Acceptable Use Policy

This Acceptable Use Policy (“AUP”) applies to all Services provided by Yhost. It is incorporated into the Terms of Service. Violations may result in suspension or termination, often without prior notice where necessary to protect the network or comply with law.

1. Core Principles

• Lawful use: You may use the Services only for lawful purposes and in compliance with Applicable Law.
• Network integrity: Your activity must not impair, disrupt, or damage our infrastructure or other customers’ services.
• Safety and trust: You must not use the Services to harm others, steal credentials, distribute malware, or deceive users.
• Abuse prevention: We operate under strict upstream and payment-processor requirements; fast response to abuse is mandatory.

2. Prohibited Activities

2.1 Malware, Exploits, and Unauthorized Access

• Distributing malware, ransomware, spyware, keyloggers, or other malicious code.
• Operating botnets, command-and-control servers, or malware distribution infrastructure.
• Phishing, credential harvesting, “fake login” pages, or any attempt to obtain passwords, tokens, or payment data fraudulently.
• Unauthorized access attempts, exploitation of vulnerabilities, brute force attacks, credential stuffing, or scanning without permission.
• Hosting or distributing exploit kits, unauthorized “cracks”, or tools designed primarily for unlawful intrusion.

2.2 Spam and Email Abuse

• Sending unsolicited bulk emails, messages, or advertisements (“spam”).
• Using purchased/rented lists, harvesting email addresses, or sending to recipients without valid consent or a lawful basis.
• Operating open mail relays or misconfigured SMTP servers that enable abuse.
• Activities causing blocklisting of our IP ranges or domains (e.g., high complaint rates, deceptive headers, spoofing, abusive bounces).

We may block outbound SMTP ports, impose rate limits, or require verified sender authentication (SPF/DKIM/DMARC). Deliverability is not guaranteed.

2.3 DDoS, Traffic Flooding, and Network Attacks

• Launching or participating in DDoS attacks, reflection/amplification attacks, or traffic flooding.
• Operating open DNS resolvers, NTP amplifiers, open proxies, or other services that can be abused for attacks.
• Attempting to disrupt network routing, peering, or upstream services.

2.4 Illegal Content and Harmful Content

• Content that violates criminal laws, including CSAM (zero tolerance; reported and removed immediately).
• Content that promotes violence or terrorism, or that is intended to facilitate serious wrongdoing.
• Deceptive or fraudulent schemes, including impersonation, fake “support” pages, or scam storefronts.
• Content that infringes intellectual property rights (copyright, trademarks) or privacy rights.

2.5 High-Risk and Restricted Commerce

Unless expressly approved in writing, you must not use the Services to sell or promote:

• Illegal drugs or controlled substances, or instructions for illegal manufacture.
• Counterfeit goods or “replica” items.
• Stolen payment data, “carding” content, or fraud tutorials.
• Unlicensed financial services or deceptive investment schemes.

2.6 Resource Abuse

• Running workloads that unreasonably consume CPU, RAM, disk I/O, or network bandwidth and degrade service for others in shared environments.
• Using the Services primarily as a file dump, public mirror, or media distribution platform when not included in your plan.
• Operating cryptocurrency mining or similar compute-intensive tasks on shared hosting (and on VPS only where it violates plan rules or causes upstream issues).

2.7 Prohibited Testing

• Penetration testing, port scanning, or vulnerability exploitation against our infrastructure without prior written permission.
• Benchmarking or load-testing that could impact other customers without coordinating with support.

3. Security and Operational Requirements

3.1 Account Security

You must use strong passwords and enable multi-factor authentication where available. You are responsible for all actions performed via your credentials. Compromised accounts are a major cause of abuse; we may suspend services until you remediate.

3.2 Software Maintenance

You must keep your CMS, plugins, themes, frameworks, and server packages up to date. Outdated software is commonly exploited. If we detect a critical vulnerability on your service, we may notify you and require you to patch within a defined timeframe. In urgent cases, we may temporarily disable the vulnerable component.

3.3 Web Application Firewalls and Rate Limits

We may use WAF rules, bot filtering, and rate limits. You must not attempt to bypass them. If your legitimate traffic is blocked, contact support with details and we will investigate.

4. Abuse Handling and Enforcement

4.1 How to Report Abuse

Report abuse to [email protected] and include: affected domain/IP, timestamps, log excerpts (if any), and a description of the issue. For copyright complaints, provide clear identification of the material and your rights.

