Does a small SaaS need an AUP?

Yes if the service exposes any user-controlled surface — uploads, comments, public pages. The AUP gives the operator a clear basis to remove abuse without renegotiating the contract.

Where should the AUP live?

Either as a standalone page linked from the terms or as a section of the terms themselves. Both formats are acceptable; the standalone page is easier to update.

Acceptable use policy examples for hosted services

Examples of acceptable use policy clauses for hosted SaaS, marketplaces, and user-generated content platforms.

Why an AUP matters

An acceptable use policy gives the operator a defensible basis to act on abuse. Without one, every removal turns into a contract argument. With one, the operator points to a specific clause.

Network and infrastructure abuse

Common entries: no port scanning, no denial-of-service activity, no unauthorized access attempts, no spoofed traffic, no traffic that interferes with the service or with other customers. These clauses protect the platform and the rest of the customer base.

Content abuse

Content categories typically prohibited include child exploitation material, content that incites violence, malware distribution, and fraudulent or impersonating content. Each category should be specific enough to use during a takedown decision.

Spam and unsolicited messaging

Marketplaces and SaaS commonly prohibit unsolicited bulk messaging, lead-generation through scraped contact lists, and use of communication features for purposes not described in the listing. Without this clause, support drowns in complaints.

Intellectual property

The policy should require that customers post content they have the right to post, and reference the takedown procedure for infringement claims. A reference to the broader copyright policy keeps the AUP focused.

Prohibited use cases for AI tools

Hosted AI services typically prohibit generating impersonating content, automated processing of regulated personal data without an additional contract, and any use that would defeat downstream safety controls. The AUP language should match the actual model usage.

Enforcement

Describe the enforcement steps the operator will take: warning, suspension, termination. Include the right to act without notice in cases of imminent harm. Make sure the steps are consistent with the rest of the terms.

Reporting channel

Provide a way for customers and outside parties to report abuse. A simple email address or a form is enough; the policy should also state expected response time and that the operator may share information with law enforcement when required.

Cross-references

Reference the privacy policy for how reports are handled, the terms for the broader contract, and any region-specific addendum (for example, an EU online-platforms addendum if the service is in scope).

Marketplace-specific clauses

A marketplace AUP has to address listings, communication between buyers and sellers, and platform manipulation (fake reviews, off-platform payment funnels, account farms). Each of those has its own enforcement consequence; spell them out so support has a consistent answer.

Updates and customer notice

Operators usually reserve the right to update the AUP. Material changes — new prohibited behaviors that affect existing customers — should come with reasonable notice. Generic "we may change this at any time" language reads as one-sided and tends to provoke disputes when the operator actually uses it.

FAQ

The AUP is most useful when it is short and specific. Long AUPs that quote unrelated regulations are harder to enforce than focused lists of prohibited behavior.