1. Lawful use
You may use the Service only for lawful purposes and in accordance with the Terms, this Policy, platform rules and the rights of others. You must not ask us to perform conduct that you could not lawfully perform yourself.
2. Prohibited instructions and content
You must not submit, store, promote or request work that:
- is illegal, fraudulent, deceptive, defamatory, threatening, exploitative or discriminatory;
- facilitates malware, phishing, credential theft, unauthorised surveillance, spam or denial-of-service activity;
- circumvents access controls, paywalls, technical restrictions, sanctions or identity verification;
- infringes intellectual-property, privacy, publicity, confidentiality or contractual rights;
- sexualises or exploits minors, promotes trafficking, or contains unlawful sexual content;
- supports unlawful weapons, controlled substances, gambling, financial fraud or regulated activity without required authorisation;
- manipulates reviews, engagement, advertising metrics or public discourse through inauthentic behaviour;
- collects, scrapes, enriches or markets to personal data without a documented lawful basis; or
- creates an unreasonable risk to a person, service, infrastructure or the public.
3. Access and credentials
- Provide only access you are authorised to grant and only for the time and scope needed.
- Do not place passwords, card data, private keys, seed phrases or production secrets in task comments or ordinary attachments.
- Use an approved password manager or time-limited invitation when credentials are required.
- Revoke access that is no longer needed and notify us if credentials may be compromised.
- Do not ask us to impersonate another person or conceal an unauthorised login.
4. Personal and regulated data
Do not upload production customer databases, complete payment-card data, government identifiers, health data, biometric data, children’s data, criminal records or other highly sensitive information unless an Order Form and DPA expressly authorise it and appropriate safeguards are in place. Use synthetic, redacted or minimised samples wherever possible.
5. Platform and third-party rules
You are responsible for ensuring instructions comply with the terms of WordPress plugins, Shopify, Webflow, Wix, Framer, hosting, advertising networks, messaging platforms, APIs and other services you use. We may decline a task that appears to violate a rule or require evidence of permission from the relevant owner or provider.
6. Security testing
Vulnerability scanning, penetration testing or load testing requires advance written scope and proof that you own or are authorised to test the target. Testing must define targets, timing, methods, data handling and an emergency contact. We do not perform destructive testing or social engineering under a standard subscription.
7. Sanctions and restricted dealings
You represent that neither you nor the beneficial recipient of the Service is subject to sanctions that prohibit the transaction, and that payment and performance will not involve a prohibited bank, person, end use or territory. TUNDRÄ does not apply a blanket geographic registration ban, but may refuse a particular payment or task when required by applicable law, Lava.top, a card network or a competent authority.
8. Resource abuse
You must not automate task creation, upload excessive duplicate material, use the portal as general file storage, interfere with service operation, probe other accounts, bypass limits, or use a subscription to resell unbounded work to unrelated third parties without an agency or Scale agreement.
9. Enforcement
We may ask for clarification, remove or quarantine content, restrict an affected task, suspend access, preserve evidence, notify an affected provider or authority where legally required, or terminate for a serious or repeated violation. Where safe and lawful, we will give notice and an opportunity to remedy. We will tailor action to the risk and will not waive mandatory Consumer rights.
10. Reporting
Report suspected abuse or security issues to support@tundraa.dev. Include the relevant URL, account or task, a factual description, timestamps and evidence that can be shared lawfully. Do not send active malware or secrets by ordinary email.