karta
Sign in Join the waitlist
// aup

Acceptable Use Policy.

Last updated: 2026-06-25

This Acceptable Use Policy ("AUP") governs use of the Karta Services by Customers, Authorized Users, resellers, end users, agents, integrations, and anyone acting through a Karta account, key, embed, API, Agent, or Release. It is incorporated into, and forms part of, the Karta Terms of Service (the "Terms"). Capitalized terms used but not defined in this AUP have the meanings given in the Terms. If there is a conflict between this AUP and the Terms with respect to permitted and prohibited uses, this AUP controls.

The Karta Services are for business and developer use only. They are not directed to, and may not be used for, personal, family, or household purposes, and may not be made available to or directed at children. Authorized Users and any individual acting through the Services must be at least 18 years old.

A violation of this AUP by a Customer, an Authorized User, a reseller, an end user, an Agent, or anyone acting through the Customer's account, keys, embeds, or Releases is a material breach of the Terms, and Karta's enforcement rights under Section 7 apply in addition to all other rights and remedies available to Karta under the Terms and at law.

1. Customer Responsibility and Flow-Down

Customer is responsible for its Agents, Agent Actions, Customer Content, Authorized Users, resellers, end users, and downstream uses, including all activity conducted through its account, keys, embeds, Releases, and Agents, whether or not authorized by Customer, except to the extent such unauthorized activity results directly from Karta's breach of its security obligations under the Terms or Karta's gross negligence or willful misconduct. Customer must ensure that its end-user terms, reseller agreements, product controls, and operational practices prohibit activity that violates this AUP, and must flow down to its Authorized Users, resellers, and end users terms at least as protective as this AUP. Customer is solely responsible for obtaining all consents and providing all notices required for its Agents, Customer Content, and end-user data, and for establishing the lawful basis for any processing it directs through the Services. Customer remains responsible and liable for violations of this AUP by its Authorized Users, resellers, and end users, and that responsibility survives termination of their access.

Karta's relationship is with Customer; Karta is not a party to the relationship between Customer and its end users. This AUP binds Authorized Users, resellers, and end users only as flowed down by Customer through its own terms, and any obligation or restriction expressed in this AUP as applying to an Authorized User, reseller, or end user is an obligation that Customer must impose and enforce, not a direct contract between Karta and that person. Nothing in this AUP waives or limits any right that cannot be waived or limited under applicable law, including non-waivable consumer-protection rights of end users.

Where an Agent acts autonomously, the action is attributable to the Customer that configured and deployed it. "The agent did it" is not a defense.

Model Provider usage policies also apply. A violation of an applicable upstream model, platform, or service policy (including the Anthropic Usage Policy and any other Model Provider policy applicable to the traffic) is a violation of this AUP. For BYOK traffic, Customer is also responsible for complying with, and ensuring its end users comply with, the usage policies and terms of the Customer's own Model Provider. Customer must not configure or use the Services in any manner that would cause Karta to breach an upstream Model Provider's policies or terms.

2. Prohibited Uses

You may not use the Services to create, host, transmit, facilitate, enable, instruct, automate, or promote:

  • illegal activity or violation of applicable law;
  • child sexual abuse material, child exploitation, grooming, sextortion, or sexualization of minors;
  • human trafficking, prostitution, illegal drugs, weapons, explosives, or unlawful regulated goods;
  • violence, terrorism, violent extremism, threats, harassment, stalking, doxxing, or non-consensual intimate imagery;
  • hate or abuse targeting protected characteristics;
  • malware, ransomware, credential theft, phishing, botnets, unauthorized vulnerability exploitation, or unauthorized access;
  • attacks on critical infrastructure, voting systems, healthcare systems, financial systems, telecommunications, or public safety systems;
  • chemical, biological, radiological, nuclear, explosive, or other weapon development or evasion;
  • fraud, scams, deceptive impersonation, predatory practices, or manipulation;
  • spam, bulk unsolicited outreach, abusive scraping, automated account creation, or rate-limit/policy evasion;
  • coordinated inauthentic behavior, large-scale disinformation, or deceptive civic/election influence;
  • unlawful surveillance, biometric identification, emotion inference, social scoring, or privacy-invasive profiling;
  • infringement or misappropriation of intellectual property or trade secrets;
  • crypto mining or resource consumption unrelated to operating an Agent on Karta;
  • use, export, re-export, or transfer of the Services in violation of applicable export-control, economic-sanctions, or anti-boycott laws (including U.S. OFAC sanctions and the Export Administration Regulations), or by, on behalf of, or for the benefit of any person or entity that is the subject of such sanctions or that is located in or ordinarily resident in an embargoed or sanctioned country or region;
  • use of the Services or any model outputs to train, fine-tune, distill, benchmark for competitive purposes, or otherwise create or improve a competing AI model, foundation model, or dataset, or any other use prohibited by an applicable Model Provider's policy or model license;
  • high-impact decisions about people without legally required safeguards and meaningful human review; or
  • any use prohibited by a Model Provider's usage policy, applicable model license, or Karta service-specific terms.