4.2 Our Response

We triage abuse based on severity:

• Critical (immediate action): malware, phishing, botnets, DDoS, CSAM, active exploitation. We may suspend immediately and notify you after containment.
• High (urgent): spam outbreaks, repeated compromise, serious policy breaches. We may require remediation within hours.
• Standard: content complaints, minor technical policy issues. We may provide a cure period.

4.3 Suspension and Termination

We may suspend or terminate Services for AUP violations. We may remove or disable access to content that violates this AUP or Applicable Law. We may permanently block repeat offenders or accounts associated with fraud. In some cases (e.g., confirmed CSAM or fraud), we may refuse any future service.

4.4 Logs and Evidence Preservation

We may preserve logs and relevant data to investigate abuse, comply with law, or respond to upstream providers. We may share necessary information with competent authorities or affected parties where legally permitted.

5. Contact and Updates

If you have questions about this AUP, contact [email protected]. We may update this AUP as our services evolve. Continued use after updates constitutes acceptance.

2.8 Proxies, VPNs, and Anonymization Services

• Operating open proxies, open VPN endpoints, SOCKS relays, or “bulletproof” hosting services is prohibited.
• Tor exit nodes and similar anonymization exit services are prohibited unless explicitly approved in writing, due to high abuse risk and upstream policy constraints.
• Reverse proxies for your own lawful website are allowed, provided they are not open to the public and do not enable third-party abuse.

2.9 Illegal or Sensitive Data Processing

You are responsible for ensuring you have a lawful basis to process personal data and that you provide required notices to end users. Unless we explicitly agree in writing, you must not use the Services to process highly regulated data requiring specialized compliance frameworks, including:

• Payment card data as a primary storage system (PCI DSS environments must be properly scoped and secured).
• Protected health information subject to HIPAA or equivalent healthcare laws where a specific business associate agreement is required.
• Government classified information or export-controlled technical data requiring special handling.

3.4 Compromise and Cleanup Requirements

If your account is compromised, you must promptly reset credentials, patch vulnerable software, remove malicious files, and close attack vectors. We may require you to:

• Provide a remediation plan and confirm completion.
• Rebuild a VPS from a clean image if integrity is uncertain.
• Implement MFA and IP allowlisting for administrative interfaces where feasible.

If repeated compromise occurs, we may require you to upgrade to a managed security service or we may terminate service to protect the network.

4.5 Appeals

If you believe an enforcement action was taken in error, you may appeal via the client portal. Provide evidence and a clear explanation. We will review in good faith, but we may keep a suspension in place until we are satisfied the risk is mitigated.

2.10 Copyright and Intellectual Property Complaints

We take IP rights seriously. If we receive a sufficiently detailed complaint (including identification of the protected work and the allegedly infringing material), we may disable access to the material and notify you. For U.S. complaints, we apply a DMCA-style process. Repeat infringers may have their Services terminated.

3.5 IP Reputation and Reverse DNS

For dedicated IP services, you are responsible for maintaining good sending practices. We may require rDNS alignment, SPF/DKIM/DMARC configuration, and removal of compromised scripts. If your activity harms IP reputation (e.g., blocklisting), we may reassign or revoke IP resources or require use of external mail delivery services.

Upstream providers and datacenters may impose additional requirements. Where an upstream policy requires stricter enforcement than this AUP, we may apply the upstream rule to protect service continuity for all customers.

Nothing in this AUP prevents lawful research or security testing conducted exclusively on systems you own or have explicit permission to test, provided it does not impact our infrastructure or other customers.

Additional Rules for Hosting, Email, and Domains

1. Outbound Email and High-Risk Ports

To protect our network reputation, upstream providers, and other customers, we may restrict or rate-limit outbound email (SMTP) and certain ports by default on some plans or for new accounts. We may require identity/business verification before enabling outbound email or removing restrictions. You must not use our services to send spam, unsolicited bulk messages, or messages that violate applicable law (including Canada’s Anti-Spam Legislation where applicable).

2. Self-Managed Responsibility

Self-Managed means you are responsible for the security and operation of your applications and websites. You must keep your CMS, plugins, themes, and dependencies up to date, and you must promptly remediate compromised scripts, phishing pages, and malware within your account. Repeated compromise or failure to remediate may result in suspension or termination.

3. Domain Abuse

You must not register or use domains for phishing, brand impersonation, malware distribution, unlawful content, or other abusive activity. We may suspend DNS, redirect, lock, or disable domain-related services where required by a registry/registrar, a lawful request, or to mitigate abuse.