Legal
Acceptable Use Policy
Last updated July 7, 2026
This Acceptable Use Policy ("AUP") sets the ground rules for the Custom Domain service. It is part of our Terms of Service and applies to you and to anyone using the Service through your account, including your end-users. Because we sit in the DNS and domain path, misuse can harm third parties, so we take this seriously.
1. Overview
You may use the Service only for lawful purposes and in accordance with these rules and the Terms. You are responsible for all activity under your account and for ensuring your end-users comply. If you become aware of a violation involving your account, you must stop it and notify us.
2. Prohibited content
You must not use the Service to host, serve, proxy, or link to content that:
- is illegal, or facilitates illegal activity;
- infringes intellectual property or misappropriates trade secrets;
- is child sexual abuse material (CSAM) or exploits minors in any way;
- is malware, ransomware, spyware, or other malicious code;
- is designed for phishing, credential harvesting, or fraud;
- promotes violence, terrorism, or unlawful harm, or is harassing or abusive;
- violates export controls or sanctions; or
- violates the privacy or publicity rights of others.
3. Prohibited conduct
You must not:
- use the Service without authorization over the relevant domains or systems;
- send spam or unsolicited bulk communications, or support such activity;
- interfere with or disrupt the Service, its infrastructure, or other users;
- circumvent rate limits, quotas, authentication, or access controls;
- reverse engineer the hosted Service except as permitted by the open-source license or applicable law;
- resell or provide the hosted Service to third parties except as expressly permitted; or
- use the Service to build a competing service by misappropriating our non-open-source materials.
4. Domain, DNS and edge abuse
Because the Service configures DNS, issues certificates, and proxies traffic at the edge, the following are strictly prohibited:
- Connecting domains you do not control. You may only connect domains that you, or your authorized end-users, own or are permitted to configure. Domain hijacking or unauthorized DNS changes are prohibited.
- Typosquatting and impersonation. Do not connect domains that impersonate others or are confusingly similar to third-party brands for deceptive purposes.
- Dangling / subdomain takeover. Do not exploit stale DNS records to take over domains or subdomains you are not authorized to serve.
- Certificate abuse. Do not attempt to obtain certificates for domains you do not control, or use the ACME/edge flow to interfere with certificate authorities.
- Edge/proxy abuse.Do not use the reverse-proxy edge to launder, anonymize, or relay abusive traffic, to bypass another party's access controls, or to conduct denial-of-service or amplification attacks.
- Malicious DNS techniques. Do not use the Service for fast-flux hosting, domain-generation-algorithm infrastructure, botnet command-and-control, or similar abuse.
5. Registrar abuse
If you use the domain-purchase feature, you must comply with ICANN and registry policies. You must provide accurate registrant information, must not register domains in bad faith (including cybersquatting), and must not use registrations to facilitate fraud or evade abuse enforcement.
6. Security and testing
Do not probe, scan, or test the vulnerability of our systems, or breach security or authentication measures, without our prior written consent — except that good-faith security research conducted in line with our responsible disclosure policy is welcome and authorized within its scope. Do not access data that is not yours, and report anything sensitive you encounter instead of exploiting it.
7. Enforcement
We may investigate suspected violations and may remove content, disable a connection or domain, throttle, suspend, or terminate access to protect the Service, our users, and third parties. Where practicable we will give notice and an opportunity to cure, but we may act immediately for severe abuse (such as CSAM, active phishing, or attacks in progress) or where required by law. We may report illegal activity to authorities.
8. Reporting abuse
To report abuse of a domain or site served through the Service, email [email protected] with the domain, a description, and any evidence. To report a security vulnerability, use our Security page. We aim to acknowledge abuse reports promptly and act on verified reports.