What is an Acceptable Use Policy?
An Acceptable Use Policy (AUP) is a legal document that defines what users are and aren't allowed to do on your platform. Unlike your Terms of Service — which covers the contractual relationship between you and your users — the AUP is the operational rulebook. It specifies prohibited behaviors and the enforcement actions you'll take.
Think of it this way: your ToS says "users must comply with our policies." Your AUP says what those policies actually are.
When is an AUP legally required?
EU Digital Services Act (DSA)
The Digital Services Act, which came into full effect in 2024, explicitly requires platforms to publish an AUP-equivalent — referred to as "terms and conditions" — that includes information on restrictions on use of their service. Article 14 DSA requires:
- Information on content or behavior restrictions
- Enforcement actions available (suspension, termination, etc.)
- Internal complaint mechanisms
This applies to any platform with EU users, regardless of where the company is based.
Infrastructure providers require it
AWS, Google Cloud, Azure, and Cloudflare all require you to have an AUP and to pass its obligations down to your users. If your users violate acceptable use and you don't have an AUP, you're in breach of your own provider agreements.
Enterprise security reviews
Enterprise customers routinely request your AUP during vendor security assessments. It signals that you take platform security and abuse prevention seriously. Having no AUP means a procurement delay or rejection.
The 10 prohibited uses every SaaS AUP should cover
- Spam and unsolicited communications — Prohibit using your platform to send bulk unsolicited email, SMS, or other messages. This is a CAN-SPAM, CASL, and GDPR requirement.
- Illegal content — Content that violates local laws: CSAM, incitement to violence, regulated financial content without authorization, etc.
- Unauthorized scraping — Automated data collection beyond what your API explicitly permits. This protects your infrastructure and your data.
- Hacking and unauthorized access — Prohibit attempting to access systems, accounts, or data without authorization. Required for CFAA compliance in the US.
- Malware and malicious code — Uploading, transmitting, or deploying malicious software.
- Intellectual property infringement — Using your platform to distribute copyrighted content, trademarks, or trade secrets without authorization. This is your DMCA safe harbor trigger.
- Harassment and hate speech — Targeted harassment, threats, or content based on protected characteristics. Required for DSA compliance.
- Account impersonation — Creating fake accounts to impersonate real people or organizations.
- Resource abuse — Cryptocurrency mining, DDoS attacks, or any activity that consumes resources beyond normal usage.
- Circumvention — Attempting to bypass security controls, rate limits, or access restrictions.
Enforcement actions: what you can do
Your AUP is only as effective as your enforcement. Document the actions you're authorized to take:
- Warning — First-line response for minor violations
- Content removal — Remove specific content without banning the account
- Rate limiting — Throttle API access or other usage
- Temporary suspension — Account freeze pending investigation
- Permanent termination — For severe or repeat violations
- Law enforcement referral — For illegal activity (required in some jurisdictions)
Important: your AUP should explicitly state that you may take these actions "at our sole discretion" and "without prior notice" for severe violations. This protects you legally when you need to act quickly.
Handling user-generated content (UGC)
If your platform allows any kind of user content — uploaded files, posts, comments, API-submitted data — your AUP needs a UGC section that covers:
- Who owns the content (users retain ownership; you get a license to host/serve it)
- Your right to remove content that violates the AUP
- DMCA notice-and-takedown procedure (US) or DSA out-of-court dispute settlement (EU)
- Whether you proactively moderate or only respond to reports
Where to publish your AUP
Your AUP should be:
- Linked in your main Terms of Service ("users must comply with our Acceptable Use Policy, available at [URL]")
- Accessible from your footer (same level as Privacy Policy and ToS)
- Referenced in your API documentation if you have a public API
- Included in your customer contracts for enterprise deals
Generate your AUP in minutes
Building an AUP from scratch is time-consuming. Our free AUP generator covers all 10 prohibited use categories, 6 enforcement actions, EU DSA compliance, and UGC handling. It generates a complete, publication-ready HTML document in under 2 minutes.
You can also pair it with a Terms of Service and Privacy Policy — all free, all pre-filled with your company details.