Travis ASM – Acceptable‑Use Policy (AUP)

Version: 1.86
Last Modified Date: August 19, 2025

Applies to: All individuals, entities, and automated systems ("Users") who access or use the Travis ASM SaaS platform ("Service") — including employees, contractors, partners, customers, and any third-party integrations.

1. Purpose

This Acceptable-Use Policy (AUP) defines the permissible and prohibited ways in which the Service may be used. It is intended to protect:

  • Travis ASM, its customers, and the broader Internet community from misuse, abuse, or illegal activity.
  • The confidentiality, integrity, and availability of data processed by the Service.
  • Compliance with applicable laws, regulations, and contractual obligations (e.g., NIST, CMMC, PCI-DSS, GDPR, HIPAA).

By accessing the Service, Users agree to be bound by this AUP. Failure to comply may result in suspension, termination, and/or legal action.

2. Scope

This AUP covers all interactions with the Service, including but not limited to:

  • Web-based UI, API calls, and SDK integrations.
  • Upload, storage, processing, and retrieval of data (asset inventories, scan results, reports, etc.).
  • Use of any ancillary tools provided by Travis ASM (e.g., alert webhooks, email notifications, dashboards).

The AUP applies regardless of the method of access (browser, script, mobile app, or third-party service).

3. Definitions

Term | Definition
Asset | Any Internet-exposed entity discovered or managed by the Service (domain, IP address, cloud resource, AI endpoint, IoT device, etc.).
Scanning | Automated or manual probing performed by the Service (port scans, banner grabs, vulnerability checks, AI-model assessments, etc.).
Customer Data | Information uploaded or generated by a Customer (including asset lists, credentials, configuration files, scan results).
Confidential Information | Any non-public data belonging to a Customer, Travis ASM, or a third party that is marked or reasonably understood to be confidential.
Authorized Use | Use of the Service expressly permitted by the Customer’s subscription agreement, this AUP, and any applicable law.
Unauthorized Use | Any use that falls outside the Authorized Use definition.


4. Acceptable Use

Users may:

  1. Perform legitimate security testing – Conduct automated asset discovery, vulnerability scanning, and risk-assessment activities only on assets they own or have written permission to test.
  2. Access, store, and transmit Customer Data – Use the Service to ingest, process, and retrieve data necessary for security management, provided the data is handled in accordance with the Customer’s policies and applicable privacy regulations.
  3. Integrate with authorized third-party systems – Use the Service’s REST API, webhooks, or SDKs to feed data into SIEMs, ticketing platforms, or other security tools, provided the integration follows Travis ASM’s API-usage guidelines.
  4. Share aggregated, anonymized data – Export or publish statistical data that has been stripped of any identifying information (see Section 9).
  5. Participate in community programs – Contribute to bug-bounty, research, or advisory programs when expressly invited by Travis ASM.


All acceptable activities must be performed in a non-intrusive, low-impact manner that does not disrupt the availability or normal operation of the target system.

5. Prohibited Use

Users must not:

Category | Specific Prohibited Actions
Illegal Activities | Engage in any activity that violates local, national, or international law (e.g., hacking, unauthorized access, fraud, trafficking).
Unauthorized Scanning | Scan, enumerate, or test any asset without documented owner permission (including .gov, .mil, or any other governmental domains).
Disruption & Denial-of-Service | Conduct high-volume or aggressive scans designed to degrade, crash, or otherwise impair the availability of a target system.
Malicious Payloads | Transmit, upload, or execute malware, ransomware, spyware, or any malicious code via the Service.
Data Abuse | Store, transmit, or process personal data that is not required for the Service’s purpose, or that violates privacy laws (e.g., GDPR, CCPA).
Credential Misuse | Upload or use stolen, guessed, or otherwise unauthorized credentials in any credential-based scan.
Impersonation & Spoofing | Forge headers, IP addresses, or any identifying information to conceal the source of scanning activity.
Commercial Exploitation | Sell, license, or otherwise redistribute the Service’s raw firmware, binaries, or un-anonymized scan data without explicit written consent from Travis ASM.
Security Circumvention | Attempt to bypass, interfere with, or disable Travis ASM security mechanisms (e.g., rate limiting, authentication, encryption).
Harassment & Abuse | Use the Service to harass, threaten, or otherwise target individuals or groups.
Violation of Third-Party Policies | Perform scans that contravene the terms of service of third-party platforms (e.g., cloud providers, SaaS applications).


