An acceptable use policy defines what customers can and can’t do with your service. It’s the boundary document. Done well, it protects your platform, your other customers, and your business without creating friction for legitimate use. Done poorly, it’s either so vague it’s unenforceable or so broad it makes customers uncomfortable signing.
Most B2B SaaS companies either skip the AUP entirely (relying on general “don’t do anything illegal” language in their Terms of Service) or copy one from a consumer platform that doesn’t apply to their product. Neither approach works.
The Standard Categories
Every B2B SaaS AUP should address a baseline set of prohibited activities.
Illegal activity. The customer may not use the service for any purpose that violates applicable law. This is your catch-all, but it shouldn’t be your only provision. Relying solely on “don’t break the law” leaves you without a contractual basis for restricting activity that’s harmful to your platform but not necessarily illegal.
Security violations. Prohibit attempts to breach, test, or circumvent the security of the service, including unauthorized access to other customers’ data, accounts, or infrastructure. In a multi-tenant environment, this is essential: one customer probing the platform is probing the boundary that protects every other tenant. If you run a vulnerability disclosure or penetration testing program, state that security testing is permitted only with your prior written authorization, so the prohibition and the program don’t conflict.
Abuse of shared resources. Prohibit activity that degrades performance for other customers — excessive resource consumption, denial-of-service behavior (whether intentional or the result of runaway or negligent automation), and any activity that places a disproportionate load on shared systems. Framing this as a contractual prohibition matters because the effect on other tenants is the same whether the load was malicious or accidental.
Competitive use. Prohibit using the service to build a competing product or service.
SaaS-Specific Provisions
Beyond the baseline, your AUP should address concerns specific to how SaaS products are used and abused.
Reverse engineering, decompilation, and disassembly. Prohibit any attempt to reverse engineer, decompile, disassemble, or otherwise derive the source code, algorithms, or architecture of the service. This provision matters more than it used to. With AI-assisted coding tools, the barrier to reverse engineering a product from the inside has dropped significantly: a customer with deep access to your platform’s behavior, APIs, and outputs can use AI tools to reconstruct functionality that previously would have required substantial engineering effort.
API usage and rate limiting. If your product exposes APIs, define acceptable usage patterns. Set rate limits, prohibit automated scraping or bulk data extraction beyond intended use, and specify that API access is subject to the usage terms in the customer’s Order Form.
Data scraping and extraction. Separate from API abuse, prohibit using the service to systematically extract, scrape, or harvest data for purposes outside the intended use of the platform.
Resale and redistribution. Prohibit reselling access to the service or redistributing outputs in a way that effectively gives unauthorized third parties the benefit of your platform without a direct customer relationship.
Multi-tenancy abuse. If your platform supports multiple workspaces or organizational units under a single account, define the boundaries. Prohibit using a single-entity account to provide access to multiple unaffiliated organizations as a way to avoid additional licensing fees.
AI-Specific Considerations
If your product includes AI features, your AUP should address AI-related use. The specific provisions will vary by product — there’s no universal set of AI restrictions that applies to every B2B SaaS product. But there are categories worth considering.
Input restrictions. If your AI features process customer-provided inputs, consider whether to restrict the types of data customers can submit — for example, prohibiting the input of data that infringes third-party intellectual property rights, or data the customer doesn’t have the right to process through your service.
Output use restrictions. Consider whether certain downstream uses should be restricted: using outputs to train competing AI models, representing AI-generated outputs as human-created work in contexts where that distinction matters, or using outputs in safety-critical applications if your product isn’t designed for that purpose.
Automated and agentic use. If your platform supports or can be used by AI agents acting on behalf of the customer, define the boundaries of automated use. This connects to your billing terms (how agent-driven usage is metered) and to your acceptable use framework (what an AI agent is and isn’t permitted to do within your platform).
The AI landscape is evolving quickly, and your AUP provisions should be reviewed regularly as new use patterns emerge.
Enforcement: What Happens When a Customer Violates the AUP
Right to suspend. Include a provision allowing you to suspend the customer’s access immediately upon discovering a material AUP violation, with notice provided as soon as reasonably practicable. Suspension is the critical enforcement tool because it lets you stop harmful activity without immediately terminating the relationship.
Right to terminate. For serious or repeated violations, your Terms should allow termination for cause. An AUP violation should qualify as a material breach that triggers your standard termination for cause provisions.
No liability for enforcement. Include a provision stating that you’re not liable for any disruption to the customer’s use resulting from enforcement of the AUP. Without this, a customer whose access was suspended for a legitimate AUP violation could argue that the suspension caused them damages.
Inline vs. Separate Document
Inline (AUP provisions within your Terms of Service) reduces the number of documents in your contracting stack. For most seed-stage companies, inline is simpler and sufficient.
Separate document (a standalone AUP incorporated by reference) has its own advantages. It can be easily accessible to end users who don’t have access to the full contract, posted on your website as a standalone page, and updated independently from your Terms.
The deciding factor is audience. If the people who need to follow the AUP are the same people who sign the contract, inline works. If the people who need to follow the AUP are developers, end users, or team members who will never read the Terms, a separate accessible document is better.
No Boiler provides self-service legal document generation and educational content. This material is general in nature and is not a substitute for legal advice. Please have a qualified attorney review any documents before relying on them.