← Back to home

Acceptable Use Policy

Effective date: May 13, 2026 · Custodia, LLC, Pittsburgh, Pennsylvania, USA

This Acceptable Use Policy (“AUP”) governs all use of the BidFedCMMC platform (the “Service”) and is incorporated by reference into our Terms of Service. Violation of this AUP is a material breach of the Terms and may result in immediate suspension or termination, with or without notice, and may be reported to law enforcement.

1. Prohibited content

You may not upload, store, transmit, or process through the Service:

  • Controlled Unclassified Information (CUI) of any category.
  • Classified information of any level.
  • Protected Health Information (PHI) regulated by HIPAA.
  • Payment-card primary account numbers (PAN) outside of the supported payment processor.
  • Social Security numbers, biometric identifiers, or precise geolocation of natural persons.
  • Technical data subject to ITAR (22 CFR 120–130) or EAR (15 CFR 730–774) restrictions, unless a specific written authorization from BidFedCMMC is in place.
  • Data of children under 13 (COPPA) or other minors.
  • Personal data of individuals located outside the United States that triggers obligations under non-U.S. law (e.g., GDPR, UK GDPR, PIPL).
  • Content that is unlawful, defamatory, harassing, fraudulent, infringing, obscene, or that promotes violence or discrimination.
  • Malware, ransomware, exploit code, or other malicious payloads.

2. Prohibited conduct

You may not:

  • Submit false, fabricated, or fraudulent compliance evidence, attestations, or affirmations through the Service.
  • Use the Service to facilitate any fraud, false claim, wire fraud, or misrepresentation against the United States Government, any prime contractor, or any other party. False statements may be prosecuted under the False Claims Act (31 U.S.C. §§ 3729–3733) and 18 U.S.C. § 1001.
  • Reverse-engineer, decompile, disassemble, scrape, frame, mirror, sublicense, white-label, or resell the Service.
  • Use automated means to access the Service except as expressly permitted by published APIs.
  • Attempt to gain unauthorized access to any account, tenant, system, or data not your own.
  • Probe, scan, or test the vulnerability of the Service except under a written authorization from BidFedCMMC (see our Security overview for the coordinated-disclosure process).
  • Circumvent rate limits, authentication, audit logging, attestation signatures, or evidence-hash integrity controls.
  • Use the Service to develop, train, or benchmark a competing product or model.
  • Use the Service to send unsolicited bulk email, SMS, or autodialed calls.
  • Misuse AI features to generate misleading evidence, impersonate persons, or evade compliance obligations.
  • Use the Service in connection with sanctioned persons or jurisdictions, or in violation of U.S. export-control laws.

3. Account hygiene

  • Keep your credentials confidential. Enable multi-factor authentication when offered.
  • Notify us promptly if you suspect unauthorized access at security@bidfedcmmc.com.
  • Each user must use their own account. Do not share logins.
  • Promptly remove access for users who leave your organization.

4. Enforcement

BidFedCMMC may investigate suspected violations of this AUP. We may remove content, suspend, or terminate access immediately if we determine, in our reasonable discretion, that conduct violates this AUP or poses a risk to the Service, our customers, or any third party. Where required by law or where public safety is at risk, we may cooperate with law enforcement.

5. Reporting violations

Report suspected violations to abuse@bidfedcmmc.com. Report security vulnerabilities to security@bidfedcmmc.com (see also /.well-known/security.txt).