The above lists in this Section and in Section 3 are illustrative and not exhaustive. Karta may determine in its reasonable discretion that other conduct violates the letter or spirit of this AUP, and may treat such conduct as a violation.

3. Agent-Specific Abuse

Because Karta hosts agents that can use tools and take actions, you may not:

  • configure an Agent to bypass another system's terms, paywalls, rate limits, safety controls, or access controls;
  • use Agents to exfiltrate data through prompt injection or tool misuse;
  • allow Agents to run uncontrolled loops, self-replication, fork bombs, or runaway resource usage;
  • use Agents for mass outreach, scraping, account creation, or posting without lawful basis and platform permission;
  • conceal from end users that they are interacting with AI where disclosure is legally required or where nondisclosure would mislead a reasonable person;
  • use Agents to make legal, medical, financial, employment, housing, credit, insurance, education, or similarly significant decisions without qualified human review; or
  • connect Agents to third-party tools, MCP servers, or accounts without authorization to use those systems and data.

For high-risk use cases — including legal, healthcare, insurance, finance, employment, housing, credit, academic testing or admissions, and the automated generation and publication of journalistic or professional content — that influence decisions affecting individuals, Customer must, where required by applicable law or an upstream Model Provider's policy: (a) ensure a qualified human reviews relevant advice, recommendations, or decisions before they are finalized or disseminated; and (b) disclose to affected end users, at least at the start of each session, that AI is being used. Where an end user interacts with an Agent that is a consumer-facing chatbot or interactive AI, Customer must disclose that the end user is interacting with AI rather than a human. Customer is solely responsible for the accuracy and appropriateness of Agent outputs and for validating outputs before relying on or distributing them. Karta provides no professional, legal, medical, financial, or other regulated advice.

4. Security and Platform Integrity

You may not probe, scan, test, or attack Karta systems except through Karta's authorized vulnerability disclosure policy, and any researcher safe-harbor or good-faith-testing conditions are satisfied only if the reporter complies fully with that policy; the burden of demonstrating compliance is on the reporter. You may not interfere with tenant isolation, microVM/session isolation, authentication, API keys, embeds, billing controls, audit logs, or the integrity and availability of the Services. You may not reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code, models, or underlying structure of the Services, or circumvent or disable any technical protection, rate limit, usage measurement, geographic restriction, or access control, except to the extent this restriction is prohibited by applicable law. You may not conduct benchmarking, load testing, penetration testing, or competitive performance testing of the Services without Karta's prior written consent.

In addition to its other rights and remedies, Karta may recover from Customer the reasonable costs it incurs as a result of conduct that violates this Section or otherwise threatens the security, integrity, or availability of the Services, including the costs of investigation, remediation, and enforcement.

5. Billing and Credit Abuse

Karta allows Customers to sell access to their own Agents. Karta does not allow abuse of Karta's billing, credits, keys, or managed model access.

Prohibited conduct includes stolen payment methods, chargeback abuse, fraudulent credits, multi-account abuse to obtain promotional credits, sharing Karta API keys outside authorized use, reselling Karta-managed model access as a standalone service, and evading spend caps, rate limits, or fair-use ceilings. Customer is responsible for configuring its Agents to prevent runaway autonomous loops, uncontrolled retries, and other excessive or unintended resource consumption, and remains responsible for all usage and charges resulting from such conduct. Karta may, in addition to its other enforcement rights, throttle, suspend, recover the costs of usage that abuses Karta's billing, credits, keys, or managed model access, forfeit or revoke any promotional, trial, or other Credits obtained through fraud, abuse, or violation of this AUP, and recover the reasonable costs of investigating and enforcing against such abuse. Karta may also charge a reasonable administrative fee, not to exceed Karta's actual processing and handling costs, for each chargeback or payment reversal that is later determined to be invalid.