Violations may be reported to law-enforcement authorities and will be handled in accordance with Section 8.

6. User Responsibilities

  1. Obtain Authorization – Prior to any scanning, secure written permission from the asset owner. Maintain records of such authorizations for audit purposes.
  2. Secure Credentials – Store any credentials used for scans in a secure vault; never embed them in plain-text scripts or configuration files.
  3. Limit Scope – Define clear scanning scopes (IP ranges, domains, ports) and enforce them through the Service’s configuration settings.
  4. Monitor Impact – Observe scan results for signs of adverse impact (e.g., increased latency, error spikes) and suspend scanning immediately if disruption is detected.
  5. Report Incidents – Notify Travis ASM Support ([email protected]) within 24 hours of any suspected breach, misuse, or unexpected behavior of the Service.
  6. Maintain Privacy – Apply appropriate data-minimization and anonymization techniques when exporting or sharing findings with third parties.


7. Security & Compliance

  • Encryption – All communications with the Service must use TLS 1.2 or higher.
  • Access Controls – Users shall employ strong, unique passwords (or SSO/MFA) for all Service accounts.
  • Data Retention – Customer Data is retained per the Customer’s data-retention policy; Travis ASM will delete data upon lawful request or contract termination, except where required for legal or compliance reasons.
  • Regulatory Alignment – The Service is designed to support NIST, CMMC, PCI-DSS, HIPAA, GDPR, and other relevant frameworks. Users must ensure their use of the Service aligns with the specific controls of the applicable framework(s).


8. Enforcement & Violations

Severity | Action
Minor (e.g., accidental scanning of public IP) | Warning, required corrective action, temporary suspension of affected account.
Serious (e.g., intentional unauthorized scanning) | Immediate account termination, removal of access tokens, possible legal action, notification to affected parties and regulators.
Criminal (e.g., distribution of malware, fraud) | Full cooperation with law-enforcement, preservation of logs, potential civil and criminal prosecution.

Travis ASM reserves the right to investigate any suspected violation, preserve logs, and disclose relevant information to authorities or affected parties as required by law.


9. Anonymized Data for Research & Product Improvement

  • Travis ASM may use aggregated, anonymized data (e.g., total number of assets discovered per sector, generic vulnerability trends) to improve the platform and for research publications.
  • Anonymization removes all identifiers that could reasonably link the data back to a specific Customer, IP address, domain name, or credential.
  • Customers may opt out of any anonymized data sharing by contacting [email protected] with the subject line "Data-Sharing Opt-Out". Opt-out requests are honored within 5 business days.


10. Monitoring & Auditing

  • Travis ASM continuously monitors Service usage for patterns indicative of abuse (rate-limit violations, repeated failed authentication, anomalous scan payloads).
  • Automated alerts trigger internal review; findings may be reported to the offending User with a remediation request.
  • Audits may be performed on a quarterly basis or upon request from a Customer, regulator, or law-enforcement agency.


11. Amendments

Travis ASM may revise this AUP at any time. Notice of material changes will be posted on the Travis ASM portal and emailed to all registered account administrators at least 30 days before the effective date. Continued use of the Service after such notice constitutes acceptance of the updated AUP.


12. Contact Information

Security & Policy Office
Email: [email protected]
Phone: +1-888-555-0199 (US toll-free)

For questions regarding this AUP, data-privacy concerns, or to submit an opt-out request, please use the contact details above.


Acknowledgement

By logging into or otherwise using the Travis ASM Service, you acknowledge that you have read, understand, and agree to abide by this Acceptable-Use Policy.