy policy and security documentation.
Your ToS is a contract. Your AUP is a rulebook. You need both.
Terms of service documents do a lot of heavy lifting. They cover who owns the IP, what happens when there's a dispute, how liability is limited, and what the governing law is. What they rarely do well is get specific about behavior. A ToS might say "you agree not to use the platform for illegal purposes." That's technically true but completely useless the day you need to act on it.
An Acceptable Use Policy is where you get specific. It names the actual activities that are prohibited. Not "illegal purposes," but the concrete list: sending unsolicited commercial email, using automated scripts to scrape data, hosting malware, impersonating other users, using the platform to attack third-party systems, mining cryptocurrency without authorization, and so on through the entire list of things that someone somewhere has absolutely already done on a platform just like yours.
The most common abuse scenarios that generic ToS documents fail to address properly are spam and email abuse, automated bot activity, API misuse for competitive intelligence scraping, and financial fraud through marketplace platforms. Each of these deserves its own clause with specific language about what constitutes a violation and what happens when you catch one. Saying "we may suspend accounts at our discretion" is weak. Saying "accounts found sending unsolicited bulk email will be immediately suspended and may be referred to law enforcement under the CAN-SPAM Act" is a policy.
Consider what happens without a documented policy when you need to terminate an account. A user gets suspended. They email you demanding reinstatement and threatening legal action. Without a written AUP they agreed to at signup, you're in a much weaker position. With one, you can point to the specific clause they violated, the specific action they took, and the specific consequence spelled out in the document they accepted. The conversation changes completely. Most abusive users will not pursue legal action against a company that can cite chapter and verse of their own signed agreement.
One of the trickiest abuse cases for platforms is the sophisticated bad actor who stays just within the literal bounds of a vague ToS. They're not doing anything "illegal" per se. They're just using your platform in ways that damage other users or your infrastructure. An explicit AUP with broad acceptable use language gives you the contractual basis to act on bad faith behavior even when it doesn't fit a tidy legal category. Your ToS alone almost certainly doesn't cover this.
There's also the hosting and infrastructure angle. If you're running on AWS, GCP, or any major cloud provider, your account is subject to their AUP. If a user abuses your platform in a way that violates your upstream provider's AUP, you can find your entire infrastructure suspended because of one bad actor. Having your own AUP that flows down the same prohibited activities means you can act against the abuser before they trigger your upstream provider's enforcement team.
Automated scraping, credential stuffing, mass account creation — without explicit AUP language, these are hard to act on even when you catch them in the act.
If your platform has any email component, your AUP must address spam. Your email provider will hold you responsible for abuse originating from your platform, even when it was a user who sent it.
Courts and payment processors alike favor platforms that have documented, publicly available policies over those that act on unstated internal rules when disputes arise.
Every clause your acceptable use policy actually needs to hold up when you use it.
Specific categories of content that cannot be uploaded, shared, or stored. Illegal content, CSAM, malware, harassment, threats, and content that violates third-party IP rights.
Specific actions that are prohibited regardless of what content is involved. Hacking, phishing, credential stuffing, network interference, and fraudulent transactions.
Prohibition on unauthorized scraping, bot-driven mass actions, circumventing rate limits, and using automated tools to access non-public areas of the platform.
Prohibition on sending unsolicited bulk email, using harvested lists, spoofing sender addresses, or using the platform as a relay for spam campaigns.
Conditions under which an account may be temporarily suspended, notice requirements, and what access is maintained during a suspension period.
Conditions triggering immediate account termination without notice, and what happens to the user's data and active subscriptions after termination for cause.
How users can report AUP violations, the contact information for abuse reports, and your commitment to reviewing reports within a stated timeframe.
The range of actions available to you, from content removal to account suspension to termination to referral to law enforcement. A menu of options, not just one outcome.
How a suspended or terminated user can contest the decision, the process for review, and the timeline for a response. Optional but strongly recommended for any platform with paying users.
Your designated abuse contact, the expected response time, and instructions for law enforcement requests. A functional contact address is legally required in many jurisdictions.
Everything platform operators actually need to know about AUPs
Full AUP coverage without a subscription or a signup form standing between you and your document.
| Feature | FreeTOS | Termly | TermsFeed |
|---|---|---|---|
| Price | Free | $14/mo | $9/mo |
| Signup Required | No | Yes | Yes |
| AUP-Specific Document | Yes | Partial (ToS section) | Partial (ToS section) |
| Enforcement Actions Included | Yes | Basic | Basic |
| PDF Download | Free | Paid plan | Paid plan |
| AI-Tailored Output | Yes | Template-based | Template-based |
| Instant Generation | Yes | Yes | Yes |
Three places where your AUP needs to live for proper legal coverage.
Your website footer should link to your AUP alongside your Privacy Policy and Terms of Service. This makes it publicly accessible, discoverable, and easy to reference when you need to cite it in enforcement action. Enterprise customers doing vendor due diligence also check footers first.
Label it clearly. "Acceptable Use Policy" or "Usage Policy" — not something vague like "Platform Rules" that users might not recognize as a legal document.
Include your AUP in the signup acceptance flow. A checkbox saying "I agree to the Terms of Service and Acceptable Use Policy" with both documents linked creates a documented agreement at account creation time. This is your strongest evidence in an enforcement dispute.
Store the timestamp and IP address of the acceptance. You'll want this if the situation ever escalates beyond an account suspension.
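One way to capture that acceptance evidence, as an added example rather than code from this page or its generator: the function names and `RECORD_KEY` are hypothetical, and the per-document SHA-256 and the HMAC seal go beyond the timestamp and IP address the text asks for, so that the record also shows which wording was accepted and whether the row was edited later. Pass in the address your server observed on the connection, not a value taken from a client-supplied header.

```python
import hashlib
import hmac
import ipaddress
import json
from datetime import datetime, timezone

# Assumption: a server-side secret used only to seal acceptance records.
RECORD_KEY = b"constructed-demo-key-change-me"


def record_acceptance(user_id, remote_addr, documents, now=None):
    """Build a sealed record of one signup acceptance.

    documents maps a document name to the exact text shown to the user.
    """
    # Normalise and validate the address; raises ValueError on garbage.
    ip = str(ipaddress.ip_address(remote_addr.strip()))
    ts = (now or datetime.now(timezone.utc)).astimezone(timezone.utc)
    record = {
        "user_id": user_id,
        "accepted_at": ts.isoformat(timespec="seconds"),
        "ip": ip,
        # Hash of each document ties the acceptance to the wording in force.
        "documents": {
            name: hashlib.sha256(text.encode("utf-8")).hexdigest()
            for name, text in sorted(documents.items())
        },
    }
    record["seal"] = _seal(record)
    return record


def _seal(record):
    # Canonical JSON (sorted keys, fixed separators) so the MAC is stable.
    body = {k: v for k, v in record.items() if k != "seal"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hmac.new(RECORD_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def verify_acceptance(record):
    """Return True if the record has not been altered since it was sealed."""
    return hmac.compare_digest(record.get("seal", ""), _seal(record))
```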
If you have an API, your developer documentation should prominently reference the AUP. API users are often the category most likely to push limits — rate limit circumvention, scraping, automated abuse — so having the rules clearly visible in developer-facing docs is both practical and legally smart.
Consider linking to the AUP in your API error responses too. When a request is rejected for policy reasons, the error message can point directly to the relevant section.