6. Regulated and Sensitive Data

Unless Karta expressly agrees in writing, you may not submit, transmit, or process through the Services any protected health information, payment-card or cardholder data subject to PCI DSS, Social Security numbers, government-issued identifiers, financial-account or GLBA-regulated data, or other regulated, special-category, or sensitive data requiring a special contractual or compliance pathway. Karta is not currently SOC 2 certified, is not a HIPAA business associate, and is not certified under the EU-U.S. Data Privacy Framework; the Services are not designed or authorized for regulated data absent a separate written agreement. Customer is solely responsible for screening and excluding such data, and any submission of such data in breach of this Section is subject to Customer's indemnification obligations under the Terms and governed by the liability provisions of the Terms.

7. Monitoring and Enforcement

Karta may, in its sole discretion, monitor, investigate, review, block, throttle, modify, disable, suspend, remove, or terminate access to enforce this AUP, protect users and third parties, comply with law, and satisfy upstream-provider obligations. Karta has no obligation to monitor, but may do so to the extent permitted by law and the applicable Data Processing Addendum. To the extent any enforcement or monitoring action involves Processing of End-User Data for which Karta acts as processor, Karta performs that action on the documented instructions of Customer (which Customer gives by accepting this AUP and the Terms) and as necessary to comply with Karta's legal obligations and to ensure the security and integrity of the Services, as further described in the Data Processing Addendum.

Karta usually tries to act at the smallest effective scope, such as a session, end user, key, Release, Agent, or organization. Karta may act immediately and without prior notice for emergencies, child-safety issues, active abuse, security threats, legal risk, upstream-provider violations, or imminent harm.

Enforcement may include warnings, remediation requests, rate limits, output/action blocks, key revocation, Agent suspension, account suspension, termination, referral to law enforcement, and evidence preservation where legally required. The operational mechanics, escalation, and prioritization of Karta's safety enforcement are described in the Karta Trust & Safety Policy; that policy is referenced here and not duplicated, and nothing in it limits the enforcement rights set out in this AUP or the Terms.

Karta is not liable to Customer for any action taken in good faith to enforce this AUP (and Customer is responsible for the corresponding treatment of its Authorized Users, resellers, and end users under Customer's own terms), and no such action entitles Customer to any refund, credit, any remedy under an applicable service level agreement (if any), or extension. Credits or fees attributable to usage that is suspended, blocked, or terminated for a violation of this AUP, as finally determined by Karta (including after any appeal under Section 9), are non-refundable. Customer remains responsible for all amounts incurred up to the time of enforcement.

Karta's failure to enforce, or delay in enforcing, any provision of this AUP is not a waiver of its right to enforce that or any other provision later.

Sections 1 (Customer Responsibility and Flow-Down), 5 (Billing and Credit Abuse), 6 (Regulated and Sensitive Data), and this Section 7, together with each accrued payment obligation and cost-recovery, indemnification-trigger, and non-refundability provision in this AUP, survive any suspension or termination of access or of the Terms. This Section is intended to supplement, and not to limit or supersede, the survival provisions of the Terms.

8. Reporting

Report abuse, prohibited content, or AUP violations through Karta's abuse-reporting channel or by emailing legal@karta.sh. Report security vulnerabilities through Karta's vulnerability disclosure process or by emailing security@karta.sh. Report copyright issues through the Karta DMCA / Copyright Policy or by emailing dmca@karta.sh. Privacy concerns may be sent to privacy@karta.sh. General legal issues may be sent to legal@karta.sh.

9. Appeals

If Karta takes an enforcement action and Customer believes it was mistaken, Customer may appeal by replying to the enforcement notice or by contacting legal@karta.sh. Appeals are between Karta and Customer; Karta does not adjudicate appeals directly with Authorized Users, resellers, or end users, and Customer is responsible for handling any appeal from such persons under Customer's own terms. Karta will review timely appeals but is not obligated to reverse any action, and any decision on appeal is at Karta's discretion. Appeals do not pause or suspend emergency, child-safety, security, legal-compliance, or upstream-provider-required actions, and do not pause Customer's payment obligations.

10. Changes

Karta may update this AUP as risks, laws, and upstream-provider policies change. Material changes will be communicated in accordance with the notice provisions of the Terms, and nothing in this AUP shortens any minimum notice period the Terms require for material changes. Changes required to address an emergency, comply with law, or comply with an upstream Model Provider's policy may take effect immediately. Continued use of the Services after an update takes effect constitutes acceptance of the updated AUP.