Acceptable use policy

What you cannot do with Dokima. Forms part of the Terms of Service.

This policy is being formally reviewed and may be updated before launch. Email [email protected] with concerns.

v0.2 — 2026-05-10

The short version

Use Dokima honestly. Don't try to circumvent rate limits, abuse the free tier, mislead other people about scores, repackage the service, or use it for anything illegal. Material breach entitles us to suspend or terminate your account immediately and without refund, ban your IP addresses, payment instruments, and email domains, and report severe conduct to relevant authorities.

Rating manipulation

You may not:

  • submit model identifiers with the intent of inflating, deflating, or otherwise manipulating Dokima's published scores or leaderboards;
  • create multiple accounts, use proxies or VPNs, or coordinate with others to inflate scan counts or distort statistical outputs;
  • attempt to reverse-engineer the precise weights of any rubric component beyond what is published at the Methodology page, including by submitting probe model identifiers crafted to expose internal scoring thresholds;
  • submit deliberately falsified Hugging Face metadata, or solicit a model author to do so, for the purpose of producing a misleading Dokima score about a third-party model;
  • publish a falsified Dokima badge — that is, an SVG that visually claims a Dokima grade that does not match the score returned by our canonical badge endpoint at the time of display. The Dokima badge endpoint is the canonical source of truth; you must not replace it with a static asset that might become out of date or that misrepresents the model's current grade.

Quota circumvention + multi-account abuse

You may not:

  • operate more than one account per natural person without our prior written consent;
  • delete an account and re-sign-up with the same email or a trivial variant of it (for example dot-tricks on Gmail addresses, plus-tag aliases) for the purpose of evading the prior account's used quota — we retain a one-way SHA-256 hash of normalised email and apply inherit-quota for re-signups within the same billing period, as disclosed in our Privacy Policy;
  • use disposable email services to sign up — we block known disposable domains via an open-source allowlist refreshed quarterly;
  • circumvent rate limits via IP rotation, account rotation, distributed clients, browser automation against the public web scanner, or any other technical means.

Scraping + systematic extraction

You may not:

  • scrape, crawl, mirror, or systematically extract Dokima content other than via the documented API and within your tier's published rate limits;
  • use the badge endpoint or score-report endpoint in a way that exceeds reasonable embedding (for example automated bulk fetching of badges for entities other than your own model cards, or polling intervals that exceed cache-control headers);
  • impersonate a Dokima user-agent, omit a user-agent header, or otherwise disguise the source of automated traffic.

Commercial resale + competitive use

You may not:

  • resell, sublicence, syndicate, or otherwise commercially exploit Dokima scores, reports, badges, or remediation text as a product or service to third parties without a written commercial licence from us;
  • use Dokima output as a labelled training set, fine-tuning input, evaluation set, benchmark, or any other input to the development or training of any AI/ML model intended for commercial use, without a written licence;
  • use Dokima output, methodology, or service to develop, market, or operate a competing AI model trustworthiness scoring service.

Individual Verdicts for public Hugging Face models are released under CC BY 4.0 and may be reused with attribution; bulk corpus extraction is governed by this clause and requires a separate commercial licence.

Reverse engineering + anti-circumvention

You may not reverse engineer, decompile, disassemble, or otherwise attempt to derive the source code, internal architecture, or non-public methodology weights of any part of the Service, except as expressly permitted by the AGPL-3.0-or-later licence applicable to the engine source code (which is available on request to [email protected]). For the avoidance of doubt, certain conduct prohibited by this Acceptable Use Policy may also constitute a criminal offence under the Computer Misuse Act 1990 — including unauthorised access to computer material (s.1), unauthorised acts with intent to impair operation (s.3), and supplying or obtaining articles for use in such offences (s.3A). We may report such conduct to law enforcement.

Illegal, harmful, and abusive use

You may not use Dokima:

  • to facilitate any illegal activity in your jurisdiction, including scanning identifiers known to host or traffic child sexual abuse material, terrorism material, or other content that is unlawful in your jurisdiction;
  • to distribute malware, viruses, exploits, or other harmful code via score reports, dispute communications, or support tickets;
  • to infringe intellectual property rights — yours, ours, or anyone else's;
  • to harass, threaten, defame, or invade the privacy of any individual, including model authors, other Dokima users, or our staff and subprocessors;
  • to interfere with the operation of Dokima's infrastructure, our subprocessors' infrastructure, or any third party's infrastructure, including by volumetric attacks, malformed payloads, resource-exhaustion patterns, or social engineering of staff;
  • to spam, mass-message, or otherwise abuse the support, score-appeal, or other communication channels we provide.

Security testing + responsible disclosure

You may not perform automated security scanning, penetration testing, fuzzing, or vulnerability research against Dokima infrastructure (production or staging) without our prior written authorisation. To report a security vulnerability you have discovered through ordinary use, contact [email protected]. We follow a two-stage acknowledgement process aligned with RFC 9116 and ISO/IEC 29147 vulnerability-disclosure norms:

  • Automated acknowledgement within 24 hours of receipt: every valid report is auto-acknowledged with a tracking identifier and an estimated triage window;
  • Human triage within 1 to 3 business days following the automated acknowledgement, with substantive reply, severity assessment, and proposed remediation timeline;
  • we will not pursue legal action against good-faith security researchers who follow our coordinated disclosure process;
  • at our discretion, we credit researchers (with their consent) in our security acknowledgements;
  • we negotiate disclosure timelines reasonably and in good faith.

Termination consequences for breach

We may suspend or terminate your account immediately and without refund if we reasonably believe you have materially breached this Acceptable Use Policy. For severe or repeated breaches (including rating manipulation, scraping, commercial resale, or any conduct in the "Illegal, harmful, and abusive use" section above), we may also:

  • ban the IP addresses, browser fingerprints, payment instruments, and email domains used in the breach, and refuse to do business with you in future under any identity;
  • at our discretion, preserve and disclose breach evidence to law enforcement, the Information Commissioner's Office, or any other authority of competent jurisdiction;
  • at our discretion, notify any third party harmed by the breach (for example, a model author whose score was manipulated) where necessary for that party to protect their interests;
  • seek indemnification from you under the Terms of Service for any third-party claim, regulatory action, or loss arising from the breach.

For the avoidance of doubt: an account suspended or terminated under this section is not entitled to a refund under the cooling-off provisions of the Terms of Service or otherwise.

Reporting abuse by another user

If you believe another user is violating this Acceptable Use Policy — including by submitting falsified data about your model, manipulating scores, or scraping the service — email [email protected] with as much detail as you can provide. We will investigate as soon as reasonably practicable and take appropriate action; we will not disclose your identity to the reported user without your consent.